Be API WordPress agency | News | GDPR | How to set Google Analytics to conform to GDPR?

How to set Google Analytics to conform to GDPR?

Published on

by

Eric de GERMOND

You use Google Analytics (GA) to measure the audience and analyze your website's traffic.

We suggest you do a point to verify your compliance with the GDPR.

We will first deal with how to set GA to conform. In a second step we suggest you to take a look at how to obtain the consent of internet users to the installation of audience measurement cookies.

Let's start from an installation where you have GA (Google Analytics) and GTM (Google Tag Manager). If not, upgrade your installation by setting GTM.

Let's start by setting GA/GTM to conform to GDPR.

GDPR compliance: four main interventions are to be carried out on your website.

1 โ€“ Upgrade ยซ contract ยป your account

By accepting the terms of Google Analytics called ยซ Data Processing Terms ยป then declaring the data controllers.

2 โ€“ Collection of personal data

Minimizing personal data collected as much as possible. The solution we recommend is to anonymize the IP addresses of the collected data.

3 โ€“ Data retention period

Configuring the data retention period to best meet the maximum 13 months recommended by CNIL.

4 - User consent

By making activation of GA functionality conditional on user consent (cookie).

We will not detail the manipulations that must be performed to perform the four operations described above.
However, very comprehensive articles are already available on this subject, here are two that you can consult:

Analysis Training
Google Tag Manager, Google Analytics and GDPR

Confidentiality rules
Google Check-up Privacy

You can also rely on the SEO hub of your web agency.
Home, at Be API, @Bilal SEBAA is your contact person to help you in this process and control the settings you have made on your side.

Once compliant, can GA cookies be installed without the consent of the Internet users?

This is an important question, because by asking the user for consent before installing GA cookies, I take the risk that this internet user will refuse these cookies.. In this case, this Internet user is not measured โ€“ his visit to the site is not taken into account.

According to a study carried out by Ifop for CNIL (source below), the question: ยซ In practice, how do you react when websites you visit request your consent to use your browsing data via cookies?ยซ , 22% of respondents reported a ยซ Refusal ยป to agree.

In some of our clients, the refusal rate found is already significant, the GDPR compliance of the cookie banner has ยซ lowers ยป the audience of their site because of the netizens who escape the hearing.

This rate could increase further, as the CNIL calls for the setting up of a button ยซ Refuse all ยป to simplify the lives of Internet users.

Not to mention the emergence of solutions such as ยซ Ninja Cookies ยป which allow the Internet user to automatically refuse non-essential cookies on your website:

Can't you get more cookies?
Forget them! Ninja Cookie takes care and says ยซ No ยป For you!

What are the conditions for obtaining exemption from consent?

In other words: under what conditions can I tell an Internet user that the site will install cookies WITHOUT NEED TO CONSENT ?

Because yes, it is possible!

Article 5(3) of Directive 2002/58/EC as amended in 2009 lays down the principle of prior consent of the user... unless These actions are strictly necessary for the provision of an online communication service expressly requested by the user or for the sole purpose of enabling or facilitating electronic communication.

The examples traditionally cited are cookies to manage the performance of the site's resources, the language choice cookie, a cookie to control access to the site's contents, a shopping cart cookie for an e-commerce site, etc.

Can the introduction of audience measurement cookies benefit from the consent exemption?

To argue in this sense, the reasoning is quite simple: as an editor, I need to know the number and provenance of internet users coming to my site. In order for the site to be effective, I must also have information about the display format, the browser... So I consider the installation of audience cookies to be ยซ Strictly necessary ยป the fulfilment of my mission and the proper functioning of the site.

Beyond this argument, the conditions to be met are quite precise. They are described on this page of the CNIL website:

Measuring the use of your websites and applications on the CNIL website

Can GA cookies be installed with the exemption of consent?

Well, no. !

The blocking point is related to the fact that CNIL absolutely does not believe in a Google commitment not to reuse ยซ on his account ยป the data that is collected on your site. The consequence is that if this data is recovered by Google it is also transferred outside the European Union, which poses a new problem of compliance with the GDPR.

Proceedings Intervention by Armand Heslot (CNIL) on the occasion of the #Privacy Summit

In conclusion

You must first configure GA/GTM to comply with the GDPR. You can obviously rely on the experts of your web agency to perform these settings.

You need to measure the ยซ loss of hearing ยป which is generated by these changes and explain to those who use these figures how to interpret them.

Finally, some customers preferred to switch from Google Analytics to Matomo to circumvent this issue and benefit from exemption from consent. We can work together on this possibility and evaluate together the +s and the โ€“ if you are interested.

Source: Study carried out by Ifop for CNIL out of 1005 individuals per self-administered questionnaire in December 2019.

Share this article on networks

Do you have a project?

Contact us

Read more API news articles