ePrivacy Regulation & Google Analytics: Do You Need Consent?

By admin Aug 23, 2023


Google Analytics is a staple for most
optimizers and marketers.

The ubiquity of this solution makes it
innocuous to the point where we tend to overlook the settings of our Google
Analytics account when privacy regulations roll out.

But the GDPR was a substantial nudge for testers to scrutinize their Google Analytics data storage and processing.

And now with the ePrivacy Regulation, another layer of consideration – around how to gain visitor consent for the use of the analytics suite – will be added to the plate of optimizers.

Originally meant to release on the same day as the GDPR, the ePrivacy Regulation is set to change how cookie consent works. It will redefine how websites seek consent from their users for installing cookies into their browsers. And because web analytics solutions like Google Analytics use cookies to collect, store, and track their analytics data, they naturally fall under its purview.

So will the ePrivacy Regulation require every website that uses Google Analytics (and caters to European audiences) to seek explicit cookie consent?

Well, the answer is subjective.

And it depends largely on how a Google
Analytics account is set up and configured.

Let’s take a closer look.

If you only use Google Analytics as a simple first-party data analytics tool to learn about your website audience in a non-invasive way, you might not need to seek explicit cookie consent. In fact, the European Commission’s ePrivacy Regulation proposal suggests that cookie consent can be exempted when the data tracked is purely for analytical purposes:

“The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent.”

Dubbed as the “cookie provision,”
this consent exemption allows webmasters who have configured their Google
Analytics in a privacy-friendly way to install their cookies without seeking
explicit consent.

Also, in its Cookie Consent Exemption paper, the Working Party, an independent European advisory body on data protection and privacy constituted by the European Parliament, made a special case for such first party analytics cookies to be exempted under the revised ePrivacy Regulation proposal:

“However, the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms that are applied to other collected identifiable information such as IP addresses.”

Following from this, you might not necessarily
need to add explicit cookie consent banners to your website if your use of
Google Analytics is non-intrusive. To qualify for this, among all the other
things, your Google Analytics account must be configured in such a way that it:

  • Has the right anonymization in
    place ensuring that the data collected isn’t personally identifiable
  • Ensures that no information
    about any users is ever passed on to any Google Analytics servers
  • Doesn’t share the Google Analytics
    data with any third-party solution providers

In addition to these, you’d also be expected
to publish an easy-to-understand cookie policy that plainly explains what
Google Analytics cookies you use, what data they collect, and how the data gets
processed.

Also, your users should get the option to easily opt out of your Google Analytics cookie tracking.

Using Google Analytics in More Ways Than as a First-party Analytics Tool

Quite a few marketers use more advanced
implementations of Google Analytics. Such a configuration often slices and
dices the analytics data in a way that tiptoes the privacy lines that laws like
the GDPR draw. For example, if you use your Google Analytics cookies to map the
user id that Google Analytics uses for a visitor to your other marketing solutions,
then you’d need explicit consent of your visitors before using your cookies. If
you’re using the user id feature for cross-device tracking, again, you might
have to seek explicit consent.

Using Google Analytics Advertising Features,
too, will need you to ask for consent from your users before installing your
Google Analytics cookies as Google installs additional cookies in this case.

Likewise, if you use third party tracking
pixels with your Google Analytics, you’ll have to seek explicit consent in most
implementations.

As you can tell, such configurations of Google
Analytics could use and process some personal user data and also end up sharing
it with other service providers.

And so these cases fall under the GDPR and need explicit consent. And because the ePrivacy Regulation is meant to “particularise and complement” how the GDPR approaches personal data processing by “translating its principles into specific rules,” the cookie consent rules it proposes apply to websites using Google Analytics cookies in such non-standard implementations.

The ePrivacy Regulation and Browsers (and the Impact on Your Google Analytics Cookies and Data)

As you can see, after the ePrivacy Regulation, using Google Analytics in more advanced ways will require you to seek explicit consent from your users before installing cookies into their browsers.

But that’s not all. The ePrivacy Regulation also wants to encourage privacy by design and default in web browsers and wants companies that power browsers to help users make better and more informed cookie consent choices via the browser settings themselves:

“Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in an easily visible and intelligible manner.”

So if your users choose to go with options
like “never accept cookies” or opt for accepting just “strictly
necessary cookies,” your Google Analytics data will get impacted.

Developments like Apple’s updates to the ITP and others — in line with the growing demands for more private browsing experiences — are also cutting short the cookie duration, including the duration of the first-party cookies that Google Analytics sets.

Based on the type of browser we are talking about, repeat visitor counts may be significantly impacted.

Wrapping it Up…

Depending on how you configure and use Google
Analytics on your website, you can learn a lot about your users. And so even if
your usage doesn’t require you to set up cookie consent walls and banners on
your website, you must still explain your cookies and their use in a neat and
easy-to-understand cookie policy.

In case you happen to need cookie consent for
your Google Analytics cookie usage, make sure to seek it the right way.

And if you think you could cover even your
non-standard Google Analytics cookies without consent under the GDPR’s
Legitimate Interests provision, check out our detailed take on consent versus legitimate interests.

At Convert, we take a privacy-first approach to everything we do. We consider the GDPR and the upcoming ePrivacy Regulation that builds on it to be solid initiatives to stop the internet from becoming an “always on” surveillance system, guzzling tons of user data every second, mostly without the users’ (specific, informed, active, and freely given) consent.

We don’t just comply with such laws but also help our customers offer memorable digital experiences while still staying compliant with them. In fact, our A/B testing and experiments solution doesn’t use any personal data in the default setting, operates with first party set cookies and is the only enterprise-level experimentation solution to be designed this way. We’re forever committed to empowering our customers to run winning experiments while fully respecting their users’ privacy.


