Google Analytics GDPR Checklist. Become GDPR compliant using GA

DISCLAIMER: I am not a lawyer and this article is based on my own extensive research and interpretation of GDPR. This article is for informational purposes only and is not a substitute for professional legal advice. Use your own discretion.

In order to fully understand this article, you may need to read it from start to finish at least 2 times.

This is because there is a lot of jargon that you may encounter early in this article but that I explain only later.

Without understanding this jargon, you are going to have a very hard time implementing GDPR.

 

What is GDPR?

GDPR stands for General Data Protection Regulation.

It is Europe’s new privacy law. This new law came into force on May 25, 2018.

GDPR gives data subjects more rights and control over their personal data and how it is used.

 

Why should you, as a marketer, care about GDPR?

If you are processing personal data of ‘data subjects’ then you have to comply with GDPR regardless of where you live on this planet.

There are two levels of administrative fines that can be levied (on a case by case basis) for not complying with GDPR:

1) Up to €10 million ($12.5 million), or 2% annual global turnover (whichever is higher).

2) Up to €20 million ($24.73 million), or 4% annual global turnover (whichever is higher).

Besides the power to impose fines, a supervisory authority like the ‘Information Commissioner’s Office’ (ICO) can:

  • Issue warnings and reprimands.
  • Impose a temporary or permanent ban on your data processing.
  • Order the rectification, restriction or erasure of your data.
  • Suspend data transfers to third countries.

If you are a business entity (corporation, partnership, limited liability company, sole proprietor) based in the EU then you should not ignore GDPR compliance, as your business is going to be directly and heavily affected by it.

Under Article 82 of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the data controller or processor for the damage suffered.

The individual is entitled to bring a compensation claim in the courts.

This could open the floodgates for compensation claims to both data controllers and data processors.

In order to understand GDPR and enforce it across your organization, you would first need to understand the meaning of key terms used in GDPR.

 

What is considered as personal data in the context of GDPR?

In the context of GDPR, personal data is any information that relates to you and/or that can be used to uniquely identify you either directly or indirectly.

It can include (but is not limited to): your name, email address, IP address, house address, phone number, credit card information, ZIP/PIN code, your photos, videos, recorded voice, genetic data, biometric data, etc.

 

What is considered as sensitive personal data in the context of GDPR?

Sensitive Personal Data includes genetic data and biometric data.

What that means is that if you are processing data related to a person’s skin color (black, white, brown, etc.), race (Asian, Caucasian), sexual orientation (gay, lesbian, transsexual, etc.), health, etc., then that is all considered sensitive personal data.

Political opinion and religious beliefs are also considered as sensitive personal data.

Under GDPR, processing of sensitive personal data is prohibited.

Only in specific cases, the processing is allowed.

 

What is data processing?

Any operation or set of operations (whether manual or automatic) which is performed on personal data is data processing.

Anything that you do with personal data is data processing.

Data processing can include (but is not limited to):

  • Collecting data
  • Storing data
  • Modifying data
  • Structuring data
  • Sending data
  • Using data
  • Accessing data
  • Deleting data

Note: The GDPR does not apply to data processing carried out by law enforcement agencies or data processing carried out by individuals purely for personal/household activities.

 

Who is the data controller?

If you decide why and how personal data is processed then you are a data controller.

If you determine the purposes and means of processing personal data then you are a data controller.

Any individual or business entity (corporation, partnership, limited liability company) can be a data controller.

For example, if you use email addresses to send newsletters to your subscribers/customers then you are a data controller.

If you use cookies to re-market to your website visitors or customers then you are a data controller.

Similarly, if you use your website users’ behavioral data or browsing history to provide personalized user experience then you are a data controller.

Long story short, if you own a website and/or mobile app then under GDPR, you are most likely a ‘data controller’.

 

Who is the data processor?

If you process personal data on behalf of a controller then you are a data processor.

Any individual or business entity (corporation, partnership, limited liability company, sole proprietor) can be a data processor.

For example, if you process personal data on behalf of your client(s) then you are a data processor.

What that means is that, under GDPR, all consultants, agencies, and freelancers are most likely data processors, as they process personal data on behalf of their clients in some shape or form.

When you use an analytics tool like ‘Google Analytics’ to track & manage website usage data then Google Analytics becomes your data processor, as it processes website usage data on your behalf.

When you use an advertising platform like ‘Google Adwords’ or ‘Facebook’ to market or re-market to your website visitors/customers then ‘Google Adwords’ & ‘Facebook’ become your data processors, as they process marketing data on your behalf.

When you use an A/B testing tool to show different variations of a page to your website visitors then your A/B testing tool becomes your data processor, as it processes website usage data on your behalf.

Similarly, when you use an email marketing and automation tool like ‘Get Response’, it becomes your data processor, as it processes email addresses on your behalf.

Most data processors, if not all, can also be considered as data controllers in their own right, for the processing they do, for their own administrative purposes.

 

GDPR can apply to both data controllers and data processors

Under GDPR, both data controllers and data processors must make a greater effort to process personal data, must make it clear how data will be processed and ask for users’ consent wherever applicable.  

Under GDPR, whenever there is a personal data breach, the data processors must notify the data controllers and the data controllers must notify supervisory authorities and data subjects as soon as possible.

You, as a data controller, have a legal obligation to ensure that your data processors comply with GDPR.

 

What is the EU (European Union)?

GDPR is an EU privacy law.

The European Union (or EU) is a political and economic union of 28 member states that are located primarily in Europe.

The member states are: United Kingdom, Germany, Poland, Italy, Sweden, Romania, Netherlands, Bulgaria, Greece, Hungary, Czech Republic, Croatia, Republic of Ireland, Austria, Finland, Kingdom of Denmark, Belgium…

Source: https://en.m.wikipedia.org/wiki/European_Union

 

What are third countries under GDPR?

If your country is not a member state of the European Union then you are referred to as ‘third country’ under GDPR.

GDPR imposes restrictions on the transfer of personal data to third countries or international organizations.

The UK will no longer be part of the EU if Brexit happens. As such, she will become a third country.

 

Who are data subjects?

In the context of GDPR, a data subject is the person whom the personal data is about.

A data subject can be any person within the border of the EU (European Union) at the time of processing of their personal data.

Though data subjects are primarily EU citizens, you don’t have to be an EU citizen in order to be considered a data subject.

The citizens of the countries that are members of the European Union are called EU citizens.

What that means is that non-EU citizens of any nationality (including but not limited to: temporary residents, tourists, international students, migrant workers, refugees, etc.) who are within the border of the EU (European Union) at the time of processing of their personal data are considered data subjects.

So if you are an American and you go to any EU member state (like Germany), say for travel, then under GDPR, you automatically become a data subject.

Once you move out of the EU border, you are no longer considered a data subject (unless your personal data is still processed by an organization “established” in the EU).

The same goes for EU citizens.

If you are an EU citizen and you move out of the EU border, say for travel or business purpose or temporary/permanent stay, you are no longer considered a data subject (unless your personal data is still processed by an organization “established” in the EU).

In other words, if a data subject moves out of the EU border then his personal data processed under these circumstances is not covered by the GDPR and he is no longer a data subject in the context of the GDPR (unless his data is still processed by an organization “established” in the EU).

GDPR gives data subjects more rights and control over their personal data and how it is used.

It is important to remember that GDPR does not give more rights and control over your personal data if you are not a data subject.

 

What does the GDPR mean for marketers?

GDPR has taken users’ consent to a whole new level.

GDPR expects that you ask for ‘explicit consent’ from ‘data subjects’ instead of ‘implicit consent’ wherever possible.

Explicit consent needs to be a very clear, concise and specific statement.

It should clearly specify why you want the consent and what you are going to do with it.

The consent needs to be in plain English (or whatever language you use).

It should not be vague or full of jargon that a regular person cannot understand.

Following is an example of ‘explicit consent’:

“When you sign up on our website, we assign you a unique ID. Through this ID we track your usage of our website across different devices and browsers. This helps us in maintaining certain website functionality and providing you a better user experience. Please click the checkbox below if you are fine with this.”

The following is not ‘explicit consent’, as it is not clear and does not say why you are asking for the consent and what you are going to do with it:

“We do User ID tracking. Please click the checkbox below, if you are fine with this”

 

Default consent is not a ‘valid consent’.

A default consent can be in the form of pre-ticked boxes on a form, or consents mentioned somewhere in terms and conditions.

So under GDPR, you should not use pre-ticked boxes as a form of user consent.

All consent requests must be clearly presented to data subjects, regardless of their being mentioned in your terms and conditions.

For example, if a user is automatically subscribed to your newsletter as soon as he makes a purchase on your website, even though he did not explicitly opt in to your newsletter, then that is not ‘valid consent’.

Under GDPR, you should make it easy for ‘data subjects’ to withdraw consent and tell them how.

For example, if you are sending out newsletters to ‘data subjects’, there needs to be an ‘unsubscribe’ link somewhere in the email which is clearly visible and which works in just one click.

Under GDPR, you should avoid making consent a precondition of a service.

You should avoid penalizing ‘data subjects’ for withdrawing consent.

So if a data subject refuses to give you a particular consent, you should not kick him/her out of the website (by redirecting him/her to, say, the ‘Google Home page’).

GDPR also requires you to record each consent (like what, when and how the consent was given) and maintain records of them.

You may need to obtain fresh consent from ‘data subjects’ if your consent requests have always been buried in your terms and conditions and data subjects are not aware of them.
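One way to keep the consent records described above (what, when and how each consent was given), added here as an example and not taken from the original article: an append-only ledger that refuses pre-ticked or terms-and-conditions consent and stores withdrawals as new entries. The field names, method labels and sample subject are assumptions constructed for illustration.

```javascript
// Added example: append-only consent ledger.
// Field names and method labels are assumptions, not a GDPR-defined schema.

// Collection methods the article treats as default consent, which is not valid.
const INVALID_METHODS = new Set(['pre_ticked_checkbox', 'terms_and_conditions']);

function createConsentLedger(clock = () => new Date().toISOString()) {
  const records = [];   // never edited in place: a withdrawal is a new entry

  function append(entry) {
    const record = Object.freeze({ ...entry, at: clock() });   // "when"
    records.push(record);
    return record;
  }

  return {
    // "what" = purpose plus the exact wording shown, "how" = method.
    grant({ subjectId, purpose, wording, method }) {
      if (!subjectId || !purpose) {
        throw new Error('subjectId and purpose are required');
      }
      if (!wording || !wording.trim()) {
        throw new Error('record the exact consent wording that was shown');
      }
      if (!method || INVALID_METHODS.has(method)) {
        throw new Error(`method "${method}" is not a valid way to collect consent`);
      }
      return append({ subjectId, purpose, wording, method, action: 'granted' });
    },

    // Withdrawal must be easy: only the subject and the purpose are needed.
    withdraw({ subjectId, purpose, method }) {
      if (!subjectId || !purpose) {
        throw new Error('subjectId and purpose are required');
      }
      return append({ subjectId, purpose, method, action: 'withdrawn' });
    },

    // The latest entry for a purpose wins; no entry at all means no consent.
    hasConsent(subjectId, purpose) {
      for (let i = records.length - 1; i >= 0; i--) {
        const r = records[i];
        if (r.subjectId === subjectId && r.purpose === purpose) {
          return r.action === 'granted';
        }
      }
      return false;
    },

    // Full audit trail for one data subject, oldest entry first.
    history(subjectId) {
      return records.filter((r) => r.subjectId === subjectId);
    },
  };
}

// Constructed walk-through with an invented subject ID.
const demoLedger = createConsentLedger();
demoLedger.grant({
  subjectId: 'subject-001',
  purpose: 'user_id_tracking',
  wording: 'When you sign up on our website, we assign you a unique ID...',
  method: 'unticked_checkbox_clicked',
});
// Check consent per purpose before starting the tracking that depends on it.
console.log(demoLedger.hasConsent('subject-001', 'user_id_tracking'));   // granted
console.log(demoLedger.hasConsent('subject-001', 'newsletter'));         // never asked
demoLedger.withdraw({ subjectId: 'subject-001', purpose: 'user_id_tracking', method: 'settings_page' });
console.log(demoLedger.history('subject-001').length);
```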

 

Rights of data subjects under GDPR

Under GDPR, a data subject has got certain rights. 

When you, as a business entity, provide the following rights to ‘data subjects’, you are considered to comply with GDPR:

#1 The right of notification of data breach

Under GDPR, whenever there is a personal data breach, the data processors must notify the data controllers and the data controllers must notify supervisory authorities and data subjects as soon as possible.

This must be done within 72 hours of first having become aware of the breach.

 

#2 The right to access

All data subjects have the right to know:

  • If their personal data is being used
  • How they can access it
  • How they can change or delete it
  • Why it’s being used or who it’s shared with
  • How long it will be stored

 

#3 Right to be forgotten

If a data subject asks you to erase his personal data, you must comply ASAP (provided you have no legal grounds to keep processing it).

You should delete data subjects’ data in the following events: you no longer need it, the data was used unlawfully, or a data subject exercised their right to object.

 

#4 The right to object

A data subject has the right to object at any time to the use of their personal data for direct marketing purposes or for any other legitimate purpose.

For example, if a data subject asks you to stop retargeting them then you must do so.

How this can be technically implemented, however, remains a question.

 

#5 The right to rectification

A data subject has the right to ask you to update their personal data if it’s incorrect or incomplete.

And you should do it ASAP.

 

#6 Privacy by design

Privacy by design is an approach to designing projects, processes, products or systems that promotes privacy and data protection compliance from the start.

Article 23 of GDPR expects data controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimization), as well as to limit access to personal data to those who need it to carry out the processing.

Basically, if you have got a website, you may need to redesign/redevelop it in such a way that it keeps its collection of personally identifiable information of data subjects to the bare minimum.

‘Privacy by design’ is a huge topic on its own and explaining it further is beyond the scope of this article.

 

What is the supervisory authority?

A supervisory authority is a governing body that is going to enforce GDPR.

Each EU member state will appoint a ‘Supervisory authority’ which will work with other member states’ ‘Supervisory authorities’.

Supervisory authorities have the power to:

  • conduct audits
  • order a data controller/processor to comply with GDPR
  • issue warnings, fines or a ban on data processing.

In the case of the UK, the ‘Information Commissioner’s Office’ (ICO) acts as the supervisory authority.

 

Who is a data protection officer?

Under GDPR, certain organizations (usually the ones which do large-scale processing of personal data) are required to appoint a ‘Data Protection Officer’ (DPO).

The organization that instantly comes to my mind is ‘Facebook’.

But if you are ‘Apple’, ‘Amazon’, ‘Netflix’, ‘Uber’ or some other big company, then most likely you would be required to appoint a DPO, and not just one but most likely a whole team of DPOs.

A DPO is basically a ‘data privacy and protection’ expert and, thanks to GDPR, they are suddenly in great demand, as companies, especially big ones, want to avoid lawsuits as much as possible.

The job of a DPO is to enforce, maintain and monitor GDPR compliance in your organization.

He is in charge of all personal data processing activities in your company.

A DPO is the first point of contact for supervisory authorities and/or data subjects.

You as a business can and should appoint a DPO, even when it is not required by law, just to be on the safe side.

 

Do you have to comply with GDPR?

You would have to comply with GDPR if you’re a data controller and/or data processor who is:

#1 Based in a country that is a member of the European Union, even if you only process data outside the EU.

#2 Based outside the EU, but processing personal data of EU citizens.

How do you know if you are processing personal data of EU citizens?

In the following cases (but not limited to these) you are knowingly, unknowingly or accidentally processing personal data of data subjects, especially EU citizens:

#1 You sell products/services to EU citizens.

#2 EU citizens buy products/services from your website even when they are not your target market and/or you are not specifically targeting them.

#3 An EU citizen attempts to buy a product/service from your website even when you do not sell to them.

For example, if you are a business based in the US and you get an order from a person in the EU, you won’t fulfill the order because you don’t sell outside of the US. But you are now required to comply with GDPR. Why?… Because you now hold personal details (billing and shipping address) of an EU citizen in your database.

#4 You ask for personal data from EU citizens like ‘email address’ in exchange for anything like a free ebook.

#5 An EU citizen uses the contact form embedded on your website. As soon as the form is submitted, you are now required to comply with GDPR. This is because your website has processed personal data (name, email address) of an EU citizen.

 

#6 You track online activities of your website users via analytics tools like ‘Google Analytics’, ‘Google Tag Manager’, ‘Kissmetrics’, ‘Hotjar’, ‘Optimizely’, etc. As soon as an EU citizen lands on your website, you will immediately come under the GDPR rule. You now must comply with GDPR as you have tracked the online activities of EU citizens.

#7 You directly market or re-market to EU citizens.

#8 An EU citizen is exposed to your marketing campaign which uses personalization of some sort (like dynamic remarketing). Since personalization is not possible without tracking the online activities of EU citizens, you are knowingly/unknowingly processing personal data of EU citizens and as such must comply with GDPR.

#9 You collect users’ feedback via online surveys and someone from the EU participates in the survey. Since you now hold personal data of EU citizens, you must comply with GDPR.

 

#10 You provide a personalized user experience to your website users. Since providing a personalized user experience (like geo-targeting) is not possible without tracking the online activities of EU citizens, you are knowingly/unknowingly processing personal data of EU citizens and as such must comply with GDPR.

#11 If someone sends an email to your company mail server from the EU, all the information in the header of that email would put your company under GDPR, whether you solicited the email or not. So as soon as you get an email from an EU citizen, you are immediately under GDPR rule.

In theory, any person in the EU can go to a website hosted/operated in any country, order something or subscribe to a newsletter or use the contact form and suddenly that company is now under GDPR rule.

Long story short, if your website is accessible to EU citizens then there is always a high possibility that you are knowingly, unknowingly or accidentally processing personal data of EU citizens in some shape or form and therefore must comply with GDPR.

 

Can GDPR be realistically enforced?

Not all the guidelines set in GDPR are easy to understand; some of them are pretty vague and open to interpretation.

Understanding GDPR is one thing but enforcing it is a whole new game.

Enforcing GDPR can become very technically challenging and nobody (including me) knows exactly how you can become 100% GDPR compliant and/or what 100% GDPR compliance looks like.

Since there is no official definition of what full GDPR compliance looks like, in theory your company can always be fined, no matter what you do to become compliant.

There is no step by step guide out there, which you can just download, easily follow and become 100% GDPR compliant overnight.

In addition to that, supervisory authorities have got limited resources.

So they can not realistically monitor data protection and privacy practices of millions of businesses all over the world.

So most small and medium-size businesses are safe unless they are exposed by the media for GDPR non-compliance.

What supervisory authorities can realistically do, and will most likely do, is target big companies, especially the ones based in the US, yes, those cash cows they are always after: ‘Facebook’, ‘Google’, ‘Apple’, etc.

 

Ramifications of GDPR

In extreme cases, a hospital may refuse to take care of an EU citizen if it is not GDPR compliant.

In order to take an EU citizen as a patient, the hospital would need to process their sensitive personal data.

And a supervisory authority can fine the hospital for holding sensitive personal data of an EU citizen in the event that there wasn’t a data protection officer listed for the hospital.

Many companies may just stop doing business with the EU, as they can’t afford GDPR compliance and/or can’t risk the hefty fines which come with non-compliance.

And since nobody knows what full GDPR compliance looks like, the possibility of paying a hefty fine is always hanging over your head, like a sword of Damocles.

We have got ‘privacy by design’ (one of the data subject rights, and one which is going to bite businesses of any size), which will push businesses to build/modify systems that promote privacy and data protection by default.

Systems that are proactive, not reactive, preventative not remedial, when it comes to privacy.

Building and maintaining such systems will cost money.

Data protection officers won’t work for free.

So organizations who have to appoint them will have to bear the cost. 

GDPR can increase the cost of all imported & exported goods & services throughout the EU.

I can already foresee the rise in the premium of business insurance.

24/7 compliance of GDPR is a significant expense & businesses will most likely pass this cost to consumers.

In addition to that, GDPR can severely restrict your ability to track users’ behavior and carry out day to day conversion optimization and online marketing activities (like remarketing).

Without effective tracking, your cost of acquiring customers is going to increase over time.

So as an EU based business, you could become less profitable over time.

 

Is there a way to avoid or minimize GDPR compliance?

As long as your website is accessible to EU citizens, there is always a good chance that you are knowingly or unknowingly or accidentally tracking their online activities via analytics tools like ‘Google Analytics’.

What I have discovered through my own extensive research on GDPR is that if the EU is not your target market, you are not based in the EU, your data processors are not based in the EU and you do not want the headache of GDPR compliance, then simply block all EU countries from accessing your website.

That way your website will never be able to process any data from EU citizens and you have little to worry about regarding GDPR compliance.

GDPR considers IP addresses as personal data but not IP blocks.

So you can block an entire country from accessing your website by blocking all the IP blocks used by that country.

There are many tools available (like Wordfence) through which you can block an entire country from accessing your website.

My understanding is that blocking all EU member countries from accessing a website will greatly reduce the chance of even accidentally processing personal data of data subjects.

There is no directive under GDPR which prohibits blocking EU member states from accessing a website.

Eventually ‘enhanced privacy’ can come with a heavy price for data subjects, with many companies blocking all of Europe, just to be on the safe side.

 

But what about EU citizens accessing your website from outside the EU?

Once an EU citizen leaves the EU border, he/she is no longer considered a data subject (unless his/her personal data is still being processed by an organization “established” in the EU).

So it is safe to conclude that, as long as you are not based in the EU, your data processors are not based in the EU and you block your website from being accessed by any EU member country, you have little to worry about regarding GDPR compliance.

 

What if you want to retain EU customers?

If you are a business based outside of the EU and you don’t want to lose EU customers, and at the same time you don’t want GDPR compliance to negatively impact your online tracking and internet marketing activities across all international markets, then consider creating a separate ‘EU business unit’, one which is GDPR compliant, with its own separate website and data controllers and processors, which are all EU based.

 

Quick recap of the scope of GDPR compliance

#1 If your company/business is based in the EU then you have to comply with GDPR. Period.

#2 If your company/business is based in the EU but you do not process personal data of data subjects then also you have to comply with GDPR. Why? Because you are based in the EU and GDPR is EU law.

#3 If your company/business is based outside of the EU but you process personal data of data subjects then you have to comply with GDPR.

#4 If your company/business is based outside of the EU and your data processors are also based outside of the EU, and you do not process personal data of data subjects then you do not need to comply with GDPR.

#5 If your company/business is based outside of the EU but some/all of your data processors are based in the EU then you should comply with GDPR even when you are not actively processing personal data of data subjects.

This is because, if an EU citizen/resident accesses your website from outside the EU and uses the service of one of your data processors which is based in the EU, then he/she is automatically considered a data subject under GDPR.

Finally, get legal advice and use your own discretion.

This article is for information purposes only.

Following are the actionable Steps to Become GDPR Compliant with Google Analytics:

#1 Practice Data Minimization
#2 Implement ‘Privacy by design’
#3 Make ‘Legitimate Interest’ your best friend

 


Practice data minimization


In the context of GDPR, ‘data minimization’ is the practice of collecting, storing and using only the personal data which you absolutely need for the purpose you have specified.

Data minimization discourages the processing of ‘Big Data’, where a business gathers as much information as possible about its target audience.

In order to comply with GDPR, you need to get into the habit of collecting as little personal data as reasonably possible.

This is because the more personal data you process, the more systems and processes you would need to create and manage in order to comply with GDPR.

Without implementing data minimization, you could unknowingly and unnecessarily make GDPR compliance harder for your business.

 

Following are some methods through which you can practice ‘data minimization’ in real life:

#1 Ask for the bare minimum personal information from your website users and/or customers.

For example, many businesses ask for the ‘first name’ and ‘last name’, in addition to the email addresses, of their newsletter subscribers.

But the ‘first name’ and ‘last name’ are not absolutely necessary for subscribing to a newsletter.

So you can, and you should avoid asking for such personal information.

Many businesses ask for information related to ‘gender’ or marital status (like Mr, Ms, Mrs) which I think is absolutely not required unless you are in the health/fitness industry or dealing with law enforcement.

Similarly, ask for a phone number on your contact/checkout pages, only when you absolutely need it.

Otherwise, do not even provide the option for leaving a phone number on your website forms.

 

#2 Do a full audit of your website and analytics setup.

You are likely to find many instances, where you are collecting unnecessary personal data about your website visitors and/or sending unnecessary personal information about your website visitors, to third parties (like Google Analytics, Google Adwords, Facebook, etc).

The likely culprits are third party plugins you use on your website, and the forms embedded on the ‘contact us’ or checkout pages of your website.

Minimize form fields.

Ask only for the information which you absolutely need to fulfill an order.

 

#3 Do not ask/process sensitive personal information from your website visitors/customers

Sensitive personal information includes (but is not limited to): political opinion, religious beliefs, race, health, etc.

A business can ask for sensitive personal information unknowingly/accidentally via online surveys, sweepstakes, feedback forms or via contact forms or social media.

Under GDPR, processing of sensitive personal data is prohibited.

Only in specific cases, the processing is allowed.

For example, you can choose to ask your audience, on your Facebook Fan page, “Do you think Donald Trump will win the next election?”

But as soon as someone from the EU participates in your survey, you will immediately come under non-compliance with GDPR.

In theory, by asking the political opinion of an EU citizen, you have processed sensitive personal data, and such data processing is prohibited under GDPR.

Now, how running such a poll will really impact your business will depend upon how big of a deal you are.

If you are a famous public authority and someone files a complaint against you, then you could end up getting a warning or fine from a supervisory authority.

 

#4 Do not hold personal data, on the off chance, that it might be useful in the future.

Under GDPR, you should not hold personal data that you don’t really need.

Scan the data layers hardcoded on your website and make a note of all the unnecessary personal data you are currently tracking through them.

The data could be IP address, gender, name, email address, browsing history, etc.

Scan your databases, CRMs, and shopping carts.

Make a note of all the unnecessary personal data you have already got.

Delete all such data ASAP.
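One way to carry out the data layer scan described in #4, added here as an example and not taken from the original article: the script walks a Google Tag Manager style dataLayer array and lists every field whose key name or value looks like personal data. The key hints, value patterns and sample pushes are assumptions constructed for illustration.

```javascript
// Added example: audit a Google Tag Manager / GA style dataLayer for personal data.
// The key hints and value patterns are assumptions; extend them for your own site.

// Matched against the key with separators removed, e.g. "user_email" -> "useremail".
const KEY_SUBSTRINGS = ['email', 'firstname', 'lastname', 'fullname', 'phone', 'gender', 'birth'];
// Matched as whole words only, so "zip" is not mistaken for "ip".
const KEY_TOKENS = ['ip', 'address'];

const VALUE_PATTERNS = [
  { label: 'value looks like an email address',
    re: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i },
  // Loose on purpose: dotted version strings such as "1.2.3.4" will also match.
  { label: 'value looks like an IPv4 address',
    re: /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/ },
];

// Page paths pushed to the dataLayer are often URL-encoded ("%40" for "@").
function safeDecode(text) {
  try { return decodeURIComponent(text); } catch (e) { return text; }
}

function keyReason(key) {
  const tokens = String(key)
    .replace(/([a-z0-9])([A-Z])/g, '$1 $2')   // split camelCase
    .toLowerCase()
    .split(/[^a-z0-9]+/)
    .filter(Boolean);
  const joined = tokens.join('');
  const hit = KEY_SUBSTRINGS.find((s) => joined.includes(s)) ||
              KEY_TOKENS.find((t) => tokens.includes(t));
  return hit ? `key name suggests personal data (${hit})` : null;
}

function walk(node, path, index, findings, seen) {
  if (node === null || typeof node !== 'object') return;
  if (seen.has(node)) return;   // live dataLayers can hold cyclic values (DOM nodes)
  seen.add(node);
  const isArray = Array.isArray(node);
  for (const [key, value] of Object.entries(node)) {
    const childPath = isArray ? `${path}[${key}]` : `${path}.${key}`;
    const reasons = [];
    const fromKey = isArray ? null : keyReason(key);
    if (fromKey) reasons.push(fromKey);
    if (typeof value === 'string') {
      const decoded = safeDecode(value);
      for (const p of VALUE_PATTERNS) {
        if (p.re.test(decoded)) reasons.push(p.label);
      }
    }
    if (reasons.length > 0) findings.push({ index, path: childPath, reasons });
    walk(value, childPath, index, findings, seen);   // descend into nested objects
  }
}

// Returns one finding per suspicious field: { index, path, reasons }.
function auditDataLayer(dataLayer) {
  const findings = [];
  const seen = new WeakSet();
  dataLayer.forEach((entry, index) => {
    walk(entry, `dataLayer[${index}]`, index, findings, seen);
  });
  return findings;
}

// Constructed sample pushes; every value is invented for illustration.
const sampleDataLayer = [
  { event: 'gtm.js', 'gtm.start': 1526000000000 },
  { pageType: 'checkout', pagePath: '/checkout?step=2&email=jane.doe%40example.com' },
  { event: 'login', userId: 'u-48213', userEmail: 'jane.doe@example.com', gender: 'f' },
  { event: 'purchase',
    ecommerce: { purchase: {
      actionField: { id: 'T-1001', revenue: '35.00' },
      customer: { firstName: 'Jane', zip: '10115', clientIp: '203.0.113.42' },
    } } },
];

for (const f of auditDataLayer(sampleDataLayer)) {
  console.log(`${f.path}: ${f.reasons.join('; ')}`);
}
```

On a live page the same function can be pasted into the browser console and called on window.dataLayer. Each hit is a note for review, since only you can decide whether a flagged field is actually needed.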

 

#5 Do not enable ‘Google Analytics Advertising Features’ if you don’t need them.

Google Analytics advertising reporting features are a collection of features which allow you to:

#1 Create remarketing audiences in your GA property.

#2 Share your remarketing audiences with your linked advertising accounts (Google Adwords, DoubleClick Bid Manager) and Google Optimize.

#3 Collect demographic and interest data in your property.

#4 Create custom segments based on demographic and interest data.

#5 See DoubleClick campaign manager data in your reports (available only for analytics 360 users).

#6 Share remarketing audiences with DoubleClick bid manager. (available only for analytics 360 users).

#7 See GDN impression data in the multi-channel funnel reports.

‘Data Collection’ is one of the settings you see in the section named ‘Tracking Info’ under the ‘Property’ column in your GA admin.

When you click on the ‘Data Collection’ link, you get the option to enable ‘Advertising Reporting Features’.

When you enable ‘Advertising Reporting Features’, your GA property can collect data about your users from the ‘Google Advertising Cookies’ in addition to the data collected through a standard GA implementation.

In order to enable Advertising Reporting Features for a GA property, you would need:

#1 Edit permission at the account/property level.

#2 To adhere to the Google Analytics Advertising Feature Policy and Google Analytics Terms of Service.

According to GA Advertising feature policy, if you’ve enabled any Google Analytics Advertising Features, you are required to notify your visitors by disclosing the following information in your privacy policy:

#1 The Google Analytics Advertising Features you’ve implemented.

#2 How you and third-party vendors use first-party cookies (such as the Google Analytics cookie) or other first-party identifiers, and third-party cookies (such as Google advertising cookies) or other third-party identifiers together.

#3 How visitors can opt-out of the Google Analytics Advertising Features you use, including through Ads Settings, Ad Settings for mobile apps, or any other available means (for example, the NAI’s consumer opt-out).

Source: https://support.google.com/analytics/answer/2700409?hl=en&utm_id=ad

According to the GA Advertising feature policy, you must get your website visitors’ prior affirmative consent if you are identifying them by merging personally identifiable information with non-personally identifiable information collected through any Google advertising product or feature.

For example, if you are using ‘user-id’ to personally identify a person in a CRM, then you would first need the prior affirmative consent of your website visitors.

 

#6 Do not enable ‘Remarketing’ in Google Analytics property if you don’t need it.

When you click on the ‘Data Collection’ link (in the section named ‘Tracking Info’ under the ‘Property’ column in your GA admin), you also get the option to enable ‘Remarketing’:

If you want to create Remarketing Audiences in your GA property and share them with your advertising accounts (like Google Adwords, DoubleClick Bid Manager) then you would need to turn on the toggle button for ‘Remarketing’.

Whenever you enable ‘Remarketing’, the ‘Advertising Reporting feature’ will automatically get enabled (if it is not already enabled) for your GA property.

In other words, you cannot enable the ‘Remarketing’ setting for your GA property without also enabling the ‘Advertising Reporting feature’ for that property.

 

#7 Do not link your Google Adwords account to your Google Analytics property if you don’t actively use Adwords

In order to use and benefit from Advertising Reporting Features for a GA property, you would need at least one active Google Adwords account or DoubleClick Bid Manager account and this account must be linked to your GA property.

I have seen countless GA setups, where a business is not actively using Google Adwords but the Adwords account is still linked to GA property.

If you are not actively using Google Adwords or DoubleClick Bid Manager account then unlink it from your GA property.

 

#8 Use the ‘User and event data retention’ feature in Google Analytics

The ‘Data Retention’ is one of the settings you see in the section named ‘Tracking Info’ under the ‘Property’ column in your GA admin:

‘User and event data retention’

Through the ‘User and event data retention’ feature, you can set the amount of time for which Google Analytics retains user-specific data (i.e. data that is associated with cookies, user identifiers, or advertising identifiers) for an inactive website user, before automatically deleting it.

You can set the retention period to 14 months, 26 months, 38 months, 50 months or ‘Do not automatically expire’:

The period of time, for which Google Analytics retains user-specific data for an inactive website user is called the ‘Retention Period’.

The user-specific data is automatically deleted on a monthly basis (i.e. once a month) unless your retention period is set to ‘Do not automatically expire’.

For example, if you set the ‘User and event data retention’ to ‘50 months’, then any user-specific data older than 50 months will be automatically deleted during the next monthly deletion process.

Note: It is important to remember that not all GA data older than 50 months will be deleted. Only user-specific data (i.e. data that is associated with cookies, user identifiers, or advertising identifiers) older than 50 months will be automatically deleted. In other words, you won’t see empty GA reports for data older than 50 months.

‘Reset on new activity’

‘Reset on new activity’ – Turn this setting to ‘ON’ if you want the retention period of your website users’ data to be renewed (i.e. extended) with each new event from that user.

For example, if you set the ‘User and event data retention’ to ‘50 months’ and turn ‘Reset on new activity’ to ‘ON’, then every time a user visits your website, the data retention period associated with that user will be extended for another 50 months, and thus the data never reaches the 50-month expiration date.

Turn ‘Reset on new activity’ to ‘OFF’ if you do not want the retention period of your website users’ data to be renewed (i.e. extended) with each new event from that user.

Through the GA data retention features, you can easily practice data minimization within GA.

 

Impact of the ‘Data Retention’ setting as of May 25, 2018, is the following:

#1 Any user-specific data that is older than your retention setting will be marked for permanent deletion, and will no longer be accessible in GA.

#2 The ‘User and event data retention’ feature in GA will not affect most standard reporting, which is based on aggregated data. And since the majority of reports in GA are based on aggregated data, the use of ‘User and event data retention’ features won’t have any noticeable impact on your historical data.

#3 Deletion of user-specific data will affect the use of segmentation, some custom reports, and secondary dimensions when applied in date ranges older than your retention setting.

Note: The data retention settings are also available via management API.

 

#9 Use only the ‘Data Sharing Settings’ you really need in GA

You can see all of the ‘data sharing settings’ under ‘Account Settings’ in your admin area:

Google products & services – Turn off this setting, if you are not actively using Google products (other than GA) like Google Adwords, Google Optimize, etc.

Benchmarking – Turn off this setting, if you do not want to share your analytics data with third parties. The data is shared in an aggregate and anonymous form.

Technical support – Turn off this setting if you do not want Google support representatives to access your Google Analytics data to fix technical issues. Unless you are using Analytics 360, you won’t be getting any personal technical support from Google anyway. So keeping this setting ‘OFF’ is not going to harm you.

Give all Google sales experts access to your data and account – Turn off this setting unless you are an Analytics 360 user.

 

#10 Block the EU member states that are not your target market from accessing your website

If you are processing a large volume of personal data from EU member states which are not your target market, and there is a big business liability associated with holding unnecessary personal data, then the most powerful method of practicing data minimization is to create a list of all the EU member states you actively do business with and then block all other member states from accessing your website.

For example, if your target market is only ‘Germany’, then collecting personal data of other EU member states, after GDPR comes into force, could be an unnecessary business liability, especially if you operate in Germany.

If history is any judge, Germany will most likely be the toughest on data protection laws followed by Spain.

If you choose not to block member states, then there will always be a high possibility that you unknowingly or accidentally process personal information of EU citizens who are not your target market.

You may then end up holding and managing a lot of personal data which you don’t really need.

However, consider taking this extreme step only when you are processing a large volume of unnecessary personal data from EU member states and there is considerable business liability associated with holding such data.

Blocking entire countries from accessing your website can have a negative impact on:

  1. your organic search engine traffic (Googlebot may not be able to crawl your website)
  2. user experience and
  3. brand image.

I never thought I would be giving such recommendations, as it absolutely goes against ‘net neutrality’ and promotes internet censorship of some sort.

But the draconian fines imposed under GDPR, their regulatory overreach and ambiguous & hard to implement guidelines are just too much of a risk for any big business to ignore the processing of unnecessary personal data of EU member states.

 


Implement ‘privacy by design’


GDPR recommends that you build/update your website and/or mobile app in such a way that the users’ personal data is protected by default.

This approach of promoting privacy and data protection compliance from the very start is called ‘privacy by design’.

By implementing ‘privacy by design’, you can minimize or even completely eliminate the possibility of sending Personally Identifiable Information (PII) to Google Analytics.

PII includes (but is not limited to) information such as:

  • Users’ name
  • email address
  • phone number
  • IP address
  • social security number
  • zip code (mainly in the UK)
  • Geolocation data which is GPS or fine-grained location information
  • any piece of data that permanently identifies a particular user
  • any piece of data that permanently identifies a particular device
  • any piece of data that is deemed to be ‘Protected Health Information’ (as defined under HIPAA)
  • any piece of data that is deemed to be “PII”, according to your country’s law.

It is against the Google Analytics terms of service to send PII data to the Google Analytics server.

If you are found to collect PII in GA, then you may end up losing your GA account for good.


 

How to implement privacy by design in real life

Following are some methods through which you can implement ‘privacy by design’ in real life:

#1 Do not collect any PII on your website, which you don’t really need.

Do not collect any PII on your website (via a form, comment panel, etc) which you don’t really need.

For example, remove all the unnecessary fields from your contact page form or checkout pages forms.

 

#2 Use the POST method for form submission

Make sure that the forms embedded on your ‘contact us’ page, ‘signup/login’ pages, ‘checkout’ pages, etc use the POST method instead of the GET method.

If you use the GET method, the parameters of the form will end up as part of the URL in the address bar.

This could result in PII (like username and email address) appearing in the URLs of your web pages.

Now, Google Analytics tracks and reports the URL of each web page which is viewed.

So if the URL path contains PII then this would end up in your GA reports.

If you are running Google ads on your website (via Google Adsense), the PII data may end up going to Google, as part of the ad request.

That’s how you could accidentally end up sending PII data to GA.

 

#3 Do not track any form field which contains PII.

If you are tracking form fields in GA then make sure that you do not track any field which contains PII.

 

#4 Use a POST based search engine on your website.

When you use a POST based search engine, the search-results URL will not contain the query parameter.

So instead of a search page URL, like the one below:

Your search page URL may look like the one below:

Your website users could enter PII into your search box and if you use the GET based search engine on your website, the ‘search query’ parameter will end up as part of the URL in the address bar.

This could result in PII (like username and email address) appearing in the URLs of your web pages.

 

#5 Do not track any search term/campaign which contains PII.

If you have implemented site search tracking on your website then make sure that any PII data is not sent to the Google Analytics server.

 

#6 Use the IP Anonymization feature in Google Analytics

Under GDPR, an IP address is considered personal data.

Google Analytics tracks the IP addresses of your website users in order to report on geolocation data.

Enable the IP Anonymization feature in Google Analytics.

When a customer of Analytics requests IP address anonymization, Analytics anonymizes the address as soon as technically feasible at the earliest possible stage of the collection network.

The IP anonymization feature in Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to the Analytics Collection Network.

The full IP address is never written to disk in this case.

Source: https://support.google.com/analytics/answer/2763052?hl=en
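The masking described above, worked through as an added JavaScript example (not Google's code and not from the original article): it zeroes the last octet of an IPv4 address and the last 80 bits of an IPv6 address, so every visitor in the same IPv4 /24 or IPv6 /48 maps to one reported address. The function names are hypothetical.

```javascript
// Added illustration of the masking rule quoted above; function names are
// hypothetical and this is not how Google implements it internally.

// IPv4: keep the first three octets, zero the last one.
function anonymizeIPv4(ip) {
  const parts = ip.split('.');
  const valid = parts.length === 4 &&
    parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error('not an IPv4 address: ' + ip);
  parts[3] = '0';
  return parts.join('.');
}

// Expand an IPv6 address (including the "::" shorthand) into eight
// 16-bit groups. Embedded dotted-quad forms (::ffff:1.2.3.4) are not handled.
function expandIPv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error('not an IPv6 address: ' + ip);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  const compressed = halves.length === 2;
  if (compressed ? missing < 1 : missing !== 0) {
    throw new Error('not an IPv6 address: ' + ip);
  }
  const groups = [...head, ...Array(compressed ? missing : 0).fill('0'), ...tail];
  if (!groups.every(g => /^[0-9a-f]{1,4}$/i.test(g))) {
    throw new Error('not an IPv6 address: ' + ip);
  }
  return groups.map(g => parseInt(g, 16));
}

// IPv6: 128 - 80 = 48 bits survive, i.e. the first three 16-bit groups.
// The remaining five groups are zero and are written as a trailing "::".
function anonymizeIPv6(ip) {
  const kept = expandIPv6(ip).slice(0, 3).map(g => g.toString(16));
  return kept.join(':') + '::';
}

// Dispatch on address family.
function anonymizeIp(ip) {
  return ip.includes(':') ? anonymizeIPv6(ip) : anonymizeIPv4(ip);
}

// Constructed sample addresses from the documentation ranges.
const SAMPLE_IPS = [
  '203.0.113.57',
  '203.0.113.200',
  '2001:db8:85a3:8d3:1319:8a2e:370:7348',
];
SAMPLE_IPS.forEach(ip => console.log(ip, '->', anonymizeIp(ip)));
```

Both sample IPv4 addresses collapse to the same value, which is why geolocation reports remain usable at city or region level while the individual host is no longer distinguishable.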

You can enable the ‘IP Anonymization’ feature in GA by adding a new field named ‘anonymizeIp’ with a value of ‘true’ in your Google Analytics Settings variable.

To learn more about IP anonymization in Google Analytics and Google Tag Manager, read this article: How to turn on IP Anonymization in Google Analytics and Google Tag Manager

Note: You can make a case of ‘legitimate business interest’ for tracking IP addresses (more about that later).  So you don’t have to anonymize IPs.

 

#7 Audit your website to find and remove PII data

Scan your entire website, page by page, or by using a website crawler (like Screaming Frog SEO Spider) and make sure that the URLs, URL parameters and Page Titles do not contain any PII data.

If you find such data then you have got two options:

#1 Remove it completely.

#2 Replace the PII with a unique site-specific identifier (UUID)

If the PII keeps popping up in page URLs, URL parameters and Page Titles, then find the source of the PII data leak.

Ask your developer to fix this issue either from the front end or back end or both.
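One way to run the audit described in #2, #4 and #7 over a list of crawled URLs and page titles, as an added JavaScript example that is not part of the original article. The PII patterns, the parameter-name list and the sample pages are assumptions constructed for illustration; extend them for your own site.

```javascript
// Added example: flag PII in URL paths, query parameters and page titles,
// and produce a redacted path that is safe to report to analytics.
// Patterns and parameter names are assumptions, not an exhaustive list.

const PII_PARAM_NAMES = new Set([
  'email', 'e-mail', 'mail', 'name', 'firstname', 'lastname',
  'username', 'phone', 'tel', 'ssn', 'postcode', 'zip',
]);

const EMAIL_RE = /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/i;
const SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/;
const PHONE_CANDIDATE_RE = /\+?\d[\d\s().-]{7,}\d/g;

// Return the PII types found in an already-decoded string.
function findPii(text) {
  const types = [];
  if (EMAIL_RE.test(text)) types.push('email');
  if (SSN_RE.test(text)) types.push('ssn');
  // Treat a digit run as a phone number only if it has 10 to 15 digits,
  // so dates such as 2018-05-25 are not flagged.
  const candidates = text.match(PHONE_CANDIDATE_RE) || [];
  const isPhone = candidates.some(c => {
    const digits = c.replace(/\D/g, '').length;
    return digits >= 10 && digits <= 15;
  });
  if (isPhone) types.push('phone');
  return types;
}

// Percent-decoding can throw on malformed input; fall back to the raw text.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Audit one crawled page: { url, title } -> list of findings.
function auditPage(page) {
  const findings = [];
  const url = new URL(page.url);
  url.pathname.split('/').filter(Boolean).forEach(segment => {
    findPii(safeDecode(segment)).forEach(type =>
      findings.push({ where: 'path', type }));
  });
  for (const [name, value] of url.searchParams) {
    const types = findPii(value);
    // A parameter called "name" or "email" is suspect even if the value
    // matches no pattern (personal names cannot be detected by regex).
    if (types.length === 0 && value !== '' && PII_PARAM_NAMES.has(name.toLowerCase())) {
      types.push('named-field');
    }
    types.forEach(type => findings.push({ where: 'query:' + name, type }));
  }
  findPii(page.title || '').forEach(type =>
    findings.push({ where: 'title', type }));
  return findings;
}

// Build the path + query to report instead of the raw URL: PII-bearing
// path segments become "redacted" and PII-bearing parameters are dropped.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  const path = url.pathname.split('/').map(segment =>
    findPii(safeDecode(segment)).length > 0 ? 'redacted' : segment).join('/');
  const kept = new URLSearchParams();
  for (const [name, value] of url.searchParams) {
    const isPii = PII_PARAM_NAMES.has(name.toLowerCase()) || findPii(value).length > 0;
    if (!isPii) kept.append(name, value);
  }
  const query = kept.toString();
  return path + (query ? '?' + query : '');
}

// Audit a whole crawl and return only the pages that leak PII.
function auditCrawl(pages) {
  return pages
    .map(p => ({ url: p.url, findings: auditPage(p), reportAs: redactUrl(p.url) }))
    .filter(r => r.findings.length > 0);
}

// Constructed sample crawl output (not real data).
const SAMPLE_PAGES = [
  { url: 'https://shop.example/search?q=jane.doe%40example.com&page=2', title: 'Search results' },
  { url: 'https://shop.example/account/jane.doe%40example.com/orders', title: 'Orders' },
  { url: 'https://shop.example/contact/thanks?name=Jane+Doe&topic=billing', title: 'Thank you' },
  { url: 'https://shop.example/products?category=shoes', title: 'Shoes' },
];
console.log(JSON.stringify(auditCrawl(SAMPLE_PAGES), null, 2));
```

The first sample URL is what a GET-based site search produces when a visitor types an email address into the search box; the third is a GET form submission.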

 

#8 Do not upload/send any data to Google Analytics which contains PII.

Do not upload/send any data to Google Analytics which contains PII. This applies to uploading PII data to GA via:

It is important to note that just filtering out PII data from Google Analytics is not sufficient.

Since collecting PII data in GA is against the ‘Google Analytics Terms of Service’, you should actively stop PII data from being sent to the GA servers from your website.

 

#9 Develop a robust GDPR compliant privacy policy

In order to implement ‘privacy by design’, you would need to have a GDPR compliant privacy policy on your website.

This policy should clearly outline (but is not limited to):

# Definitions used in the policy. Like if you are referring to ‘we’ in the policy then who exactly is ‘we’.

# Information your website users voluntarily provide to you.

# Information you collect automatically

# Details of the various technologies you use (like cookies, web beacons) to collect and store information when users/customers use your Website, Products or Services

# Details of the information you obtain from third party sources (public databases, social media platforms, third-party data providers)

# How and when you may use and disclose Personal Information

# How you protect Personal Information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.

# How you keep your data accurate and up to date.

# How you use cookies and similar technologies in the course of your business

# Details of all the first and third-party cookies served through your Websites.

Optimize Smart has got a very robust ‘GDPR compliant privacy policy’. Take a look: https://www.optimizesmart.com/terms/

 

#10 Ask for GDPR compliant privacy policies and GDPR compliant data service agreement from your data processors

In order to implement ‘privacy by design’, all of your service providers (aka data processors) must also have GDPR compliant privacy policies and should ideally have GDPR compliant data service agreement (also called the ‘Controller-Processor Agreement’) with you.

Following is an example of ‘controller-processor agreement’ from GetResponse:

Note: Make sure that you ask for a controller-processor agreement from your web host.

 

#11 Provide all-important rights to ‘data subjects’

Finally, your ‘privacy by design’ approach is not considered complete unless you, as a business entity, provide the following rights to ‘data subjects’:

  1. The right of notification of data breach
  2. The right to access
  3. Right to be forgotten
  4. The right to object
  5. The right to rectification

 


Make ‘legitimate interest’ your best friend


According to Article 6(1)(f) of GDPR:

“1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Legitimate business interests are not focused on any particular purpose and therefore give you more scope to potentially rely on them and use them to your advantage.

You would then not need to bombard your users with consent requests for each and everything you do on your website when they are unlikely to object to the processing.

GDPR does not clearly define all the factors that should be taken into account when deciding if your purpose is a legitimate business interest.

But under GDPR, the following purposes do clearly constitute a legitimate business interest:

  • direct marketing
  • fraud prevention
  • ensuring network and information security.
  • indicating possible criminal acts or threats to public security.
  • processing employee or client data.
  • administrative transfers within a group of companies.

 

The ICO recommends carrying out a three-part test to determine whether or not your purpose constitutes a legitimate interest:

It makes most sense to apply this as a test in the following order:

  • Purpose test – is there a legitimate interest behind the processing?
  • Necessity test – is the processing necessary for that purpose?
  • Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

This concept of a three-part test for legitimate interests is not new.

In fact the Court of Justice of the European Union confirmed this approach to legitimate interests in the Rigas case (C-13/16, 4 May 2017) in the context of the Data Protection Directive 95/46/EC, which contained a very similar provision.

This is a piece of good news because you can use ‘legitimate interest’ to your advantage, simply by passing the ‘three-part test’.

 

Let’s make a case for using Google Analytics Tracking on your website without asking for users’ consent by using the ‘three-part’ test:

Purpose test – is there a legitimate interest behind the processing?

Yes. We have a legitimate interest in tracking website usage data via Google Analytics because ……. It helps us provide a better user experience and effectively market our products to our target audience. << add more reasoning >>

Necessity test – is the processing necessary for that purpose?

The processing is absolutely necessary because without using ‘Google Analytics’, we cannot track website usage data and we need to track website usage data in order to do effective marketing and not lose money on advertisement. Also, there is no less intrusive alternative available.

Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

We are not collecting and/or sending any PII data to Google Analytics. The IP addresses that we are tracking have been anonymized. So our legitimate interest does not override an individual’s interests, rights or freedoms.

According to GDPR,

the interests of the individual could in particular override your legitimate interests if you intend to process personal data in ways the individual does not reasonably expect.

Again, what constitutes ‘reasonable’ is vague and can be used to your advantage.

What you as a business consider as ‘reasonable’, may not be ‘reasonable’ for me and vice versa.

Outline all the possible ways you use and process data in your privacy policy and then inform your website users about the changes.

That way, your website users should reasonably expect you to use their data in that way.

 


GDPR-Google Analytics FAQs


Q. Do I need user consent for using Google Analytics on the website?

In general, ‘No’.  

I already made a case for ‘legitimate business interest’ for using Google Analytics.

However, if you are collecting PII data via GA (which you should not be, in the first place) and/or merging personally identifiable information with non-personally identifiable information, collected through any Google advertising product or feature then you would need prior affirmative consent of your website users.

 

Q. Do I need user consent if I am using ‘Google Analytics Advertising Features’ on the website?

In general, ‘No’.

If you are using the ‘Google Analytics Advertising Features’ then just update your privacy policy, as mentioned above.

However, if you are identifying website users by merging personally identifiable information with non-personally identifiable information, collected through any Google advertising product or feature then you would need prior affirmative consent of your website user.

For example, if you are using ‘user-id’ to personally identify a person in a CRM, then you would first need the prior affirmative consent of your website visitors.

 

Q. Do I need user consent, for re-marketing?

In general, “No”.

You can carry out re-marketing, as a legitimate business interest.

Just make sure your remarketing has minimal impact on your website users as individuals (watch out for the ad frequency cap) and that it follows the policies for Personalised advertising.

 

Q. Do I need user consent, for using ‘user-id’?

Unfortunately, “Yes”.

It is not possible to make a case of ‘legitimate business interest’ for using ‘user-id’ as it will fail the ‘balancing test’. 

If you are using the ‘user-id’ feature of GA then at the time of signup, you should get prior affirmative consent from your website users that you are going to track their activities across devices and browsers.

 

Q. Do I need user consent, for using ‘client id’?

In general, “No”.

You can make a case of ‘legitimate business interest’ for using ‘client id’.

Purpose test – is there a legitimate interest behind the processing?

Yes. We have a legitimate interest in tracking ‘client id’ via Google Analytics because ……. GA won’t work without first setting up ‘client id’. And we need Google Analytics to track website usage data so that we can provide a better user experience and effectively market our products to our target audience. << add more reasoning >>

Necessity test – is the processing necessary for that purpose?

The processing of client ID is absolutely necessary because without ‘client id’, ‘Google Analytics’ won’t work. Without ‘client id’, we cannot track website usage data and we need to track website usage data in order to do effective marketing and not lose money on advertisement. Also, there is no less intrusive alternative available.

Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

GA uses client ID to identify a unique browser/device and that too in an anonymous way. It does not really track individual users, though that is implied in the GA developers’ documentation.

For Google Analytics, a user is a unique web browser/device and not necessarily an individual. 

As such it has minimal impact on your website users as an individual, when it comes to privacy. 

Some people cite Recital 30 in GDPR as reasoning for asking for consent for using ‘client id’:

(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

If you go around asking for consent for each and every online identifier, you realistically cannot operate a website, let alone run an online business.

Your website then should not load into a user’s web browser, without prior consent.

Because your web server can not communicate with users’ web browser if it does not know where the request came from (i.e. IP address).

Your Google Analytics will not work, without setting up a cookie on users’ hard disk.

Your advertising won’t work, without setting up an advertising cookie on users’ hard disk.

So there is a strong case of ‘legitimate business interest’ for using online identifiers.

 

Q. Do I need prior consent, for placing cookies on the users’ hard disk?

In general, “No”.

I know there are a lot of websites out there, which ask for users’ consent before placing a cookie.

But cookies are required for maintaining certain website functionality (like web sessions), protecting users’ data from unauthorized access and for tracking website usage data.

As such you can make a good case for ‘legitimate business interest’ for using cookies on your website.

Just make sure that you clearly outline all the first and third-party cookies you use on the website in your privacy policy.

 

Q. Do I need prior consent, for tracking IP addresses?

It is important to note that GDPR does not prohibit the processing of personal data.

Under GDPR, an IP address is personal data.

You can make a good case for ‘legitimate business interest’ for tracking IP addresses.

For example, you need to track IP addresses to protect website users from malware, adware, spyware, viruses and other malicious software.

That makes your case for tracking IP addresses, legitimate.

Google Analytics tracks IP addresses for providing geolocation data.

You can also make a good case for ‘legitimate business interest’ for tracking IP addresses by Google Analytics by using the three-part test:

Purpose test – is there a legitimate interest behind the processing?

Yes. We have a legitimate interest in tracking IP addresses via GA because ……. It helps us provide a better user experience and effectively market our products to our target audience. If we can’t track where our users are coming from, we cannot effectively market to them and we lose money on advertising.

Necessity test – is the processing necessary for that purpose?

The processing is absolutely necessary because GA can accurately track geolocation data, only if it can track IP addresses.

Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

GA does not report IP addresses in its reports. As such, our use of IP addresses in the context of GA has minimal impact on our website users as individuals and it does not override their individual interests, rights or freedoms.

 

Q. How do I decide, when I should ask for consent?

Carry out the three-part test to determine whether or not your purpose constitutes a legitimate business interest and use your own discretion.

GDPR guidelines are ambiguous and are drafted by people who know little about how the internet works.

That’s why they have labeled ‘IP address’ as personal data even when an IP address cannot be used to uniquely identify a person, even if you are using a static IP. And most internet users are using dynamic IPs.

Multiple court rulings in the US have stated categorically that IP addresses do not identify a person, with one ruling going so far as saying it can’t even be tied to a state, let alone an individual.

For any case you make citing GDPR guidelines, I can effectively make a counter case, citing some other GDPR guidelines.

And I am sure, people more knowledgeable than me in GDPR (lawyers, data protection experts), can easily do the same and probably much better.

So use your discretion.

 

Most frequently asked questions on GDPR

What is GDPR?

GDPR stands for General Data Protection Regulation. It is Europe’s new privacy law. This new law came into force on May 25, 2018. GDPR gives data subjects more rights and control over their personal data and how it is used.

Why should you, as a marketer, care about GDPR?

If you are processing personal data of ‘data subjects’ then you have to comply with GDPR regardless of where you live on this planet. There are two levels of administrative fines that can be levied (on a case by case basis) for not complying with GDPR:
1) Up to €10 million ($12.5 million), or 2% annual global turnover (whichever is higher).
2) Up to €20 million ($24.73 million), or 4% annual global turnover (whichever is higher).

What is considered personal data in the context of GDPR?

In the context of GDPR, personal data is any information that relates to you and/or that can be used to uniquely identify you either directly or indirectly. It can include (but is not limited to): your name, email address, IP address, house address, phone number, credit card information, ZIP/PIN code, your photos, videos, recorded voice, genetic data, biometric data, etc.

What is Data Minimization?

In the context of GDPR, ‘data minimization’ is a practice of collecting, storing and using only that personal data, which you absolutely need, for the purpose you have specified.

Data minimization discourages the processing of ‘Big Data’, where a business gathers as much information as possible about its target audience. In order to comply with GDPR, you need to get into the habit of collecting as little personal data as reasonably possible.

What is considered as Sensitive Personal Data in the context of GDPR?

Sensitive Personal Data includes genetic data and biometric data.
What that means is that if you are processing data related to a person’s skin color (black, white, brown, etc), race (Asian, caucasian), sexual orientation (gay, lesbian, transexual, etc), data related to health, etc then that is all considered as sensitive personal data.

Political opinion and religious beliefs are also considered as sensitive personal data. Under GDPR, processing of sensitive personal data is prohibited. Only in specific cases, the processing is allowed.

 


Himanshu Sharma

Digital Marketing Consultant and Founder of Optimizesmart.com

Himanshu helps business owners and marketing professionals in generating more sales and ROI by fixing their website tracking issues, helping them understand their true customers' purchase journey and helping them determine the most effective marketing channels for investment.

He has over 12 years of experience in digital analytics and digital marketing.

He was nominated for the Digital Analytics Association's Awards for Excellence. The Digital Analytics Association is a world-renowned not-for-profit association that helps organisations overcome the challenges of data acquisition and application.

He is the author of four best-selling books on analytics and conversion optimization:
