November 8, 2019

GDPR consent needed for Google Analytics?

I haven't been able to find concrete answers on the topic. I wanted to add GA to my site but I'm not sure whether I need to have the consent dialog for EU users? To be honest from the user perspective it's super annoying.
FWIW my targeted users are in the USA.

  1. 2

    I would say don't worry about it too much (if it's really only GA), but you could do some nice things for all your users, even if you're not forced to do it:

    1. Disclose that you track users and utilize cookies

    2. Explain what exactly you track

    3. Do not collect private data, or if you gather it, don't associate it with analytics

    4. Always anonymize user IP. This is crucial for GDPR, you must alter your GA tracking code: https://developers.google.com/analytics/devguides/collection/analyticsjs/ip-anonymization

    Also, I find it more comfortable to use services like iubenda to manage privacy policy: https://www.iubenda.com/en/features#privacy-and-cookie-it policy
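As an added illustration of step 4 above (not code from the thread or from Google): a consent-gated analytics.js bootstrap that queues `ga('set', 'anonymizeIp', true)` before the first hit, built on the same command-queue stub the official snippet installs. `hasAnalyticsConsent` and the consent record shape are hypothetical stand-ins for whatever your own dialog stores; the tracking ID is a placeholder.

```javascript
// Minimal reproduction of the analytics.js stub: until the real library
// loads, ga() only queues its arguments, so the queue can be inspected.
// In a browser you would do `window.ga = makeQueueStub()` and then load
// https://www.google-analytics.com/analytics.js as usual.
function makeQueueStub() {
  const ga = function () {
    (ga.q = ga.q || []).push(Array.from(arguments));
  };
  ga.l = Date.now();
  return ga;
}

// Hypothetical consent store: replace with your own cookie/dialog check.
// Only an explicit opt-in for analytics counts as consent.
function hasAnalyticsConsent(consentRecord) {
  return Boolean(consentRecord && consentRecord.analytics === true);
}

// Gate the whole tracker on consent, and set anonymizeIp before any hit.
// Returns the queued commands so the ordering can be verified.
function initAnalytics(ga, trackingId, consentRecord) {
  if (!hasAnalyticsConsent(consentRecord)) {
    return []; // nothing created, nothing sent
  }
  ga('create', trackingId, 'auto');
  ga('set', 'anonymizeIp', true); // must precede the first 'send'
  ga('send', 'pageview');
  return ga.q.slice();
}

// Audit helper: true when no 'send' is queued ahead of the anonymizeIp flag.
// Useful as a unit test for a site's tracking snippet.
function anonymizedBeforeFirstSend(queue) {
  const setIdx = queue.findIndex(
    (c) => c[0] === 'set' && c[1] === 'anonymizeIp' && c[2] === true
  );
  const sendIdx = queue.findIndex((c) => c[0] === 'send');
  return sendIdx === -1 || (setIdx !== -1 && setIdx < sendIdx);
}
```

Rather than tacking on a popup everywhere, the same gate can be applied only for visitors whose consent record is missing, which is the pattern the thread is debating.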

  2. 1

    GDPR relates to the collection of personally identifiable data.

    It is against Google Analytics terms and conditions to use it to collect personally identifiable data.

    Therefore, if you are using a standard implementation of Google Analytics then you are not in breach of GDPR.

    1. 0

      Actually, with a standard GA implementation, there are at least a few problems, in terms of GDPR:

      1. It's recording the visitor's IP, which might be treated as personal data

      2. Google is cross-referencing data with other products

      More info:

      https://www.iubenda.com/en/help/1184-how-to-anonymize-ip-addresses-and-avoid-the-cross-referencing-of-data-in-google-analytics

      https://www.jeffalytics.com/gdpr-ip-addresses-google-analytics/

      It's doubtful that any US (or even EU) based SMB would have any problems with it. But anonymizing IP and unchecking a few checkboxes would still be a good idea, even if you don't really care too much.

      1. 1

        You can still collect personally identifiable data and be compliant with GDPR. It requires disclosing how the data is processed / stored / used etc.

        Google has some information here: https://privacy.google.com/businesses/compliance/#!?modal_active=none

        My understanding is they comply because their disclosure meets GDPR requirements.

        All that said, given IP addresses aren't useful to you as an end user of Google Analytics, taking the steps outlined in those articles to anonymise them certainly isn't a bad idea.

  3. 1

    If you’re targeting the US, I don’t see a need to bother with GDPR. It’s an EU thing.

    I am based in the US, and I comply with US laws. I think it’s silly to have to comply with everywhere else - do we also have to comply with Chinese or Iranian law?

    That said, don’t take my legal advice! :)

    1. 1

      If you store personal details of people in EU, you need to comply.

      GDPR is not about regulating businesses, it's about protecting personal data and the rights of the people whose data it is, hence GDPR rules are a good practice to apply even if you don't store personal EU data:

      • tell your customers who you'll pass/sell their data to

      • allow them to request that their personal data be deleted

      • don't store it longer than you need it

      All of that sounds fair and square; it's how every business in the world should operate and treat personal data from day 1.

      https://gdpr.eu/compliance-checklist-us-companies/

      1. 1

        Sure, as an optional "best practice" being transparent with user data is great. However I don't legally have to comply, and I'm not going to sacrifice my users' experience by slapping those dumb popups all over my page.

        1. 1

          I agree with you on popups and user experience, however, you have to legally comply if you store personal details of EU people, regardless of whether you're in the United States or North Korea.

          The link in the previous comment has all the information about GDPR for US companies.

          You may be wondering how the European Union will enforce a law in territory it does not control. The fact is, foreign governments help other countries enforce their laws through mutual assistance treaties and other mechanisms all the time. GDPR Article 50 addresses this question directly. So far, the EU’s reach has not been tested, but no doubt data protection authorities are exploring their options on a case-by-case basis.

          1. 1

            We will have to agree to disagree. We don't advertise or target the EU, we're registered in the US, and our clients are US/Canadian/Australian.

            Technically I also need to comply with Chinese internet law, but I'm not worrying about that either. I guess the EU and China can sue me if they want!

            1. 1

              It's a law that can be enforced through mutual international treaties.

              However, common sense prevails in EU and especially with GDPR, so no one will go after you because of Google Analytics.

              But if you start collecting personal addresses, emails and phones disguised as a charity offering free gifts and then sell that to Chinese call centers for tax scams and upload it to 4chan, then yes, the EU's reach will be tested.

              So yes, I agree with you, you don't need to show popups or anything like that when you're serving US/Canadian/Australian customers.