GDPR and Google Analytics

For a start, it’s relatively straightforward to use:

• you install Javascript code on web pages to track (monitor) website visitors
• that information is processed by Google Analytics’ servers
• you get invaluable reports which you can access, use, store and even share with others giving you some real insight about your website users.

It’s a system that works for many businesses.

So what has GDPR got to do with Google Analytics?

From 25th May 2018 if GDPR applies to you then you need to

• comply with GDPR requirements and
• have proof that you do

We know that GDPR is going to apply to personal data of EU individuals when data controllers and data processors are either

• processing  that personal data because of goods and/or services being offered or
• “monitoring” the behaviour of those individuals within the EU.

But surely Google Analytics doesn’t ever use personal data?

The problem is that the much broader definition of personal data includes data from which you can identify someone “directly or indirectly” using “all means reasonably likely to be used”, so any such information is personal data. It includes pseudonymous data, online identifiers and cookies which, as the GDPR states, can be combined with other data to create “profiles of the natural persons and identify them”.

The Google Analytics process means that both you are Google are sharing data:

• You are allowing Google to access data
• Google is supplying you with data in the form of reports.

It is actually a breach of the Google Analytics agreement to share “personally identifiable” data – but what about

• IP addresses
• user names which identify an individual
• email address required to log-in to your website or at least part of it (e.g. client specific pages)

Yes, exchanging “personally identifiable” is not supposed to happen, but it does.

Remember also that it’s not just about one individual data set or Google Analytics report on its own. What happens if you combine data sets that may appear unrelated such as a Google Analytics report with existing data you hold? If you can identify an individual from that combined data then it’s personal data.

You might even have others involved in your Google Analytics process because you outsource your Google Analytics. Do you outsource? Does another organisation manage your account for you? If so, we then start to get into the realms of who owns the account (often a grey area anyway with agencies)

Will you be able to use the data that you collect from individuals as part of the Google Analytics process?

You can only process personal data if you have a lawful basis for doing so. At the moment, you may be relying on the individuals’ consent, but GDPR stamps all over that because your current consent mechanism is probably not GDPR complaint since the criteria is much tighter.

Google will be taking care of all that

Before you think that somehow Google will look after the GDPR side of things for you – think again. Google is certainly taking steps to be GDPR complaint but remember that using Google doesn’t erase your own GDPR responsibilities.

You must also not forget that, according to your agreement with Google, using Google Analytics is your sole responsibility.  If you commit a breach of that agreement (including not having a GDPR complaint privacy policy when using Google Analytics) and you will find your access to Google Analytics terminated, at the very least.

What can I do if I want to carry on using Google Analytics?

Start by making sure you’re really clear about what data you currently hold, what you intend to collect and how you are going to use it. Most organisations store far too much “just in case” data so now is an excellent time to cleanse that data, including, dare I say it, permanently deleting data that you don’t need or can’t justify retaining.

Next set up some boundaries for using your Google Analytics account including

• how you can stop/monitor the use of personal data
• who will be involved in that data processing activity

Then think, being realistic think about whether you will be able to use Google Analytics – about your lawful basis for that processing activity. If you want to rely on an individuals’ consent to enable you to use their data in this way, make sure that how you obtain and interpret the consent is GDPR complaint.

Finally, are there any data transfer issues? Google currently relies on the EU-US Privacy Shield which means data transfer outside the EU (to approved compliant areas or organisations) is acceptable, but under GDPR it’s your responsibility to make sure that if personal data you control is transferred outside the EU that personal data will be properly protected. That means, at the very least, having some sort of checking mechanism, even if it is only a quick look to see that the EU-US Privacy shield applies and Google’s membership is valid.

By Bob Edwards, GDPR and CyberCrime consultant, Lawhound