We've had a lot of questions recently about the forthcoming General Data Protection Regulation (GDPR) legislation. No really...a LOT. There's a lot of confusion about what needs to be done, especially with respect to site analytics.
The more we've read about the requirements for complying with the legislation, the less convinced we are that using Google Analytics is going to be viable.
In order to allow users to be tracked for analytics we're going to require them to actively opt in. Having a pop up that says by continuing to use this site you agree to us tracking you... isn't good enough (and frankly was always a rubbish thing to do).
To use a tracking cookie we're going to have to ask our users to explicitly let us track them. We'd have to record when we got this acceptance from them, and allow them an option to change their mind. They need to be able to see what data we hold on them and we need to be able to remove that data.
The latest Google consent policy advice says:
You must obtain end users’ legally valid consent to:
- the use of cookies or other local storage where legally required; and
- the collection, sharing, and use of personal data for personalization of ads or other services.
When seeking consent you must:- retain records of consent given by end users; and
- provide end users with clear instructions for revocation of consent.
Now Google Analytics is undeniably fascinating - we spend hours getting lost in stats, but most of the sites we look after aren't selling things and we're not desperately trying to increase stickiness. Mostly we want just an idea of how well the site is doing and making sure that things are ticking along as usual.
As well as it being a pain for us to make GA compliant though there's another consideration; Do we even want to be part of the whole tracking ecosystem?
When I browse the web, I use a browser that has do-not-track enabled by default, includes automatic tracking protection and on top of that has a plugin that blocks adverts. The whole idea of companies wanting to keep a record of sites I've been to, where I am and how I'm accessing the internet is not one I'm keen on. I'd really rather they didn't.
From an ethical point of view, should we really be enabling Google to sell more adverts?
This isn't a clear cut decision to make. I can really see how having targetted ads and search results can be a good thing. I keep trying other search engines every once in a while but always end up back at Google Search because they give me the results I need. Obviously that's in part because they've been tracking my searches for years and can target my interests (although they still don't always get it right ).
So, what's the alternative?
Well we've started recommending and implementing self hosted statistics instead. In particular we're using the open source Matomo (previously known as Piwik) stats package configured to anonymise IP addresses and not track users.
** UPDATE **
As well as our Matomo instance we've also started using Fathom Analytics which is a great looking, privacy focused analytics service.
** /UPDATE **
This certainly has an impact on the data collected - it's much harder to identify return visits for example, but unless you have a particular reason to view that information then the stats it provides will almost certainly be enough to keep your board members happy.
The data collected by Matomo is kept on your own servers and not transferred to any other company; and since we're not able to indentify individual users then we're in the clear as far as GDPR goes.
No unfriendly 'opt in' check boxes needed and a clear conscience to boot.
Some useful GDPR reading
Smashing mag have this article which is aimed at developers but covers the basics well.
How to make Matomo GDPR compliant has some useful links. We still think you should consider only collecting anonymous stats though.
Mailchimp have a guide to the GDPR (pdf) which is available to download from this page
The ICO guide to the GDPR is a good place to start for an overview of the whole thing.