GDPR and Google Analytics

Enforcement of the European Union’s General Data Protection Regulation is coming very, very soon. Look busy. This regulation is not limited to companies based in the EU—it applies to any service anywhere in the world that can be used by citizens of the EU.

It’s less about data protection and more like a user’s bill of rights. That’s good. Cennydd has written a techie’s rough guide to GDPR.

The Open Data Institute’s Jeni Tennison wrote down her thoughts on how it could change data portability in particular. While she welcomes GDPR, she has some misgivings.

Blaine—who really needs to get a blog—shared his concerns in the form of the online equivalent of interpretive dance …a twitter thread (it’s called a thread because it inevitably gets all tangled, and it’s easy to break.)

The interesting thing about the so-called “cookie law” is that it makes no mention of cookies whatsoever. It doesn’t list any specific technology. Instead it states that any means of tracking or identifying users across websites requires disclosure. So if you’re setting a cookie just to manage state—so that users can log in, or keep items in a shopping basket—the legislation doesn’t apply. But as soon as your site allows a third party to set a cookie, it’s banner time.

Google Analytics is a classic example of a third-party service that uses cookies to track people across domains. That’s pretty much why it exists. We, as site owners, get to use this incredibly powerful tool, and all we have to do in return is add one little snippet of JavaScript to our pages. In doing so, we’re allowing a third party to read or write a cookie from their domain.

Before Google Analytics, Google—the search engine business—was able to identify and track what users were searching for, and which search results they clicked on. But as soon as the user left google.com, the trail went cold. By creating an enormously useful analytics product that only required site owners to add a single line of JavaScript, Google—the online advertising business—gained the ability to keep track of users across most of the web, whether they were on a site owned by Google or not.

Under the old “cookie law”, using a third-party cookie-setting service like that meant you had to inform any of your users who were citizens of the EU. With GDPR, that changes. Now you have to get consent. A dismissible little overlay isn’t going to cut it any more. Implied consent isn’t enough.

Now this situation raises an interesting question. Who’s responsible for getting consent? Is it the site owner or the third party whose script is the conduit for the tracking?

In the first scenario, you’d need to wait for an explicit agreement from a visitor to your site before triggering the Google Analytics functionality. Suddenly it’s not as simple as adding a single line of JavaScript to your site.

In the second scenario, you don’t do anything differently than before—you just add that single line of JavaScript. But now that script would need to launch the interface for getting consent before doing any tracking. Google Analytics would go from being something invisible to something that directly impacts the user experience of your site.
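One way to implement the first scenario, where no request goes to the third party until the visitor explicitly agrees. This is an added example, not code from the original post; the script URL, storage key and function names are assumptions.

```javascript
// Added example: consent-gated loading of a third-party analytics script.
// ANALYTICS_SRC and CONSENT_KEY are placeholders, not values from the post.
const ANALYTICS_SRC = "https://analytics.example/tracker.js";
const CONSENT_KEY = "analytics-consent";

// `doc` and `store` are injected so the gate works with the browser's
// document and localStorage, or with stand-ins outside a browser.
function createConsentGate(doc, store) {
  let scriptEl = null;

  function inject() {
    if (scriptEl) return; // never load the tracker twice
    scriptEl = doc.createElement("script");
    scriptEl.src = ANALYTICS_SRC;
    scriptEl.async = true;
    doc.head.appendChild(scriptEl);
  }

  return {
    // Call on every page load. Only a stored, explicit "granted" counts:
    // a missing, malformed or "denied" value means no third-party request.
    init() {
      if (store.getItem(CONSENT_KEY) === "granted") inject();
      return scriptEl !== null;
    },
    // Wire this to the "I agree" control only, never to a dismiss button,
    // because implied consent is not consent.
    grant() {
      store.setItem(CONSENT_KEY, "granted");
      inject();
    },
    // Withdrawal: record the refusal so later page loads stay script-free.
    // Removing the element does not undo tracking that already happened
    // during this page view.
    withdraw() {
      store.setItem(CONSENT_KEY, "denied");
      if (scriptEl && scriptEl.parentNode) {
        scriptEl.parentNode.removeChild(scriptEl);
      }
      scriptEl = null;
    },
    loaded: () => scriptEl !== null,
  };
}
```

In a browser, call `createConsentGate(document, localStorage).init()` on page load and bind `grant()` and `withdraw()` to the explicit controls in the consent interface.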

I’m just using Google Analytics as an example here because it’s so widespread. This also applies to third-party sharing buttons—Twitter, Facebook, etc.—and of course, advertising.

In the case of advertising, it gets even thornier because quite often, the site owner has no idea which third party is about to do the tracking. Many, many sites use intermediary services (y’know, ‘cause bloated ad scripts aren’t slowing down sites enough so let’s throw some just-in-time bidding into the mix too). You could get consent for the intermediary service, but not for the final advert—neither you nor your site’s user would have any idea what they were consenting to.

Interesting times. One way or another, a massive amount of the web—every website using Google Analytics, embedded YouTube videos, Facebook comments, embedded tweets, or third-party advertisements—will be liable under GDPR.

It’s almost as if the ubiquitous surveillance of people’s every move on the web wasn’t a very good idea in the first place.


Responses

john holt ripley

“Under the old “cookie law”, using a third-party cookie-setting service like that meant you had to inform any of your users. With GDPR, that changes. A dismissible little overlay isn’t going to cut it any more. Implied consent isn’t enough.” adactio.com/journal/13364

Martin D Marriott

GDPR and Google Analytics - “…now the script would need to launch the interface for getting consent before doing any tracking. Google Analytics would go from being something invisible to directly impacting the user experience” adactio.com/journal/13364 @adactio

caztcha

A piece on the EU General Data Protection Regulation (GDPR) and cookies. Who is responsible for obtaining user consent: the site owner or Google? >> Adactio: Journal—GDPR and Google Analytics adactio.com/journal/13364

# Posted by caztcha on Tuesday, January 30th, 2018 at 3:04am

cn

@jeremycherfas humanity the only species to wrap itself in red tape?

# Posted by cn on Tuesday, January 30th, 2018 at 8:49am

jeremycherfas

@cn Given half a chance many birds and all housemice will gladly furnish their nests with the stuff. (The ex-husband of a lawyer speaks.)

cn

@jeremycherfas at least they’ve got a good reason to…

# Posted by cn on Tuesday, January 30th, 2018 at 12:56pm

getify

the great @adactio calls out a huge issue we should all be thinking a lot more about: adactio.com/journal/13364 the coming apocalypse of the battle against unwanted web tracking. chilling.

# Posted by getify on Wednesday, January 31st, 2018 at 5:57am

Mike - eCommerce PM

If IP ranges and cookies are “user data” then Google Analytics and all other pixels must have consent. The future - giant popups on websites “ARE YOU AN EU CITIZEN? YES OR NO? IF YES, READ THIS 100 PAGE PRIVACY POLICY AND OPT-IN TO USE OUR SITE”. adactio.com/journal/13364

tvn

“It’s almost as if the ubiquitous surveillance of people’s every move on the web wasn’t a very good idea in the first place.”

# Posted by tvn on Sunday, February 4th, 2018 at 10:53am

Davide M.

“It’s almost as if the ubiquitous surveillance of people’s every move on the web wasn’t a very good idea in the first place.”

# Posted by Davide M. on Wednesday, October 3rd, 2018 at 11:56am
