The Age of Data Privacy – Google Analytics, CCPA and GDPR

What is data privacy?

Data privacy relates to how data is handled based on its importance. In the digital age, the concept of data privacy applies to critical personal information, personally identifiable information (PII), as well as personal health information (PHI).

Data privacy is very important because, when data that should be kept private gets in hands of someone who can misuse it, bad things can happen.

What are GDPR and CCPA laws?

Both GDPR and CCPA are data privacy laws that aim to give control to individuals over their personal data and how they share it online.

The GDPR (General Data Protection Regulation) is a regulation in the EU law on data protection and privacy in the European Union and the European Economic Area. The GDPR took effect on May 25, 2018. The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. The CCPA is a state statute that enhances privacy rights and consumer protection for residents of California, US.

Google Analytics and consent management platforms

Both GDPR and CCPA are very complex regulations and require the full attention of every company’s legal term.

In this post, I want to talk about how these regulations are affecting website performance analysis, analysis of website users and how they engage with a website’s content. To be compliant with these laws, anyone that runs a website and collects data about the users that visit their website must put technical implementations in place to ensure that every user has the option to “opt out” of sharing their data with website content publishers.

A consent management platform (CMP) is a tool that enables these technical measures to be implemented on a website or app to be GDPR or CCPA compliant. CMPs enable this by prompting users for consent by accepting the website cookie settings or make adjustments to these cookie settings.

The implementation of a CMP requires modifications through installing a CMP code on the website and adjusting settings to tags and triggers in Google Tag Manager. Every tag in your Google Tag Manager, including the Google Analytics tag, must be triggered only when users have specifically given consent for their data to be collected. If users have opted out from their data being collected then your tags should not fire.

I have seen companies approach this in several ways:

• The default settings of the CMP will prevent data from being collected when users that land on the website. Users need to specifically accept and give consent for this or their behavior will not get recorded in Google Analytics.
• Another way is to implement settings where data starts getting recorded as soon as a user lands on the website but give the user the option to “opt out”.  If users opt out of sharing their data it will not be recorded.
• Website visitors from California and the EU: Since these specific regulations only apply to California and EU area residents, CMPs can be implemented to only serve visitors from these specific locations. What this means is when a user from California or the EU lands on the website tags will be affected by the CMP and the user’s choice of sharing or not their data. But if a user from another area lands on the website tags will fire as normal.

How is Google Analytics data affected by complying with CCPA and GDPR?

Regardless of how you implement the CMP default settings, data that Google Analytics is reporting will be affected and certain reports will be skewed.

If, by default, data for website users is not collected and your CMP settings require consent from users before the Google Analytics tag fires, you might be missing a lot of user data. This is simply because some users are not aware of this, and even if they do not object to sharing their data with you, they simply will continue browsing without clicking the Accept all cookies button.

If, by default, the CMP settings begin collecting data for any user who lands on the website but these users then decide to adjust the cookie settings and stop sharing their data with you, this could result in bounce rate increases and poor user engagement metrics.

How to analyze and make informed decisions

Test before launching a CMP Platform

I cannot stress high enough the importance of testing all your tags and tracking processes prior to pushing the CMP implementation live on your website. Whatever tags you have already implemented in Google Tag Manager, make sure you understand how they are affected and how they fire, or not, as a result of the CMP implementation. In many scenarios companies are facing tracking issues because the CMP is not implemented correctly and the implementation has not been tested prior.

Make annotations

In Google Analytics you can insert annotations on specific dates and make comments on what has occured on this day in time so you can monitor how your data is affected after this. Insert annotations for any changes that are happening on your website as a result of the CMP implementation process and spend the necessary time to analyze how, if at all, your data is affected.

Analyze users from specific locations

GDPR and CCPA apply to users in specific geographic locations, EU and California. After you implement a consent management platform on your website spend some time analyzing traffic from these specific locations. Have sessions decreased? Have conversions decreased? How are the user engagement metrics performing? If you don’t see any drastic changes then your users have no problem sharing their data with you. If, however, metrics have been somewhat or drastically affected, then you would need to spend time and make educated assumptions on what the possible scenarios are that affect your data.

In Conclusion

Every company, big and small, that operates a website must consider compliance with both the GDPR and the CCPA data privacy regulations. The implementation of a consent management platform will take care of all the technical measures that your organization needs to take in order to give users control over what data they share with you. Make sure you test your CMP implementation and understand exactly how your data may be affected.