What Is The GDPR?
The GDPR is a European privacy regulation to give people control over the collection and use of their personal data, like phone number, address, email, and phone GPS location. Corporations that fail to comply with GDPR risk a fine of 4% or 20 million Euro (whichever is higher).
GDPR seeks to allow people more control over their personal data by enforcing regulations that give internet users the following rights:
- The right to be forgotten and have your data deleted on your request
- The right to see or change (rectify) your data
- The right to be notified when a company leaks your data
- The right to object to certain processing of your data
- The right to request your data as something that can be read on a machine/computer, like a .csv file, .xml file, or .json file
With GDPR, anything that is personally identifiable, meaning that it leads back to a specific person, is considered that person’s “data” – like an email address, date of birth, phone number, username, or GPS location. With GDPR in place, website users must give express consent allowing companies to collect and use their personal data; this means users have to agree that they are okay with a company’s privacy statement every time they land on a website that collects information.
With this new data protection regulation, it is important for businesses to keep customers’ personally-identifiable customer data tightly under control and cleanse it from their system after a certain time period.
Does The GDPR Apply To You?
On May 25, 2018, the new data protection law known as GDPR officially went into effect. For many companies, especially those in the United States and other countries outside of Europe, GDPR is still confusing territory, but here’s what you need to know:
- If you’re offering of goods or services to users in the EU, irrespective of whether a payment is required, it applies to you
- If you’re monitoring user behavior that takes place in the EU, it applies to you
Even if you don’t do business in the EU, if users from the EU are able to visit your website and you have Google Analytics installed, you’re at risk of monitoring European user behavior and therefore becoming subject to the rules of the GDPR.
Usage Of Google Analytics Under GDPR
Under the GDPR, if your website uses Google Analytics, then Google is your data processor. With Google as your Data Processor, they have obligations to conform to the EU GDPR by making sure that Google Analytics account owners avoid sending any Personally Identifiable Information (PII). This includes URL Path and parameter URLs that contain PII, personal information entered by website users on lead forms, uploaded/imported data from external sources, and fine-grained location information like zip codes.
We recommend reading the GDPR and ensure that your use of Google Analytics (and any platform for that matter) comply.
- Ensure you’ve read Google’s Privacy & Compliance terms.
- Ensure you’re aware of all Google services that process data, and that you’ve complied with their data processing terms.
- If you use Google Analytics, please review the data retention controls that allow you to manage how long your user and event data is held on Google’s servers. As of May 25, 2018, Google will process data deletions based on these settings.
- Although IP address is never shown in Google Analytics reports, Google does use it to provide geo-location data. It is recommended to turn on the IP Anonymization feature in GA, which requires a small code change to enable.