Google Analytics, WordPress, and GDPR

Note: this is all subject to change! As we learn more we will be updating this post and correcting/disagreeing with ourselves (probably).

Note 2: this isn’t legal advice (yadda, yadda yadda).

Is Google Analytics GDPR compliant?

The answer appears to be this:

If you only have one tracking solution on your site, that is a plain vanilla install of Google Analytics, and you do NOT have advertising features enabled (they are off by default), then you do NOT need to ask for consent, IF you make one change…

IP ADDRESS

…and the one change is this: by default your website passes the IP address of your website visitors to Google Analytics (GA). GA uses it mainly for the geographic (location) reports. Rightly or wrongly, GDPR classes IP addresses as ‘personal data’, so we have a privacy issue.

Solution: to achieve compliance, you will need to stop this IP address being stored by Google Analytics (the GA setting is called anonymizeIp, and it has to be set before the first hit is sent, otherwise that first pageview still carries the full address). This is not a trivial thing to do, and almost certainly will require some developer input (unless you are using a WordPress plugin to embed your Google Analytics code, which makes this easy; more on that towards the bottom of this doc). Here are some great (though techy) instructions on how to anonymise the IP (in fact, if you understand this article, I’d urge you to read all of that link as well).

So, if you anonymise the IP going to GA, you are in the clear (for GA itself; see the exceptions below).

Exceptions

Let’s take a step back and revisit what we said earlier:

If you only have one tracking solution on your site, that is a plain vanilla install of Google Analytics (GA), and you do NOT have advertising features enabled (they are off by default), then you do not need to ask for consent, if you make one change…

Techy note: I had a thought earlier: you could, by default, anonymise the IP passed to Google Analytics and turn off advertising features via the JavaScript on your site. And, if/when you have consent, you could stop anonymising the IP and re-enable the advertising features, all via the GA JavaScript. The benefit here is that you are always outputting your Google Analytics tracking code but, by default, it is in the leaner, more GDPR compliant version (until you have explicit consent).

What do we mean by ‘one tracking solution’?

Well, if you also have the Facebook Pixel installed on your site, or any other tracking or analytics system on there, you’re going to need to get explicit consent from the website visitors (more on what ‘explicit consent’ means later) as, from what I can tell, Facebook and Facebook tracking are all about personal data; please correct me if you think otherwise.

Another example (lifted from this excellent link) is the commenting system Disqus, which is used on many websites (note: this issue is not particular to Disqus; it is just one example out of a huge array).

Disqus has its own Google Analytics tracking code (separate to any GA code your site may use for your reports) which it embeds pretty much without your knowledge. You won’t be able to fiddle with the Disqus GA code to anonymise the IP and, because of that (unless Disqus change how they implement their GA), we have a consent issue which is going to require Explicit Consent (if you are interested in Disqus, read here).

Note: from my reading of it, in the scenario where you have your own basic version of Google Analytics running and a plugin with its own Google Analytics (e.g. Disqus), then your own GA code can run (as it is GDPR compliant) but you may/will need consent for the other.

What is Explicit Consent?

If you have tracking code on your website (such as the examples listed above) which looks like it needs the website visitor to agree to it, then you will need the following to happen:

  1. A new website visitor* visits your website
    (*i.e. they have not been there before)
  2. The website recognises they are new and asks them for consent to track* them by displaying some sort of banner.
    (*I’m not sure on the words here; I wouldn’t use ‘track them’ as that sounds a bit Blade Runner. You could just use Cookie Policy type words but, then again, I don’t think most people know what cookies are either. Either way, plain, simple language is required here.)
  3. The banner has an [accept] button which, if the visitor clicks, does this:
    – hides the banner
    – allows tracking code such as Google Analytics and the Facebook Pixel to load
    Note: it is vitally important that the tracking code does NOT load before the visitor has clicked [accept]. I’m pretty sure that a vast % of the cookie banners out there today don’t operate in the correct way.
  4. You could have a [decline] button on your banner but, given how important tracking is, perhaps don’t have one. Leave the banner there, perhaps anchored to the bottom of the screen, for them to accept later. If the banner has some sort of ‘why should I do this?’ link which gives greater clarity as to what all this means, great. In my mind this means going off to a screen which puts, in plain language, what we are talking about. I’ve not seen very readable cookie policies or privacy policies, which is why I have not talked about those explicitly here, though they will need to be linked to at some stage.

A few notes:

  1. Visitors use multiple devices (e.g. desktop, laptop, iPad, smartphone); all the above steps would need to happen for each and every device.
  2. Many people use cookie blockers and cookie cleaners. These (as they do now) will create problems with the above, i.e. if you clear your cookies, the website will ask for consent again (with the possible exception of the point raised above re ‘login’).

Until the visitor has clicked [accept], the gated tracking code should not be recording and, therefore, you will have a dip in your data (unless you run GA in the anonymised, no-advertising mode described in the techy note above, which can run without consent).
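The techy note above (anonymised, no-advertising GA for everyone, the rest only after consent) and the [accept] flow just described fit together in one small piece of JavaScript. What follows is an added example written for this page, not code from the original post or from any plugin it mentions. It assumes placeholders of my own: the property id ‘UA-XXXXXXX-1’, the storage key ‘gdpr_consent’, the gated script URL, and injected ga/storage/loadScript functions (in a browser you would pass window.ga, window.localStorage and a script-tag injector) so that it also runs outside a browser.

```javascript
// Added example (not from the original post): a consent gate that keeps
// Google Analytics in its anonymised, no-advertising mode until the visitor
// clicks [accept], and loads third-party tags only after that click.
// Assumptions: 'UA-XXXXXXX-1', 'gdpr_consent' and the gated URL are
// placeholders; ga, storage and loadScript are injected dependencies.

const CONSENT_KEY = 'gdpr_consent';

// Baseline GA commands, safe to queue without consent. anonymizeIp is set
// BEFORE the pageview is sent (a 'set' after the hit is too late for it) and
// the advertising features are switched off explicitly.
function baselineCommands(propertyId) {
  return [
    ['create', propertyId, 'auto'],
    ['set', 'anonymizeIp', true],
    ['set', 'allowAdFeatures', false],
    ['send', 'pageview'],
  ];
}

// Commands queued once consent exists: subsequent hits carry the full IP and
// advertising features come back on, as the techy note suggests.
function consentedCommands() {
  return [
    ['set', 'anonymizeIp', false],
    ['set', 'allowAdFeatures', true],
  ];
}

function createConsentGate({ propertyId, storage, ga, loadScript, gatedScripts }) {
  const loaded = [];

  function hasConsent() {
    return storage.getItem(CONSENT_KEY) === 'granted';
  }

  // Tags with no anonymisation switch we control (Facebook Pixel, Disqus, ...)
  // only ever load through here, and only once per page load.
  function loadGatedScripts() {
    for (const url of gatedScripts) {
      if (!loaded.includes(url)) {
        loaded.push(url);
        loadScript(url);
      }
    }
  }

  // Run on every page load; tells the page whether the banner must be shown.
  function init() {
    for (const cmd of baselineCommands(propertyId)) ga(...cmd);
    if (hasConsent()) {
      for (const cmd of consentedCommands()) ga(...cmd);
      loadGatedScripts();
    }
    return { showBanner: !hasConsent() };
  }

  // Wired to the banner's [accept] button. Persisting the choice means the
  // next page load on this device skips the banner, until the visitor clears
  // cookies/storage, at which point they are asked again.
  function accept() {
    storage.setItem(CONSENT_KEY, 'granted');
    for (const cmd of consentedCommands()) ga(...cmd);
    loadGatedScripts();
  }

  return { init, accept, hasConsent, loadedScripts: () => loaded.slice() };
}

// In-memory stand-ins for window.localStorage and window.ga so the demo below
// runs without a browser.
function createMemoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    clear: () => data.clear(),
  };
}

function createRecordingGa() {
  const calls = [];
  const ga = (...args) => { calls.push(args); };
  ga.calls = calls;
  return ga;
}

// Demo: new visitor -> banner shown, only baseline GA queued, nothing gated;
// [accept] -> pixel loads; next page load -> no banner; cleared storage ->
// asked again. Returns the observations so they can be checked.
function demo() {
  const storage = createMemoryStorage();
  const ga = createRecordingGa();
  const config = {
    propertyId: 'UA-XXXXXXX-1', // placeholder, not a real property
    storage, ga, loadScript: () => {},
    gatedScripts: ['https://connect.facebook.net/en_US/fbevents.js'],
  };
  const gate = createConsentGate(config);
  const first = gate.init();
  const gaCallsBeforeAccept = ga.calls.length;
  const loadedBeforeAccept = gate.loadedScripts().length;
  gate.accept();
  const loadedAfterAccept = gate.loadedScripts().length;
  const returning = createConsentGate(config).init();
  storage.clear();
  const afterClear = createConsentGate(config).init();
  return { first, gaCallsBeforeAccept, loadedBeforeAccept, loadedAfterAccept,
           returning, afterClear, gaCalls: ga.calls };
}
```

anonymizeIp and allowAdFeatures are the analytics.js field names; if you use gtag.js the equivalent for the IP is ‘anonymize_ip’: true in the config call. The gate only decides what gets queued; it still relies on the analytics.js snippet having defined window.ga and on nothing else on the page (a theme, a plugin, GTM) emitting its own tracking before init runs.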

How do I enable this ‘explicit consent’ banner?

As of the 17th of May 2018, WordPress has not yet released the updated version (4.9.6) which will have a swathe of changes related to GDPR. I’m hoping/thinking that there will be some sort of privacy banner in there which can help achieve what we’ve talked about above. If not, we’ll recommend a third party plugin and update this page.

Update: I’m not seeing a consent banner in the latest WordPress so it looks like the best candidates are Cookiebot or Cookie Notice.

MonsterInsights

MonsterInsights make a plugin which makes it very easy to embed the Google Analytics tracking code into your website. If you currently use (or can use) this plugin to embed your Google Analytics code, then it will save a lot of heartache with achieving a lot of the steps above, as their recently updated plugin automatically handles things like:

  • anonymising the IP address
  • disabling other personal info which can be passed into GA (there are many ways)
  • integrating seamlessly with a cookie/consent banner (the two mentioned above)

Please read their excellent blog post on the fuller features they have released.

Note: this is not a magic bullet solution for everyone as many of our clients’ sites use Google Tag Manager (GTM). Don’t worry if that doesn’t mean anything to you but, the upshot is, you cannot* use the MonsterInsights plugin if you use GTM.

(*Well, theoretically perhaps you can, but it seems a tad messy and daft to me: you don’t install GTM and then bypass it to add your own tracking scripts to the site, that kind of defeats the purpose. Unless, of course, you are making a temporary exception for Google Analytics because of GDPR.)

I hope that helps and we will be updating this in the next days and weeks.

Joel

p.s. yes, my brain is fried as well.

Key links:
