To comply with GDPR get rid of Google Analytics

You can’t collect meaningful data with Google Analytics and meet your legal obligations so don’t bother trying – what are your options?

Google Analytics (GA) is the dominant platform for analysing website visits and visitors. Google offers this service monetarily for free, but the code you drop into the header of every webpage allows Google to retrieve a mine of data about your site visitors and combine this with other data they hold to track individuals across the internet.

In June 2019 the UK Information Commissioner’s Office (ICO) issued guidance on cookies and other similar tracking technologies. As the ICO points out, rules on cookies come under the Privacy and Electronic Communications Regulations (PECR) but the standard of consent is key to General Data Protection Regulation (GDPR) – that big scary bit of legislation from 2018 that had everyone scrambling to hire consultants to avoid fines.

The ICO issued simple guidance on the standard of consent for tracking technologies. A blog post from Ali Shah, Head of Technology Policy, points out that analytics software like GA is not classed as a ‘strictly necessary’ cookie and users must make a ‘clear and positive action’ to consent to the cookie being downloaded to their machine. Pre-ticked boxes assuming consent are non-compliant. Cookie walls preventing access to force consent and using legitimate interests as a catch-all are also not compliant.

How many of these have you seen? Test cookie notice from research by the University of Michigan and Ruhr-University.

Therefore, GA, as implemented on most websites, is not compliant with the legislation. Below I look at some possible actions for website owners for dealing with this.

Option 1 – continue with Google Analytics but try to comply with PECR and GDPR

A few pioneers are trying this out. You keep GA in place but the Google tracking is disabled by default and you ask your website users if they wouldn’t mind switching it on for you, so you have some data about site usage.
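
A minimal sketch of this default-off arrangement, as an added example that is not code from the original post, the ICO site or any consent tool. The storage key, function names and in-memory storage stand-in are assumptions made for illustration.

```javascript
// Added example: consent-gated analytics loader (names below are hypothetical).
const CONSENT_KEY = 'analytics_consent'; // hypothetical storage key

// storage: object with getItem/setItem (localStorage in a browser).
// loadTracker: callback that injects the analytics script; called at most once.
function createConsentGate(storage, loadTracker) {
  let loaded = false;

  // Anything other than a stored, explicit "granted" record counts as no consent.
  function hasConsent() {
    try {
      const record = JSON.parse(storage.getItem(CONSENT_KEY) || 'null');
      return record !== null && record.choice === 'granted';
    } catch (e) {
      return false; // malformed record: fail closed
    }
  }

  // Loads the tracker only when consent is on record; returns whether it has loaded.
  function maybeLoad() {
    if (hasConsent() && !loaded) {
      loaded = true;
      loadTracker();
    }
    return loaded;
  }

  // Call only from a click or toggle handler, i.e. a clear and positive action.
  function recordChoice(granted) {
    const record = { choice: granted === true ? 'granted' : 'denied', at: new Date().toISOString() };
    storage.setItem(CONSENT_KEY, JSON.stringify(record));
    maybeLoad();
    return hasConsent();
  }

  return { hasConsent, maybeLoad, recordChoice };
}

// Minimal in-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}
```

In a browser you would pass `window.localStorage` and a callback that appends the analytics script tag, and call `maybeLoad()` on every page view. A script that has already loaded cannot be unloaded, so a withdrawal takes full effect from the next page load.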

The ICO website takes this approach using the civic computing cookies control software, the basic version of which is free to download and use. It’s an ugly blue vertical scroll-out bar on desktop but does allow you to be clear in a way that can’t be misinterpreted.

ICO website with cookie consent banner
Close up of the ICO website cookie consent – Analytics cookies set to ‘off’ as default.

The big downside: will anyone turn on the tracking? Research by the University of Michigan and Ruhr-University found that just 0.1% of site visitors would choose to turn these options on when presented with this kind of choice.

This is the reason for the headline of this post. Yes, you can use GA and still comply but it’s hardly worth it given the slim chance of the tracking being turned on by users when they reach your site.

The ad-tech industry knows this of course which is why they try so hard to remove any sense of a choice and use ‘nudging’ and dark patterns to force your hand.

If you keep GA, you will be continuing to feed a data supply chain for Google about the people who use your site. This data is used by Google as part of its surveillance capitalist business model recently highlighted by Amnesty International in its report Surveillance Giants.

“…the surveillance-based business model of Facebook and Google is inherently incompatible with the right to privacy and poses a systemic threat to a range of other rights including freedom of opinion and expression, freedom of thought, and the right to equality and non-discrimination.”

Amnesty International 2019

Option 2 – Use an alternative service

Contrary to what Google would have you believe, other products are available that do the same sort of thing but without violating the decision rights of your site visitors.

The excellent website switching.software highlights some alternatives. The big bonus with these options is that there are no cookies involved at all and so no need to have a cookie notice to cover them.

Matomo is a powerful analytics tool, but one designed to avoid capturing personal information about visitors. It actually claims to be more accurate than GA because it does not use data sampling. It can be downloaded and installed on your own hosting service for free and there is also a cloud-based version which comes at a cost. The United Nations, NASA and the European Commission all use Matomo.

matomo.org

Another option is Fathom which is a privacy-respecting analytics platform. It’s cloud-based and comes at a cost. The data and user interfaces look simpler than GA. Fathom has recently discontinued its open source option but it’s still a better option than GA.

usefathom.org

If you use a content management system, there might be native plugins that you can use instead of GA. This blog uses a WordPress plugin to provide very basic information like how many people look at which page and how they arrived on the site – do you really need more? See option 4.

Another option is Koko Analytics, an open source WordPress plugin by Danny van Kooten, a former developer with Fathom. The plugin keeps all the data about your visitors on your site.

Last but by no means least, Plausible Analytics is another open source, cookie- and tracking-free option which is simple and lightweight.

Option 3 – Stick with Google Analytics as is – aka the bury your head option

The non-compliant use of cookies and trackers is so widespread, and the risk of sanction from the ICO seemingly so remote, that most people seem quite happy to leave things the way they are. They either don’t understand what changes need to be made to be compliant, or they know and aren’t bothered. Those companies that do get chased down by the ICO so far seem to be pursued for data breaches, and the two biggest online advertisers and consistent violators of GDPR, Google and Facebook, have hardly had a glove laid on them.

Head in the sand?

The study from the University of Michigan and Ruhr-University found that 86% of websites had cookie banners offering no options other than a confirmation button, with 57% using ‘dark pattern’ nudge techniques like making the agree button a bright colour and twice as big as any other option.

You could do nothing and leave GA in place as it is and nobody is likely to come after you for now. But if there are alternatives which remove the risk entirely and come at low or no cost why would you wait?

Option 4 – no analytics at all

Do you need GA? Perhaps you need something similar or perhaps you need nothing at all. I do have a basic analytics plugin for this blog but I don’t need it. This is a blog about the things I want to write about and I’m going to write what I want even if nobody ever reads it. I don’t review the analytics data and change what I’m going to write about. I mostly review the data if I have a sudden influx of emails to try and figure out what happened – usually, somebody tweeted or posted a link somewhere popular and I get a rare blip of popularity. But this goes to show how even someone like me who is against surveillance capitalism, is so conditioned to feeling the need to attain data even when I don’t need it and probably won’t use it.

As well as the lack of need, some websites are deciding that, on balance, they would prefer not to track the people who visit their site. Having ‘No tracking’ on the site is seen as a badge of honour. I hope this will become more popular in time.

Conclusion

Of these options, using an alternative to GA is the best bet, and if you run a website that needs analytics you should go down that road. Keeping GA and trying to comply (option 1) is going to mean you lose most of your data, and Google are never going to change how GA works to comply with GDPR because that would mean losing the data, which to them is like being deprived of oxygen.

Updates

  • Danny van Kooten got in touch about Koko Analytics which I also decided to include in the post. Danny also told me that Fathom is no longer open source so I updated the section to reflect that.
  • Another Twitter user said the paid version of enterprise GA does not share data with Google. I can find no evidence to support this as it links to the standard Google T&Cs.
  • Marko Saric referred me to Plausible Analytics which I thought merited inclusion.

James Mullarkey

I write about the web and digital, mediocre sporting performances and places I've been, for this blog and only this blog.