All the internet can seem to focus on lately is the General Data Protection Regulation (GDPR), a strict policy imposed by the European Union (EU) that aims to change the way businesses use and process its citizens’ data (as well as protect its citizens’ rights to data privacy).
What is GDPR?
Officially implemented as of May 25, 2018, the GDPR is primarily aimed at websites and businesses that serve targeted ads and process data of EU citizens that currently reside in EU borders. Thanks to the internet’s global nature, this also means that most international websites (including those outside EU borders, that serve EU citizens) will be affected.
Here’s what you need to know about GDPR and how it will affect tools like Google Analytics and Adwords.
Key Concepts to Understand About the GDPR
The GDPR, which is over 200 pages, focuses on two key areas:
- Your personal data
- The way companies process your data
In terms of policies, there are a few key points to consider:
- Explicit consent.
The GDPR requires websites to explicitly ask its users if they are allowing the company to process their data. This means no more sneaky practices for collecting data.
- Right to data.
This has three facets:
- Users have the right to know where a company uses their data and how it is processed and stored.
- Users can request for access to their data: to download it and give this data to other data controllers of their choosing.
- Users have the right to be ‘forgotten’, especially when they don’t want other companies to have access to their data.
You can see how this can be a cause for panic: especially for those who work in marketing/advertising fields, who rely heavily on targeted advertising (where information comes in from various data sources).
What Does GDPR Mean for Google?
Google is the world’s largest search engine, and it didn’t become the best without having done its due diligence. Google collects data through search engine spiders, which crawl websites all over the internet. The information it gleans, it returns to the Index, which collects all webpage information to be made sense of.
Besides your name, age, birthday, email address and other details that Google collects when you initially sign up for an account, you may be surprised to learn that there are still so many other things that Google knows about you (like when you’re graduating and getting married!). Google collects data pertaining to your activities while signed in to Google, your Youtube video watch history, and even location data about where you’ve been! Using all this data, they are able to create a multi-faceted profile to offer up to their advertisers to improve the accuracy of their targeting efforts.
In a sense, Google (and consequently, its subsidiaries, clients and partners) is one of those most affected by the GDPR since they process so much data. Although Google says that they practice asking for consent from customers, the GDPR will “further refine these requirements”. But regardless of their past and continued efforts to protect data privacy, both Facebook and Google were hit with $8.8 billion in lawsuits for noncompliance on the first day GDPR went into effect.
Although Google is made up of many different products and tools, people are perhaps most concerned with GDPR and it’s impact on Google Adwords and Analytics.
How GDPR Affects Adwords and Analytics
Google Adwords and Analytics are used by a majority of website owners.
On March 22, Google published an article informing its advertisers and publishing partners of the changes it will be implementing for the GDPR, including:
- Updates to its EU consent policy, which requires publishers using Google products to explicitly obtain consent from users, especially when using their data for targeted advertising purposes (as in Adwords).
- Revisions to its existing data-processing agreements, which informs existing data processors and controllers of their new requirements and obligations. The data-processing agreement (DPA) can be accessed in Google Analytics or Double Click.
- Updates to its Data Retention controls, which allows Google Analytics users to manage the storage and deletion of data. With this, users can choose how long companies can keep their data. Data that is past the set retention period is automatically deleted.
Google has also launched a dedicated website that will help its clients and partners comply with the new GDPR laws.
GDPR: Google Adwords
Google Adwords lets advertisers bid on keywords, such that when users search for these specific keywords, an ad leading to their website will be prominently displayed in Google search. Adwords also allows banner ads to be displayed on websites they think your target customer will visit, which works exceptionally well when it comes to retargeting efforts.
In terms of the GDPR, here are some aspects of Google Adwords that will be affected:
- Targeted ads that require knowing a user’s location may also be affected, though it isn’t completely clear how and isn’t confirmed at time of publication.
Google claims that they’re currently working on a solution that delivers non-personalized ads for sitautions where consent cannot be obtained.
GDPR: Google Analytics
Google Analytics tracks website traffic and reports it so website owners can analyze behavior patterns from website visitors. However, to do this, Google Analytics collects IP addresses and behavioral data via advertising cookies.
As with Adwords, thanks to GDPR, Google Analytics must obtain consent from website visitors and clients regarding the usage of cookies. In the most recent draft of the ePrivacy regulation (a supplemental law to the GDPR), they recommend making an exception [to asking for consent in personal data collection] when used solely for tracking website performance.
To address the IP address issue with GDPR, Google Analytics offers IP Anonymization as an option.
Final Thoughts: GDPR: Google Analytics & Google Adwords Website Audit
Despite being an EU policy, the GDPR requires so many changes to websites all over the world. Google is one of those most largely affected.
Luckily, Google has already anticipated GDPR and has made changes to their policies, especially for Adwords and Analytics—tools that many marketing and advertising websites rely on.
To be GDPR compliant when using Google Adwords and Analytics, you need to:
- Audit your website to determine if you’re using personally identifiable information (PII). Using PII is against Google Analytics’ Terms of Service.
- Accept the new terms and policies of Google (they are already GDPR-compliant) and make necessary changes to your website.
- Record or store user data records and give users access to these when asked for/delete data when asked.