If you use Google analytics to track visitor data on your website, might you be in breach of GDPR – and could you be setting yourself up for a big fine?
At first glance the answer to the question about Google analytics is straight forward. The General Data Protection Regulation – GDPR – coming into force on May 25th applies to personal data. As a general rule, Google analytics data is anonymous, so you are in the clear.
But drill down, and things become more complex.
GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
It is use of phrases such as ‘indirectly, or ‘location’, that add to the complexity.
Under GDPR, and data subject can contact you and ask for details on all data you hold on that individual – this is known as the ‘right of access’.
But if you are unable to ascertain what data relates to this person, then GDPR’s ‘right of rectification’ and ‘right of erasure’ just cannot apply.
But this can be an issue if you also collate email addresses, IP addresses. phone numbers, etcetera, perhaps via a registration process and this information is linked to data gathered via a cookie.
But there is a further complexity. The latest advances in AI, using neural networks and deep learning techniques, can cross reference different data sets – and by combining different analysis on different data, such as from radio frequency devices, or separate data sources, AI may be able to analyse Google analytics data and pinpoint people’s identity or at least their location and IP address.
And the advice is don’t do it. Data is enormously valuable – but, unless you can work out a way to ensure permission to use personal data is freely and willingly given, keep it anonymous.