Privacy policies have become a requirement for websites. Customers have come to expect them, and their use is required by several different regulations around the globe. Given the recent happenings in Europe, and the resulting changes made to Google Analytics 4, it’s natural to wonder if your use of Google Analytics is checking all the boxes for compliance.
While the focus tends to be on regulation, Google Analytics itself does have specific terms for use that need to be communicated to the end user (the person viewing the website) via the website’s privacy policy. It can be easy to overlook these requirements, and even if you did manage to add the relevant parts during the initial setup, the exact text required changes depending on which features you have enabled, and what area of the world the website is serving. Most recently, in April of 2022 the requirements changed for servicing Europe, with the EU User Consent policy requirements being added.
General Requirements
Using Google Analytics comes with various requirements, such as disclosing to the end user the use of Google Analytics and how it collects and processes data.
This requirement can be found on the following support page. Most of the relevant information is found under the Safeguarding your data support page.
The page contains information specific to the following items, some of which may be required under various regulatory requirements.
- Which cookies and identifiers Google Analytics uses
- Information on the Data Processing Agreement (which your legal team should review and agree to)
- The data collected by Google Analytics
- International Data Transfers
- What the data is used for
- Who has access to the data under specific scenarios
- Data retention practices
- User Deletion information
- User-level Data Access and Portability
- Advertising personalization information
- Data privacy and security compliance information
Advertising Requirements
Use of certain features of Google Analytics (such as Google Signals and Interest Based Advertising) may require additional disclosures and requirements. Google makes these clear in the Policy requirements for Google Analytics Advertising Features support page.
Notably this requires sites to abide by the following:
This means you will not identify users or facilitate the merging of personally identifiable information with additional information collected through any Google advertising product or feature unless you have robust notice of, and the user’s prior affirmative (i.e., opt-in) consent to, that identification or merger, and are using a Google Analytics feature that expressly supports such identification or merger. Irrespective of users’ consent, you must not attempt to disaggregate data that Google reports in aggregate.
https://support.google.com/analytics/answer/2700409?hl=en
You are also required to disclose which advertising features have been enabled, which identifiers are used and how visitors can opt-out.
European Requirements
Servicing Europe? Then you have additional requirements to be aware of. Using Google Analytics in Europe also makes you subject to the EU User Consent policy. Under this policy you are required to obtain legally valid consent and retain records of consent given by end users, as well as provide directions for how end users can revoke consent.
Given the 33-page document (Guidelines 5/20 on consent under Regulation 2016/679) on what consent looks like under the General Data Protection Regulation, I would strongly advise reviewing the requirements with qualified legal counsel.
Japanese Requirements
The disclosure here talks about the merging of non-personal and personal data, and speaks about the consent requirements.
If you are operating on data out of Japan, you may wish to confirm with qualified legal counsel what this means for your specific use cases.
Interest-based advertising
Enabling interest-based advertising (which includes Remarketing) may subject you to additional requirements and policies. These include the Google Ads Policy for Personalized Advertising and the Platform Program Policies, which detail requirements for specific kinds of advertising and how data collected may or may not be used.
You are also restricted from using Google Analytics data to target any of the sensitive categories defined by Google Ads. Google requires that interest-based advertising be disabled if Google Analytics is collecting data for any of the sensitive categories.
One last thing to consider
Google will not tell you the exact text the privacy policy requires (neither will I). Regulations vary across regions and lines of business, and because Google Analytics can be used in many ways (which changes the text required), Google shifts the responsibility to the customer (the site using Google Analytics). It is for this reason I again strongly recommend working with qualified legal counsel to determine the requirements and ensure that the policy is drafted in a way that is both complete and legally compliant with whatever regulation the website may be subject to.