How GDPR Affects Your Google Tracking and Advertising

May 1, 2018
By   Aisulu Satpayeva
Category   Search

In this blog series, we will cover:

•  Blog 1: What is the GDPR?
•  Blog 2: What Canadian and US Businesses Need To Know
•  Blog 3: How It Affects Your Facebook Tracking and Advertising
•  Current post: How It Affects Your Google Tracking and Advertising

How is GDPR going to affect your Google Analytics & Adwords?

While the new GDPR set of rules will primarily affect businesses in EU or businesses that serve ads or process personal data of the EU users, businesses in Canada and the US are still going to be affected. That’s why it is necessary to make necessary changes and take important steps to become GDPR compliant before the new regulations take place.

In short, the aim of EU GDPR (General Data Protection Regulation) is to protect EU citizens’ data privacy and to adjust the way businesses approach and process user’s personal data. If you want to learn more about GDPR in general, we highly recommend reading our previous posts in this series. This particular post will cover how to update your Google Analytics and Adwords strategy to remain compliant.

A few weeks ago, Google launched a new dedicated site to prepare website owners, clients, and partners for the upcoming GDPR laws. On the site, they provide information about the control that businesses have over data, technical solutions that Google offers to help you become compliant, an overview of changes they made to their products and contracts, privacy and security updates, and resources and training for partners.

Updated Google’s EU User Consent Policy

Google recently updated their EU User Consent Policy to reflect the new legal requirements of the GDPR.

In the policy, they set out responsibilities for publishers using Google products to take extra steps to obtain legally valid consent from their users for the collection of data for personalized ads and for the use of cookies where legally required.

Updated Data Processing Agreements

They also updated their data-processing agreements to reflect the new obligations of data controllers and data processors.  The DPA (data-processing agreement) can be reviewed and accepted within the Google Analytics or Double Click accounts.

New Data Retention Controls

They’ve also updated their Data Retention controls to give Google Analytics users the ability to manage the retention and deletion of stored data. Google Analytics will automatically delete user and event data that is older than the retention period selected.

They also plan to introduce a new user deletion tool that will let Google Analytics users manage the deletion of all data associated with an individual user (e.g. site visitor). Details will be available on the Google Developers site shortly.

Google is also working with industry groups, including IAB Europe, to explore proposed consent solutions for publishers.

Google Adwords GDPR Compliance

While it’s Google’s responsibility to get consent for properties such as search, YouTube and Gmail, it’s website owners’ responsibility to obtain consent to continue to collect information that it needs to target ads with Adwords, AdSense, AdMob, DoubleClick Ad Exchange, and DoubleClick on behalf of a third party.

The GDPR regulations will affect any businesses worldwide that receive website traffic from the EU and use any sort of Google Analytics and targeting advertising products. Even if you are a company based in the US or Canada and aren’t specifically targeting European users, people from the EU may still visit your site and you are not allowed to track or target them without their consent.

Google Adwords provides advanced remarketing advertising capabilities, including customer emails to in-market audience, affinity audience and similar audience remarketing. Because serving remarketing ads require the use of cookies, businesses will have to obtain consent from EU visitors before they can continue using any sort of targeting ads to these people. Again, this regulation applies to companies anywhere in the world – not just the EU.

Geo-location targeting ads and location extensions might be also impacted by these new rules since they are triggered based on the user’s current geo-location proximity. However, at this point in time, it is still not clear whether geo-location targeting ads and location extensions will have to be configured.

In their latest message to partners, Google mentioned that they are working on a solution of providing anonymized, non-personalised ads in cases where consent cannot be obtained. This change could be a great solution for many website owners and advertisers, letting them to continue serve ads without a prior consent.

Google Analytics GDPR Compliance

As for Google Analytics, while GA helps track your website’s performance and analyze user behavior patterns in a very granular level, it also processes users’ IP addresses or collects data via advertising cookies (demographics and interest reporting), which can be considered as the collection and processing of personal data. Therefore, you will now require a user’s consent as well as the disclosure of the following information in the privacy policy.

However, in the current draft of the ePrivacy Regulation (Regulation on Privacy and Electronic Communications, a law that supplements GDPR) they make an exception for personal data used for web analytics purposes. So, if the only purpose of web analytics is to use collected data only for a tracking website’s performance, there is probably no need to acquire users’ consent. However, if any of the collected data from analytics is being used for any sort of user profiling, advertising or any other commercial purposes, then a user’s consent will be required for each of these activities.

Google currently offers a solution that could help to solve the issue with IP addresses via IP anonymization in Analytics. At this point, it’s not clear whether the ePrivacy Regulation cookies exemption is going to be applied only for the first-party tools operated by the website or whether it will cover third-party tools like Google Analytics. This will become clearer as the new e-Privacy regulations are finalized.

A 7-step action plan to become GDPR Compliant with Google Adwords & Google Analytics

  1. In cases when consent has not been obtained, remarketing advertising and use of customer emails in Adwords should be terminated by May 25, 2018.
  2. Implement IP Anonymization in Google Analytics. This can be done via activating the anonymize IP-function on a code level or in Google Tag Manager, by adjusting tag or adding a new field named ‘anonymizeIp’ with a value of ‘true’.
  3. Accept the GA Data Processing Terms (DPA) that we mentioned above. GA customers can accept the updated terms within the account settings.
  4. Make necessary changes to the updated Data Retention Controls in GA (covered above).
  5. Conduct an audit of your website data to see if you collect any Personally Identifiable Information (PII). A common example of PII data collection is when a user information is being captured in a page URL that contains an “email= querystring” parameter. For example, it can happen on a thank-you page. Ensure that no PII is being collected and sent to Google Analytics.
  6. Obtain and record a GDPR-compliant cookie consent. Some of the main requirements for the consent to be compliant include:
  • The consent has to be received prior to placing cookies on the user’s browser
  • All records of the consent have to be recorded and stored by the website owner
  • Provide users with options and clear instructions on what cookies they can reject or accept
  • Each party for which cookies are being used have to be identified as well
  1. Update your privacy policy. Website owners should put in place a comprehensive privacy policy which must include details on how end-user data will be processed, what are the main purposes, and what third-party services and tools have access to it.

As Google continues to roll out new tools and policies to help website owners and advertisers become GDPR-compliant, we will update this blog to keep you informed.

Note: We aren’t lawyers, so please be sure to review your obligations with your legal team. The information we share is based on general marketing best practices and information our team has reviewed from a variety of sources.

This blog post is part of a 4-part series. Keep reading:

•  Blog 1: What is the GDPR?
•  Blog 2: What Canadian and US Businesses Need To Know
•  Blog 3: How It Affects Your Facebook Tracking and Advertising
•  Current post: How It Affects Your Google Tracking and Advertising


GDPR Google AdWords Google Analytics privacy


Aisulu Satpayeva

Write a comment

Your email address will not be published. Required fields are marked *

Comments (3)