Skip to content
Rafa Jimenez

Founder of SEAL Metrics. Privacy Marketer.

GDPR and Google Analytics Guide

What is the GDPR?

We have created this GDPR guide for marketers to shed some light on how it affects our digital businesses.

GDPR stands for General Data Protection Regulation. It came into force in May 2018.

The GDPR aims to protect users’ personal data and empower them to have more control over that data.

We are talking about a regulation that seeks to ensure that companies that receive personal data from their customers keep it protected.

What is personal data under the GDPR?

  • name and surname,
  • address,
  • e-mail address, of the type name.lastname@company.com,
  • national identity card number,
  • location data (such as the location data function of a cell phone) (*),
  • Internet protocol (IP) address,
  • the identifier of a cookie (*),
  • the phone’s advertising identifier,
  • Data held by a hospital or doctor could be a token that uniquely identifies an individual.

What is NOT personal data under the GDPR?

  • Business registration number,
  • e-mail address, such as info@company.com,
  • anonymized data.

Fines for not complying with the GDPR:

  1. Up to 10 Million or 2% of total turnover.
  2. Up to 20 Million or 4% of total turnover.

Depending on the type of offense.

The GDPR affects all of us who have online businesses and deal with users’ personal data. Therefore, we must be very attentive to the regulation.

How to comply with the GDPR if we work with Google Analytics?

To comply with GDPR if you are working with Google Analytics, check these points. Remember that you have in SEAL Metrics a legal, simple, data-agnostic, and helpful alternative to Google Analytics.

  1. You cannot “set” the Google Analytics cookie without the user’s consent.
  2. Make your cookie policy easily accessible and transparent.
  3. Make clear and accessible information about your privacy policy.
  4. Audit your website and detect points where you collect personal data.
  5. Do not activate the advertising Features.
  6. Do not activate the Remarketing option from Google Analytics.
  7. Do not connect your Google Ads account with Google Analytics.
  8. Anonymize IPs
  9. Do not save or store personal data of your users.
  10. Do not upload data to Google Analytics that contains personal data.

It may all sound very aggressive, but this is truly the way to go. Another issue is that once you are GDPR compliant because you have done the above steps, you still have to comply with the ePrivacy Regulation.

What does the ePrivacy Regulation consist of?

I will summarize it for you because we have already explained in this post the main differences between GDPR vs ePrivacy Regulation.

Basically, GDPR consists of “anonymizing” and protecting our users’ data. ePrivacy is about not being able to measure user navigation with any technology individually. Therefore, if you work with cookies, or with Google Analytics, if you are measuring individually, you are not ePrivacy compliant.

You can be GDPR compliant but your measurement tool is most likely not ePrivacy compliant.

GDPR & Google Analytics FAQs:

On Wednesdays, we host webinars where we share data and information on Sales Scalability and Web Analytics. Here’s a summary of the main questions we get asked by users.

  1. If I comply with GDPR should I ask for consent?
  2. Do I have to ask for consent for my Remarketing campaigns?
  3. Do I have to ask for consent if I work with anonymous userID?
  4. Do I have to ask for consent if I work with digital fingerprinting?
  5. Do I have to ask for consent to measure conversions?
  6. Do I have to ask for consent if I work with Server Side Tags?
  7. Do I have to ask for consent if I work with Google Floc?
  8. Do I have to ask for consent if I use a modeling system to calculate statistics?

If I comply with GDPR should I ask for consent?

Yes, you should ask for consent because even if you are GDPR compliant you will most likely not be ePrivacy compliant. That is why we recommend working with SEAL Metrics.

Do I have to ask for consent for my Remarketing campaigns?

Of course, you do, since remarketing campaigns work by measuring the user individually ergo for ePrivacy, you have to ask for it.

Do I have to ask for consent if I work with an anonymous userID?

Yes, you must ask for consent. Since the User-id is an id that identifies an individual user, you must ask for consent for ePrivacy.

Do I have to ask for consent if I work with digital fingerprinting?

Yes, you must request it. Digital fingerprinting is a technique that makes it possible to identify a device. This technique applied to web analytics allows measuring the interactions of a user’s terminal without the need for cookies. As the regulation says, regardless of the technology applied, measuring a user individually is impossible; ergo it requires consent.

Do I have to ask for consent to measure conversions?

You do if you are going to do data aggregation to count conversions. I mean, I generated 30 sales yesterday and nothing else. You could work without consent. But what happens is that the reality is different. You’ll surely see conversions by traffic source, campaign, keyword… To assign conversions to a traffic source you have to analyze it individually, and you know what the regulations say, it requires consent.

Do I have to ask for consent if I work with Server Side Tags?

Measuring from the webserver instead of from Google Analytics, for example, is a particularly useful technique to “skip” the adblockers or restrictive browsers or more wary of user privacy as is the case of Safari or Firefox among others.

Server-side tags mean that the Google Analytics pixel sets the cookie from the client’s domain instead of Google’s domain, so usually, it is not blocked.

In the end, this technique measures in an individualized way, so it requires consent.

Do I have to ask for consent if I work with Google Floc?

Google Floc was a measurement process invented by Google to be able to “measure” where consent did not allow it.

That is, Google Floc measures a percentage of your visitors, creating cohorts or groups of users of 1%, 3% or 5% of your traffic. They model (as they say) from this information and calculate the total traffic between those accepting cookies and those in the cohort group.

The idea seems exciting but it doesn’t work, it requires consent anyway. ePrivacy does not say that you can measure cohorts, no matter how small they are, without consent. It says that whatever the case may be, if there is individualized measurement, it requires consent.

Do I have to ask for consent to use a modeling system to calculate statistics?

Yes, exactly the same as in the Google Floc example.

SEAL Metrics alternative to Google Analytics

If you want to try SEAL metrics, you have a 7-day free trial, fixed price, unlimited domains, and unlimited traffic. Choose the package you are interested in and start seeing the reality of your data.

Explore More: How GDPR Affects Google Analytics

If you’ve found this guide helpful, you may also be interested in our in-depth article on How GDPR Affects Google Analytics. This companion piece dives deeper into the core principles of GDPR and how they intersect with Google Analytics.

In the article, you’ll discover:

  • Key Principles of GDPR: Understand the foundational elements of the General Data Protection Regulation and why they matter for your analytics.
  • Types of Data Collected: Learn about the different kinds of data that Google Analytics collects and how GDPR regulations apply to them.
  • User Consent: Gain insights into the importance of obtaining user consent before collecting data and how to manage this process effectively.
  • Legal Ramifications: Get to know the potential legal consequences, including fines and lawsuits, of not complying with GDPR while using Google Analytics.
  • Best Practices: Pick up actionable tips and best practices for ensuring that your use of Google Analytics is GDPR-compliant.

Don’t miss out on this valuable resource that complements the insights you’ve gained here. Read it now!

Categories:

Privacy Marketing

The Newsletter for Privacy Marketers

Everything a marketer needs to know about privacy

Related articles

Discussion (0)