Google Analytics and GDPR: Do I Need User Consent?
After posting how to quickly check cookies for GDPR compliance , the most debated issue was the need to obtain user consent when using Google Analytics.
In this article we will get acquainted with the positions of some European regulators (DPA) and try to clarify the situation.
Using Google Analytics involves the installation of tracking cookies, and this, in accordance with the general provisions of the GDPR and ePrivacy, already requires the prior consent of the user.
However, there is an opinion that when using anonymization from Google, which hides the last octet of the users IP address, analytics can still be used without obtaining permission. This position is based on the inapplicability of GDPR to anonymized data. The only question is whether the mask / 24 is the criterion for such anonymization.
Most supervisors do not provide any specific recommendations for using Google Analytics. But there are some exceptions.
Last year, the Dutch DPA published detailed instructions on how to use analytics from Google without the need for user consent.
According to the document, the site owner must accept the agreement (amendment) on the processing of Google data as a processor, enable anonymization of the user's IP address, disable the exchange of data with Google and the collection of data for advertising. However, you still need to inform the site visitor about the use of Google Analytics. It is also recommended that you configure the option to opt out of the analytics tool.
This year, the leadership of the supervisory authorities was presented, which defines the requirements for obtaining consent. Later, the State Commissioner for Data Protection and Freedom of Information of the State of Baden-Württemberg, responding to frequently asked questions , noted that analytics systems can be used without user consent only if they are not tools of third parties - such as Google Analytics.
As an alternative, it is proposed to analyze your own logs or install an analytics system locally.
The sufficiently active DPA Misty Albion, called ICO, could not find any instructions for using Google Analytics. However, the official website currently has Google’s analytics code, which in some ways can be considered an exemplary way of using it.
Using Google Analytics, the ICO claims to process user data anonymously. In this case, the corresponding cookies are set only after the user gives his active consent by clicking on the special switch.
There is a mixed approach to the requirements for using Google Analytics. Most EU supervisors have recently adhered to a general rule that requires consent. Although, as you can see, for an exclusively Dutch audience anonymization and a simple notification about the use of Google Analytics will obviously be enough.
In the end, the site administrator must independently study the geography of his users and decide on the use of the consent banner. In any controversial situation, it is no doubt correct to put a banner. There are enough ready-made solutions on the net for this: an example for Google Analytics .
As for fines for the lack of consent, information in the media, fortunately, was not found. There is news related to reputational risks due to tracking users without permission and a separate case of a civil dispute.
In this article we will get acquainted with the positions of some European regulators (DPA) and try to clarify the situation.
Using Google Analytics involves the installation of tracking cookies, and this, in accordance with the general provisions of the GDPR and ePrivacy, already requires the prior consent of the user.
However, there is an opinion that when using anonymization from Google, which hides the last octet of the users IP address, analytics can still be used without obtaining permission. This position is based on the inapplicability of GDPR to anonymized data. The only question is whether the mask / 24 is the criterion for such anonymization.
Most supervisors do not provide any specific recommendations for using Google Analytics. But there are some exceptions.
Netherlands
Last year, the Dutch DPA published detailed instructions on how to use analytics from Google without the need for user consent.
According to the document, the site owner must accept the agreement (amendment) on the processing of Google data as a processor, enable anonymization of the user's IP address, disable the exchange of data with Google and the collection of data for advertising. However, you still need to inform the site visitor about the use of Google Analytics. It is also recommended that you configure the option to opt out of the analytics tool.
Germany
This year, the leadership of the supervisory authorities was presented, which defines the requirements for obtaining consent. Later, the State Commissioner for Data Protection and Freedom of Information of the State of Baden-Württemberg, responding to frequently asked questions , noted that analytics systems can be used without user consent only if they are not tools of third parties - such as Google Analytics.
As an alternative, it is proposed to analyze your own logs or install an analytics system locally.
United Kingdom
The sufficiently active DPA Misty Albion, called ICO, could not find any instructions for using Google Analytics. However, the official website currently has Google’s analytics code, which in some ways can be considered an exemplary way of using it.
Using Google Analytics, the ICO claims to process user data anonymously. In this case, the corresponding cookies are set only after the user gives his active consent by clicking on the special switch.
Output
There is a mixed approach to the requirements for using Google Analytics. Most EU supervisors have recently adhered to a general rule that requires consent. Although, as you can see, for an exclusively Dutch audience anonymization and a simple notification about the use of Google Analytics will obviously be enough.
In the end, the site administrator must independently study the geography of his users and decide on the use of the consent banner. In any controversial situation, it is no doubt correct to put a banner. There are enough ready-made solutions on the net for this: an example for Google Analytics .
As for fines for the lack of consent, information in the media, fortunately, was not found. There is news related to reputational risks due to tracking users without permission and a separate case of a civil dispute.
All Articles