May 14, 2020 –
Developments like Apple’s updates to the ITP and others — in line with the growing demands for more private browsing experiences — are also cutting short the cookie duration, including the duration of the first-party cookies that Google Analytics sets.
Depending on how you configure and use Google Analytics on your website, you can learn a lot about your users. And so even if your usage doesn’t require you to set up cookie consent walls and banners on your website, you must still explain your cookies and their use in a neat and easy-to-understand cookie policy.
And so these cases fall under the GDPR and need explicit consent. And because the ePrivacy Regulation is meant to “particularise and complement” how the GDPR approaches personal data processing by “translating its principles into specific rules,” the cookie consent rules it proposes applies to websites using Google Analytics cookies in such non-standard implementations.
In addition to these, you’d also be expected to publish an easy-to-understand cookie policy that plainly explains what Google Analytics cookies you use, what data they collect, and how the data gets processed.
Google Analytics is a staple for most optimizers and marketers.
However, the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms that are applied to other collected identifiable information such as IP addresses.
Also, in its Cookie Consent Exemption paper, the Working Party — an independent European advisory body on data protection and privacy constituted by the European Parliament — made a special case for such first party analytics cookies to be exempted under the revised ePrivacy Regulation proposal:
Also, your users should get the option to easily opt out of your Google Analytics cookie tracking.
If you only use Google Analytics as a simple first-party data analytics tool to learn about your website audience in a non-invasive way, you might not need to seek explicit cookie consent. In fact, the European Commission’s ePrivacy Regulation proposal suggests that cookie consent can be exempted when the data tracked is purely for analytical purposes:
Non-Intrusive and Privacy-Friendly Use of Google Analytics
So will the ePrivacy Regulation need every website that uses Google Analytics (and caters to European audiences) to seek explicit cookie consent?
Let’s take a closer look.
But the GDPR was a substantial nudge for testers to scrutinize their Google Analytics data storage and processing.
In case you happen to need cookie consent for your Google Analytics cookie usage, make sure to seek it the right way.
As you can get, post the ePrivacy Regulation, using Google Analytics in more advanced ways will need you to seek explicit consent from your users before installing cookies into their browsers.
As you can tell, such configurations of Google Analytics could use and process some personal user data and also end up sharing it with other service providers.
- Has the right anonymization in place ensuring that the data collected isn’t personally identifiable
- Ensures that no data information about any users is ever passed on to any Google Analytics servers
- Doesn’t share the Google Analytics data with any third-party solution providers
Quite a few marketers use more advanced implementations of Google Analytics. Such a configuration often slices and dices the analytics data in a way that tiptoes the privacy lines that laws like the GDPR draw. For example, if you use your Google Analytics cookies to map the user id that Google Analytics uses for a visitor to your other marketing solutions, then you’d need explicit consent of your visitors before using your cookies. If you’re using the user id feature for cross-device tracking, again, you might have to seek explicit consent.
Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in a an easily visible and intelligible manner.
Using Google Analytics in More Ways Than as a First-party Analytics Tool
At Convert, we take a privacy-first approach to everything we do. We consider the GDPR and the upcoming ePrivacy Regulation that builds on it to be solid initiatives to stop the internet from becoming an “always on” surveillance system — guzzling tons of user data every second, mostly without the users’ (specific, informed, active, and freely given) consent.
Based on the type of browser we are talking about, repeat visitor counts may be significantly impacted.
But that’s not all. The ePrivacy Regulation also wants to encourage privacy by design and default in the web browsers and wants companies that power browsers to help users make better and more informed cookie consent choices via the browser settings itself:
Well, the answer is subjective.
Using Google Analytics Advertising Features, too, will need you to ask for consent from your users before installing your Google Analytics cookies as Google installs additional cookies in this case.
The ePrivacy Regulation and Browsers (and the Impact on Your Google Analytics Cookies and Data)
Originally meant to release on the same day as the GDPR, the ePrivacy Regulation is set to change how cookie consent works. It will redefine how websites seek consent from their users for installing cookies into their browsers. And because web analytics solutions like Google Analytics use cookies to collect, store, and track their analytics data, they naturally fall under its purview.
The ubiquity of this solution makes it innocuous to the point where we tend to overlook the settings of our Google Analytics account when privacy regulations roll out.
“The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent.”
Likewise, if you use third party tracking pixels with your Google Analytics, you’ll have to seek explicit consent in most implementations.
Following from this, you might not necessarily need to add explicit cookie consent banners to your website if your use of Google Analytics is non-intrusive. To qualify for this, among all the other things, your Google Analytics account must be configured in such a way that it:
Wrapping it Up…
And it depends largely on how a Google Analytics account is set up and configured.
We don’t just comply with such laws but also help our customers offer memorable digital experiences while still staying compliant with them. In fact, our A/B testing and experiments solution doesn’t use any personal data in the default setting, operates with first party set cookies and is the only enterprise-level experimentation solution to be designed this way. We’re forever committed to empowering our customers run winning experiments while fully respecting their users’ privacy.
Dubbed as the “cookie provision,” this consent exemption allows webmasters who have configured their Google Analytics in a privacy-friendly way to install their cookies without seeking explicit consent.
And if you think you could cover even your non-standard Google Analytics cookies without consent under the GDPR’s Legitimate Interests provision, check out our detailed take on consent versus legitimate interests.
And now with the ePrivacy Regulation, another layer of consideration – around how to gain visitor consent for the use of the analytics suite – will be added to the plate of optimizers.
