The GDPR is coming! You may have noticed. Tasked with bringing 20+ websites into line with the new legislation by the 25th May, I have been up to my elbows in GDPR recently and have found it astonishingly difficult to find authoritative answers to anything beyond the very broadest of questions. While the quantity of articles already written on the subject is naturally very high, the vast majority simply regurgitate a very high-level overview of what the GDPR (General Data Protection Regulation) is, normally seasoned with some shock headlines about the eye-watering fines that may be imposed for non-compliance.

And so this is not one of those posts. For an overview of the GDPR, the ICO would be a good start. It does not, sadly, provide all of the answers, but at least avoids the scaremongering and misinformation that is so abundant elsewhere. In this series of posts, I will document whatever information I have found to my more specific questions about the nuts and bolts of how my clients’ websites (and my own when I get around to it) can comply with the new regulations. At the bottom of each post will be a small section (subject to revision) that will show the solution I have arrived at. In this particular post, on Google Analytics, I’m shocked at the volume of information I have had to sift through to come to a reasonable understanding of why the solution really doesn’t require much change, if any. It should be clearly understood that I am not a lawyer and none of this constitutes legal advice. Or any sort of advice!

Google Analytics uses Cookies 🙁

First on the hit list – Google Analytics. I’m pretty sure every single website I manage uses Analytics. Analytics does use cookies, and cookies are frightening people just now. Google Analytics cookies are responsible for the vast majority of those annoying cookie banners we have all become blind to now. Without Analytics, millions of small websites would not use any cookies at all, and would be exempt from displaying the cookie banners.

But the GDPR isn’t really about cookies

But there is an important piece of information that is missing from almost every GDPR overview I have read. Cookies are mentioned just once in the 99 articles that make up the GDPR, and then only those that store personal data are implicated, which Google Analytics cookies don’t** (sort of – see caveat below). To comply with the GDPR you probably don’t have to do anything different where Analytics is concerned, because the UK law that governs the placement of cookies on a user’s computer is, and continues to be, the Privacy and Electronic Communications Regulations (PECR – no sniggering), which is derived from the EU e-Privacy Directive.

Things might even get easier

Now the e-Privacy Directive is certainly getting a good shake-up, but the revised laws will not be implemented until 2019, and until then, apart from some leaked details, we don’t yet know what to expect and will just have to continue to comply with the existing laws. However, those leaked details sound very encouraging: it looks likely that the browser vendors (Chrome, Firefox, Edge, et al.) may be expected to be the vehicles that give the user control over their cookies, sparing website visitors countless annoying popups, and sparing website owners and managers the need to implement the banners and the degradation of the customer experience that results. I certainly hope that will be the case.

But until then

In the meantime, how do websites that use only Google Analytics and nothing more intrusive comply with the existing laws for the next year or so? I’m afraid you probably ought to hang on to your annoying cookie banner for now, and you will certainly want to get your privacy policy up to scratch. Let’s be clear that in the case of Google Analytics, the question is not one of personal data; the reason you should display the information is because Google Analytics places cookies on the user’s device and then they, a third party, process the (non-personal) data that they receive from it. And that, I’m afraid, does require consent, as it has done since 2011.

So how do we get consent?

Well, yes, that is where it all gets a bit vague, and where the GDPR does get involved a little bit. Under GDPR, consent should be explicit and not implicit, as was the case previously. But explicit consent does not necessarily require the tick of a box or the click of a button – a gesture such as scrolling or browsing to another page on the website is accepted as explicit consent, on condition that the user was informed of the use of cookies, provided with the opportunity to find out more detail about their use, and clearly informed what actions on their part will be taken as consent. All of this can easily be incorporated into the cookie popup banner.

Should consent be obtained before Google Analytics cookies are placed (prior consent)?

What I have found trickier to navigate is the concept of prior consent, particularly in the context of inoffensive little cookies such as those used in Analytics. In other words, are we permitted to place cookies on the user’s device in anticipation of their consent being given? The logical answer of course would be no! If consent is required in order to place cookies, the cookies must not be placed until consent has been obtained. In fact this is only partly a GDPR problem, in that GDPR will apply equally to all EU member states (and the UK). In some countries in the EU, prior consent is already required, though rarely implemented, because it is so difficult and obstructive! There are two problems with this approach:

  1. Prior consent requires a solution that is more technically advanced than most cookie consent banners I have encountered to date. In most cases, it requires that whatever script is responsible for the cookie consent banner is also responsible for placing the scripts that place the cookies (e.g. your Google Analytics tracking code), and only once consent has been obtained. In other words, you can’t just paste your Analytics script and your cookie script into your web pages separately. They need to work together in some way.
  2. If we do this with Analytics code, our Analytics data will be substantially altered because we will not be able to register first time users who only visit a single page. We will only be able to start collecting data about their visit once they navigate to another page. This will mean we can no longer monitor and address our bounce rate, and could prevent any sort of useful tracking of responses to links in social media for example.

Personally, I feel a little pragmatism is called for. Here are the reasons that I don’t think I will be recommending that people who use Analytics tracking should be forced to obtain prior consent. Of course, once again, I am not a lawyer and this is certainly not legal advice, we all have to find our own solutions:

  1. Analytics cookies are unintrusive, collect no personal data and pose no risk at all to the user. In short, they are not what the GDPR, PECR, or ePrivacy are there for. In spite of the scaremongering about fines, the ICO themselves have made it very clear that fines will be a last resort, in cases where people’s personal data has been misused or put at risk.
  2. It will be difficult and costly for many small businesses to implement a new solution that does gain prior consent.
  3. If they do so it will degrade the usefulness of their Analytics data.
  4. In 2019, the new ePrivacy directive should hopefully solve this problem once and for all by taking it off your hands and giving it to the browsers to deal with.

**That little caveat about personal data

Standard analytics code and cookies do not process any personal data, with one very marginal, borderline exception. The user’s IP address, although not available to you in your Analytics data, is sent to Google and could, maybe, theoretically be seen by Google employees. IP addresses are used to provide geographical data about your users, so you can see what country people come from, but not their actual IP address. There is a way around this though, if it bothers you, which is to adjust your Analytics tracking code to anonymise the IP address before it is sent to Google. This may have a minor impact on the accuracy of your geographical data, but that’s all. Here is some more information from Google.

Just one last point on personal data – while Google Analytics is not itself set up in a way that processes personal data, in a few rare instances it is possible to inadvertently send them personal data, and if you are doing so, you need to stop it right now! But you’re almost certainly not. An example scenario may be a custom-developed membership website that uses email addresses in the URL strings of publicly accessible pages. It’s bad practice anyway, contravenes Google’s own rules, and would also be in contravention of GDPR.

Finally – my solution where only Google Analytics cookies are used

  1. Because I will be providing this as a service and want to be thorough, and because it won’t take me too long and won’t have a detrimental impact, I will be adjusting the Analytics code to anonymise IP addresses before they are sent to Google. Here’s how.
  2. Where no other cookies (at least no intrusive ones) are set by the website, if they are already adequate, I will continue to use whatever cookie popups are already in place, ensuring that they state clearly how continued use of the website will constitute acceptance of cookie use. The same banner will also include a link to the website privacy policy. For WordPress users, Cookie Notice is good and can also be used if necessary for those situations where prior consent really is required.
  3. I will be checking that the privacy policy exists, is easily accessible, that it clearly states that we use Google Analytics cookies to collect website data, and why, and providing a link to more information about cookies and how to disable them. Here is a good example of such a link.
  4. As I will be modifying the Analytics tracking code anyway for IP address anonymisation, I may also implement a direct opt out link in the privacy policy, which also requires some modifications to the tracking code. More information from Google on that. Then again, with this solution, the cookies are still set, but just don’t send any data, so I’m not sure it serves any useful purpose.
  5. Don’t panic. As stated, Analytics tracking is really not what any of this is about. So long as you demonstrate at least some effort to comply, it will almost certainly be adequate where you are not in fact handling personal data, as is the case with Google Analytics.
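As an added example (not the author's code, nor Google's snippet verbatim), here is how the three technical pieces above can fit together for analytics.js: the consent-gated loading from point 1 of the prior-consent list, the anonymizeIp setting from point 1 of the solution, and the ga-disable opt-out flag from point 4. The cookie name `cookie_consent`, its values, and the property ID are assumptions; the decision logic is kept in a pure function so it can be tested outside a browser.

```javascript
// Consent gate for Google Analytics (analytics.js). Added example, not the post's code.
// Assumed: the banner sets a first-party cookie "cookie_consent" to "accepted" or
// "declined"; no cookie at all means the banner is still showing (no consent yet).
const PROPERTY_ID = 'UA-XXXXXX-Y'; // placeholder, replace with your own property ID

// Parse a document.cookie style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Decide what this page load should do. optedOut mirrors Google's documented
// window['ga-disable-<PROPERTY_ID>'] flag used for a privacy-policy opt-out link.
// Nothing is loaded, so no _ga cookie is set, unless consent is already recorded.
function analyticsPlan(cookieString, optedOut, propertyId = PROPERTY_ID) {
  const consent = parseCookies(cookieString).cookie_consent;
  if (optedOut || consent !== 'accepted') return { loadScript: false, commands: [] };
  return {
    loadScript: true,
    commands: [
      ['create', propertyId, 'auto'],
      ['set', 'anonymizeIp', true], // Google truncates the IP before storing it
      ['send', 'pageview'],
    ],
  };
}

// Browser side: queue the commands and inject analytics.js only when the plan says so.
function applyPlan(plan) {
  if (typeof document === 'undefined' || !plan.loadScript) return false;
  window.ga = window.ga || function () { (window.ga.q = window.ga.q || []).push(arguments); };
  window.ga.l = +new Date();
  for (const cmd of plan.commands) window.ga(...cmd);
  const s = document.createElement('script');
  s.async = true;
  s.src = 'https://www.google-analytics.com/analytics.js';
  document.head.appendChild(s);
  return true;
}

// Run on page load in a browser; a server-side or test runtime skips this.
if (typeof document !== 'undefined') {
  applyPlan(analyticsPlan(document.cookie, window['ga-disable-' + PROPERTY_ID] === true));
}
```

The banner's "accept" handler should set `cookie_consent=accepted` and then call `applyPlan(analyticsPlan(document.cookie, false))` itself, so the first page view of a consenting visitor is still recorded without a reload.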