- What personally identifiable data are you collecting and for what purpose?
- How do you collect this data?
- How do you keep it secure?
- When do you share or disclose personally-identifiable data?
- What measures are taken to ensure the accuracy of data?
- How your customer can access the data you hold about them and ask for corrections to be made.
- You must say that you are using cookies (Google Analytics places cookies on the user’s browser to track visits to your website).
- You must say that you are using Google Analytics and how it collects and processes data. Google suggests pointing to their own description of this by linking to their article “How Google uses information from sites or apps that use our services”.
There are extra requirements if you have switched on Advertising Features within Google Analytics. In this case Google Analytics is collecting data about your visitors from advertising cookies on their browser, if those cookies are present. This enables extra advertising-related reporting. The Demographics and Interest Reports fall under this ‘advertising-related’ category.
Remarketing is another Advertising Feature (separately enabled), and allows you to create remarketing audiences within Google Analytics based on people’s behaviour on your website and their demographics and interests.
- The Google Analytics Advertising Features you’ve implemented.
- Information about how cookies and identifiers are being used – including advertising cookies or other cookies set by your partners when someone visits your website.
- How visitors can opt out of Google Analytics Advertising Features. For example, through Ads Settings on their browser, Ad Settings for mobile apps, or through Advertising opt-out services.
See Google’s Policy Requirements for Google Analytics Advertising Features.
Google also encourages website owners to link to their information on Google Analytics opt-out browser add-ons. These can be installed by anyone to prevent their data from being used by Google Analytics.
You are not allowed to send any personally-identifiable information to Google Analytics. This might occur in a scenario where a person fills out forms or logs on to your website, and the page URL subsequently includes a name or other personally-identifiable information. This kind of information must be removed before the data is sent to Google Analytics.
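One way to do that removal in the browser, shown as an added example (not code from this page or from Google). The list of parameter names and the `REDACTED` placeholder are assumptions to adapt to your own forms; passing the cleaned URL to your analytics tag is left to your tag setup.

```javascript
// Scrub personally identifiable values from a page URL before it is
// reported to analytics. Added example; names below are assumptions.

// Assumed query parameter names that carry personal data on your site.
const PII_PARAMS = new Set(["name", "firstname", "lastname", "email", "phone", "address"]);
// Email-shaped strings, with a raw or percent-encoded "@".
const EMAIL_RE = /[A-Za-z0-9._+-]+(?:@|%40)[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/gi;
const REDACTED = "REDACTED";

function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);

  // 1. Path: some sites put the login or email address in a path segment.
  url.pathname = url.pathname.replace(EMAIL_RE, REDACTED);

  // 2. Query string: blank known PII parameters by name (ignoring case,
  //    "_" and "-"), and redact email-shaped values in all the others.
  const clean = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    const normalised = key.toLowerCase().replace(/[_-]/g, "");
    clean.append(key, PII_PARAMS.has(normalised) ? REDACTED : value.replace(EMAIL_RE, REDACTED));
  }
  url.search = clean.toString();

  // 3. Fragment: single-page apps often carry state after the "#".
  url.hash = url.hash.replace(EMAIL_RE, REDACTED);

  return url.toString();
}

// Constructed sample URL, as it might look after a form submission.
const SAMPLE =
  "https://shop.example/account/jane.doe@example.com/orders" +
  "?first_name=Jane&ref=newsletter&q=contact+jane.doe%40example.com" +
  "#user=jane.doe@example.com";

console.log(scrubUrl(SAMPLE));
```

Name-based matching only catches the parameters you list, so review the URLs your own forms and login flows produce and extend the list to match.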
The Google Analytics terms of service also require that you “will comply with all applicable laws, policies and regulations relating to the collection of information from Users”. This means not just local privacy laws, but also any other applicable laws. Some of these can be far-reaching …
Things get more complex if you are an Australian business that either collects personal information from residents of Europe, or has a website that is accessed by residents of Europe. In this case, the GDPR (General Data Protection Regulation) applies to you.
GDPR applies to countries in the European Economic Area (EEA). The UK also enacted very similar laws after Brexit.
I have seen it suggested that, if you do not want to do business with people in the EEA, it is a good idea to include statements on your website saying that you do not offer services to people in these countries and you do not accept sign-ups to your email list from them.