What Are the Compliance Aspects of GDPR?

With all the new changes to Google Analytics, it is important to understand the compliance aspects of GDPR, and here is why.

Video transcript:

Bryan: Question time already. I’m sorry if I’m going ahead.

David: No, go ahead.

Bryan: With the conversation that you had about GDPR, I haven’t really read the law, but isn’t the gist of it that it basically gives the impression that you, as an individual, would have more control of the data that you share to the company or on the internet. Right?

David: Yeah. So, first of all, I’m really surprised you’ve not read the law.

Dave: Come on, Bryan.

Tricia: Me too.

David: And second of all, full disclosure, this answer implies that I have not read the law, but my understanding is you’re half right.

Bryan: Yeah. It’s like, to add to my first idea here. The idea is that if you want to have your data deleted from a website, then you can do so with GDPR, right?

David: That is one aspect of GDPR. There are other aspects that have to be complied with to comply with GDPR besides that.

Bryan: Yeah. So, my question then would be, the data generated by analytics is basically anonymous. So, if someone wants to have their data deleted from Google Analytics, how would GDPR come into play? Like, that’s very interesting. Right?

David: Right. Because it’s against Google Analytics Terms of Service to have personally identifiable information in it. So, at one point a few years ago, not with Universal Analytics, but the version before, what we’d often do is we’d send, for instance, if someone submitted a form, we’d send that email address into Google Analytics. And then we could see things like the keyword, when Google Analytics still gave us the keyword, in how they convert it. Like it was great, but that became a breach of the TOS for Google Analytics when they tried to anonymize everything there. I don’t know if you have to be able to remove your client if someone requests data deletion as part of GDPR or if you have to lead them from Google Analytics. And I don’t know if you could or if you’d need to because it is anonymized. However, this might be a problem because it’s anonymized for us, but Google knows, right?

Bryan: Right.

David: Google Analytics documentation says they set an ID number when you visit a website. And when you come back, it knows it’s you and that it calculates you as a returning visitor.

Bryan: Right.

David: I might say, oh, this ID has come back. Now, we can’t associate that ID number with a person, but Google can.

Bryan: Right.

David: And that’s not the reason why “Google Analytics is illegal.” From what I understand, the “Google Analytics is illegal” in Europe argument has to do with where the data is stored and the fact that American privacy laws don’t really protect consumer privacy because American intelligence can get into that. And so, that’s why “Google Analytics is illegal” in Europe. So, it’s Austria, Italy, and I think the Netherlands, which are the three European countries that have decided that Google Analytics is illegal, and you can’t opt into Google Analytics to comply. So, you can’t even use Google Analytics in those countries if you want to obey the law.

Bryan: Ouch. How do you measure data, then?

David: Well, you can’t use Google Analytics; you have to use another system. So, now Google is working on a solution. Frankly, Google has a lot of financial interest involved in finding a solution to compromise with this. And as Tricia was saying a moment ago, GA4 does have some degree to which you can allow data to be processed in the European Union. For instance, if you are a European Union resident, my understanding is that’s not all that Google Analytics has to do to comply, but, again, I’m not a lawyer. So, take all this advice for what it’s worth, which is probably not a lot.

