The GDPR refers to cookies specifically, as follows:
(30):"Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them".
At the time of writing, the terms of service of Google analytics prohibit the use of the service to identify a visitor personally, however, the mere fact that Googles terms of service currently seek to prevent you from being able to identify a visitor personally, does not mean that the data that you are being provided with via Google analytics is not personal data for the purposes of the GDPR. A person can be identified indirectly via their IP address, and this then would bring a record of an individual’s use of a website, such as provided by Google analytics within the definition of personal data; personal data for which you are responsible for compliance with the GDPR.
For example, re-marketing, or re-targeting, enables a business to show display ads on the Google network to users who have previously visited a site or a particular page on a site. While you may not be aware of the personal identify of the individual concerned, if you are seeking to display an ad to that person by virtue of the fact that you know that they have previously visited a particular page on your website, in doing so you need to ensure that you are GDPR compliant.
So, how can you ensure compliance?
Well, there you have two main options, the first would be to ensure that Google analytics is set up and used by you in such a way that you are not collecting any personal data in the process, i.e. to put measures in place to ensure that any data collection is properly anonymised and no individual is capable of being indentified from any of the data collected. This is likely to prevent the use of re-marketing or retargeting services, which by their definition will need to identify and record individual users to be able to display remarketing ads to them.
The second option is to understand that you are collecting personal data in your use of Google analytics and to ensure that, as with any other personal data that you hold in your business, you collect hold and use this in compliance with the GDPR. For more details of what is involved in doing that, please see here.
Click here to return to the GDPR Compliance Hub.