In light of the EU’s GDPR and its recent amendments, Google Analytics (GA) has had to adapt its services to ensure continued compliance. Analytics has always been a touchy area when it comes to data privacy since the data collected is often unique personal information.

GA is one of the web’s most popular analytics tools. Therefore, it’s vital for all merchants to use GA cookies properly. Below we’ve listed some suggestions to help you reach full compliance without sacrificing the benefits the GA suite brings.

Below are the most common types of data collected by GA cookies:

  • Browser and device information
  • Session statistics
  • Approximate geolocation
  • Unique advertising identifiers

» Do non-EU e-commerce stores have to be GDPR compliant? Discover when GDPR applies to US e-commerce stores

Develop a Clear & Comprehensive Privacy Policy

The first step of any compliance effort is to develop a privacy policy that sets out everything your website does to collect, process, and share user data. Cookies are a big part of this process, and GDPR requires you to list and explain what each cookie you use does, including the GA cookies.

A guide on how to develop effective e-commerce privacy policies is a great place to start. You can use sample privacy policies as well as privacy policy generators to help you start this process. If you’re uncertain, ask a legal expert to help you. Taking a look at competitors’ or partners’ policies to check if you’ve covered everything will also help.

» Are privacy policies and cookie policies the same? Compare the difference between cookie and privacy policies

Because GA cookies are third-party and non-essential, a website must first receive a user’s consent before using them. The easiest way to do that is to have a cookie consent banner that informs the users of cookie use and requests consent.

A cookie notification must fulfill the GDPR cookie consent banner requirements and contain the following elements:

  • Present clear cookie information
  • Link to privacy and cookie policies
  • Offer consent options to opt in or out, with an optional cookie dashboard

» What does cookie non-compliance mean? Read up on the importance of cookie compliance for e-commerce

While consent is usually obtained through the cookie banner, it’s important to ensure that this consent is received before any of the GA cookies requiring consent are used. Just a notification of their use is not enough, since the user’s data and privacy are considered sensitive, and any pre-consent data collection will result in non-compliance.

» Are there cookies that don’t require consent? Find out which cookies are considered strictly necessary

Enable IP Anonymization

IP addresses are like the addresses of the internet, almost as sensitive as a person’s real address. Collecting anonymized IP addresses is a good practice and won’t affect metrics and data collection much. IP anonymization involves just collecting a portion of an IP address (162.254.xxx.xxx instead of the whole 162.254.206.227), and GA can be set to do this with its “IP masking” feature.

Develop an Opt In/Out Functionality

GA cookies should be disabled by default and should remain off if the user opts out of their use. Websites often assume that users will blindly select “Accept” or “Opt In”, but they should always keep blocking all non-essential cookies if the user chooses to opt out. While this can be done on a website level using GA integration settings and other tools, individual users can also universally opt out of all GA cookies.
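The two requirements above (no GA cookies before consent, and GA staying off after an opt-out) can be enforced in the page itself. The sketch below is an added example, not code from the original article or from Google. It assumes the gtag.js consent calls and the `ga-disable-<ID>` opt-out flag; `GA_ID` is a placeholder, and `CONSENT_KEY` and `createGaConsentGate` are hypothetical names.

```javascript
// Added example. GA_ID is a placeholder; CONSENT_KEY and createGaConsentGate
// are hypothetical names, not part of Google's API.
const GA_ID = "GA_MEASUREMENT_ID";
const CONSENT_KEY = "ga_consent";

function createGaConsentGate(win, store) {
  let scriptRequested = false;
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); }

  // Before any choice: storage denied and the GA opt-out flag set.
  gtag("consent", "default", { analytics_storage: "denied", ad_storage: "denied" });
  win["ga-disable-" + GA_ID] = true;

  function loadGa() {
    if (scriptRequested) return; // never inject the tag twice
    const s = win.document.createElement("script");
    s.async = true;
    s.src = "https://www.googletagmanager.com/gtag/js?id=" + GA_ID;
    win.document.head.appendChild(s);
    gtag("js", new Date());
    // anonymize_ip is the Universal Analytics gtag.js IP masking setting.
    gtag("config", GA_ID, { anonymize_ip: true });
    scriptRequested = true;
  }

  function apply(choice) {
    const granted = choice === "granted"; // anything else counts as opt-out
    store.setItem(CONSENT_KEY, granted ? "granted" : "denied");
    win["ga-disable-" + GA_ID] = !granted;
    gtag("consent", "update", { analytics_storage: granted ? "granted" : "denied" });
    if (granted) loadGa();
    return { granted, scriptRequested };
  }

  // Returning visitor: honour the stored choice; no stored choice means no GA.
  if (store.getItem(CONSENT_KEY) === "granted") apply("granted");
  return { apply, isScriptRequested: () => scriptRequested };
}

// In a browser, wire apply("granted") / apply("denied") to the banner buttons.
if (typeof window !== "undefined") {
  window.gaConsentGate = createGaConsentGate(window, window.localStorage);
}
```

The GA script tag is only injected inside `apply("granted")`, so a visitor who ignores or dismisses the banner never triggers a request to Google.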

Set Data Deletion Parameters

As part of GDPR, every person must have the option of viewing and deleting information collected about them. GA lets you export all information about a specific user. You should enable the “restricted_data_processing” parameter in your global site tag in GA settings for all users from the EU, California, and any other jurisdictions with strict data privacy regulations. GA has a default time limit for deleting data (known as the data retention time limit). It can be updated as below:

  1. Sign in to Google Analytics.
  2. Click Admin and navigate to the property you want to edit.
  3. In the Property column, click Tracking Info (for web properties) or Data Settings (for GA4) and then Data Retention.
  4. Under User and event data retention select the retention period you want.
  5. Click Save.

Audit Your Data & Pseudonymous Identifiers for PII

Finally, you should audit your entire GA setup for any collection of personally identifiable information (PII). Google generally does a good job of assisting websites to comply with data regulations, but it’s still a good idea to go through all its settings and your website to ensure everything is compliant. Pay special attention to anything that collects PII and identify ways to anonymize the information.

» Which website cookies should you watch out for? Discover the types of website cookies you should know about

Conclusion

Recent updates in data privacy have caused Google to focus more on aggregated data collection, with a better balance of user privacy and measurement performance. Take note of each of the above suggestions so that you can keep your users safe and avoid any regulation violations.

» Worried about maintaining GDPR compliance? Partner with PieEye for the perfect solution

About the Author: Marc Parrish

Marc Parrish, Founder and CEO of PieEye INC., is a seasoned marketing expert with a rich history in the industry. Holding an MBA from UCLA and a background in Mechanical Engineering from the University of Michigan, Marc's expertise spans interactive marketing to product marketing. Based in San Francisco, his insights into the digital transformation of the U.S. retail sector are deeply informed by his vast experience and passion for various social causes.
