Google Analytics & GDPR
The UK Information Commissioner's Office (ICO) has updated its guidelines on the use of tracking technologies. This is currently a fast-moving area within the EU, with issues around the use of Google Analytics in general under discussion.
The new guidelines are likely to have a significant impact on both analytics and the use of third-party marketing tags, and cookie compliance is likely to become an increasing regulatory priority in future.
GDPR reinforces earlier provisions of the Privacy & Electronic Communications Regulations (PECR). As a result IP addresses and cookies are now considered "personal information".
A key change within the latest update is that an explicit opt-in is now required for non-essential cookies. Similar technologies that use device fingerprinting techniques (looking at a combination of factors such as browser type, version etc. to identify a device) are also covered.
To date many companies have either provided a simple cookie banner stating that continued use of the site constitutes consent or have offered a means to opt out. Neither approach will constitute consent under the new guidelines.
Under the new regime:
- Analytics cookies are considered non-essential
- Implied consent for cookies will no longer be valid
- Tick boxes and sliders set to "on" cannot be used
- Cookie walls are unlikely to constitute consent
- Non-essential cookies cannot be set on a landing page prior to a user providing consent
- It should be as easy to reject cookies as accept them
- "Legitimate interests" arguments cannot be used for non-essential cookies
- Features such as IP anonymisation are recommended
How we can help
Whilst the majority of UK websites are currently non-compliant, the direction of travel is clear and the new guidelines are unambiguous. Site owners should therefore start to work towards compliance now, documenting decisions taken along the way. Actions to consider include the following:
- Conduct a cookie & tracking technology audit - consider both first-party and third-party cookies set and any "similar technologies"
- Review when and how cookies are set - check, for example, whether cookies are set via a tool such as Google Tag Manager or directly from the site
- Check analytics data to ensure no personal information is captured (e.g. in query strings) - this is against Google's policy conditions in any event
- Review your privacy and cookies policy
- Migrate to an explicit opt-in approach for non-essential cookies and consider your technical approach
- Consider ways to mitigate against the likely loss in data. Opt-in rates vary by sector but in our experience typically fall in a 70-80% range.
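The query-string check in the list above can be run over a page-URL export from your analytics tool. The following Python is an added example, not part of the original page; the parameter-name list, the sample URLs and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed heuristic list of parameter names that often carry personal data.
SUSPECT_KEYS = {"email", "mail", "name", "firstname", "lastname", "surname",
                "phone", "mobile", "postcode", "dob", "address"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample of page URLs as they might appear in an analytics export.
SAMPLE_PAGES = [
    "/checkout/thanks?order=1182&email=jane.doe%40example.com",
    "/search?q=red+shoes&page=2",
    "/account/reset?token=abc123&user=sam@example.org",
    "/newsletter?firstname=Alex&src=footer",
]

def find_pii(page_url):
    """Return (parameter, reason) pairs for one recorded page URL."""
    findings = []
    # parse_qsl percent-decodes, so an encoded '%40' is still seen as '@'.
    for key, value in parse_qsl(urlsplit(page_url).query, keep_blank_values=True):
        if EMAIL_RE.search(value):
            findings.append((key, "email address in value"))
        elif key.lower() in SUSPECT_KEYS and value:
            findings.append((key, "parameter name suggests personal data"))
    return findings

def audit(pages):
    """Count flagged occurrences per parameter name across an export."""
    counts = Counter()
    for url in pages:
        counts.update(key for key, _reason in find_pii(url))
    return dict(counts)

def redact(page_url):
    """Rebuild the URL with flagged values replaced, for the audit report."""
    parts = urlsplit(page_url)
    flagged = {key for key, _reason in find_pii(page_url)}
    pairs = [(k, "REDACTED" if k in flagged else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

if __name__ == "__main__":
    for page in SAMPLE_PAGES:
        for key, reason in find_pii(page):
            print(f"{redact(page)}  ->  {key}: {reason}")
    print(audit(SAMPLE_PAGES))
```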
Whilst we are not in a position to offer legal advice, we can update you on recent developments, advise on technical approaches and help implement solutions - either bespoke or using third-party tools such as OneTrust, Civic Cookie Control or Cookiebot. Further change is likely ahead with the ongoing development of the UK GDPR regulations.