GDPR Preparation: Google Analytics
This post was written after receiving an email from Google regarding our Google Analytics (GA) account. The email was received on 4/11/2018 with the subject line: “[Action Required] Important updates on Google Analytics Data Retention and the General Data Protection Regulation (GDPR).” This post includes a basic overview of the steps to take in your Google Analytics account to review and update your settings. The topic of data collection naturally leads into a discussion of data minimisation to round things out.
Philosophy
Data privacy is one of RustProof Labs’ core values. We believe GDPR is an example of moving the needle in the right direction in preserving and protecting our personal digital rights. Changes outlined in this document are in line with the opening statement in our Terms of Service:
RustProof Labs is a company committed to data, cybersecurity, learning, open source projects and are advocates for the right to privacy and security on the Internet.
This is another preparation for the approaching GDPR implementation on 5/25/2018 for anyone using Google Analytics. Our free Blog @ RustProof Labs, where you're reading this right now, receives hundreds of visitors each month from the EU. So, it is important that all RustProof Labs’ services, freely available blog included, are compliant.
Disclaimers
This is not legal advice, see our terms of service to learn more. Following the steps outlined in this document does not guarantee compliance with GDPR or any other regulations. These steps may not represent the correct action(s) for your organization and its legal, policy and other internal needs. Please consult with trusted legal professionals regarding legal matters.
GDPR overview
GDPR refers to the General Data Protection Regulations as defined at the official website. As far as regulations go, it's quite easy reading. David Poole's GDPR - A guide for the perplexed includes a nice visual overview. Troy Hunt has discussed the topic thoroughly as well.
Update (4/13): CloudAcademy has a new webinar available that provides a great deal of information too. Thanks, Rita, for sharing the link!
What are data processing amendments?
Data processing amendments (DPA) are at the heart of this post's topic. DPAs are required according to Article 28 of the GDPR. I've highlighted two passages from this section to highlight the need for agreements between Controllers and Processors.
Art. 28, para 1)
"the controller shall use only processors providing sufficient guarantees ... and organizational measures ... that processing will meet the requirements ... and ensure the protection of the rights of the data subject."
Art. 28, para 3)
"Processing ... shall be governed by a contract or other legal act ... that is binding on the processor with regard to the controller ..."
Relating to Google Analytics
In the case of a website operator that uses Google Analytics to track website traffic, you, the website owner/operator, are the Controller. Google Analytics is a Processor processing data on behalf of you, the Controller. The visitors of your website are the "data subjects" that the GDPR intends to define and protect.
The DPA is a legal agreement between a controller and processor, providing legal rights for the data subject.
In other words, without the DPA from Google Analytics your website is likely not in compliance with these regulations.
Review Google Analytics settings
The following steps are outlined to provide reference on how to review your Google Analytics (GA) settings. The instructions are intended for Google Analytics administrators/users already familiar with the Google Analytics tool.
The first step is to review Google's data processing amendment (DPA) for your GA accounts. The other step is to review and update the data retention policy for each of your GA properties.
Data processing amendment
If you have multiple GA Accounts, you will need to go through these steps for each individual account through the admin portal.
- Go to Admin of Google Analytics account
- Select Account Settings for an account
- Scroll down to the Data Processing Amendment section, click Review and Acceptance
Don't forget to save
If you do choose to Accept the agreement (that’s between you and Google!), make sure you click “Save”.
Data retention
The data retention setting is done per Property instead of per Account. The data retention setting determines how long Google will retain user level data. This setting does not affect the majority of the reporting available through GA. Unless you can justify the requirement for storing user level data longer than the minimum, you should choose the minimum.
Google has the following steps outlined on their site:
- Sign in to Google Analytics
- Click Admin, and navigate to the property you want to edit
- In the PROPERTY column, click
Tracking Info > Data Retention
- User-data retention: select the retention period you want
- Reset on new activity: turn the switch on or off
The following screenshot shows what this page looks like with the settings to be as privacy-minded as GA allows. Settings:
- 14 months
- Disabled “Reset on new activity”
Don't forget
In Google Analytics, the DPA is handled at the account level; the data retention is at the property level. The steps outlined above will need to be repeated as necessary through your GA domain . This could be cumbersome for GA admins in charge of a large number of properties.
Long-term data retention
If you enable the "Reset on new activity" option, each time a user re-visits this property it “resets the clock” on the retention policy. This means if a user visits your site one time every 12 months for 10 years, GA will retain the user-level data (“personal data” in our privacy policy) for 10 years plus (+) the retention period.
Data minimisation
Data minimisation is an important component of ethical data stewardship. The scenario above illustrated how easy it would be to keep detailed personal data from long periods of time from very occasional users. A good way to illustrate the importance of data minimisation was this statement from Troy Hunt's testimony to Congress last November (2017):
"Organizations view data on their customers as an asset, yet fail to recognize that it may also become a liability"
The more data you store, the more can be breached when something major goes awry. If you don't keep it, you can't let it be stolen.
There's quite a bit to say on the topic in Article 5 of the GDPR. A few excerpts are:
- Art. 5, 1a): ... lawfulness, fairness and transparency ...
- Art. 5, 1b): collected for specified, explicit and legitimate purposes ....
- Art. 5, 1c): ... limited to what is necessary ...
- Art. 5, 1e): kept in a form which permits identification of data subjects for no longer than is necessary ...
Summary
This post reviewed a number of concepts of the GDPR, data minimisation, and steps you can take to reduce your data footprint in Google Analytics. My opinion of the GDPR isn't to say that you can't collect data. Instead, it is more about helping us consider the impact of collecting data and ensure we treat it with the respect it deserves. It's ok to collect personal data if that's the requirement of the business. You do need to be able to justify the need for the data collection (and retention) and prove that you have taken appropriate measures to be transparent and secure.
With great data, comes great responsibility (Art. 32, 2).
"In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed."
If you have questions or feedback you can get in touch via email (support@rustprooflabs.com) or via Twitter.