How does Google Analytics collect network information

Use Google Analytics in compliance with data protection regulations according to GDPR

With Google Analytics you are not allowed to collect all the data that would be technically possible. In Germany and the EU there are laws and rules for the collection of data in electronic media. In particular, Google Analytics was in focus due to its widespread use. With the General Data Protection Regulation (GDPR), a uniform, binding regulation for the entire EU area was introduced in 2018. In this article you will learn how you can use Google Analytics in compliance with data protection regulations.

Excursus: What is the GDPR?

The GDPR regulates the processing of personal data in the European Union, both for private and public operators. In Germany, when it was introduced in 2018, it took over the tasks of the Federal Data Protection Act (BDSG) and the Telemedia Act (TMG). As a regulation, the GDPR is binding law in all EU member states and does not have to be converted into a national law.

With the GDPR, every EU citizen has guaranteed rights over their data:

  • Right to transparent information about the processing of their data
  • Right to information about what data was collected and how it was processed
  • Right to data portability: people can access and transfer all collected data in a machine-readable form
  • Right to rectification when data is incorrect
  • Right to erasure (or: to be forgotten) guarantees the immediate deletion of all data about a person
  • Right to restriction of processing, which can be asserted at any time
  • Right to object if processing is rejected

This results in requirements on the one hand for the features of a tool and on the other hand for the data to be collected. There are two main critical components in tracking:

  • the IP address that is automatically available when data is transferred on the Internet
  • the individual ID that a user receives from Analytics and that is stored in a cookie

For these two data points you have to take some precautions before using Google Analytics.

Use Google Analytics in compliance with data protection regulations

If you have recorded usage data in Google Analytics without first implementing all the requirements, this data is considered to be incorrectly collected under data protection law. In this case, the data may not be used and must be deleted.

Obtain consent

Since the introduction of the GDPR in May 2018, it has become standard to inform new users on their first visit about the analysis tools used and the cookies associated with them. At the beginning, this notice was often not very prominent and was still an opt-out variant. In other words, the user had to explicitly deactivate the tracking using the appropriate configuration options.

In the meantime, the data protection officer has established that tracking can only take place after explicit consent. Simply closing a popup or clicking an OK button is not enough. Ulrich Kelber, currently the Federal Commissioner for Data Protection:

Anyone who integrates offers that legally require consent, such as Google Analytics, must ensure that their website users obtain consent in accordance with data protection regulations. Hopefully everyone should now be aware that this does not work with simple information via so-called cookie banners or pre-activated boxes in declarations of consent. Every website operator should therefore deal with exactly which services are integrated with them and, if necessary, deactivate them until they have ensured that data protection-compliant use can be guaranteed.

When obtaining consent, you should make it clear what you need this consent for, and the consent should be clearly marked. In addition, your users should have the option to reject (or object). Here is an example from the consent management platform Usercentrics.

Consent bar from usercentrics.de

The specific structure of the consent bar is not bindingly regulated, and neither is the reject function mentioned above. Rejection can be offered via an explicit button; some operators choose a link to further settings. On www.volkswagen.de a user can agree or, under View Details, select individual functions or reject them completely.

Example consent bar on volkswagen.de

So you have a certain amount of leeway in designing these banners. It is important that you only start tracking after active consent and not after clicking to the next page or scrolling. You should also continue to offer users who object to tracking access to all functions of your website. You can, however, request an explicit selection in the consent bar before a user can continue surfing on your website. This can be done using overlays, for example, in which the consent query is placed over the entire website and blocks it until the user has selected an option. The lufthansa.de website can only be used after the user has decided for or against cookies and tracking.

Consent overlay on lufthansa.de

In the Lufthansa example you can see another difference from the first bar by Usercentrics: the user can select four categories here: Necessary, Statistics, Comfort and Personalization (strictly speaking, the user can only choose from three categories because necessary cookies are mandatory).

The different cookies and the associated functions and tools have been subdivided; the user can allow or block individual categories of tools. The idea behind this is that some users are willing to allow statistical tools, for example, but do not want personalization for them and thus the approval of the statistics is slightly higher.

The distinction between analysis and marketing cookies is more common than the breakdown shown here. Analysis cookies are created to improve and optimize the website. Marketing cookies, on the other hand, are used to evaluate and control advertising. It is not yet possible to say whether such a selection will significantly change approval.

In the long run, many users will probably experience a learning or dulling effect, as they are confronted with a consent decision on virtually every website. Therefore, you should make the use of your query as clear and simple as possible for the user.

Don't forget apps!

If you offer your users apps, you must also obtain consent for tracking in them. This usually happens through a corresponding popup the first time an app is opened.

Option to object

You have to give the visitors of your website the possibility to object to the tracking, that is, the visitors have to be able to use the website without being tracked by you. With a consent management service or a corresponding plug-in for your CMS, you can offer your users both the information about the use of cookies and the option to object. Most of these tools also offer the option of changing the settings at a later point in time and thus implementing an objection.

There is always the option to activate or deactivate services (Usercentrics)

However, such a tool initially only gives your users the setting options. You have to implement the actual suppression of Google Analytics tracking yourself, in your own code or in Google Tag Manager. The consent tools usually offer a query with which you can check which selection a user has made and then either run the tracking code or not. Depending on which tool or service you choose, you have to look up how these queries work. Given the widespread use of Google Analytics, there will certainly be an example for this case.
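
One way to implement such a query, as an added example that is not part of the original article or of any consent tool's API: the tracking code is only injected after explicit consent and when no objection cookie is set. The cookie name analytics_consent and its value granted are assumptions; the ga-disable- flag and the anonymize_ip parameter are the ones used elsewhere in this article.

```javascript
// Added example: decide whether Google Analytics may load, then load it.
// CONSENT_COOKIE and its value are hypothetical; use your consent tool's query.
const CONSENT_COOKIE = 'analytics_consent';

// Turn a document.cookie string into a plain name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Opt-in: tracking needs explicit consent and no stored objection.
function trackingDecision(cookieString, propertyId) {
  const jar = parseCookies(cookieString);
  if (jar['ga-disable-' + propertyId] === 'true') {
    return { load: false, reason: 'objection' };
  }
  if (jar[CONSENT_COOKIE] !== 'granted') {
    return { load: false, reason: 'no-consent' };
  }
  return { load: true, reason: 'consent' };
}

// Inject gtag.js only after a positive decision; always shorten the IP.
function initAnalytics(win, doc, propertyId) {
  const decision = trackingDecision(doc.cookie, propertyId);
  if (!decision.load) {
    win['ga-disable-' + propertyId] = true; // same switch the opt-out script sets
    return decision;
  }
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' +
    encodeURIComponent(propertyId);
  doc.head.appendChild(script);
  win.dataLayer = win.dataLayer || [];
  win.gtag = function () { win.dataLayer.push(arguments); };
  win.gtag('js', new Date());
  win.gtag('config', propertyId, { anonymize_ip: true });
  return decision;
}

// Runs only in a browser; call it again after the user changes the selection.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  initAnalytics(window, document, 'UA-XXXXXXX-X');
}
```

Because the decision is taken before any script element is created, a visitor who has not yet chosen sends no request to Google at all.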

In addition, you should always offer the option in your data protection declaration to deactivate the tracking of Google Analytics by clicking on a link or button.

1. You give the tracking code the information that it should not record anything. To do this, insert the following JavaScript on all pages of your website in front of the Google Analytics tracking code:

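<script>
  // Enter the UA number of your Analytics property here.
  var gaProperty = 'UA-XXXXXXX-X';
  var disableStr = 'ga-disable-' + gaProperty;

  // Honour an opt-out cookie set on an earlier visit.
  if (document.cookie.indexOf(disableStr + '=true') > -1) {
    window[disableStr] = true;
  }

  // Called from the opt-out link: stores the objection and applies it immediately.
  function gaOptout() {
    document.cookie = disableStr + '=true; expires=Thu, 31 Dec 2099 23:59:59 UTC; path=/';
    window[disableStr] = true;
  }
</script>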

In the gaProperty field, enter the UA number of your Analytics property. The advantage of this variant is that it works in all browsers that support JavaScript, including those on smartphones, for example.

2. You refer to the browser plug-in that Google provides for Firefox, Safari, Opera and Chrome for this purpose. You can find it at https://tools.google.com/dlpage/gaoptout?hl=de. Make sure that the link is actually clickable.

3. You use the Google Tag Manager to generally block the execution of Google Analytics codes if, for example, a certain cookie is present.

In your data protection declaration, explicitly point out the possibility of objection, either via a link or a button. The appropriate link for the example above would be:

<a href="javascript:gaOptout()"> Google Analytics deaktivieren </a>

Data protection

You have to inform your visitors that you are collecting usage data with Google Analytics. This should be done on a separate data protection page. This page must be as easy to find and reach as possible everywhere on your website.

Google makes this a condition in its Terms of Use for Analytics:

You are also obliged to hold an appropriate data protection declaration in prominent places (and to adhere to it). You are obliged to disclose the use of Google Analytics and to specify how data is collected and processed with it. To do this, you can use a clearly visible link to the page »Use of data by Google when you use our partners' websites or apps« (accessible at www.google.com/policies/privacy/partners/ or any other URL that Google names for this purpose). You are obliged to take economically reasonable steps to ensure that a user receives transparent, comprehensive information about the storage of and access to cookies or other information on the user's device and that the user agrees to this, where this takes place in connection with the services and the provision of such information and the obtaining of such consent is provided for by law.

So you have to create a text for it. In the past, Google provided a corresponding text template in its terms of use, but has now discontinued this practice. An explanation should (for analytics) cover at least the following points:

  • Scope of data collection
  • Anonymization of the IP address
  • Storage period
  • Right of withdrawal
  • Notice of the possibility of objection
  • Legal basis

If you use the advertising functions of Google Analytics, you must also point them out. This includes:

You can find various templates on the Internet on the websites of data protection activists or lawyers, which you can often use free of charge. Examples are the Datenschutz-Generator.de of the law firm Dr. Schwenke and the data protection generator from lawyers Wilde Beuger Solmecke on wbs-law.de.

Both generators use selection questions to lead you to an extensive data protection declaration, which not only covers analysis tools, but also many online services such as newsletters, forums, e-commerce or CMS, for which you have to include a note.

Shorten the IP address (anonymize)

In Germany, data protectionists agreed well before the GDPR to classify IP addresses as personal data. This means that all accesses that you can record are relevant under data protection law, because an IP address is always transmitted on the Internet; without it, data transmission does not work. This results in a basic requirement for all web analysis systems: to dispense with the full IP address when collecting data. Literally:

The analysis of usage behavior using complete IP addresses (including geolocation) is therefore only permitted with conscious, unambiguous consent due to the fact that this data can be related to individuals. If there is no such consent, the IP address must be shortened before any evaluation so that it cannot be linked to a person.

Google has introduced a special function for this shortening: anonymizeIp. It must be passed each time the tracking code is loaded so that the IP address is shortened. Unfortunately, it is not automatically added to the tracking code of a new property or to a new tag in the Tag Manager. So when installing a tracking code on a new website, you have to remember to include it yourself.

With the current gtag.js code, enter an additional parameter in the code:

gtag('config', 'UA-6859XXXX-6', {'anonymize_ip': true});

If you still use the code with analytics.js, you have to include the command

ga('set', 'anonymizeIp', true);

A note in the data protection declaration on IP abbreviation is not mandatory, but should also be included for the sake of completeness.
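
What the shortening does to an address, as an added example that is not part of the original article: according to Google's documentation, anonymizeIp sets the last octet of an IPv4 address and the last 80 bits of an IPv6 address to zero. The function names are chosen for this illustration, and IPv4-mapped IPv6 addresses are rejected rather than handled.

```javascript
// Added example: reproduce the truncation that anonymizeIp is documented to apply.

// IPv4: keep the first three octets, zero the last one.
function shortenIPv4(ip) {
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error('not an IPv4 address: ' + ip);
  octets[3] = '0';
  return octets.join('.');
}

// Expand a "::" abbreviation so the address has exactly eight 16-bit groups.
function expandIPv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error('not an IPv6 address: ' + ip);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  const groups = [...head, ...Array(Math.max(fill, 0)).fill('0'), ...tail];
  const ok = groups.length === 8 && (halves.length === 1 || fill >= 1) &&
    groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g));
  if (!ok) throw new Error('not an IPv6 address: ' + ip);
  return groups;
}

// IPv6: keep the first 48 bits (three groups), zero the remaining 80 bits.
function shortenIPv6(ip) {
  const kept = expandIPv6(ip).slice(0, 3);
  return kept.map((g) => parseInt(g, 16).toString(16)).join(':') + '::';
}

function shortenIp(ip) {
  return ip.includes(':') ? shortenIPv6(ip) : shortenIPv4(ip);
}

// Constructed sample addresses from the documentation ranges.
for (const ip of ['203.0.113.77', '2001:db8:85a3:8d3:1319:8a2e:370:7348']) {
  console.log(ip + ' -> ' + shortenIp(ip));
}
```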

Define the retention period for the data

In the property management you can set the time period for which Google stores user and event data that are linked to cookies, user IDs or advertising IDs. Specifically, this means that after the time has elapsed you lose the ability to access individual users, which is necessary, for example, for more complex segmentation. Aggregated data are not affected by this setting, i.e. the normal reports such as pages or sources remain available as usual.

Configure retention periods for user and event data

The default setting is 26 months after the last measured event. Some blog posts recommend a duration of 14 months and turning off the reset. However, there is no really definitive statement.

Contract for order data processing

The supervisory authorities in Germany require the conclusion of an order processing contract when using Google Analytics. In this case, the GDPR has made the whole process easier for once: You no longer have to print out this contract, sign it and have it countersigned by Google, you can do everything digitally.

To do this, go to the account settings of the account. At the end of the page you will find the addition on data processing. Then click on Show addition and agree to it.

Addition to data processing

Name contact person

In the addition on data processing you will also find the link to manage the additions. Click on it and switch to the page Contact persons Marketing Platform Administration. Now create a new entry with the contact details of your data protection officer.

Contact persons in the administration of the Google Marketing Platform

Deletion of legacy data

User data that was recorded even though the data protection requirements were not implemented has been collected illegally and should be deleted. You have two options for this:

  1. In the property management you can find the menu item Deletion requests for data. There you can send a request to Google to delete data from a property for certain periods of time.
  2. You delete the complete data view and / or property that contains this critical data. To do this, go to the settings of the property (or data view) and click on Move to trash.

Conclusion

The use of Google Analytics is viewed critically by many data protection officers in Germany in particular. In the course of time, a number of specifications and requirements have arisen that you have to consider before and during installation. However, if these are implemented and explained, many of the concerns of a data protection officer can often be dispelled.

Markus Vollmert

Markus Vollmert has been involved in online marketing for a long time and is at home with numbers and data. As the founder and managing director of lunapark, he deals with tracking and data for websites and campaigns. Markus is also the author of Google Analytics - The comprehensive manual from Rheinwerk Verlag.
