Cookie Policy - Google Analytics

Google Analytics Cookie Usage on Websites

This document describes how Google Analytics uses cookies to measure user-interactions on websites.

Overview

Google Analytics is a simple, easy-to-use tool that helps website owners measure how users interact with website content. As a user navigates between web pages, Google Analytics provides website owners JavaScript tags (libraries) to record information about the page a user has seen, for example the URL of the page. The Google Analytics JavaScript libraries use HTTP Cookies to "remember" what a user has done on previous pages / interactions with the website.

How to Disable Analytics Cookies- User Opt Out

In some cases, it may be necessary to disable the Google Analytics tracking code on a page without having to remove the JavaScript tracking snippet. For example, you might do this if your site's privacy policy includes the ability for a user to opt-out of Google Analytics tracking.

Google Analytics Opt-out Browser Add-on

To provide website visitors the ability to prevent their data from being used by Google Analytics, we have developed the Google Analytics opt-out browser add-on for the Google Analytics JavaScript (ga.js, analytics.js, dc.js).

If you want to opt out, download and install the add-on for your web browser. The Google Analytics opt-out add-on is designed to be compatible with Chrome, Internet Explorer 11, Safari, Firefox and Opera. In order to function, the opt-out add-on must be able to load and execute properly on your browser. For Internet Explorer, 3rd-party cookies must be enabled. Learn more about the opt-out and how to properly install the browser add-on here.

Google Analytics opt-out browser add-on

You can opt-out of having making your site activity available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (gtag.js, ga.js, analytics.js, and dc.js) that is running on websites from sharing information with Google Analytics about visit activity.

Using the Google Analytics opt-out browser add-on will not prevent site owners from using other tools to measure site analytics. It does not prevent data from being sent to the website itself or in other ways to web analytics services.

Important: Read the Google Analytics privacy document for more details about the data collected by Google Analytics.

What is Google Analytics?

Google Analytics is Google’s powerful and widely used traffic analytics tool that allows website owners to get deep and real time insight into how their site is being used, how much, and by whom.

How do users find your website, how do they move around on it, how long do they stay for, and where do they go from there?

As such, Google Analytics is essentially a user data processing tool.

What is the GDPR and how does it affect my website?

The General Data Protection Regulation is a EU law that sets out strict requirements on how data of EU citizens may be handled.

It was enforced on 25 May 2018 and affects companies, organizations and websites large and small, that handle personal data of users from the EU.

For website owners, the regulation means that you have to go through all of your personal data processing activities and make sure that they comply.

Typically, data processing activities on websites are one of two types:

on the one hand, contact forms, email subscriptions and the like, where the personal data is explicitly requested and submitted directly by the user,
and cookies and online tracking on the other.

The GDPR means you have to go through both, and revise what data you are gathering, whether you really need this data and why, and how you are keeping it secure.

The problem with cookies in the GDPR

Due to their multiple uses, cookies are often the tricky part of ensuring compliance with the regulation.

Cookies serve a range of different purposes from functionality and performance, over statistics, to targeted marketing.

Some are necessary for the website to work, and some are not. Some enhance the user experience, some serve for monitoring and user profiling, and some do both.

Some are set by the website itself, while the majority are of third party provenance, typically set by embedded third party plug-ins.

On top of that, cookies on websites tend to change, meaning that getting an overview once and for all will not suffice.

In general terms, though, cookies do track users’ actions and are therefore subject to the GDPR.

The regulation affects your use of cookies and online tracking, your cookie policy and privacy policy, and the manner in which you obtain consentfrom your users for setting the cookies.

Plugins, embedded content, and tools in use on your website all set cookies.

As a website owner, you are responsible for all of the data processing activities going on on your website, of first party and third party provenance unheeded.

What is considered “personal data” in the GDPR?

The issue for website owners when it comes to using tools such as analytics, is the broad definition of personal data in the GDPR:

Not only IP addresses, contact information and sensitive data such as medical and financial records are personal, but also any data which can identify someone “directly or indirectly” using “all means reasonably likely to be used”.

This includes pseudonymous data, online identifiers and cookies which, as the GDPR states, can be combined with other data to create “profiles of the natural persons and identify them”.

What personal data does Google Analytics collect?

Google Analytics works by means of tracking code that is added to the pages of your website. Every user is registered with a unique ID, so that Google Analytics can provide you with insight into how many unique visitors there are to the site, for example, and how many users return.

With Google Analytics, one can survey how often any single user has visited the website, what pages they visited, for how long they stayed and how they interacted with the site.

Combined with their enormous statistical data on internet users, Google Analytics can provide very precise information on what segments your website attracts according to demographics such as age, gender, professional and private interests, geographical location etc.

An accurate overview of what data Google Analytics actually tracks is difficult to get hold of, as it is constantly developing and improving, and Google does not provide transparency about their methods.

According to their Google Ads Data Protection Terms: Service Information, Google Analytics collects the following types of personal data:

Online identifiers including cookie identifiers
internet protocol addresses and device identifiers
client identifiers

To get a general picture of what data Google is gathering, you may take a look at Google's privacy policy:

"We collect information to provide better services to all of our users – from figuring out basic stuff like which language you speak, to more complex things like which ads you’ll find most useful, the people who matter most to you online, or which YouTube videos you might like.

We collect information in two ways:

1. Information you give us.

For example, many of our services require you to sign up for a Google Account. When you do, we’ll ask for personal information, like your name, email address, telephone number or credit card. If you want to take full advantage of the sharing features we offer, we might also ask you to create a publicly visible Google Profile, which may include your name and photo.

2. Information we get from your use of our services.

We collect information about the services that you use and how you use them, like when you watch a video on YouTube, visit a website that uses our advertising services, or you view and interact with our ads and content."

According to the GDPR’s definition of personal data described above, the tracking of user behaviour and profiling is only compliant with the EU-regulations when the website obtains prior consent from the visitor, i.e. blocking Analytics until the visitor has opted in.

So, what has Google done to make Google Analytics GDPR ready?

On their blog, Google in Europe, Google has been sharing information about how they are preparing to meet the requirements of the GDPR since August 2017.

During the spring 2018, they have regularly released updates about their work to become GDPR compliant: they have updated their EU User Consent Policy, made changes to their contract terms, and made changes to their products in order to meet the requirements:

Google Analytics' Updated EU User Consent Policy

In accordance to their advertising features policy, both Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU User Consent Policy.Google's EU User Consent Policy is being updated to reflect the legal requirements of the GDPR.

It sets out website owners responsibilities for making disclosures to, and obtaining consents from end users in the European Economic Area (henceforth EEA).

For example, under that policy, advertisers will be required to obtain consent from users for the collection of data for personalized ads (e.g. remarketing tags to build audience lists) and for the use of cookies where legally required (e.g. conversion tags).

The policy is incorporated into the contracts for most Google ads and measurement products globally.

Google Analytics' contract changes

Google has been rolling out updates to their contracts for many products since August 2017, reflecting their status as either a processor or a controller under the GDPR (see full classification of Googles Ads products).

The new GDPR terms supplement your contract with Google and came into force on 25 May 2018.

In both Google Analytics and Analytics 360, Google operates as a processor of personal data that is handled in the service.

For Google Analytics clients based outside the EEA and all Analytics 360 customers, updated data processing terms are available for your review/acceptance in your accounts (Admin ➝ Account Settings).
For Google Analytics clients based in the EEA, updated data processing terms have already been included in your terms.
If you don’t contract with Google for your use of Google products, Google advises to seek advice from the parties with whom you contract.

Google Analytics' product changes

To comply, and support their customers compliance with GDPR, Google is:

Making some changes across the network of publisher sites on which your ads may appear - enabling publishers to show non-personalised ads and to select which third parties measure and serve ads for EEA users on their sites and apps.
Taking steps to limit the processing of personal information for children under the GDPR Age of Consent in individual member states.
They have introduced granular data retention controls that allow you to manage how long your user and event data is held on their servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select.
They are in the proces of launching a new user deletion tool that allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics and/or Analytics 360 properties. This new automated tool will work based on any of the common identifiers sent to Analytics Client ID (i.e. standard Google Analytics first party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase).
Exploring consent solutions for publishers, including working with industry groups like IAB Europe.

Find out more about Google Analytics GDPR'readiness

See privacy.google.com/businesses to learn more about Google’s data privacy policies and approach, as well as their data processing terms and data controller terms.

What YOU should do to make your use of Google Analytics GDPR compliant

However, all of these steps unheeded, as the owner of the website, you are the responsible party for the personal data of your visitors that is being handled on your site.

See this useful article on how to prepare your use of Google Analytics for the GDPR.

To prepare your use of Google Analytics for the GDPR, there are basically two things you should do:

Make changes in your Google Analytics account settings
Make sure that your website’s use of Google Analytics and other tools is compliant.

Checklist 1: Steps to make your Google Analytics GDPR compliant

1. Control how you are transmitting personal data to Google

It is not sufficient to filter out personal data via the Google Analytics filters.

The transmission must be stopped on code-level to prevent the data from ever being sent to Google Analytics.

Check your page url’s, page titles and other dimensions. Ensure that no personal data is being collected.

A common example of personal data collection is when you capture a page url that contains an “email= querystring” -parameter.

If this is the case, it is likely that you are leaking personal data to other marketing technologies in use on your site!

2. Turn on IP Anonymization in your Google Analytics account

The IP address is personal data according to the definition in the GDPR. IP addresses are by default never exposed in reporting, but Google uses them to provide geolocation data.

Therefore, it is a good idea to turn on the IP anonymization feature in Google Analytics.

This change will slightly reduce the geographic reporting accuracy of your Google Analytics account.

To turn on anonymization, you must make a change in the code.

If you use Google Tag Manager, adjust your tag or Google Analytics Settings variable by clicking into More Settings -> Fields to Set and then add a new field named ‘anonymizeIp’ with a value of ‘true’.

If you don’t use Google Tag Manager, your tag management system may have this setting exposed as an option, or you may need to edit the code directly.

Once implemented, Google will anonymize the IP address as soon as technically feasible by removing the last octet of the IP address before any storage or processing begins (your IP becomes 123.123.123.0 — where the last portion/octet is replaced with a ‘0’). Once this features is enabled, the full IP address is never written to the disk according to Google.

3. Go through the collection of Pseudonymous Identifiers in your Google Analytics

Your Google Analytics implementation may already be using pseudonymous identifiers. These may include the following:

User ID: Control that the user IDs are alphanumeric database identifiers, and not data written in plain text such as emails, usernames etc.

Hashed/Encrypted data such as email address: Check, if you can do without hashed or encrypted data. Google has a minimum hashing requirement of SHA256. However, it is recommended to avoid collecting data in this manner.

Transaction IDs : Transaction IDs are technically pseudonymous identifiers, since when linked with another data source, it can lead to the identification of an individual. Make sure that this ID is an alphanumeric database identifier.

Checklist 2: Steps to make your website’s use of Google Analytics and privacy policy GDPR compliant

1. Provide transparency about the data processing on your site in your privacy policy and / or cookie policy

Make sure that the actual data processing that is going on on your website is clearly stated, for example in your privacy policy. It is a requirement of the GDPR, that the information on the data collection…

is specific and up-to-date at all times,
is written in a plain and understandable language,
provides clear instructions on how one may opt in and out of ones data being collected.

Read more about the requirements and how to comply in our article Privacy policy.

Do you have a proper cookie policy in place? The cookie policy should be accessible for your users, and outline what cookies are in use, what purpose they serve, and how one may opt in and out of them.

It doesn’t matter whether your cookie policy is an independent document or integrated in your privacy policy, as long as the information is easily accessible for your users.

Read more about the requirements for the cookie policy and how to comply with them.

With Cookiebot, the monthly report of the scan of your website can be published as an integrated part of your privacy policy and cookie policy.

That way, your information to your users is always specific and up to date with the actual data processing going on, no matter how your tools and cookies change.

Also, the declaration automatically provides the mandatory options of changing and revoking consent.

2. Google Analytics and GDPR consent to cookies and tracking

Getting a proper consent to the use of cookies from your visitors is a crucial part of rendering your website compliant with the GDPR. In order to be compliant, the consent has to be…

Obtained prior to the setting of the cookies on the user’s browser (strictly necessary cookies are excepted from this rule)
Given on the basis of clear and specific information about what the consent is given to
Based on a true choice. The user must be able to opt out of all but the strictly necessary cookies and still use the site.
Retrievable. The user must have access to their settings and make changes to what cookies they want to accept and reject.
Kept as documentation that the consent has been given.

Read more in our article about cookie consents and the GDPR.

Cookiebot is one of the few cookie consent solutions that does all of that.

You can’t control Google. But by implementing Cookiebot, you can make your website’s use of cookies and online tracking GDPR compliant.