GDPR and Google Analytics – Make Your Site Compliant

Do you want to know about GDPR and Google Analytics? By now, we’re sure that you’ve received a few dozen emails regarding the General Data Protection Regulation (GDPR) that took effect on May 25th, 2018.

Due to the hefty penalties, up to 4% of annual revenue or 20 million euros (whichever is greater), the news of GDPR has caused quite a panic among businesses around the world.

We have received countless emails from SLG users asking us what changes we are making with regard to GDPR.

In this post, we’ll explain how the new SLG features, along with Google Analytics, will help automate some of the compliance processes for website owners.

Legal Disclaimer: Due to the dynamic nature of websites, no single plugin can offer 100% legal compliance. Please consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases. Nothing on this website should be considered legal advice.

What is GDPR?

General Data Protection Regulation (GDPR) is a new privacy regulation passed by the European Union (EU) that will have a significant impact on businesses around the world.

The law is over 200 pages long and consists of data subject rights such as the right to be forgotten, breach notification, consent, etc.

It’s nearly impossible for any blog post to accurately describe all that’s involved, which is why we recommend consulting an attorney to discuss full compliance.

But we’ll do our best to summarize GDPR and Google Analytics, its impacts, and how SLG can help you.

How does GDPR affect Google Analytics?

According to GDPR, you must obtain explicit consent before collecting or processing any personal information of an EU resident or citizen.

Since you can use Google Analytics to track user ID / hashed personal data, IP addresses, cookies, and other behavioral profiling event data, you have one of two options:

  1. Anonymize potentially personal identifying data like IP addresses
  2. Obtain explicit consent before loading the Google Analytics script

If you don’t have consent, then you also cannot share the Demographics and Interest reports with your Remarketing / Advertising (Google Adwords) account.

Aside from that, you’ll also have to adjust the data retention controls in Google Analytics.

This will ensure that you continue to have historical data and can access ad-hoc reports like multi-channel funnel attribution reports, flow visualization reports, custom reports, etc. (more on this later in the article).

Now that we’ve answered how Google Analytics tracking applies to GDPR, let’s see how you can make your site compliant.

How Does SLG Help with GDPR?

In case you’re wondering how to make Google Analytics GDPR compliant, then we have a solution for you.

Since SLG is the best WordPress GDPR plugin and offers third-party Google Analytics integration for WordPress, we’ve done our best to integrate the changes that Google Analytics has made to their product, so you can easily automate some of the GDPR compliance processes.

Earlier this week, we released our EU Compliance Addon for SLG which is available on all premium licenses.

To help you better understand the new features and changes, we’re going to break down every detail one-by-one.

1. Automatically Anonymize or Disable Personal Data Tracking

When you enable the SLG EU compliance addon, it automatically:

  • Anonymizes IP addresses on all Google Analytics hits, eCommerce hits, and form tracking hits
  • Disables UserID tracking on Google Analytics hits, eCommerce hits, form tracking hits, and the UserID dimension in the Custom Dimensions addon
  • Disables author tracking in the Custom Dimensions addon
  • Enables the ga() compatibility mode
  • Disables the Demographics and Interests Reports for Remarketing and Advertising tracking on Google Analytics hits
  • Integrates with CookieBot plugin and Cookie Notice plugin without any code changes required to MonsterInsights
  • Allows AMP users to agree on the Google AMP Consent Box before being tracked

It’s important to note that it ONLY disables the demographics and interests reports for remarketing and advertising tracking (i.e., Google Ads). You’ll continue to get demographics and interests reports from aggregated data in Google.

2. Enable Consent Box Integrations

If you want to continue to track personalized data, then you’ll need to get user consent. Instead of building a consent box solution inside SLG, we decided to integrate with existing popular solutions, so you can have a site-wide consent box that encompasses everything.

SLG EU compliance addon integrates seamlessly with the popular Cookie Notice plugin by dFactory and the new CookieBot plugin.

When you have one of the above plugins enabled, then SLG will wait to load the analytics script until the user gives their explicit consent. We’ve also enabled the ga() compatibility mode so Cookiebot can properly pass the data.

The downside of solution #2 is that users who don’t opt in won’t be tracked, which will lead to a lot of missing GA session data. This is why we always recommend option #1 as an ideal solution.

However, enough users asked for this solution, so we made it available. To learn how to further customize this, please see our documentation on getting started with the EU compliance addon.
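The two modes described above (anonymize by default, or hold the analytics script until consent) can be sketched as a small gate in front of analytics.js. This is an added example, not SLG's plugin code: createConsentGate and the injected loadScript are hypothetical names, UA-XXXXX-Y is a placeholder ID, and the anonymizeIp, allowAdFeatures and userId fields and the ga-disable-<ID> window flag are the standard analytics.js ones.

```javascript
// Added example, not SLG code. loadScript is injected so the logic runs outside a browser.
function createConsentGate({ trackingId, requireConsent, loadScript, win = {} }) {
  const sent = [];      // commands handed to ga(), in order
  let pending = [];     // commands held back until the script may load
  let loaded = false;
  let consent = false;

  // analytics.js built-in opt-out: window['ga-disable-<ID>'] = true
  const optedOut = () => win['ga-disable-' + trackingId] === true;
  // Without consent, drop commands that would attach a user identifier.
  const allowed = (cmd) => consent || !(cmd[0] === 'set' && cmd[1] === 'userId');

  function start() {
    if (loaded || optedOut()) return;
    loaded = true;
    loadScript('https://www.google-analytics.com/analytics.js');
    sent.push(['create', trackingId, 'auto']);
    if (!consent) {
      // Option #1: track, but with IP anonymization and no ad features.
      sent.push(['set', 'anonymizeIp', true]);
      sent.push(['set', 'allowAdFeatures', false]);
    }
    pending.filter(allowed).forEach((cmd) => sent.push(cmd));
    pending = [];
  }

  function ga(...cmd) {
    if (optedOut()) return;                        // opted out: never record
    if (!loaded) { pending.push(cmd); return; }    // option #2: wait for consent
    if (allowed(cmd)) sent.push(cmd);
  }

  function grantConsent() { consent = true; start(); }

  if (!requireConsent) start();                    // option #1 loads immediately
  return { ga, grantConsent, sent, isLoaded: () => loaded };
}

// Constructed demo: consent mode holds everything until the visitor agrees.
const demoLoads = [];
const demoGate = createConsentGate({
  trackingId: 'UA-XXXXX-Y', requireConsent: true, loadScript: (u) => demoLoads.push(u),
});
demoGate.ga('send', 'pageview');
console.log('before consent:', demoLoads.length, demoGate.sent.length);
demoGate.grantConsent();
console.log('after consent:', demoLoads.length, JSON.stringify(demoGate.sent));
```

In a browser, loadScript would append the script tag and each entry in sent would be passed to the real ga() function.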

3. Easy Opt-out of Data Tracking

Depending on your needs, you may wish to provide an option for users to opt-out of tracking.

SLG has 3 ways to offer opt-out options for tracking:

  • If you are using Cookie Notice or CookieBot plugin, then you should use their respective built-in options.
  • If you are not using either of those plugins, then you can use one of SLG’s Opt-Out link integrations or easily create an opt-out link by following our guide.
  • We have also made SLG compatible with both Google Analytics’s Chrome browser opt-out extension and Google Analytics’s built-in cookie opt-out system.

GDPR and Google Analytics User and Event Data Retention Policy

By now you’ve likely received an email from Google Analytics to inform you about the changes coming to the data retention policy. Starting May 25, 2018, Google will automatically set your data retention to 26 months by default.

You can choose from 14 months, 26 months, 38 months, 50 months, or never expiring user and event data.

You can configure this by logging into your Google Analytics account and clicking on the Gear icon at the bottom left of the page.

To edit, in the Property column click on Tracking Info » Data Retention.

According to Google, this setting will not affect most standard reporting based on aggregated data. But what does that really mean?

This means that you’ll have access to your default reports like Audience, Acquisition, Behavior, and Conversions because they use aggregated data.

You can select a date range for these reports, and they’ll generate in seconds because they’re readily available.

That sounds all great, but there’s a big problem unless you take action.

GDPR and Google Analytics Impact on Online Marketing

What Google isn’t telling you is that purging this data will eliminate your ability to run ad-hoc reports on historical data.

Ad-hoc reports are based on sample data and include applying a segment, filter, or secondary dimension, or building a custom report. Purging the data also means losing access to historical data in your Multi-Channel Funnel and Attribution reports, Flow-visualization reports, etc.

While you may not use these reports every day, they can be pretty significant once you start diving deeper into your website analytics.

The decision to set the data-retention policy to “Never Expire” or to expire in 50 months should be made in consultation with an attorney.

To learn more about this, this article by Jeff Sauer provides detailed insights and perspectives on the data-retention policy.

In Conclusion

We hope this article and our new features help you automate some of the Google Analytics GDPR compliance issues on your website.

Due to the dynamic nature of websites, no single plugin can offer 100% GDPR compliance. This is why different services and plugins are announcing their own GDPR enhancements to help your business comply with the law.

For example, our sister product, WPForms, recently came out with its own set of GDPR enhancements for WordPress forms.

At the end of the day, it is your responsibility as a business owner to comply with GDPR. You can go ahead and also check out our guide on how to make sure your Google Analytics complies with CCPA.

As always, thanks for your continued support of SLG and we look forward to bringing more new features to you.

Syed and the SLG Team

Not using SLG Pro? Upgrade your license to access the EU Compliance Addon among many other features!