Please note that we are not able to advise on the legal implications of GDPR. None of our suggestions below constitute legal advice, and we suggest you seek legal advice before making any changes.

You may have seen recent communications from Google regarding data retention in Google Analytics. If you log in to your account, you may see a message like the below:

If you have appropriate permissions in your Analytics account you will also see a setting change as below:

Google has not been particularly clear about which data is “at risk”. However, our understanding is that data older than 26 months that is potentially at risk of deletion includes:

  • Any custom configuration of Analytics that stores additional data
  • Event data
  • Segmented data

Do I need to change my Google Analytics settings?

The short answer is "probably".

Our layman’s view is that:

  • Your Google Analytics reporting, in and of itself, may not fit the definition of personal data under GDPR. It is even against Google Analytics’ policies to store personal data in the system
  • If you combine Google Analytics data with other sources that include personal information, then your use of Google Analytics may be subject to GDPR
  • If you are not storing personal information in Analytics, you should strongly consider disabling the deletion of historic data by choosing “Do not automatically expire” in the option shown above

If you are uncertain as to exactly what is stored, or whether your reporting will be affected, then be aware that you could lose data if you do not change this setting prior to May 25th.

Do I need to change how I handle cookies?

The short answer is "you probably don't". This is because most of the regulations about cookies were defined in the EU "cookie law", not in GDPR. You are likely to have made changes related to cookies at that time (noting that there is a proposed change to the ePrivacy directive).

Aside from this option, there has been much discussion of cookies, as they may - or may not - apply to GDPR. There have been some suggestions that you must allow users to click “accept” before setting any cookies. Note that if this is the case, you will inevitably lose a large amount of Analytics data.

As far as we are aware, cookies are not dealt with in GDPR, other than in one statement:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

So, cookies are of concern only to the extent to which they, “when combined with” other information, could identify an individual. Then, the cookies themselves could be perceived as holding personal data.

This also applies to IP addresses, which theoretically map to a person if a court order requires an ISP to hand over their subscriber information.

Note that Google Analytics stores IP addresses, and it is likely a good idea to enable their option to “anonymise” this data, which is explained at https://support.google.com/analytics/answer/2763052?hl=en.

Our understanding of cookies as they apply to the EU privacy directive and to GDPR is that:

  • Cookies are irrelevant to GDPR unless they could be mapped with other information to identify an actual individual
  • Consent requirements are based on the EU ePrivacy directive and are not changing in any fundamental way with GDPR
  • Some cookies are irrelevant to the EU cookie law (and GDPR)

See below for examples of cookies that are “clearly exempt” from the EU cookie law, and, thus, are likely to have no bearing on GDPR whatsoever:

http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm#section_2

Our understanding is that cookie requirements are more about the EU ePrivacy directive (the “cookie law”) than GDPR. This allows for “essential” cookies without any need for consent (with an assumption that such cookies are not stored for a long period). That would be anything required to make your site work (e.g. remembering preferences). We are not aware of anything in the EU “cookie law” or in GDPR which suggests that “functional” cookies have anything whatsoever to do with user privacy or data protection. Indeed, the idea makes little sense. If you store a cookie with the values “currency = GBP” or “javascript = enabled”, it seems difficult to see a reasonable way that could be regarded as personal information.

Then there are cookies for your own tracking, which may or may not require explicit consent. Our view is that in most cases they do not, since aggregate usage is not personal information at all and it would be impossible for most tracking to map back to an individual.

Finally, there are cookies from companies like Google and Facebook intended to track you across the web (likely the real target of cookie legislation), which should require explicit consent, since those companies can readily map this information to names, addresses, etc.

Control of cookies is always in the browser. Zealous cookie/GDPR readings suggest that you should not set cookies (since it’s your site that does this and could theoretically not do so) before consent. Per-site cookie control is possible in most browsers, but you would need to write/maintain instructions for each of them.

A broader question is the extent to which Google Analytics and similar systems are tracking personal information by default. A zealous reading could suggest that they are (since theoretically Google could identify an individual). However, if you take this reading, then basically you won’t have working analytics at all. You would need to prompt before tracking Google Analytics info, which means the overwhelming majority of it would be lost (most would not hit the consent button unless forced to). You would also need to write additional code to only start tracking as soon as someone consented.

As with the EU cookie law, it seems that web users are "caught in the middle" of these policies, and are likely to continue to be presented with additional confusing options, and with little knowledge of what things like "cookies" actually are.