GDPR AND THE CHAIN OF RESPONSIBILITY – GOOGLE ANALYTICS AND YOU
What’s the problem?
GDPR (effective 25th May 2018) applies to any data controller and/or processor who will
- process personal data of data subjects (individuals) who are in the EU because of goods/services offered to them or
- “monitor” the behaviour of data subjects within the EU.
So, if you meet those criteria you will be responsible for complying with GDPR and, crucially, must be able to prove that you comply.
Surely Google Analytics is about pseudonymous data not personal data?
GDPR broadens the definition of “personal data” to the extent that if you could identify a natural person “directly or indirectly” using “all means reasonably likely to be used” then the information is personal data. This means that personal data could include pseudonymous data, online identifiers and cookies because, as GDPR explicitly tells us, they can be combined “with unique identifiers and other information received by the servers” and used to create “profiles of the natural persons and identify them”.
Data to and from Google
Consider what data you are allowing Google Analytics to access. Although you shouldn’t (it’s a breach of your agreement with Google), are you, for example, collecting users’ names in page URLs (such as https://www.ABC.org/user/jsmith, where the user name J Smith forms part of the URL) or collecting email addresses as part of the log-in process?
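As an added illustration (not code from this blog or from Google), one way to keep user names and email addresses like those above out of the page value handed to an analytics tag is to scrub the URL first. The path prefixes, parameter names and `REDACTED` marker are assumptions; adapt them to your own site's URL scheme.

```javascript
// Added example: scrub likely personal data from a URL before analytics sees it.
// Assumptions (not from the original page): the path prefixes, the parameter
// names and the REDACTED marker below.
const EMAIL_RE = /[A-Z0-9._%+-]+(?:@|%40)[A-Z0-9.-]+\.[A-Z]{2,}/i;
const USER_PATH_PREFIXES = ['user', 'users', 'member', 'account'];
const SENSITIVE_PARAMS = ['email', 'name', 'username', 'phone'];

function scrubPageUrl(rawUrl) {
  const url = new URL(rawUrl);
  const findings = []; // what was removed, for your compliance record

  // Path: redact the segment after a user-style prefix, and any email address.
  const segments = url.pathname.split('/').map((seg, i, all) => {
    const prev = i > 0 ? all[i - 1].toLowerCase() : '';
    if (seg && USER_PATH_PREFIXES.includes(prev)) {
      findings.push('identifier in path after /' + prev + '/');
      return 'REDACTED';
    }
    if (EMAIL_RE.test(seg)) {
      findings.push('email address in path');
      return 'REDACTED';
    }
    return seg;
  });

  // Query string: redact named personal fields and any value that is an email.
  const params = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    const hit = SENSITIVE_PARAMS.includes(key.toLowerCase()) || EMAIL_RE.test(value);
    if (hit) findings.push('personal data in query parameter "' + key + '"');
    params.append(key, hit ? 'REDACTED' : value);
  }

  // Return a host-less page path; the fragment is dropped entirely.
  const query = params.toString();
  return { page: segments.join('/') + (query ? '?' + query : ''), findings };
}
```

Pass the returned `page` to whichever field your analytics tag uses for the page path, and log `findings` so you can show which URL patterns on your site needed cleaning.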
What about the data you access from Google? You may argue that you don’t access IP addresses from Google Analytics (this is possible but not advisable because it breaches your agreement with Google), but if you download any report or information it could still pose a problem. You need to ask yourself whether you can identify any individual from all the data you hold. Remember it’s not just about the data in one report – it’s whether, if you were to combine all the data you hold (including data from Google Analytics) “using reasonable means”, you could identify an individual.
So the data which forms part of your Google Analytics account could be personal data and, therefore, subject to GDPR compliance. It depends on how Google Analytics is set up for your web site. Member specific page visits, for example, will need to be addressed as a risk area under GDPR.
Remember that you need a lawful basis for processing any personal data so you need to consider whether you are relying on the consent of the individual to process their data (most businesses do). If so, under GDPR consent is much more rigid so, even if your consent meets current requirements, it may not be GDPR compliant. Time to check out your terms and conditions.
GDPR will apply to Google and we know that the company is “working hard” to prepare for GDPR. For example, website users have the option to “install the Google Analytics opt-out browser add-on”.
Whilst there are likely to be more changes before May 2018, at the moment we know from Google Analytics’ user terms that you give Google permission to collect data from your website visitors and are “solely responsible” for your use of Google Analytics and for
- not passing any “personally identifiable information” to Google
- making sure that no “personally identifiable information” is collected
So if you breach your agreement with Google you will be liable to Google and that is likely to continue to apply after May 2018. However, irrespective of your relationship with Google, by processing personal data (through Google Analytics or otherwise) you will have to comply with GDPR and be able to prove that you do so.
In our next blog we’ll look at some of the steps you need to take to ensure that you can use Google Analytics and still be GDPR compliant.
GOOGLE ANALYTICS – WHAT YOU NEED TO DO TO BE GDPR COMPLIANT
We know from our previous blog that using Google Analytics can potentially cause a conflict with your GDPR obligations. So, if you rely on Google Analytics for your web visitor analysis it’s time to make sure that, once GDPR becomes effective (25th of May 2018), your use of the tool will comply with GDPR. After all, GDPR demands that all data controllers and data processors processing personal data comply with GDPR and can prove that they do so. Google is rapidly rewriting all its terms and policies so you can be certain that much of the responsibility will lie with you.
What should you do?
(1) Examine and cleanse your existing data
Many organisations have developed a habit of grabbing and retaining data, including downloading data from Google Analytics. We know that under GDPR personal data will include anonymised/pseudonymised data if you could identify an individual from it (whether it’s from that data alone or when it’s combined with other data you hold). That means that your Google Analytics data could be defined as personal data. It all depends on how you use it combined with the information from your web site.
On that basis undertake a data ‘spring clean’ (you need to do this well before Spring) of all your data by examining:
- what data you currently hold and
- what data you are continuing to collect and
- why and how you are using that data
- what you need and should retain
This should also include analysing how you use Google Analytics and examining what personal data could or does form part of your use. Ecommerce data and membership sites are very likely to contain personal data.
If you can’t justify why you have or need the data then it’s time for a data cleanse. Remember that under GDPR if you no longer use or require your data you should delete it or at least ensure that it is completely incapable of identifying an individual which, considering all the data you hold, may be more difficult and a longer process than you first anticipate.
(2) Check how you are using and sharing Google Analytics data
Once you’ve completed your data cleanse you need to set parameters for how you are going to use Google Analytics in the future.
This will mean looking at what data you will capture and taking care that you don’t breach your obligations under your agreement with Google. Remember that you have agreed that no “personally identifiable information” will be passed to Google or be collected by you.
Part of this will also include thinking about who will have access to your Google Analytics account so that you can be careful about not capturing personal data and how you can monitor use and GDPR compliance.
As an aside, where agencies are involved, it’s common for the ownership of a Google Analytics account to become blurred, so make sure that this (and responsibility for it) is clarified. Similarly, you might have allowed admin or read-only access to freelancers and others over time; look at all the permissions and immediately remove those no longer needed.
(3) Data transfer compliance
Moving forward with Google Analytics, you’ll also need to check Google’s GDPR compliance on transferring data outside the EU to confirm which of the approved transfer mechanisms are used. Currently Google are relying on the EU-US Privacy Shield; this may change, and it’s your responsibility to be aware of this. A simple checklist showing that you have considered these types of issues will help provide you with evidence of your own compliance. This includes reviewing Google’s rapidly changing legal policies and agreements on a regular basis, making required changes and proving you have done so.
(4) Data subject rights
Don’t forget that you will also need to:
- Enable visitors to opt-out as easily as they opt in, and at any time they choose.
Are you using client specific pages on your web site, in a membership or secure area? If you are then you will find our next blog useful as we will be tackling Google Analytics and Client Specific Pages.
GOOGLE ANALYTICS AND PERSONALLY IDENTIFIABLE INFORMATION – WHAT GOOGLE ANALYTICS KNOWS ABOUT YOUR CLIENT SPECIFIC PAGES
In our previous blogs we’ve looked at the GDPR chain of responsibility when you use Google Analytics and some of the steps you need to take to ensure that you can use Google Analytics and still be GDPR compliant. This time we’re going to examine the impact of GDPR when you use Google Analytics on client specific pages.
Client specific pages are a great way to host content that you want to be available only to either one individual client or a specific group of clients (such as with a membership site, eCommerce accounts functions and private pages) when they are logged onto your website. You may want the content to only be visible to that client(s) or to enable them to download information for their eyes only.
There is no doubt that Google Analytics is a great web analytics tool to help analyse visitor traffic to your website, including those accessing client-specific pages. As Google says, the information it provides helps you “paint a complete picture of your audience and their needs”.
By choosing to use Google Analytics you are opting to include code on pages in your website to find out more about your website users. Google collects the information, organises and processes it and then makes it available on your account to access. Using the various options/filters/goals you can obtain information/data that is as simple or as sophisticated as you choose, including data about client specific pages.
That all sounds good so far except that GDPR, in force from 25th May 2018, means that you need to consider the implications of using Google Analytics, including for client specific pages:
(1) Is Google Analytics processing personal data?
There is an assumption that Google Analytics is about anonymised or pseudonymised data (it’s not but that’s for another day) so is outside the scope of data protection.
However, GDPR is about protecting personal data or data which is personally identifiable, which means data from which you can identify a natural person “directly or indirectly” using “all means reasonably likely to be used”. It’s not just about one source of data either, it’s about whether you can identify someone by putting together all the information which you hold.
You need to examine what information Google collects in relation to client specific data and ask yourself whether a client can be identified from that, either by itself or when combined with other data you hold.
So, for example, if Google has access to personally identifiable information such as user log-in information, IP addresses, emails, etc., then that is personal information. This is common information held on member pages and member user profiles within the client areas of many web sites.
(2) Are you breaching your agreement with Google?
If Google has access to personally identifiable information you may also have another problem. This is because when you sign up and use Google Analytics you are legally bound by their user agreement(s). Part of that agreement says that you agree that you are “prohibited from sending personally identifiable information to Google Analytics”.
(3) Are you lawfully able to process client/personal data in this way?
You need a lawful basis for processing personal data, which could be your need to process data so that you can provide services that clients/users have asked for. However, many businesses rely on the consent of the individual user, or in this case client, to process data.
This means taking the time to be clear
- about your lawful basis for processing personal data and
- whether the data you are processing is only used for this lawful purpose.
For example, whilst access to client-specific pages may be part of your contractual obligation to provide them with a service – directly marketing to that client is unlikely to fall into the same category so you’ll need the client’s consent to do so.
If you are relying on consent you will need to make sure that you are obtaining GDPR compliant consent, meaning that you need to
- let your clients know (providing a clear and sufficient explanation) that you are analysing data in this way AND
- obtain their specific consent to enable you to do this. Relying on a “capture all” consent won’t do. Neither will persuading yourself that you can do this as part of the “service” you offer to clients, unless you can prove that this is the case.