GDPR and web analytics are a delicate subject. The General Data Protection Regulation (GDPR) came into force on May 25, 2018. While it affects the vast majority of websites in the way they inform, collect and process data on their users, the field of web analytics is particularly sensitive. Are you in compliance? Here are some ideas for thinking about this and the initiatives to take, especially with Google Analytics.
GDPR and web analytics: the main issues
Complying with the GDPR involves much more than a few changes to the cookie acceptance banner or to the existing text on data collection and protection. In fact, all personal data is concerned, which means that the tools and systems deployed internally must also be adapted. How do you obtain consent? How do you organise data portability and the rights of access, objection, erasure and rectification? How do you secure this data? In many respects, the requirements are not new and act more as a reminder. But the GDPR goes further on many points, and it is important to be well prepared for it.

In terms of web analytics, remember that just because a person does not explicitly give their consent does not mean that Google Analytics (or other) data cannot be collected. The regulation concerns personal data, that is to say data that can identify a person, including indirectly. The web analytics setup must therefore be configured so that cross-referencing certain data (forms, dates, various fields) cannot put a name or an identity on the profile of an anonymous visitor who has not clearly given their agreement.

In general, data processing on websites comes, on the one hand, from contact forms, email subscriptions, etc. (information requested by the site and then submitted by the user) and, on the other hand, from data obtained through the tracking of visits and the cookies placed.
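The paragraph above says the analytics setup must be configured so that cross-referenced fields cannot put a name on an anonymous visitor, and Step 1 below makes the site responsible for not sending sensitive personal data to GA. The following added example (not code from the original article or from Google) shows a site-side guard that scrubs a tracking hit before it leaves the page: identity-carrying parameters are dropped and e-mail addresses in the remaining values are redacted. The hit shape `{ page, params }`, the `FORBIDDEN_KEYS` list and the sample hit are assumptions made for the example.

```javascript
// Added example (not code from the original article or from Google Analytics):
// a guard run on the site's own side before an analytics hit is sent, so that
// fields which would let someone put a name on an otherwise anonymous visitor
// never reach the analytics provider. The hit shape { page, params }, the list of
// forbidden parameter names and the sample hit below are assumptions of this example.

// Matches e-mail addresses anywhere in a string value (global flag: all occurrences).
const EMAIL_RE = /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g;

// Parameter / query-string keys that, on this hypothetical site, carry identity.
const FORBIDDEN_KEYS = new Set(["email", "user_id", "name", "phone", "token"]);

// Replace every e-mail address in a string with a fixed marker.
function redactString(value) {
  return value.replace(EMAIL_RE, "[redacted-email]");
}

// Keep the path and only the harmless query parameters of a page URL.
function scrubPagePath(page) {
  // A dummy base lets relative paths parse; the host is discarded afterwards.
  const url = new URL(page, "https://placeholder.invalid");
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (!FORBIDDEN_KEYS.has(key.toLowerCase())) kept.set(key, redactString(value));
  }
  const qs = kept.toString();
  return url.pathname + (qs ? "?" + qs : "");
}

// Return a copy of the hit with identity-carrying parameters dropped and e-mail
// addresses redacted from the remaining string values; `dropped` lists what was
// removed so the site can measure how often identifiers leak into tracking calls.
function scrubHit(hit) {
  const params = {};
  const dropped = [];
  for (const [key, value] of Object.entries(hit.params || {})) {
    if (FORBIDDEN_KEYS.has(key.toLowerCase())) {
      dropped.push(key);
      continue;
    }
    params[key] = typeof value === "string" ? redactString(value) : value;
  }
  return { page: scrubPagePath(hit.page), params, dropped };
}

// Constructed sample: a "thank you" page whose URL and custom fields leak the
// address typed into a contact form.
const SAMPLE_HIT = {
  page: "/contact/thanks?email=jane@example.com&step=2",
  params: { page_title: "Thanks jane@example.com", user_id: "4711", category: "hotels" },
};

console.log(JSON.stringify(scrubHit(SAMPLE_HIT), null, 2));
```

The guard is deliberately conservative: an unknown key with an identifier in its value is still redacted, and the `dropped` list gives the site a cheap signal of which pages or forms keep pushing identity into tracking calls, which is where a compliance review should start.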
4 steps to compliance with Google Analytics
Although Google Analytics is neither the only web analytics solution available nor the only system that must be set up to adapt to the GDPR, it is a mandatory step for sites that use it. The data collected around the profile of a unique visitor directly raises the question of personal data, even if this may not be the case when tracking does not provide precise granularity. If you manage a GA account, you will no doubt have seen the famous message “[Action Required] Important updates on Google Analytics Data Retention and the General Data Protection Regulation (GDPR)”. Several actions must be implemented (if not already done):
- Step 1: Accept the changes (DPA)
To validate the Data Processing Amendment (DPA), follow the path Administration > Account Settings > Review the change. What does that change for you? Several things, including the fact that you are responsible for not transmitting personal data considered sensitive to GA.
- Step 2: declare your company's data administrators
At the same level as the screenshot above, simply click on “manage DPA details” to fill in the required legal information. Note that the same person can be indicated several times.
- Step 3: Validate the data retention time
With the GDPR, the retention of data related to a user must be given a maximum period of time. Google sets it to 26 months by default. You can adjust this according to your company policy. In concrete terms, this means that a user who does not come to your site during this time will see a large part of the data concerning them removed from your reports.
The European Commission website specifies that “data should be retained for the shortest time possible. This period should of course take into account the reasons why your business/organization should process the data as well as the legal obligations that require you to keep the data for a specific period of time (...) Your business/organization should set timeframes to erase or examine the data stored.”
- Step 4: update the General Terms of Use if advertising is active on the site
In the Property settings, if advertising features are activated, it is important to inform visitors properly and to tell them how they can deactivate this GA tracking.
The right questions to ask yourself to assess your GDPR compliance
They are of several types:
- Do you have the right to transfer or process data together with third-party data?
- Have you communicated the right information to Internet users?
- Do you still need user consent?
- Do you really know what you can do with your analytics data? Transfer, import, export, fusion...
- What are your responsibilities?
- What are the responsibilities of your web analytics provider?
As for the question of consent, it is mandatory if the data collected is sensitive and/or ancillary, in the sense that it does not meet a need defined as fundamental from the start. On the subject of cookies, it is important to respect the national legislation in force (the banners in particular, to obtain explicit consent before depositing the cookie). The cookie should be based on a true choice by the user, who must easily be able to deactivate all the cookies they want, except for those that are really necessary, while still being able to continue browsing the site. For example, here is what the Marriott Hotels site offers during a first visit (in pop-up form):

(c) Marriott International

Then, this same user should be able to change cookies and related settings whenever they want, whether to accept or reject them. Again on the same site, simply click on “Tracking Preferences” in the footer menu to access clear information that the visitor can easily manage:

(c) Marriott International

Also, don't forget to properly organise the storage of the consent given. You have probably already noticed this by browsing different sites yourself: the information you are given varies from one web actor to another. In the context of web analytics, it will be necessary in particular to detail to end users what personal data will be collected, what it will be used for, how it will be used, and whether the storage or processing is carried out outside the European Union. Always with the same motto: be clear, simple and understandable, which means that this information must not be buried at the bottom of a website's terms of use. These instructions should also clearly explain how the user can accept or remove the data collected about them.
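The two requirements set out above, a real choice that the visitor can change or withdraw at any time, and proper storage of the consent given, are easy to state and easy to get wrong in code. The added example below (not code from the original article or from any vendor's consent tool) is a small consent record that gates each cookie category on an explicit choice, keeps strictly necessary cookies always on, and stores when and what was decided so the consent can be evidenced later. The storage interface (`getItem`/`setItem`, like `window.localStorage`), the category names, the storage key and the enable/disable handlers are assumptions made for the example.

```javascript
// Added example (not code from the original article or from any vendor's consent tool):
// a small consent record that gates each cookie category on an explicit choice,
// keeps strictly necessary cookies always on, lets the visitor change or withdraw
// the choice at any time, and stores when and what was decided so the consent can
// be evidenced later. The storage interface (getItem/setItem, like
// window.localStorage), the category names, the storage key and the enable/disable
// handlers are assumptions of this example.

const CATEGORIES = ["necessary", "analytics", "marketing"];
const STORAGE_KEY = "consent-record"; // assumed key name
const NOTICE_VERSION = 1;             // bump when the information text changes, forcing a fresh choice

// handlers: { analytics: { enable() {...}, disable() {...} }, ... } are called only when a
// category's state actually changes; `enable` is where the analytics tag would be injected.
function createConsentManager(storage, handlers, now = () => Date.now()) {
  const active = new Set(); // categories whose handler is currently enabled

  function read() {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      // A choice made under an older notice text is treated as no choice at all.
      return rec && rec.version === NOTICE_VERSION ? rec : null;
    } catch (err) {
      return null; // corrupted record: ask again rather than guess
    }
  }

  function applyChoices(choices) {
    for (const cat of CATEGORIES) {
      const handler = handlers[cat];
      if (!handler) continue;
      if (choices[cat] && !active.has(cat)) {
        active.add(cat);
        handler.enable();
      } else if (!choices[cat] && active.has(cat)) {
        active.delete(cat);
        handler.disable(); // e.g. stop sending hits and delete the category's cookies
      }
    }
  }

  function save(choices) {
    const rec = {
      version: NOTICE_VERSION,
      decidedAt: new Date(now()).toISOString(), // evidence of when the choice was made
      choices: Object.fromEntries(
        CATEGORIES.map(cat => [cat, cat === "necessary" ? true : Boolean(choices[cat])])
      ),
    };
    storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    applyChoices(rec.choices);
    return rec;
  }

  return {
    // On page load: re-apply a stored choice; returns null when the banner must be shown.
    init() { const rec = read(); if (rec) applyChoices(rec.choices); return rec; },
    needsPrompt() { return read() === null; },
    isAllowed(cat) {
      if (cat === "necessary") return true; // strictly necessary cookies need no consent
      const rec = read();
      return rec !== null && rec.choices[cat] === true;
    },
    acceptAll() { return save(Object.fromEntries(CATEGORIES.map(cat => [cat, true]))); },
    rejectAll() { return save({}); },          // refusing must be as easy as accepting
    update(choices) { return save(choices); }, // reachable any time from a "Tracking Preferences" link
    record() { return read(); },
  };
}

// In-memory stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const items = new Map();
  return {
    getItem: key => (items.has(key) ? items.get(key) : null),
    setItem: (key, value) => { items.set(key, String(value)); },
  };
}
```

Two design points matter here. `NOTICE_VERSION` ties the stored choice to the text the visitor actually read, so changing what you tell users (new purposes, a new transfer outside the EU) automatically invalidates old consent instead of silently carrying it over. And withdrawal goes through the same `disable` handler as a refusal, which is the place to stop the tag and clear its cookies rather than merely hiding the banner.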
Conclusion: GDPR and webanalytics go hand in hand
In the end, the GDPR is still in its early stages, which means that developments and details are still to be expected in the coming months. In any case, it is an excellent basis for building trust among Internet users and building new relationships between brands and entities active on the Web and end users. Our solution, Alphalyr SmartScan, guarantees the GDPR compliance of your web analytics data. Request an audit of your account!