Google Analytics and GDPR Information for Australian Businesses

Read about how the General Data Protection Regulation (GDPR) in the European Union will impact the use of Google Analytics by Australian Businesses.

Important note

This article only relates to Google Analytics and AdWords. The GDPR has many additional compliance requirements.

This article contains general information about the requirements of Google’s policy, which has been obtained via online research, from existing articles and from contacts at Google. I’ve written it to provide information to clients and other businesses about their use of Google Analytics and Privacy Policy requirements.

This information does not comprise legal advice and the author does not hold any legal qualifications. You should consult with your legal team to ensure the wording of the Privacy Policy on your website is compliant with all appropriate legislation and understand what impact the GDPR and other relevant legislation may have on your business.

Click-Winning Content can not answer questions about the GDPR or privacy policies in relation to specific businesses. 

What is the General Data Protection Regulation (GDPR)?

The GDPR is a new European data protection law that will enter into force in May 2018. Although it’s a European law, the GDPR requires far reaching changes for businesses that offer goods and services online to users in the EEA (European Economic Area).

On Mar 22, Google shared more about their preparations for the GDPR through an email and a blogpost, including changes to help both you and Google meet the new requirements.

How does GDPR impact businesses that only sell products and services in Australia?

As people located in the EU may still find your website and visit it, or see an AdWords ad if they specifically include an Australian location, it is recommended that Australia focused business comply with the requirements.

If you are specifically targeting sales or obtaining personal data from people in the European Union then you fall under the GDPR.

Also read more in this Australian Government article about Australian businesses and the EU General Data Protection Regulation

and

How GDPR Impacts Marketers (published on Social Media Examiner)

What actions do you need to take?

1.Have a Privacy Policy on your website

2. Ensure that your Privacy Policy provides details about the use of Cookies on your website

3.Include a statement in your Privacy Policy about how you use Google Analytics

Refer to Section 7 in Google Analytics Terms of Service

4.If you run AdWords Remarketing campaigns or use other Google Analytics advertising features, ensure that the required information is added

Refer to the Remarketing Privacy Policy information

and

Policy requirements for Google Analytics advertising features

5.If you have AdWords conversion tracking set up, include the required information

Google recommends letting users know which pages you’re tracking in your site’s privacy policy. Learn more

For example, if you use Website Call Tracking, add this sentence “We use Google AdWords Website Call Tracking to analyse the results from our Google AdWords campaigns.”

Here’s a good article by Search Engine Land which includes more information on the points mentioned above. Read How Many Google Privacy Policies Are You Violating

Note that points 1 to 5 above are requirements for businesses that use Google Analytics, AdWords Remarketing and Conversion Tracking, regardless of GDPR.

GDPR Specific Information

User Consent Policy

Ensure that your Privacy Policy explains what personally identifiable information is collected, and how it is used. Personally identifiable information includes names, addresses, email addresses etc

Data Retention Controls

Review your Data Retention Settings and modify as needed.

The default setting is 26 months. If you take no action this is the length of time that user and event data will be kept for. Or you can adjust the time length.

As per Google’s email to Google Analytics users:

Impact of this setting as of May 25 is the following:

• Any user and event data that is older than your retention setting will be marked for permanent deletion, and will no longer be accessible in Google Analytics.
• Deletion will affect the use of segmentation, some custom reports and secondary dimensions when applied in date ranges older than your retention setting.
• Reports based on aggregated data will not be affected.

A pop up that has been added to Google Analytics provides the additional information below:

EU User Consent Policy

If you sell goods or services to the EU you must comply with the EU User Consent Policy.

For Australian businesses, even if you don’t sell goods or services to the EU, it is recommended that information about use of cookies is included in your privacy policy (as mentioned above), then you will be covered from the standpoint of any potential regulatory audits in the future.

Data Processing Amendment

To review the Data Processing Amendment, log in to your Google Analytics account and go to Admin at the bottom of the left column.

Then select “Account Settings” from the left column.

At the bottom of the page you’ll see “Data Processing Amendment”.

Click “Review Amendment” to review and accept the amendment if you need to.

Select “Manage DPA Details” to add your business name and contact details.

Also read this MOZ article on What Google’s GDPR Compliance Efforts Mean For Your Data: Two Urgent Actions.

What steps are we taking here at Click-Winning Content

While we don’t specifically sell our services to people in the European Union, it is possible that people located there could visit our website.

Therefore:

1. We have a Privacy Policy that includes details about our use of Google Analytics
2. We have accepted the Data Processing Agreement in Google Analytics and added our contact details
3. We are keeping the Data Retention Controls at the default setting of 26 months.