At its core, Google Analytics is a free website analytics tool that helps website managers understand the behavior of their customers. Producing those results, however, means collecting personal data that must be protected. Compliance with the GDPR rules, which have applied since 2018, is therefore necessary to avoid the penalties they provide for.
What is GDPR?
GDPR, the General Data Protection Regulation, deals with the protection of the personal data of natural persons. Identification covers many elements, such as a person's surname and first name, or more sensitive information (Social Security number, address, bank account, origin, etc.). Other factors are also taken into account, such as their tastes and the areas of a site they pay the most attention to.
Linked together, these elements yield a more or less accurate picture of a visitor. That picture is then used in the processing of personal data: analyzing information about an Internet user, determining their interests and possibly their purchasing behaviour.
From there it is easy to adjust offers to match their expectations. Note that details belonging to a company (its name, address, email address, etc.) do not fall into the category of personal data.
Who is affected by GDPR?
GDPR essentially governs the processing of personal data of individuals residing in the European Economic Area. Its implementation since 2018 takes into account the development of new technologies and purchasing behavior. It reinforces the French Data Protection Act of 1978, allowing each individual to control how any type of organization may collect data relating to them.
Step 1: Data Processing Agreement
Under the GDPR, website managers are obliged to request users' authorization for the use of cookies and to inform them of what the cookies will be used for. For CNIL, the transfer of data to the United States by sites that use Google Analytics is unlawful. Such a transfer is problematic because, once the data has left, it is difficult to control how it is used and protected. Protection can only be guaranteed if all parties enter into a data processing agreement (DPA), the first step toward GDPR compliance.
A DPA is a legal obligation that the signatories must respect, under penalty of heavy fines. It is required for the processing of any company or personal data, whether within the EU or originating from the EU. This agreement is valid between a website host.
It is also necessary when a company outsources its e-mailing. Note that the practice itself is not prohibited, but the free and explicit consent of the persons on the mailing list must be obtained. The same applies to payroll. The only data that may be collected in that case is limited to surnames, first names, addresses, dates of birth and Social Security numbers, as set out in Article L444-5 of the Labor Code. Data processing is carried out by a controller, who may then use the services of a processor.
Under Articles 28 to 36 of the GDPR, the processor must comply with specific clauses. These include providing all relevant information, such as the range of personal data on which it will operate and the persons to whom that data relates. In addition, the data collected may only be used for clearly specified purposes and kept for a period that must be clearly stated. The processor is also required to return or delete the personal data at the end of the previously defined period.
Step 2: Set the retention period for personal data
As stated above, data retention is not unlimited. It must be limited to what is consistent with the stated purposes, unless a period is prescribed by law. To help Google Analytics users be GDPR compliant, it is now possible to delete all profiles that have not interacted with the site for 36 months.
In addition, the use of cookies requires renewing each user's consent every 13 months. According to Google Analytics, personal data is retained for between 14 and 50 months. Without explicit agreement, it is removed during the following month. If, in the meantime, the user returns to the site on which their data is held, the deletion is postponed to a later date.
Step 3: Declare the organizations or natural persons in charge of data processing
A section titled “Manage DPA Details”, located on the Administration page, is available to data processing administrators. They are obliged to provide three key pieces of information required by the GDPR. The first is the name of the key contact (an organization, a company or an individual). The second is information about the data protection officer, whose mission is to conduct compliance operations in the organization, optimize the protection of users’ personal data and restrict access by third parties.
The third is the representative in the European Economic Area. For small data processors the three contacts may be the same person, and people with multiple accounts need not provide separate contacts for each.
Step 4: Proxy server
CNIL recommends, for compliance, the use of a proxy server: a bridge between an Internet user’s computer and the servers used by websites. This solution maintains the security of exchanges between the two parties, while links contained in the URL can still be followed from the referring site. The proxy also makes it possible to anonymize the user’s identifier and all other possible identifiers, such as an IP address or a CRM identifier.
Data leaving the proxy carries a pseudonym, which reduces the chances of the user being re-identified. However, this option is out of reach for small organizations, since its implementation is quite expensive and quite restrictive. CNIL also lists alternatives to Google Analytics, including Matomo, which is intended not only to measure a website’s audience but also to better understand visitors’ browsing behavior for conversion optimization.
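To make the proxy step concrete, the following is an added example, written for this page and not code from CNIL, Google or any project mentioned here, of the rewriting a pseudonymizing proxy performs on one analytics hit before forwarding it upstream. The parameter names `cid`, `uid`, `dl`, `dr` and `uip` follow the Universal Analytics Measurement Protocol; `crm_id`, `email`, the proxy secret and the sample hit are constructed for illustration. The user identifier is replaced by a keyed hash whose key never leaves the proxy, query strings are stripped from the page and referrer URLs, identifier fields are dropped outright, and the client IP address is truncated (last octet for IPv4, everything past the /48 for IPv6) so that the vendor never receives the full address.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Secret held only on the proxy and never sent to the analytics vendor.
# Constructed value for this example; a real deployment loads it from a secret store.
PROXY_SECRET = b"example-proxy-secret-rotate-me"

# Parameters that carry direct identifiers and must not leave the proxy
# (uid is a Measurement Protocol field; crm_id and email are constructed names).
DROPPED_PARAMS = {"uid", "crm_id", "email"}

# Parameters that carry URLs whose query strings may contain identifiers:
# dl = document location, dr = document referrer.
URL_PARAMS = {"dl", "dr"}

# Constructed sample hit as a site's tracking script might send it.
SAMPLE_HIT = {
    "v": "1",
    "tid": "UA-XXXXXX-1",          # placeholder property id
    "cid": "555.1234",             # client id set by the analytics cookie
    "uid": "user@example.org",     # logged-in user id: must be dropped
    "t": "pageview",
    "dl": "https://example.org/cart?session=xyz",
    "dr": "https://referrer.example/?q=secret",
}
SAMPLE_CLIENT_IP = "203.0.113.77"


def pseudonymize_id(value: str, secret: bytes = PROXY_SECRET) -> str:
    """Replace an identifier with a keyed hash.

    A keyed HMAC is used rather than a plain SHA-256 so that a party holding
    only the output cannot recover the original by hashing candidate values.
    The same input always maps to the same pseudonym, so a visitor's hits
    still join up into sessions on the vendor side.
    """
    return hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def anonymize_ip(addr: str) -> str:
    """Truncate an IP address: keep the /24 for IPv4 and the /48 for IPv6."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def strip_url(url: str) -> str:
    """Drop the query string and fragment from a URL, keeping scheme, host and path."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def pseudonymize_hit(hit: dict, client_ip: str) -> dict:
    """Rewrite one analytics hit so no direct identifier leaves the proxy."""
    out = {}
    for key, value in hit.items():
        if key in DROPPED_PARAMS:
            continue                       # never forwarded
        if key == "cid":
            out[key] = pseudonymize_id(value)
        elif key in URL_PARAMS:
            out[key] = strip_url(value)
        else:
            out[key] = value
    # The vendor sees the proxy's socket address plus this truncated override,
    # not the visitor's real address.
    out["uip"] = anonymize_ip(client_ip)
    return out


def forward_sample() -> dict:
    """Run the rewrite on the constructed sample hit."""
    return pseudonymize_hit(SAMPLE_HIT, SAMPLE_CLIENT_IP)


if __name__ == "__main__":
    for k, v in forward_sample().items():
        print(f"{k}={v}")
```

Two design points worth checking in any real deployment: the pseudonym is only as strong as the secrecy of the HMAC key, so the key must be rotated and must never be logged alongside the hits, and truncating the IP is a compromise; if geolocation is not needed, dropping the `uip` override altogether is the stricter choice.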
Step 5: Update Google Analytics
For its part, Google has announced that Universal Analytics (the version currently in use) will be replaced by Google Analytics 4 from 1 July 2023. The purpose of this new version is to better protect the personal data collected.
Conclusion
Compliance with GDPR is a complex process that should be undertaken without waiting for a formal notice. It is therefore necessary to begin by configuring Google Analytics so that processing restricts access to users’ personal data. Among the available technical tools is IP anonymization, for example, which masks the IP addresses collected. Please note that it is currently practically impossible for Google Analytics to comply with the regulation, since it cannot avoid collecting personal data and transferring it to the United States.