Is Google Analytics GDPR Compliant?
If you follow the latest developments in the world of data regulation, you have likely heard of the General Data Protection Regulation (GDPR), set to take effect on May 25, 2018.
But what exactly is GDPR, and what does it mean for your business if you use tools like Google Analytics?
In this blog post, we’ll explore the specifics of GDPR, as well as some tips for remaining GDPR compliant.
You don’t want to miss this info!
What is GDPR?
GDPR is new European Union legislation that will take effect on May 25. It is designed to strengthen the rights of EU citizens regarding how their personal data is used and protected. And it will replace the Data Protection Directive.
The legislation applies to any organization, inside or outside the EU, that markets goods and services to EU citizens or tracks their behavior. So, if your business works with Europeans and processes their personal data, GDPR applies to you.
Organizations that do not abide by GDPR regulations can be fined up to 4% of annual global turnover or a cool €20 million, just under $24 million USD. Given those penalties, you will want to make sure you comply with GDPR standards.
Key GDPR changes
What exactly should you expect under GDPR regulation? Here are a few key changes:
- Consent: Companies will no longer be able to use illegible terms and conditions. Instead, requests for consent must be given in an easy-to-understand, accessible form.
- Right to access: Data subjects will have the right to obtain confirmation from data controllers about whether they are collecting personal data and for what purpose.
- Right to be forgotten: Data subjects may require data controllers to erase their personal data.
- Data portability: Data subjects will have the right to receive personal data concerning them.
- Privacy by design: Data protection must be included from the onset of designing systems.
- Data protection officers: GDPR will require internal record keeping and the mandatory appointment of a data protection officer for controllers and processors whose core activities involve processing operations that require regular monitoring of data subjects on a large scale, or that involve certain categories of data.
Feel free to check out the GDPR website for more info about these changes.
One of the most frequently asked GDPR questions is whether Google Analytics is GDPR compliant. Let’s take a look.
Is Google Analytics GDPR compliant?
Google recently sent an email to prepare Google Analytics users for GDPR.
The company recently introduced granular data retention controls to allow users to manage how long user and event data is stored on Google’s servers. Beginning on May 25, Google Analytics will automatically delete user and event data older than the retention period you select.
Prior to May 25, Google also plans to unveil a new user deletion tool that allows users to delete all the data associated with an individual user. You can check out Google’s Developers site for the latest info on the update.
Google stated that it will remain dedicated to providing policies to safeguard your data. These measures include:
- Customizable cookie settings
- Privacy controls
- Data sharing settings
- Data deletion on account termination
- IP anonymization
In addition, Google has started rolling out updates to their contractual terms for many products to reflect Google’s status as either data processor or data controller under GDPR. For both Google Analytics and Analytics 360, Google will act as the processor of the personal data that is handled in the service.
These new GDPR terms will supplement your current contract, and they will take effect May 25.
EU user consent policy
Google Analytics and Analytics 360 customers using advertising features are required to comply with Google’s EU user consent policy, which is being updated to reflect GDPR requirements.
Google sent an additional email with two action steps for GA users:
Step 1: Review and accept updated processing terms in each account for every product they manage in the Google Analytics Suite. You can do this by navigating to Admin > Account > Account Settings (scroll to bottom of page).
Step 2: Provide legal entity and contact details for notifications Google may need to send under GDPR. You can provide this information within Suite Home (Organization Settings > Data Processing Amendment – Details).