How the new Google Analytics may impact how you ask for consent

How the new Google Analytics may impact how you ask for consent

You might have missed it. You might not have missed it. But Google has shared their plans to unify app and web tracking. It does look like a good new direction for the product. If you like to read more about the details of the new release, I recommend reading Krista Seiden's post. What I would like to focus on in this post, is the new focus of Google Analytics. It will shift towards Firebase's data schema, adopting a user focused event based data model.

Let me start this section by mentioning that 1) I am not a lawyer, and 2) that views discussed here are purely my own. And 3) I am not a lawyer.

With the introduction of GDPR, the way we ask for consent has become more important. Web analytics is an interesting concept to ask consent for. Let me use Google Analytics as an example. Google Analytics is awesome product. It also a flexible product. It allows you to leverage your web analytics data in powerful ways:

  • Cross-device user tracking (using a user ID or Google Signals).
  • Enrich your reports with demopgrahic data (using audience data from DoubleClick).
  • Remarketing (using audiences).

It's important to understand that these great features also greatly impact the way you should ask for consent. You could argue that you can ask for three levels of consent for Google Analytics alone:

  • basic insights (a privacy friendly as it gets, with IP anonymization turned on, ad features disabled, and any type of cross-device tracking disabled).
  • advanced insights (adding demographic reports and cross-device tracking).
  • marketing usage (allowing data to be used for remarketing).

You could argue that the basic insights level is a necessity for most businesses. You need to know what's going on your website. But I think the other two most definitely require some sort of consent. So how could the new Google Analytics impact this?

Users Users Users

Google Analytics' new data schema will focus on users, events, and event parameters. Google Analytics currently reports users based on three types of identifiers:

  • Cookies
  • Customer ID (with user ID tracking)
  • Google ID (using Google Signals)

While the first one is used within the basic insights level of consent, it is also the least valuable to use when looking at users. A cookie is unique per browser per device. So it does not really tell you how many users have visited your website. It tells you how many unique combinations of devices and browsers have visited your website.

The other two options solve this issue. They allow you to track a user across systems. Google Analytics can identify them with either a customer ID you set in your tracking code, or a Google ID based on users that are signed in to some Google product (and have the correct permissions for data sharing).

With the focus on users, recognising users across systems becomes even more important. And the basic insights consent level may disappear. You could argue that recognising a user across systems is essential to a business operating in a multi-screen world. But keep in mind that this is a shift in the way you track your users. And that should trigger you to think about the way you ask for consent. Especially when identifying a user becomes the default.