The Marketing Technologist.

We talk about analytics, code, data science and everything related to marketing technology. Backed by the tech geeks of Greenhouse.

Setting up Google Analytics within the AP Guidelines

Data and privacy has become an important concern in our lives. The introduction of GDPR has impacted freedom in tracking and cookie usage. In order to be allowed to track and target users, websites must ask users for consent.
In Google Analytics, data from users that have not consented may not be used for remarketing features. This article focuses on how to use Google Analytics within the guidelines of the Autoriteit Persoonsgegevens in The Netherlands.

Background

You might ask yourself why using one Google Analytics property with configurations in the Google Analytics settings variable is wrong. This configuration is advantageous in the fact that there is only one property to maintain, potentially leading to lower storage costs. However, what happens if the user consents on the second page in one session? All of the session information will be stored in Google Analytics. In fact, you are now using hit-level information from the moment where the user did not consent yet. From an ethical point of view it is questionable if you want to use this hit-level data for remarketing purposes.

Image 1 - One Google Anaytics property with configurations in the Google Analytics variable


In order to be compliant according to the Autoriteit Persoonsgegevens, you need to set up two Google Analytics properties. One property will be the privacy friendly one, whereas the other is only loaded after consent. Incase the user consents at the second page in a single session. Image 2 shows for both properties the data that will be stored. This configuration has a clear division between data that may (not) be used for remarketing features.

  • In the consented property, User IDs may be stored and remarketing features may be activited.
  • The privacy friendly property contains all session information, except User IDs, and can be used for statistical analysis. Though, this configuration might be costly since you have to maintain two GA360 properties.
Image 2 - Two Google Analytics properties. One privacy friendly and one consented.


Configuration

This section explains how to configure the privacy as well as the consented analytics property. Further, the settings that need to be applied to your Google Tag Manager settings variable or analytics.js are mentioned in this section.

Google Analytics interface

For the account configuration of your Google Analytics interface, there are four important settings that you need to check.

1. Data processing amendment

The first step is to read and sign Google Analytics’ Data Processing Amendment in the account section of Google Analytics.


2. Sharing data with Google

In the account section of Google Analytics there are five ways to share data with Google. All of these boxes can be unchecked.

Please note that this does not affect advertising features.


3. Sharing data with Google for advertising purposes

In the property section of Google Analytics, you will find two options to enable data sharing for marketing purposes.
In the privacy friendly property: do not enable these features.
In the consented property: you can enable these features.

Further instructions on how to ensure that no data is shared for marketing purposes are given later in this article


4. User ID tracking

According to the guidelines of the Autoriteit Persoonsgegevens users need to consent to allow you to collect their User IDs. In the Google Analytics admin section, you need to enable User ID tracking if you want to collect User IDs in your Google Analytics data.

In the privacy friendly property: do not enable these features.
In the consented property: you can enable these features.

The picture below shows the configurations in the Google Analytics interface if you are enabling this.


Tracking code

There are four points you need to configure in your Google Analytics (analytics.js) tracking code. IP Anonymization can only be enabled in the tracking code. Advertising Features and the usage of User IDs can only be enabled in the consented property.

  1. Anonymise IP:
    - set anonymizeIp to true in both trackers.
  2. Advertising Features:
    - set allowAdFeatures to false in the privacy friendly tracker.
    - set allowAdFeatures to true in the consented tracker.
  3. User ID tracking:
    - do not set the field userId in any of your tags in the privacy friendly tracker.
    - you can set the field userId in your tags in the consented tracker.
  4. Force SSL: set forceSSL to true in both trackers.

When using analytics.js the following the tracking code should look like this:

Next, we should set the privacy friendly Google Analytics tracker in all of the Google Analytics tags that we want to send to the privacy friendly Google Analytics property, and the consented Google Analytics tracker in all tags that we want to send to the consented property. An example of the Google Analytics pageview tag is shown in the picture below.


For the privacy friendly Google Analytics tags you do not need to set any specific blocking rules, since we made the required changes to our Google Analytics interface and our Google Analytics tracker. However, for the consented tags we need to make sure that these are not fired without consent. The pictures below show how this is done. Take into account that OneTrust is used as cookie tool in this example, but that the setup also applies for other vendors.

Let's get started

Now you are able to understand how to set up a Google Analytics environment that is compliant according to the guidelines of the Autoriteit Persoonsgegevens in The Netherlands. Lastly, I want to refer to Erik Driessen's article on Privacy in Google Analytics and Google Analytics App + Web, since this has been my source and inspiration to deepen into the world of data & privacy.

Hopefully you enjoyed reading this article. Have fun setting up your privacy friendly Google Analytics!