GDPR “Action Required”

Google Analytics users received an email on 04/11/18 with the subject “[Action Required] Important updates on Google Analytics Data Retention and the General Data Protection Regulation (GDPR)” that caused quite a stir. We are getting hammered with questions from our clients as a result – so it’s time to put our suggestions & thoughts in a post.

Regarding the Google Analytics Data Retention Tool

The Google Analytics Data Retention Tool is per-user, and with the default setting the retention period resets on new user activity. With the default 26 month setting, a given user’s data will expire only if they do not visit the site for a little over 2 years. This still allows for clean year-over-year analysis in Google Analytics. Google Analytics audience membership durations already expire after no more than 540 days (18 months), and Google Analytics Client IDs expire after 24 months, so we are telling clients there is no need to adjust this default setting (unless their lawyers think differently – and they trust that their lawyers are issuing a valid legal opinion that is not clouded by a technical misunderstanding).

With the default 26 month setting:  non-aggregated data (data that would be a candidate for sampling) is automatically deleted for a user once they haven’t interacted with the property for 26 months; that clock resets to time zero with each user interaction, and the clock won’t start for any user until 5/25/18; even after a user hasn’t interacted with the property for 26 months, their activity will remain present in aggregate tables (reports that remain un-sampled).

What about my cookie or privacy policy?

An update to your privacy and/or cookie use policy (here’s a link to our privacy policy) related to this matter may be in order before the GDPR 5/25/18 deadline.  Please note we are not lawyers, so we do not offer legal advice, but Google’s EU User Consent Policy has guidance for what to include in your policy page(s).

For US based companies with client websites that are not intended to serve content to EU based users, determining a GDPR compliance posture is not clear cut – so you’ll definitely want to ask your legal team for their take. Some such companies are being conservative and gaining explicit consent regardless of whether or not they have meaningful EU based visitors – others are not.

For our client websites that are intended to serve content to EU based users, we plan to present a Google Tag Manager (GTM) deployed consent request message (via modal overlay) approved by their respective legal team, as well as using GTM to prevent data recording (for all GTM based tags) ahead of the user granting consent. More on that below.

Must I get consent before firing Google Analytics?

Arguably we can fire standard Google Analytics tags without opt-in as long as we don’t use display features, audiences, remarketing, advertising features and/or demographics (referencing https://support.google.com/analytics/answer/2700409?hl=en).  But, don’t forget to address IP anonymization if you don’t have consent before firing that first Google Analytics tag.

With GTM, (thank you Simo) we have a means of only turning on those advertising features if consent is given (e.g., clicking the modal overlay to give consent).

Bottom line is that you’ll need to integrate GTM into your GDPR compliance planning so you don’t fire tags from GTM that require consent before consent is given.  And, you’ll want to obtain compliance in a manner such that you can still record in Google Analytics (fired from GTM) the session referral info, including appended URL parameters, on the landing page.

Should I let users decide which cookies to allow?

Some (maybe much) of your website functionality depends on the presence of cookies. Discerning which of these cookies require GDPR consent is something that needs to be determined cookie by cookie. You also have the challenge of being explicit about these cookies & their use in your privacy / cookie policy page. In theory, you also need to address GDPR compliance of 3rd party functionality on your website (either asking the 3rd party to confirm they are GDPR compliant and/or referencing them in your privacy / cookie policy page and noting their independent responsibility to be GDPR compliant). Again – we are not lawyers, so you’ll definitely want to seek the opinion of your legal counsel in this matter.

It would be a big challenge to give users the ability to allow or disable individual cookies (especially given the integration of cookies into basic website functionality, and given that some cookies are controlled by third parties).

For our clients where all cookie setting tags are injected via Google Tag Manager, we can help gain consent ahead of setting any cookies. But – if you have cookies set outside of GTM – those would need to be addressed with a supplemental solution.

More on our suggested approach to gaining consent

Our suggested approach is to present a translucent layer covering the entire landing page, with a footer or header banner legal disclaimer letting users know if they continue their visit that cookies will be set per the privacy / cookie policy page – with a link to that page. Even though the banner is only in the footer or header, if the user clicks anywhere on the page, the tags that would normally load on the landing page then fire. The user then needs to click again to interact with navigation to go to a different page. We do this so we can record in GA the referral info that led the user to the site. We present this consent request as infrequently as possible (i.e., as long as the consent cookie is still present – we do not have to ask again, but some may decide to do so once a month or so).

In essence, we are advocating an approach that doesn’t require us to try to figure out which cookies we can set right away – and which ones require compliance first. We are getting compliance before we set any cookies – and doing so in a manner that maintains session referral data recording integrity.

There is some debate about whether or not it is GDPR compliant to require users to give consent in general to continue their visit (as opposed to just continuing their visit with no cookies being set) – so you’ll want to discuss that with your legal team as well.

This approach eliminates the need to engage IP anonymization since we aren’t firing any tags at all until the user clicks to give consent.
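A sketch of the consent gate described in this section, added here as an example and not taken from our GTM containers. It assumes consent-dependent tags use a GTM Custom Event trigger on `consent_granted` instead of an All Pages trigger; the cookie name `site_consent`, the event name, `NOTICE_VERSION` and all function names are hypothetical.

```javascript
// Added example. Assumed names (not from the post): cookie "site_consent",
// event "consent_granted", NOTICE_VERSION, and every function name here.
const CONSENT_COOKIE = "site_consent";
const CONSENT_EVENT = "consent_granted";
const NOTICE_VERSION = "notice-v1"; // identifies the legal text that was shown
const MAX_AGE_DAYS = 30;            // re-ask interval chosen for this example

// True when a document.cookie-style string already holds the consent cookie.
function hasConsent(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim().split("="))
    .some(([name, value]) => name === CONSENT_COOKIE && Boolean(value));
}

// Cookie written on consent; the value records notice version and time.
function buildConsentCookie(now) {
  const value = encodeURIComponent(`${NOTICE_VERSION}|${now.toISOString()}`);
  return `${CONSENT_COOKIE}=${value}; Max-Age=${MAX_AGE_DAYS * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Push the one event that tag-manager triggers listen for. It is pushed on
// the landing page itself, so href and referrer still carry the campaign
// parameters and referral source of the session.
function releaseTags(env) {
  if (env.dataLayer.some((entry) => entry.event === CONSENT_EVENT)) return false;
  env.dataLayer.push({ event: CONSENT_EVENT, landingPage: env.href, referrer: env.referrer });
  return true;
}

// Called from the overlay's click handler: store consent, then release tags.
function grantConsent(env, now) {
  env.setCookie(buildConsentCookie(now));
  return releaseTags(env);
}

// Page-load entry point. Returning visitors fire tags at once; new visitors
// get the overlay and nothing reaches dataLayer until they click.
function initConsentGate(env) {
  if (hasConsent(env.cookie)) {
    releaseTags(env);
    return "consented";
  }
  env.showOverlay(() => grantConsent(env, new Date()));
  return "awaiting-consent";
}

// Browser wiring (skipped elsewhere); showOverlay stands in for the real modal.
if (typeof window !== "undefined") {
  window.dataLayer = window.dataLayer || [];
  initConsentGate({
    cookie: document.cookie,
    setCookie: (c) => { document.cookie = c; },
    dataLayer: window.dataLayer,
    href: window.location.href,
    referrer: document.referrer,
    showOverlay: (onClick) => document.addEventListener("click", onClick, { once: true }),
  });
}
```

The `Secure` attribute assumes the site is served over HTTPS. The timestamp and notice version stored in the cookie value can also be sent to a server-side log if a durable record of consent is needed.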

Two more thoughts

If an EU citizen requests the data you’ve been collecting for them, you have to provide it.  This would apply to personal data submitted on a lead form – but it is not clear if it includes Google Analytics data.  Google is working on an admin tool to allow you to purge everything associated with a GA Client ID.

Technically you could decide to only honor the GDPR requirement for users literally visiting from the EU (some confidently propose that a user coming from US soil, whether an EU citizen or not, is under US law, not EU law).  But – if someone physically in the EU is connected to a VPN that hits the internet in the US, they would appear to be coming from the US – but technically GDPR would still apply to their data.

This GDPR article from Moz puts an interesting twist on GDPR considerations for US based companies:

“As long as it’s clear that a company’s goods or services are only available to consumers in the United States (or another country outside the EEA), GDPR does not apply.”

Consider this website – we certainly have a US focus, but we do not specifically preclude serving EEA based customers.  And, we certainly have EEA based users that visit our website.  Ultimately, even if GDPR does not apply to us, Google’s EU user consent policy seems like it does.

For many US based companies like us – especially those that use Google products (Google Analytics, Google Tag Manager, Google Optimize, Google Data Studio, Google Attribution, Google AdWords, DoubleClick, and so on), an important question becomes, “Will Google enforce its EU user consent policy?” And, could violation of Google’s EU user consent policy invoke negative consequences for your digital content akin to websites that still serve URLs with HTTP vs. HTTPS (users seeing that ugly “Not Secure!” warning in Chrome browsers)?

We’ll just have to wait and see…

Important Notes from Google’s EU User Consent Policy

We’d be remiss to not include a link to Google’s EU user consent policy, and some important excerpts.  Here you go!

EU user consent policy

If your agreement with Google incorporates this policy, or you otherwise use a Google product that incorporates this policy, you must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area. If you fail to comply with this policy, we may limit or suspend your use of the Google product and/or terminate your agreement.

Properties under your control

For Google products used on any site, app or other property that is under your control, or that of your affiliate or your client, the following duties apply for end users in the European Economic Area.

You must obtain end users’ legally valid consent to: the use of cookies or other local storage where legally required; and the collection, sharing, and use of personal data for personalization of ads or other services.

When seeking consent you must: retain records of consent given by end users; and provide end users with clear instructions for revocation of consent.

You must clearly identify each party that may collect, receive, or use end users’ personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party’s use of end users’ personal data.

Properties under a third party’s control

If personal data of end users of a third party property is shared with Google due to your use of, or integration with, a Google product, then you must use commercially reasonable efforts to ensure the operator of the third party property complies with the above duties. A third party property is a site, app or other property that is not under your, your affiliate’s or your client’s control and whose operator is not already using a Google product that incorporates this policy.

Help with the EU user consent policy

This page addresses questions you may have about updates we are making to Google’s existing EU User Consent Policy. The new version will go live on May 25, 2018. We will add more content to this page in the weeks leading up to May 25, 2018.

Why does this policy exist and where does it apply?

The policy reflects certain requirements of two European privacy laws: the General Data Protection Regulation (GDPR) and the ePrivacy Directive. The ePrivacy Directive should not be confused with the proposed ePrivacy Regulation, currently under discussion. These laws apply to end users in the European Economic Area (EEA). The EEA comprises the EU Member States and Iceland, Liechtenstein, and Norway.

Do I need to follow this policy for all users if I’m an EEA-based publisher or advertiser?

Google’s EU User Consent Policy applies only to EEA-based end users.

What disclosures to end users do I need to make?

Our policy requires identification of each party that receives end users’ personal data as a consequence of using a Google product. It also requires prominent and easily accessible information about the use of end users’ personal data. We will be publishing updated information before May 25 about Google’s uses of information and we are asking other ad technology providers with which Google’s products integrate to make available information about their own uses of personal data.

What if I don’t want to have end users’ personal data used for personalization of ads?

We will be launching new functionality that allows you to disable personalized ads. Please note that the non-personalized ads that we serve on websites still require cookies to operate.

What instructions do I give to end users for revocation of consent?

The policy requires that end users are told how to revoke consent to ads personalization. At a minimum, end users need to have information sufficient to easily reach their ad controls for your site or app, or the general controls provided by Google or via their device.

Does this policy apply just to ads?

No, this policy applies to the use of any Google products and services on your sites and apps that incorporate this policy. In addition to ads products, this policy is referenced in, for example, the Google Maps APIs Terms of Service and the YouTube API Services Terms of Service.

What types of ads are considered “personalized” for purposes of this policy?

Personalized advertising (formerly known as interest-based advertising) is a powerful tool that improves advertising relevance for users and increases ROI for advertisers. In all our publisher products, we make inferences about a user’s interests based on the sites they visit or the apps they use allowing advertisers to target their campaigns according to these interests, providing an improved experience for users and advertisers alike. You can see our advertiser policies for personalized ads to learn more.

Google considers ads to be personalized when they are based on previously collected or historical data to determine or influence ad selection, including a user’s previous search queries, activity, visits to sites or apps, demographic information, or location. Specifically, this would include, for example: demographic targeting, interest category targeting, remarketing, targeting Customer Match lists, targeting audience lists uploaded in DoubleClick Bid Manager or Campaign Manager.

What types of ads are considered “non-personalized” in this policy?

Non-Personalized ads will use only contextual information, including coarse general (city-level) location, and content on the current site or app; targeting is not based on the profile or past behavior of a user.

Why does the policy require consent for cookies, even if used for purposes other than personalization, such as ads measurement?

Cookies or mobile identifiers are used to support personalized and non-personalized ads served by Google to combat fraud and abuse, frequency capping, and aggregated ad reporting. Our policy also requires consent to the use of cookies or mobile identifiers for users in countries in which the EU ePrivacy Directive’s cookie provisions apply. We understand that regulatory guidance on ePrivacy laws is not consistent across Europe, which is why our policy calls for consent to cookies or mobile identifiers “where legally required.”

What if I’m an advertiser using Google’s products on my site?

If you use tags for advertising products like AdWords or DoubleClick Campaign Manager on your pages, you’ll need to obtain consent from your EEA users to comply with Google’s user consent policy. Our policy requires consent for cookies that are used for measurement purposes and consent for the use of personal data for personalised ads — for instance if you have remarketing tags on your pages.

What should I say in my consent notice?

While the text of your consent notice will depend on the choices you wish to present to your users and your other uses of data (e.g. for your own purposes, or to support other services that you work with), we provide a suggested notice that might be appropriate at CookieChoices.org, a site run by Google.

What choices do I need to present to my users?

Google’s policy does not dictate the choices that should be offered to users. Some publishers may want to present a choice between personalized and non-personalized ads; others may wish to present different choices to their users.

What if I’m writing a consent notice for an app?

Mobile apps generally don’t use cookies. Google’s DFP and AdMob products support in-app advertising using dedicated advertising IDs that are made available by the Android and iOS operating systems. Therefore, you might want your notice to say that you use “an identifier on your device” rather than cookies. This will help you to meet the requirements of Google’s policy where it refers to seeking consent for the use of “other local storage”.

Where can I get a consent solution?

There are features in AdMob and AMP that can be used to build a consent solution. We are also developing a consent solution for DFP and AdSense that will become available more widely soon. However, you may prefer to build your own consent solution or use another vendor’s solution. Cookiechoices.org lists some vendors that offer solutions that we believe can be used to build a consent solution that will meet the requirements of Google’s policy.

If you’re using products like Google AdSense or DFP on your site, you’ll need to take steps to integrate your preferred solution with the advertising tags on your pages to make sure your users’ preferences are respected. Each vendor offers instructions or support services for doing this. If you don’t follow these steps for all the tags on your pages, you risk misleading your users: they will think they’re switching off advertising cookies when in fact advertising cookies will still be used. Therefore, test carefully any implementation of these tools on your own site.

What other parties collect end users’ personal data, and how should I identify these third parties?

Many advertisers and publishers using Google’s advertising systems use third parties to serve ads and measure the efficacy of their ad campaigns on websites and in apps. The policy requires you to clearly identify each party, in addition to Google, that may collect, receive, and/or use end users’ personal data as a result of your use of Google products. New controls in AdSense, DFP, AdX and AdMob will be available in advance of May 25, 2018 to allow you to choose the vendors permitted to collect data on your site or app.

My site is not based in Europe. Does this policy apply to me?

Yes, if you use Google products that incorporate the policy and have users in the EEA that can access your services.

How do I build a consent mechanism?

If you’re not sure where to start, take a look at cookiechoices.org. It offers resources for putting in place consent mechanisms on websites and apps.

Our organization has a different view of the law, and would like to apply a different approach to disclosure and consent. Can we do that?

Google is committed to complying with the GDPR across all of the services we provide in Europe. The changes to our EU User Consent Policy reflect that commitment and guidance from EU data protection authorities. We do however want to work with publishers and partners in the broader industry to support them through these changes. We will continue to evaluate the law and industry practice, and update our recommendations and requirements accordingly.

Why do we need consent to ads measurement — isn’t that legitimate interests?

Google uses cookies or mobile ad identifiers to support ads measurement. Existing ePrivacy laws require consent for such uses, for users in countries where local law requires such consent. Accordingly, our policy requires consent for ads personalization and ads measurement where applicable, even if ads measurement can, for GDPR purposes, be supported under a controller’s legitimate interest.

Do I need the consent before the tags fire or can the consent come afterwards?

Where consent is required, consent should be obtained before Google’s tags are fired on your pages.

What about using click trackers?

Where advertisers choose to use third-party click-tracking technologies (i.e., where an ad click directs the user’s browser to a third-party measurement vendor en route to the advertiser’s landing page), they must do so in compliance with applicable law. Google’s vendor controls for publishers are not designed to cover click-tracking technologies.

What records do I need to keep?

Our policy requires that customers retain records of consent. At a minimum, these should include the text and choices presented to users as part of a consent mechanism and a record of the date and time of the user’s affirmative consent.

 
