GDPR and Google Analytics

Enforcement of the European Union’s General Data Protection Regulation is coming very, very soon. Look busy. This regulation is not limited to companies based in the EU—it applies to any service anywhere in the world that can be used by citizens of the EU.

It’s less about data protection and more like a user’s bill of rights. That’s good. Cennydd has written a techie’s rough guide to GDPR.

The Open Data Institute’s Jeni Tennison wrote down her thoughts on how it could change data portability in particular. While she welcomes GDPR, she has some misgivings.

Blaine—who really needs to get a blog—shared his concerns in the form of the online equivalent of interpretive dance …a twitter thread (it’s called a thread because it inevitably gets all tangled, and it’s easy to break.)

The interesting thing about the so-called “cookie law” is that it makes no mention of cookies whatsoever. It doesn’t list any specific technology. Instead it states that any means of tracking or identifying users across websites requires disclosure. So if you’re setting a cookie just to manage state—so that users can log in, or keep items in a shopping basket—the legislation doesn’t apply. But as soon as your site allows a third party to set a cookie, it’s banner time.

Google Analytics is a classic example of a third-party service that uses cookies to track people across domains. That’s pretty much why it exists. We, as site owners, get to use this incredibly powerful tool, and all we have to do in return is add one little snippet of JavaScript to our pages. In doing so, we’re allowing a third party to read or write a cookie from their domain.

Before Google Analytics, Google—the search engine business—was able to identify and track what users were searching for, and which search results they clicked on. But as soon as the user left google.com, the trail went cold. By creating an enormously useful analytics product that only required site owners to add a single line of JavaScript, Google—the online advertising business—gained the ability to keep track of users across most of the web, whether they were on a site owned by Google or not.

Under the old “cookie law”, using a third-party cookie-setting service like that meant you had to inform any of your users who were citizens of the EU. With GDPR, that changes. Now you have to get consent. A dismissible little overlay isn’t going to cut it any more. Implied consent isn’t enough.

Now this situation raises an interesting question. Who’s responsible for getting consent? Is it the site owner or the third party whose script is the conduit for the tracking?

In the first scenario, you’d need to wait for an explicit agreement from a visitor to your site before triggering the Google Analytics functionality. Suddenly it’s not as simple as adding a single line of JavaScript to your site.

In the second scenario, you don’t do anything differently than before—you just add that single line of JavaScript. But now that script would need to launch the interface for getting consent before doing any tracking. Google Analytics would go from being something invisible to something that directly impacts the user experience of your site.
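The first scenario above, in which the site owner waits for explicit agreement before loading the third-party script, might look like this. It is an added example, not code from the original post or from Google; the script URL, the storage key and the element ids are placeholders.

```javascript
// Added example: hold back a third-party analytics script until explicit consent.
// ANALYTICS_SRC, CONSENT_KEY and the element ids are placeholders (assumptions).
const ANALYTICS_SRC = "https://analytics.example/tracker.js";
const CONSENT_KEY = "analytics-consent";
// doc and storage are passed in so the gate can be exercised outside a browser.
function createConsentGate(doc, storage) {
  let injected = false;
  function inject() {
    if (injected) return; // never add the script twice
    const script = doc.createElement("script");
    script.src = ANALYTICS_SRC;
    script.async = true;
    doc.head.appendChild(script);
    injected = true;
  }

  return {
    // Run on every page load. Only a stored, explicit "granted" loads the script;
    // no stored answer and "denied" both leave the page free of the third party.
    init() {
      if (storage.getItem(CONSENT_KEY) === "granted") inject();
      return injected;
    },
    // True when the visitor has never answered, so the prompt should be shown.
    needsPrompt() {
      return storage.getItem(CONSENT_KEY) === null;
    },
    // Wire to the "I agree" control only. Closing or ignoring the prompt
    // must not end up here: that would be implied consent.
    grant() {
      storage.setItem(CONSENT_KEY, "granted");
      inject();
    },
    // Refusal or later withdrawal. A script already running on this page
    // cannot be unloaded, so this takes effect from the next page load.
    deny() {
      storage.setItem(CONSENT_KEY, "denied");
    },
  };
}

// Browser wiring, skipped when there is no DOM.
if (typeof document !== "undefined") {
  const gate = createConsentGate(document, localStorage);
  gate.init();
  document.getElementById("consent-prompt").hidden = !gate.needsPrompt();
  document.getElementById("consent-yes").onclick = () => gate.grant();
  document.getElementById("consent-no").onclick = () => gate.deny();
}
```

The consent record itself lives in first-party storage and only manages state, so it is the kind of storage the post says needs no banner.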

I’m just using Google Analytics as an example here because it’s so widespread. This also applies to third-party sharing buttons—Twitter, Facebook, etc.—and of course, advertising.

In the case of advertising, it gets even thornier because quite often, the site owner has no idea which third party is about to do the tracking. Many, many sites use intermediary services (y’know, ‘cause bloated ad scripts aren’t slowing down sites enough so let’s throw some just-in-time bidding into the mix too). You could get consent for the intermediary service, but not for the final advert—neither you nor your site’s user would have any idea what they were consenting to.

Interesting times. One way or another, a massive amount of the web—every website using Google Analytics, embedded YouTube videos, Facebook comments, embedded tweets, or third-party advertisements—will be liable under GDPR.

It’s almost as if the ubiquitous surveillance of people’s every move on the web wasn’t a very good idea in the first place.


Responses

john holt ripley

“Under the old “cookie law”, using a third-party cookie-setting service like that meant you had to inform any of your users. With GDPR, that changes. A dismissible little overlay isn’t going to cut it any more. Implied consent isn’t enough.” adactio.com/journal/13364

Martin D Marriott

GDPR and Google Analytics - “…now the script would need to launch the interface for getting consent before doing any tracking. Google Analytics would go from being something invisible to directly impacting the user experience” adactio.com/journal/13364 @adactio

caztcha

A piece about the EU General Data Protection Regulation (GDPR) and cookies. Who is responsible for obtaining users’ consent: the site owner or Google? >> Adactio: Journal—GDPR and Google Analytics adactio.com/journal/13364

# Posted by caztcha on Tuesday, January 30th, 2018 at 3:04am

cn

@jeremycherfas humanity the only species to wrap itself in red tape?

# Posted by cn on Tuesday, January 30th, 2018 at 8:49am

jeremycherfas

@cn Given half a chance many birds and all housemice will gladly furnish their nests with the stuff. (The ex-husband of a lawyer speaks.)

cn

@jeremycherfas at least they’ve got a good reason to…

# Posted by cn on Tuesday, January 30th, 2018 at 12:56pm

getify

the great @adactio calls out a huge issue we should all be thinking a lot more about: adactio.com/journal/13364 the coming apocalypse of the battle against unwanted web tracking. chilling.

# Posted by getify on Wednesday, January 31st, 2018 at 5:57am

Mike - eCommerce PM

If IP ranges and cookies are “user data” then Google Analytics and all other pixels must have consent. The future - giant popups on websites “ARE YOU AN EU CITIZEN? YES OR NO? IF YES, READ THIS 100 PAGE PRIVACY POLICY AND OPT-IN TO USE OUR SITE”. adactio.com/journal/13364

tvn

“It’s almost as if the ubiquitous surveillance of people’s every move on the web wasn’t a very good idea in the first place.”

# Posted by tvn on Sunday, February 4th, 2018 at 10:53am

Davide M.

“It’s almost as if the ubiquitous surveillance of people’s every move on the web wasn’t a very good idea in the first place.”

# Posted by Davide M. on Wednesday, October 3rd, 2018 at 11:56am
