Google Analytics GDPR Checklist. Become GDPR compliant using GA

This article accompanies the article Beginners guide to GDPR for marketers and web analysts, where I introduced GDPR and explained its compliance requirements and implications in great detail.

I have written the present article under the assumption that you are already familiar with GDPR.

I won’t be explaining the ABC of GDPR in this article.

DISCLAIMER: I am not a lawyer and this blog post is based on my own extensive research and interpretation of GDPR. This article is for informational purposes only and is not a substitute for professional legal advice. Use your discretion.

 


Practice Data Minimization


In the context of GDPR, ‘data minimization’ is the practice of collecting, storing and using only the personal data that you absolutely need for the purpose you have specified.

Data minimization discourages the processing of ‘Big Data’, where a business gathers as much information as possible about its target audience.

In order to comply with GDPR, you need to get into the habit of collecting as little personal data as reasonably possible.

The more personal data you process, the more systems and processes you need to create and manage in order to comply with GDPR.

Without implementing data minimization, you could unknowingly and unnecessarily make GDPR compliance harder for your business.

The following are some methods through which you can practice ‘data minimization’ in real life:

#1 Ask for the bare minimum of personal information from your website users and/or customers.

For example, many businesses ask their newsletter subscribers for ‘first name’ and ‘last name’ in addition to an email address.

But the ‘first name’ and ‘last name’ are not absolutely necessary for subscribing to a newsletter.

So you can, and you should, avoid asking for such personal information.

Many businesses ask for information related to ‘gender’ or marital status (like Mr, Ms, Mrs), which I think is absolutely not required, unless you are in the health / fitness industry or deal with law enforcement.

Similarly, ask for a phone number on your contact / checkout pages only when you absolutely need it.

Otherwise, do not even provide the option of leaving a phone number on your website forms.

#2 Do a full audit of your website and analytics setup.

You are likely to find many instances where you are collecting unnecessary personal data about your website visitors and/or sending unnecessary personal information about them to third parties (like Google Analytics, Google Adwords, Facebook etc).

The likely culprits are third party plugins you use on your website, and the forms embedded on the ‘contact us’ or checkout pages of your website.

Minimize form fields.

Ask only for the information which you absolutely need to fulfill an order.

#3 Do not ask for/process sensitive personal information from your website visitors/customers

Sensitive personal information includes (but is not limited to): political opinion, religious beliefs, race, health etc.

A business can ask for sensitive personal information unknowingly/accidentally via online surveys, sweepstakes, feedback forms or via contact forms or social media.

Under GDPR, processing of sensitive personal data is prohibited.

Processing is allowed only in specific cases.

For example, you can choose to ask your audience, on your Facebook Fan page, “Do you think Donald Trump will win the next election?”

But as soon as someone from the EU participates in your survey, you immediately fall into non-compliance with GDPR.

In theory, by asking the political opinion of an EU citizen, you have processed sensitive personal data, and such data processing is prohibited under GDPR.

Now, how running such a poll will really impact your business will depend upon how big of a deal you are.

If you are a famous public authority and someone files a complaint against you, then you could end up getting a warning or fine from a supervisory authority.

#4 Do not hold personal data on the off chance that it might be useful in the future.

Under GDPR, you should not hold personal data you don’t really need.

Scan the data layers hard coded on your website and make a note of all the unnecessary personal data you are currently tracking through them.

The data could be IP address, gender, name, email address, browsing history etc.

Scan your databases, CRMs and shopping carts.

Make a note of all the unnecessary personal data you have already got.

Delete all such data ASAP.

#5 Do not enable ‘Google Analytics Advertising Features’ if you don’t need them.

Google Analytics advertising reporting features are a collection of features which allow you to:

#1 Create remarketing audiences in your GA property.

#2 Share your remarketing audiences with your linked advertising accounts (Google Adwords, DoubleClick Bid Manager) and Google Optimize.

#3 Collect demographic and interest data in your property.

#4 Create custom segments based on demographic and interest data.

#5 See DoubleClick Campaign Manager data in your reports (available only for Analytics 360 users).

#6 Share remarketing audiences with DoubleClick Bid Manager (available only for Analytics 360 users).

#7 See GDN impression data in the multi channel funnel reports.

‘Data Collection’ is one of the settings you see in the section named ‘Tracking Info’ under the ‘Property’ column in your GA admin:

When you click on the ‘Data Collection’ link, you get the option to enable ‘Advertising Reporting Features’:

When you enable ‘Advertising Reporting Features’, your GA property can collect data about your users from the ‘Google Advertising Cookies’ in addition to the data collected through a standard GA implementation.

In order to enable Advertising Reporting Features for a GA property, you would need:

#1 Edit permission at the account/property level.

#2 You must adhere to the Google Analytics Advertising Feature Policy and Google Analytics Terms of Service.

According to GA Advertising feature policy, if you’ve enabled any Google Analytics Advertising features, you are required to notify your visitors by disclosing the following information in your privacy policy:

#1 The Google Analytics Advertising Features you’ve implemented.

#2 How you and third-party vendors use first-party cookies (such as the Google Analytics cookie) or other first-party identifiers, and third-party cookies (such as Google advertising cookies) or other third-party identifiers together.

#3 How visitors can opt-out of the Google Analytics Advertising Features you use, including through Ads Settings, Ad Settings for mobile apps, or any other available means (for example, the NAI’s consumer opt-out).

Source: https://support.google.com/analytics/answer/2700409?hl=en&utm_id=ad

According to the GA Advertising feature policy, you must get your website visitors’ prior affirmative consent if you are identifying them by merging personally identifiable information with non-personally identifiable information collected through any Google advertising product or feature.

For example, if you are using ‘user id’ to personally identify a person in a CRM then you would first need the prior affirmative consent of your website visitors.

#6 Do not enable ‘Remarketing’ in Google Analytics property, if you don’t need it.

When you click on the ‘Data Collection’ link (in the section named ‘Tracking Info’ under the ‘Property’ column in your GA admin), you also get the option to enable ‘Remarketing’:

If you want to create Remarketing Audiences in your GA property and share them with your advertising accounts (like Google Adwords, DoubleClick Bid Manager) then you would need to turn on the toggle button for ‘Remarketing’.

Whenever you enable ‘Remarketing’, the ‘Advertising Reporting feature’ will automatically get enabled (if it is not already enabled) for your GA property.

In other words, you cannot enable the ‘Remarketing’ setting for your GA property if you do not want to enable the ‘Advertising Reporting feature’ for it.

#7 Do not link your Google Adwords account to your Google Analytics property, if you don’t actively use Adwords

In order to use and benefit from Advertising Reporting Features for a GA property, you would need at least one active Google Adwords account or DoubleClick Bid Manager account and this account must be linked to your GA property.

I have seen countless GA setups, where a business is not actively using Google Adwords but the Adwords account is still linked to GA property.

If you are not actively using Google Adwords or DoubleClick Bid Manager account then unlink it from your GA property.

#8 Use the ‘User and event data retention’ feature in Google Analytics

‘Data Retention’ is one of the settings you see in the section named ‘Tracking Info’ under the ‘Property’ column in your GA admin:

‘User and event data retention’

Through ‘User and event data retention’ feature, you can set the amount of time for which Google Analytics retains user specific data (i.e. data that is associated with cookies, user identifiers, or advertising identifiers) for an inactive website user, before automatically deleting it.

You can set this amount of time to: 14 months, 26 months, 38 months, 50 months or ‘Do not automatically expire’:

The period of time for which Google Analytics retains user specific data for an inactive website user is called the ‘Retention Period’.

The user specific data is automatically deleted on a monthly basis (i.e. once a month), unless your retention period is set to ‘Do not automatically expire’.

For example, if you set the ‘User and event data retention’ to ‘50 months’ then any user specific data older than 50 months will be automatically deleted, during the next monthly deletion process.

Note: It is important to remember that not all GA data older than 50 months will be deleted. Only user specific data (i.e. data that is associated with cookies, user identifiers, or advertising identifiers) older than 50 months will be automatically deleted. In other words you won’t see empty GA reports for data older than 50 months.

‘Reset on new activity’

‘Reset on new activity’ – Turn this setting ‘ON’ if you want the retention period of your website users’ data to be renewed (i.e. extended) with each new event from that user.

For example, if you set the ‘User and event data retention’ to ‘50 months’ and turn ‘Reset on new activity’ ‘ON’, then every time a user visits your website, the data retention period associated with that user is extended for another 50 months and thus never reaches the 50 months expiration date.

Turn ‘Reset on new activity’ ‘OFF’ if you do not want the retention period of your website users’ data to be renewed (i.e. extended) with each new event from that user.

Through the GA data retention features, you can easily practice data minimization within GA.

Impact of the ‘Data Retention’ setting as of May 25, 2018 is the following:

#1 Any user specific data that is older than your retention setting will be marked for permanent deletion, and will no longer be accessible in GA.

#2 The ‘User and event data retention’ feature in GA will not affect most standard reporting, which is based on aggregated data. And since the majority of reports in GA are based on aggregated data, the use of the ‘User and event data retention’ feature won’t have any noticeable impact on your historical data.

#3 Deletion of user specific data will affect the use of segmentation, some custom reports and secondary dimensions when applied to date ranges older than your retention setting.

Note: The data retention settings are also available via the Management API.

#9 Use only the ‘Data Sharing Settings’, you really need in GA

You can see all of the ‘data sharing settings’ under ‘Account Settings’ in your admin area:

Google products & services – Turn off this setting, if you are not actively using Google products (other than GA) like: Google Adwords, Google Optimize etc.

Benchmarking – Turn off this setting, if you do not want to share your analytics data with third parties. The data is shared in aggregate and anonymous form.

Technical support – Turn off this setting if you do not want Google support representatives to access your Google Analytics data to fix technical issues. Unless you are using Analytics 360, you won’t be getting any personal technical support from Google anyway. So keeping this setting ‘OFF’ is not going to harm you.

Give all Google sales experts access to your data and account – Turn off this setting, unless you are an Analytics 360 user.

#10 Block the EU member states from accessing your website which are not your target market

If you are processing a large volume of personal data from EU member states which are not your target market, and there is a big business liability associated with holding unnecessary personal data, then the most powerful method of practising data minimization is to create a list of all the EU member states you actively do business with and then block all other member states from accessing your website.

For example, if your target market is only ‘Germany’, then collecting personal data from other EU member states after GDPR comes into force could be an unnecessary business liability, especially if you operate in Germany.

If history is any judge, Germany will most likely be the toughest on data protection laws, followed by Spain.

If you choose not to block member states, then there will always be a high possibility that you unknowingly/accidentally process personal information of EU citizens who are not your target market.

You may then end up holding and managing a lot of personal data which you don’t really need.

However, consider taking this extreme step only when you are processing a large volume of unnecessary personal data from EU member states and there is considerable business liability associated with holding such data.

Blocking entire countries from accessing your website can have a negative impact on:

  1. your organic search engine traffic (Googlebot may not be able to crawl your website)
  2. user experience and
  3. brand image.

I never thought I would be giving such recommendations, as it absolutely goes against ‘net neutrality’ and promotes internet censorship of some sort.

But the draconian fines imposed under GDPR, their regulatory overreach and ambiguous & hard to implement guidelines are just too much of a risk for any big business to ignore the processing of unnecessary personal data of EU member states.

 


Implement ‘Privacy by design’


GDPR recommends that you build/update your website and/or mobile app in such a way, that the users’ personal data is protected by default.

This approach of promoting privacy and data protection compliance from the very start is called ‘privacy by design’.

By implementing ‘privacy by design’, you can minimize or even completely eliminate the possibility of sending Personally Identifiable Information (PII) to Google Analytics.

PII includes (but is not limited to) information such as:

  • Users’ name
  • email address
  • phone number
  • IP address
  • social security number
  • zip code (mainly in the UK)
  • Geolocation data which is GPS or fine-grained location information
  • any piece of data that permanently identifies a particular user
  • any piece of data that permanently identifies a particular device
  • any piece of data that is deemed to be ‘Protected Health Information’ (as defined under HIPAA)
  • any piece of data that is deemed to be “PII”, according to your country’s law.

It is against the Google Analytics terms of service to send PII data to the Google Analytics servers. If you are found to collect PII in GA, then you may end up losing your GA account for good.


 

Following are some methods through which you can implement ‘privacy by design’ in real life:

#1 Do not collect any PII on your website which you don’t really need.

Do not collect any PII on your website (via a form, comment panel etc) which you don’t really need.

For example, remove all the unnecessary fields from your contact page form or checkout page forms.

#2 Use POST method for form submission

Make sure that the forms embedded on your ‘contact us’ page, ‘signup/login’ pages, ‘checkout’ pages etc use the POST method instead of the GET method.

If you use the GET method, the parameters of the form will end up as part of the URL in the address bar.

This could result in PII (like username and email address) appearing in the URLs of your web pages.

Google Analytics tracks and reports the URL of each web page which is viewed.

So if the URL path contains PII then this would end up in your GA reports.

If you are running Google ads on your website (via Google Adsense), the PII data may end up going to Google as part of the ad request.

That’s how you could accidentally end up sending PII data to GA.

#3 Do not track any form field which contains PII.

If you are tracking form fields in GA then make sure that you do not track any field which contains PII.

#4 Use a POST based search engine on your website.

When you use a POST based search engine, the search-results URL will not contain the query parameter.

So instead of a search page URL, like the one below:

Your search page URL may look like the one below:

Your website users could enter PII into your search box and if you use the GET based search engine on your website, the ‘search query’ parameter will end up as part of the URL in the address bar.

This could result in PII (like username and email address) appearing in the URLs of your web pages.

#5 Do not track any search term/campaign which contains PII.

If you have implemented site search tracking on your website then make sure that no PII data is sent to the Google Analytics servers.

#6 Use the IP Anonymization feature in Google Analytics

Under GDPR, an IP address is considered personal data.

Google Analytics tracks the IP addresses of your website users in order to report on geolocation data.

Enable the IP Anonymization feature in Google Analytics.

When a customer of Analytics requests IP address anonymization, Analytics anonymizes the address as soon as technically feasible at the earliest possible stage of the collection network.

The IP anonymization feature in Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to the Analytics Collection Network.

The full IP address is never written to disk in this case.

Source: https://support.google.com/analytics/answer/2763052?hl=en
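The masking quoted above, reproduced as an added example (not Google’s code and not from the original article): it zeroes the last octet of an IPv4 address and the last 80 bits of an IPv6 address, then groups sample addresses by their masked form to show which visitors become indistinguishable. The addresses are constructed from documentation ranges and the function names are illustrative.

```python
import ipaddress

# Constructed sample visitors, taken from the reserved documentation ranges.
VISITORS = [
    "203.0.113.7",
    "203.0.113.200",
    "198.51.100.42",
    "2001:db8:abcd:12:34:56:78:9a",
    "2001:db8:abcd:ffff::1",
]


def anonymize_ip(text):
    """Zero the last 8 bits (IPv4) or the last 80 bits (IPv6) of an address."""
    addr = ipaddress.ip_address(text.strip())
    drop_bits = 8 if addr.version == 4 else 80
    masked = (int(addr) >> drop_bits) << drop_bits
    # Rebuild an address object of the same family from the masked integer.
    return str(type(addr)(masked))


def collapse(addresses):
    """Group raw addresses by masked form to show how much detail is lost."""
    groups = {}
    for raw in addresses:
        groups.setdefault(anonymize_ip(raw), []).append(raw)
    return groups


if __name__ == "__main__":
    for masked, raws in collapse(VISITORS).items():
        print(f"{masked:<18} <- {', '.join(raws)}")
```

After masking, every IPv4 visitor in the same /24 and every IPv6 visitor in the same /48 shares one value, which is why geolocation still works at a coarser level.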

You can enable the ‘IP Anonymization’ feature in GA by adding a new field named ‘anonymizeIp’ with a value of ‘true’ in your Google Analytics Settings variable.

To learn more about IP anonymization in Google Analytics and Google Tag Manager, read this article: How to turn on IP Anonymization in Google Analytics and Google Tag Manager

Note: You can make a case of ‘legitimate business interest’ for tracking IP addresses (more about that later). So you don’t have to anonymize IPs.

#7 Audit your website to find and remove PII data

Scan your entire website, page by page, or by using a website crawler (like Screaming Frog SEO Spider) and make sure that the URLs, URL parameters and Page Titles do not contain any PII data.

If you find such data then you have got two options:

#1 Remove it completely.

#2 Replace the PII with a unique site-specific identifier (UUID).

If PII keeps popping up in page URLs, URL parameters and Page Titles, then find the source of the PII data leak.

Ask your developer to fix this issue either from the front end or back end or both.
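The audit from step #7, as an added example that is not from the original article: it scans (URL, page title) pairs from a crawl export for email addresses, phone numbers and suspicious parameter names, which are the leaks that GET forms and GET based site search (steps #2, #4 and #5) produce, then swaps each flagged value for a random UUID. The `shop.example` rows, the regular expressions, `SUSPECT_KEYS` and the `id_table` lookup are constructed for illustration.

```python
import re
import uuid
from urllib.parse import urlsplit, parse_qsl, urlencode, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# 9 to 15 digits with optional separators. Loose on purpose: review hits by hand.
PHONE_RE = re.compile(r"(?<![\w-])\+?\d(?:[\s().-]?\d){8,14}(?![\w-])")
# Parameter names that usually carry personal data (assumed list, extend per site).
SUSPECT_KEYS = {"email", "name", "firstname", "lastname", "username", "phone", "tel"}

# Constructed crawl export: (URL, page title) pairs for a made-up site.
CRAWL = [
    ("https://shop.example/contact/thanks?name=Jane+Doe&email=jane.doe%40example.com",
     "Thank you"),
    ("https://shop.example/search?q=where+is+my+order+jane.doe%40example.com",
     "Search results"),
    ("https://shop.example/account/jane.doe@example.com/orders",
     "Orders for jane.doe@example.com"),
    ("https://shop.example/products/blue-widget?page=2", "Blue widget"),
]


def is_uuid(value):
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


def classify(value):
    """Return 'email', 'phone' or None for an already-decoded string."""
    if EMAIL_RE.search(value):
        return "email"
    if PHONE_RE.search(value):
        return "phone"
    return None


def query_kind(key, value):
    """Classify one query parameter by its value first, then by its name."""
    kind = classify(value)
    if kind is None and key.lower() in SUSPECT_KEYS and value and not is_uuid(value):
        kind = "suspect-key"
    return kind


def find_pii(url, title=""):
    """Return (location, field, kind) findings without echoing the PII itself."""
    parts = urlsplit(url)
    findings = []
    for index, segment in enumerate(parts.path.split("/")):
        kind = classify(unquote(segment))
        if kind:
            findings.append(("path", str(index), kind))
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        kind = query_kind(key, value)
        if kind:
            findings.append(("query", key, kind))
    kind = classify(title)
    if kind:
        findings.append(("title", "title", kind))
    return findings


def scrub_url(url, id_table):
    """Swap flagged path segments and parameter values for UUIDs from id_table."""
    def token(value):
        # One random UUID per distinct value, so the same person keeps one ID.
        return id_table.setdefault(value.lower(), str(uuid.uuid4()))

    parts = urlsplit(url)
    segments = [
        token(unquote(seg)) if classify(unquote(seg)) else seg
        for seg in parts.path.split("/")
    ]
    pairs = [
        (key, token(value) if query_kind(key, value) else value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return parts._replace(path="/".join(segments), query=urlencode(pairs)).geturl()


def audit(crawl):
    """Map each offending URL to its findings; clean pages are left out."""
    report = {}
    for url, title in crawl:
        hits = find_pii(url, title)
        if hits:
            report[url] = hits
    return report


if __name__ == "__main__":
    ids = {}
    for url, hits in audit(CRAWL).items():
        print(hits, "->", scrub_url(url, ids))
```

The `id_table` mapping is itself personal data and belongs on your own systems only; page titles that contain PII have to be fixed in the template that renders them.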

#8 Do not upload/send any data to Google Analytics which contains PII.

Do not upload/send any data to Google Analytics which contains PII. This applies to uploading PII data to GA via:

It is important to note that just filtering out PII data from Google Analytics is not sufficient.

Since collecting PII data in GA is against the ‘Google Analytics Terms of service’, you should actively stop PII data from being sent to the GA servers from your website.

#9 Develop a robust GDPR compliant privacy policy

In order to implement ‘privacy by design’, you would need to have a GDPR compliant privacy policy on your website.

This policy should clearly outline (but is not limited to):

  • Definitions used in the policy. For example, if you refer to ‘we’ in the policy then who exactly is ‘we’.
  • Information your website users voluntarily provide to you.
  • Information you collect automatically.
  • Details of the various technologies you use (like cookies, web beacons) to collect and store information when users/customers use your Website, Products or Services.
  • Details of the information you obtain from third party sources (public databases, social media platforms, third party data providers).
  • How and when you may use and disclose Personal Information.
  • How you protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
  • How you keep your data accurate and up to date.
  • How you use cookies and similar technologies in the course of your business.
  • Details of all the first and third party cookies served through your Websites.

Optimize Smart has a very robust ‘GDPR compliant privacy policy’. Take a look: https://www.optimizesmart.com/terms/

#10 Ask for GDPR compliant privacy policies and GDPR compliant data service agreement from your data processors

In order to implement ‘privacy by design’, all of your service providers (aka data processors) must also have GDPR compliant privacy policies and should ideally have GDPR compliant data service agreement (also called the ‘Controller-Processor Agreement’) with you.

Following is an example of ‘controller-processor agreement’ from GetResponse:

Note: Make sure that you ask your web host for a controller-processor agreement.

#11 Provide all important rights to ‘data subjects’

Finally, your ‘privacy by design’ approach is not considered complete unless you, as a business entity, provide the following rights to ‘data subjects’:

  1. The right of notification of data breach
  2. The right to access
  3. Right to be forgotten
  4. The right to object
  5. The right to rectification

I have explained all of these rights in great detail in this article: Beginners guide to GDPR for marketers and web analysts

 


Make ‘Legitimate Interest’ your best friend


According to Article 6(1)(f) of GDPR:

“1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Legitimate business interest is not focused on any particular purpose and therefore gives you more scope to potentially rely on it and use it to your advantage.

You would then not need to bombard your users with consent requests for each and everything you do on your website, when they are unlikely to object to the processing.

GDPR does not clearly define all the factors that should be taken into account when deciding, if your purpose is a legitimate business interest.

But under GDPR, the following purposes do clearly constitute a legitimate business interest:

  • direct marketing
  • fraud prevention
  • ensuring network and information security.
  • indicating possible criminal acts or threats to public security.
  • processing employee or client data.
  • administrative transfers within a group of companies.

The ICO recommends carrying out a three part test to determine whether or not your purpose constitutes a legitimate interest:

It makes most sense to apply this as a test in the following order:

  • Purpose test – is there a legitimate interest behind the processing?
  • Necessity test – is the processing necessary for that purpose?
  • Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

This concept of a three-part test for legitimate interests is not new.

In fact the Court of Justice of the European Union confirmed this approach to legitimate interests in the Rigas case (C-13/16, 4 May 2017) in the context of the Data Protection Directive 95/46/EC, which contained a very similar provision.

This is good news because you can use ‘legitimate interest’ to your advantage, simply by passing the ‘three part test’.

Let’s make a case for using Google Analytics Tracking on your website without asking for users’ consent by using the ‘three part’ test:

Purpose test – is there a legitimate interest behind the processing?

Yes. We have a legitimate interest in tracking website usage data via Google Analytics because ……. It helps us provide a better user experience and effectively market our products to our target audience. << add more reasoning >>

Necessity test – is the processing necessary for that purpose?

The processing is absolutely necessary because without using ‘Google Analytics’ we cannot track website usage data, and we need to track website usage data in order to do effective marketing and not lose money on advertisement. Also, there is no less intrusive alternative available.

Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

We are not collecting and/or sending any PII data to Google Analytics. The IP addresses that we are tracking have been anonymized. So our legitimate interest does not override the individual’s interests, rights or freedoms.

According to GDPR,

the interests of the individual could in particular override your legitimate interests if you intend to process personal data in ways the individual does not reasonably expect.

Again, what counts as ‘reasonable’ is vague and can be used to your advantage.

What you as a business consider ‘reasonable’ may not be ‘reasonable’ for me, and vice versa.

Outline all the possible ways you use and process data in your privacy policy and then inform your website users about the changes.

That way, your website users should reasonably expect you to use their data in that way.

 


GDPR-Google Analytics FAQs


Q. Do I need user consent for using Google Analytics on the website?

In general, ‘No’.  

I already made a case for ‘legitimate business interest’ for using Google Analytics.

However, if you are collecting PII data via GA (which you should not be, in the first place) and/or merging personally identifiable information with non-personally identifiable information, collected through any Google advertising product or feature then you would need prior affirmative consent of your website users.

Q. Do I need user consent if I am using ‘Google Analytics Advertising Features’ on the website?

In general, ‘No’.

If you are using the ‘Google Analytics Advertising Features’ then just update your privacy policy, as mentioned above.

However, if you are identifying website users by merging personally identifiable information with non-personally identifiable information, collected through any Google advertising product or feature then you would need prior affirmative consent of your website user.

For example, if you are using ‘user id’ to personally identify a person in a CRM then you would first need the prior affirmative consent of your website visitors.

Q. Do I need user consent, for re-marketing?

In general, “No”.

You can carry out re-marketing, as a legitimate business interest.

Just make sure your remarketing has minimal impact on your website users as individuals (watch out for the ad frequency cap) and that it follows the policies for Personalised advertising.

Q. Do I need user consent for using ‘user id’?

Unfortunately, “Yes”.

It is not possible to make a case of ‘legitimate business interest’ for using ‘user id’ as it will fail the ‘balancing test’.

If you are using the ‘user-id’ feature of GA then, at the time of signup, you should get prior affirmative consent from your website users that you are going to track their activities across devices and browsers.

Q. Do I need user consent, for using ‘client id’?

In general, “No”.

You can make a case of ‘legitimate business interest’ for using ‘client id’.

Purpose test – is there a legitimate interest behind the processing?

Yes. We have a legitimate interest in tracking ‘client id’ via Google Analytics because ……. GA won’t work without first setting up ‘client id’. And we need Google Analytics to track website usage data, so that we can provide a better user experience and effectively market our products to our target audience. << add more reasoning >>

Necessity test – is the processing necessary for that purpose?

The processing of client ID is absolutely necessary because without ‘client id’, ‘Google Analytics’ won’t work. Without ‘client id’ we cannot track website usage data, and we need to track website usage data in order to do effective marketing and not lose money on advertisement. Also, there is no less intrusive alternative available.

Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

GA uses client ID to identify a unique browser/device, and that too in an anonymous way. It does not really track individual users, though that is implied in the GA developer documentation.

For Google Analytics, a user is a unique web browser/device and not necessarily an individual.

As such, it has minimal impact on your website users as individuals when it comes to privacy.

Some people cite Recital 30 in GDPR as a reason for asking for consent for using ‘client id’:

(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

If you go around asking for consent for each and every online identifier, you realistically cannot operate a website, let alone run an online business.

Your website then should not load into a user’s web browser without prior consent.

Because your web server cannot communicate with the user’s web browser if it does not know where the request came from (i.e. the IP address).

Your Google Analytics will not work without setting a cookie on the user’s hard disk.

Your advertising won’t work without setting an advertising cookie on the user’s hard disk.

So there is a strong case of ‘legitimate business interest’ for using online identifiers.

Q. Do I need prior consent, for placing cookies on the users’ hard disk?

In general, “No”.

I know there are a lot of websites out there which ask for users’ consent before placing a cookie.

But cookies are required for maintaining certain website functionality (like web sessions), protecting users’ data from unauthorized access and for tracking website usage data.

As such, you can make a good case for ‘legitimate business interest’ for using cookies on your website.

Just make sure that you clearly outline all the first and third party cookies you use on the website in your privacy policy.

Q. Do I need prior consent, for tracking IP addresses?

It is important to note that GDPR does not prohibit processing of personal data.

Under GDPR, IP address is a personal data.

You can make a good case for ‘legitimate business interest’ for tracking IP addresses.

For example, you need to track IP addresses to protect website users from malware, adware, spyware, viruses and other malicious software.

That makes your case for tracking IP addresses legitimate.

Google Analytics tracks IP addresses for providing geolocation data.

You can also make a good case for ‘legitimate business interest’ for tracking IP addresses by Google Analytics by using the three-part test:

Purpose test – is there a legitimate interest behind the processing?

Yes. We have a legitimate interest in tracking IP addresses via GA because … It helps us provide a better user experience and effectively market our products to our target audience. If we can’t track where our users are coming from, we cannot effectively market to them and we lose money in advertising.

Necessity test – is the processing necessary for that purpose?

The processing is absolutely necessary because GA can accurately track geolocation data, only if it can track IP addresses.

Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

GA does not report IP addresses in its reports. As such, our use of IP addresses in the context of GA has minimal impact on our website users as individuals and it does not override their individual interests, rights or freedoms.

Q. How do I decide when I should ask for consent?

Carry out the three-part test to determine whether or not your purpose constitutes a legitimate business interest and use your own discretion.

GDPR guidelines are ambiguous and are drafted by people who know little about how the internet works.

That’s why they have labelled ‘IP address’ as personal data even when an IP address cannot be used to uniquely identify a person, even if you are using a static IP. And most internet users are using dynamic IPs.

Multiple court rulings in the US have stated categorically that IP addresses do not identify a person, with one ruling going so far as saying it can’t even be tied to a state, let alone an individual.

For any case you make citing GDPR guidelines, I can effectively make a counter case, citing some other GDPR guidelines.

And I am sure, people more knowledgeable than me in GDPR (lawyers, data protection experts), can easily do the same and probably much better.

So use your discretion.


Himanshu Sharma

Certified web analyst and founder of OptimizeSmart.com

My name is Himanshu Sharma and I help businesses find and fix their Google Analytics and conversion issues. If you have any questions or comments please contact me.
