What Does the ePrivacy Regulation Mean for Your Google Analytics?

Disha Sharma
By
May 14, 2020 ·

Google Analytics is a staple for most optimizers and marketers.

The ubiquity of this solution makes it innocuous to the point where we tend to overlook the settings of our Google Analytics account when privacy regulations roll out.

But the GDPR was a substantial nudge for testers to scrutinize their Google Analytics data storage and processing.

And now with the ePrivacy Regulation, another layer of consideration – around how to gain visitor consent for the use of the analytics suite – will be added to the plate of optimizers.

Originally meant to release on the same day as the GDPR, the ePrivacy Regulation is set to change how cookie consent works. It will redefine how websites seek consent from their users for installing cookies into their browsers. And because web analytics solutions like Google Analytics use cookies to collect, store, and track their analytics data, they naturally fall under its purview.

So will the ePrivacy Regulation need every website that uses Google Analytics (and caters to European audiences) to seek explicit cookie consent?

Well, the answer is subjective.

And it depends largely on how a Google Analytics account is set up and configured.

Let’s take a closer look.

Non-Intrusive and Privacy-Friendly Use of Google Analytics

If you only use Google Analytics as a simple first-party data analytics tool to learn about your website audience in a non-invasive way, you might not need to seek explicit cookie consent. In fact, the European Commission’s ePrivacy Regulation proposal suggests that cookie consent can be exempted when the data tracked is purely for analytical purposes:

“The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent.”

Dubbed as the “cookie provision,” this consent exemption allows webmasters who have configured their Google Analytics in a privacy-friendly way to install their cookies without seeking explicit consent.

Also, in its Cookie Consent Exemption paper, the Working Party — an independent European advisory body on data protection and privacy constituted by the European Parliament — made a special case for such first party analytics cookies to be exempted under the revised ePrivacy Regulation proposal:

However, the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms that are applied to other collected identifiable information such as IP addresses.

Following from this, you might not necessarily need to add explicit cookie consent banners to your website if your use of Google Analytics is non-intrusive. To qualify for this, among all the other things, your Google Analytics account must be configured in such a way that it:

  • Has the right anonymization in place ensuring that the data collected isn’t personally identifiable
  • Ensures that no data information about any users is ever passed on to any Google Analytics servers
  • Doesn’t share the Google Analytics data with any third-party solution providers

In addition to these, you’d also be expected to publish an easy-to-understand cookie policy that plainly explains what Google Analytics cookies you use, what data they collect, and how the data gets processed.

Also, your users should get the option to easily opt out of your Google Analytics cookie tracking.

Using Google Analytics in More Ways Than as a First-party Analytics Tool

Quite a few marketers use more advanced implementations of Google Analytics. Such a configuration often slices and dices the analytics data in a way that tiptoes the privacy lines that laws like the GDPR draw. For example, if you use your Google Analytics cookies to map the user id that Google Analytics uses for a visitor to your other marketing solutions, then you’d need explicit consent of your visitors before using your cookies. If you’re using the user id feature for cross-device tracking, again, you might have to seek explicit consent.

Using Google Analytics Advertising Features, too, will need you to ask for consent from your users before installing your Google Analytics cookies as Google installs additional cookies in this case.

Likewise, if you use third party tracking pixels with your Google Analytics, you’ll have to seek explicit consent in most implementations.

As you can tell, such configurations of Google Analytics could use and process some personal user data and also end up sharing it with other service providers.

And so these cases fall under the GDPR and need explicit consent. And because the ePrivacy Regulation is meant to “particularise and complement” how the GDPR approaches personal data processing by “translating its principles into specific rules,” the cookie consent rules it proposes applies to websites using Google Analytics cookies in such non-standard implementations.

The ePrivacy Regulation and Browsers (and the Impact on Your Google Analytics Cookies and Data)

As you can get, post the ePrivacy Regulation, using Google Analytics in more advanced ways will need you to seek explicit consent from your users before installing cookies into their browsers.

But that’s not all. The ePrivacy Regulation also wants to encourage privacy by design and default in the web browsers and wants companies that power browsers to help users make better and more informed cookie consent choices via the browser settings itself:

Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in a an easily visible and intelligible manner.

So if your users choose to go with options like “never accept cookies” or opt for accepting just “strictly necessary cookies,” your Google Analytics data will get impacted.

Developments like Apple’s updates to the ITP and others — in line with the growing demands for more private browsing experiences — are also cutting short the cookie duration, including the duration of the first-party cookies that Google Analytics sets.

Based on the type of browser we are talking about, repeat visitor counts may be significantly impacted.

Wrapping it Up…

Depending on how you configure and use Google Analytics on your website, you can learn a lot about your users. And so even if your usage doesn’t require you to set up cookie consent walls and banners on your website, you must still explain your cookies and their use in a neat and easy-to-understand cookie policy.

In case you happen to need cookie consent for your Google Analytics cookie usage, make sure to seek it the right way.

And if you think you could cover even your non-standard Google Analytics cookies without consent under the GDPR’s Legitimate Interests provision, check out our detailed take on consent versus legitimate interests.

At Convert, we take a privacy-first approach to everything we do. We consider the GDPR and the upcoming ePrivacy Regulation that builds on it to be solid initiatives to stop the internet from becoming an “always on” surveillance system —   guzzling tons of user data every second, mostly without the users’ (specific, informed, active, and freely given) consent.

We don’t  just comply with such laws but also help our customers offer memorable digital experiences while still staying compliant with them. In fact, our A/B testing and experiments solution doesn’t use any personal data in the default setting, operates with first party set cookies and is the only enterprise-level experimentation solution to be designed this way. We’re forever committed to empowering our customers run winning experiments while fully respecting their users’ privacy.

Mobile reading? Scan this QR code and take this blog with you, wherever you go.
Originally published May 14, 2020 - Updated November 10, 2022
Written By
Disha Sharma
Disha Sharma
Disha Sharma
Content crafter at Convert. Passionate about CRO and marketing.
Edited By
Carmen Apostu
Carmen Apostu
Carmen Apostu
Head of Content at Convert

Start Your 15-Day Free Trial Right Now.
No Credit Card Required

You can always change your preferences later.
You're Almost Done.
I manage a marketing team
I manage a tech team
I research and/or hypothesize experiments
I code & QA experiments
Convert is committed to protecting your privacy.

Important. Please Read.

  • Check your inbox for the password to Convert’s trial account.
  • Log in using the link provided in that email.

This sign up flow is built for maximum security. You’re worth it!