Google Analytics & GDPR
The UK Information Commissioner's Office (ICO) has recently updated its guidelines on the use of tracking technologies. The new guidelines are likely to have a significant impact on both analytics and the use of third-party marketing tags. Cookie compliance will become an increasing regulatory priority in future.
GDPR reinforces earlier provisions of the Privacy & Electronic Communications Regulations (PECR). As a result, IP addresses and cookies are now considered "personal information".
A key change within the latest update is that an explicit opt-in is now required for non-essential cookies. Similar technologies that use device fingerprinting techniques (looking at a combination of factors such as browser type, version etc. to identify a device) are also covered.
To date, many companies have either provided a simple cookie banner stating that continued use of the site constitutes consent, or have offered a means to opt out. Neither approach will constitute consent under the new guidelines.
Under the new regime:
- Analytics cookies are considered non-essential
- Implied consent for cookies will no longer be valid
- Tick boxes and sliders set to "on" cannot be used
- Cookie walls are unlikely to constitute consent
- Non-essential cookies cannot be set on a landing page prior to a user providing consent
- "Legitimate interests" arguments cannot be used for non-essential cookies
How we can help
Whilst the majority of UK websites are currently non-compliant, the direction of travel is clear and the new guidelines are unambiguous. Site owners should therefore start to work towards compliance now, documenting decisions taken along the way. Actions to consider include the following:
- Conduct a cookie & tracking technology audit - consider both the first-party and third-party cookies set and any "similar technologies"
- Review when and how cookies are set - check, for example, whether cookies are set via a tool such as Google Tag Manager or directly from the site
- Check analytics data to ensure no personal information is captured (e.g. in query strings) - this is against Google's policy conditions in any event
- Review your privacy and cookies policy
- Migrate to an explicit opt-in approach for non-essential cookies and consider your technical approach
- Consider ways to mitigate the likely loss in data. Opt-in rates at present appear to be in the range of 20% - 35% based upon our experience to date