GDPR and Google Analytics Guide

What is the GDPR?

From SEAL Metrics we have created this GDPR guide for marketers to shed some light on how it affects our digital businesses.

GDPR stands for General Data Protection Regulation. It came into force in May 2018.

The aim of the GDPR is to protect users’ personal data and empower them to have more control over that data.

We are talking about a regulation that seeks to ensure that companies that receive personal data from their customers keep it protected.

What is personal data under the GDPR?

  • name and surname,
  • address,
  • e-mail address, of the type name.lastname@company.com,
  • national identity card number,
  • location data (such as the location data function of a cell phone) (*),
  • internet protocol (IP) address,
  • the identifier of a cookie (*),
  • the phone’s advertising identifier,
  • data held by a hospital or doctor, which could be a token that uniquely identifies an individual.

What is NOT personal data under the GDPR?

  • Business registration number,
  • e-mail address, such as info@company.com,
  • anonymized data.

Fines for not complying with the GDPR:

  1. Up to 10 Million or 2% of total turnover.
  2. Up to 20 Million or 4% of total turnover.

Depending on the type of offense.

The GDPR affects all of us who have online businesses and deal with users’ personal data. Therefore we must be very attentive to the regulation.

How to comply with the GDPR if we work with Google Analytics?

To comply with GDPR if you are working with Google Analytics check these points. Remember that you have in SEAL Metrics a legal, simple, data agnostic and useful alternative to Google Analytics.

  1. You cannot “set” the Google Analytics cookie without the user’s consent.
  2. Make your cookie policy easily accessible and transparent.
  3. Make clear and accessible information about your privacy policy.
  4. Audit your website and detect points where you collect personal data.
  5. Do not activate the advertising Features.
  6. Do not activate the Remarketing option from Google Analytics.
  7. Do not connect your Google Ads account with Google Analytics.
  8. Anonymize IPs
  9. Do not save or store personal data of your users.
  10. Do not upload data to Google Analytics that contains personal data.

It may all sound very aggressive, but this is truly the way to go. Another issue is that once you are GDPR compliant because you have done the above steps, you still have to comply with the ePrivacy Regulation.

What does the ePrivacy Regulation consist of?

I will summarize it for you because we have already explained in this post the main differences between GDPR vs ePrivacy Regulation.

Basically, GDPR consists of “anonymizing” and protecting our users’ data. ePrivacy is about not being able to individually measure user navigation with any technology. Therefore, if you work with cookies, or with Google Analytics, if you are measuring individually, you are not ePrivacy compliant.

You can be GDPR compliant but your measurement tool is most likely not ePrivacy compliant.

GDPR & Google Analytics FAQs:

On Wednesdays, we host webinars where we share data and information on Sales Scalability and Web Analytics. Here’s a summary of the main questions we get asked by users.

  1. If I comply with GDPR should I ask for consent?
  2. Do I have to ask for consent for my Remarketing campaigns?
  3. Do I have to ask for consent if I work with anonymous userID?
  4. Do I have to ask for consent if I work with digital fingerprinting?
  5. Do I have to ask for consent to measure conversions?
  6. Do I have to ask for consent if I work with Server Side Tags?
  7. Do I have to ask for consent if I work with Google Floc?
  8. Do I have to ask for consent if I work with a modeling system to calculate statistics?

If I comply with GDPR should I ask for consent?

Yes, you should ask for consent because even if you are GDPR compliant you will most likely not be ePrivacy compliant. That is why we recommend working with SEAL Metrics.

Do I have to ask for consent for my Remarketing campaigns?

Of course, you do, since remarketing campaigns work by measuring the user individually, ergo for ePrivacy you have to ask for it.

Do I have to ask for consent if I work with an anonymous userID?

Yes, you must ask for consent. Since the User-id is an id that identifies an individual user, you must ask for consent for ePrivacy.

Do I have to ask for consent if I work with digital fingerprinting?

Yes, you must request it. Digital fingerprinting is a technique that makes it possible to identify a device. This technique applied to web analytics allows measuring the interactions of a user’s terminal without the need for cookies. As the regulation says, regardless of the technology applied, it is not possible to measure a user individually; ergo it requires consent.

Do I have to ask for consent to measure conversions?

You do if you are going to do data aggregation to count conversions. I mean, I generated 30 sales yesterday and nothing else. You could work without consent. But what happens is that the reality is different. I’m sure you’ll see conversions by traffic source, campaign, keyword… In order to assign conversions to a traffic source you have to analyze it individually, and you know what the regulations say, it requires consent.

Do I have to ask for consent if I work with Server Side Tags?

Being able to measure from the webserver instead of from Google Analytics, for example, is a particularly useful technique to “skip” the adblockers or restrictive browsers or more wary of user privacy as is the case of Safari or Firefox among others.

Server-side tags mean that the Google Analytics pixel sets the cookie from the client’s domain instead of Google’s domain, so usually, it is not blocked.

In the end, what this technique does is measure in an individualized way, so it requires consent.

Do I have to ask for consent if I work with Google Floc?

Google Floc was a measurement process invented by Google in order to be able to “measure” where consent did not allow it.

That is, Google Floc consists of measuring a percentage of your visitors, creating cohorts or groups of users of 1%, 3% or 5% of your traffic. They model (as they say) from this information and calculate the total traffic between those accepting cookies and those in the cohort group.

The idea seems interesting but it doesn’t work, it requires consent anyway. ePrivacy does not say that you can measure cohorts, no matter how small they are, without consent. It says that whatever the case may be, if there is individualized measurement, it requires consent.

Do I have to ask for consent if I work with a modeling system to calculate statistics?

Yes, exactly the same as in the Google Floc example.

SEAL Metrics alternative to Google Analytics

If you want to try SEAL metrics, you have 7 days free trial, fixed price unlimited domains, unlimited traffic. Choose the package you are interested in and start seeing the reality of your data.

Download GDPR Guide for Marketers

Download or free GDPR Guide With more than 800 downloads of best European Digital Marketers.

Download FREE

Access SEAL Metrics Demo Account

Take a look at the Best Cookiless and Privacy First Web Analytics

Access DEMO Account