GDPR and Google Analytics
Since Google is the undisputed king of data tracking, they’ve had to make some dramatic changes for GDPR compliance. If you use Google Analytics, you need to log into your account and add new information about how long Google stores Personally Identifiable Information (PII). Please note that these expirations will not affect your average traffic reports. If you’ve been using Google Analytics for five years, you’ll still be able to see how much your traffic has grown (or not) in that time. However, if you choose to let Google collect data about the age and demographics of your visitors, that data will go away after 25 months unless you override the PII expiration.
Personally, I’m thrilled that Google has now set a default time limit on information storage. I’ve always been reluctant to enable the demographic tracking features because they seemed so intrusive. Having the option to clear out that information after a certain time makes it feel safer to use.
A couple of steps you might want to take regarding GDPR compliance on your own website:
Make sure your visitors know that you’re sharing information with Google, and any other third parties with whom you share information about your online visitors.
Review your website forms.
If I fill out a form on your website and it comes to you with my email address in the From field, then you’re automatically sharing that email address with any third parties tracking your website statistics. GDPR standards suggest that you not use actual email addresses in the From field; use a standard Form email address instead. (This is a hassle because so many people confuse formmail for email and hit the Reply button – it might involve some retraining.)
Consider using IP anonymization.
By default, Google Analytics tracks IP addresses. This allows you to zoom in on reports and see the city where your visitors came from. With IP anonymization turned on, the last three digits of the IP address are blacked out. Google will still be able to tell you the general locale (e.g., Twin Cities), but it will be harder to detect whether a particular visitor was from West St. Paul or Inver Grove Heights.
Consider adding a “confidential visit?” option.
I visited a government-run healthcare website recently and a pop-up message asked if I wanted to surf their website anonymously. You might start seeing this option on other websites in the coming months as new tools to protect visitor privacy come on the market.
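The IP anonymization described above can also be applied to your own server logs, which record the same visitor addresses. This is an added example, not code from the original post or from Google. It assumes the masking Google documents for the feature (the last octet of an IPv4 address, which is up to three digits, and the last 80 bits of an IPv6 address are set to zero); the function names and log lines are constructed for illustration.

```python
import ipaddress

# Bits kept per address family: IPv4 loses its last octet (8 bits),
# IPv6 loses its last 80 bits.
KEEP_BITS = {4: 24, 6: 48}

# Constructed access-log lines; addresses are from documentation-only ranges.
SAMPLE_LOG = [
    '203.0.113.57 - - [25/May/2018:10:01:00 +0000] "GET / HTTP/1.1" 200',
    '203.0.113.201 - - [25/May/2018:10:02:10 +0000] "GET /contact HTTP/1.1" 200',
    '198.51.100.14 - - [25/May/2018:10:03:30 +0000] "GET / HTTP/1.1" 200',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [25/May/2018:10:04:00 +0000] "GET / HTTP/1.1" 200',
]


def anonymize_ip(raw):
    """Zero the low-order bits of an IPv4 or IPv6 address string."""
    addr = ipaddress.ip_address(raw.strip())
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) carries the visitor's IPv4
    # address in its low bits; mask it as IPv4 so the useful prefix survives.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    net = ipaddress.ip_network(f"{addr}/{KEEP_BITS[addr.version]}", strict=False)
    return str(net.network_address)


def scrub_line(line):
    """Replace the leading client-address field of one log line."""
    client, sep, rest = line.partition(" ")
    try:
        return anonymize_ip(client) + sep + rest
    except ValueError:
        # Not an IP address: drop the field rather than store it unmasked.
        return "-" + sep + rest


def distinct_clients(lines):
    """Count the different values seen in the client-address field."""
    return len({line.split(" ", 1)[0] for line in lines})


if __name__ == "__main__":
    scrubbed = [scrub_line(line) for line in SAMPLE_LOG]
    print("\n".join(scrubbed))
    print(distinct_clients(SAMPLE_LOG), "->", distinct_clients(scrubbed))
```

Two of the four sample visitors share the 203.0.113 prefix, so after masking they collapse into one value: the general network is still visible, but the individual visitors are not.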
Just to recap, the new privacy regulations only affect companies doing business in Europe. There’s no guarantee that the United States will follow suit. However, these new guidelines have birthed a lot of useful tools to protect your visitor information. Please consider using them.