It’s been a few months since I updated this blog. It’s been a few more months since I updated CAOS Pro. Fortunately, not without reason! What you didn’t know, is that I’ve been working on a major update for the past few months! An update that is all about GDPR compliance for using Google Analytics in the EU.
A Quick Recap
2022 was a crazy year, GDPR-wise; lawyers were sending out warning letters left and right, judges handing out fines. Services you knew and loved declared illegal!
Google has been under fire by privacy authorities for years, but last year they finally dealt some heavy damage.
The default implementation of Google Analytics was ruled illegal by a judge in Austria and a website owner in Germany received a € 100,- fine as a warning for using Google Fonts without informing its visitors.
For Google Fonts, the solution was easy. But using Google Analytics in the EU was met with a ton of uncertainty, because using Google Analytics in compliance with the GDPR was no longer a simple matter.
Many jumped ship and switched to Google Analytics alternatives, like Plausible or Fathom. Others who couldn’t, were exposing themselves to a legal jungle.
Meanwhile, Google panicked and pushed Google Analytics 4 out of beta (while it wasn’t — and the Measurement Protocol was still in Alpha) and tried to exude confidence by deprecating Universal Analytics (V3) and announcing the end of the service by July 1st, 2023.
Great move, Google.
I tried to keep up with the weekly hourly daily continuous bugfixes being pushed to the anything but stable Gtag.js (V4) library, meanwhile looking for ways to keep GDPR compliance easy for my users.
Honestly, I couldn’t keep up. Whenever I fixed something, something else would break in the JS library. I was close to tearing out my hair — if I still had any.
Fast-Forward to 2023
Now, things have cooled down a little. Google finally came through with a stable JS library and Measurement Protocol and a fancy, new EU-US Data Framework is supposed to protect us from the greedy claws of US Intelligence Agencies.
To be honest, none of that will help you with using Google Analytics in compliance with the GDPR.
Fortunately, the French Data Protection Authority (CNIL) decided to be helpful and provide us with an actionable list of requirements (based on recommendations by the EDPB — Use Case 2 / Paragraph 85) on how to use Google Analytics in compliance with the GDPR.
Fortunately for me (!) CAOS Pro already met 90% of the requirements:
- The absense of transfer of the IP address to the servers of the analytics tool is taken care of by anonymizing the last two octets of the IP address, so it provides a geographical mesh ensuring a minimum number of internet users (255 x 255 = 65.025 to be exact) per cell while still maintaing (albeit far less accurate) location data.
- The replacement of the user identifier by the proxy server is provided by CAOS Pro’s Cookieless Analytics feature, including a time-varying component (the creation date) as required.
- The absense of collection of cross-site or lasting identifiers (CRM ID, UUID, Client ID, etc.) are all removed by the Stealth Mode proxy,
- And so is the deletion of any other data that could lead to re-identification.
The only requirement that wasn’t met was the removal of any data that could be used to generate a fingerprint, e.g. user-agents.
CAOS Pro v2.3.0 changes this and makes it much easier to configure Google Analytics for GDPR compliance.
Easy GDPR Compliance for Google Analytics in WordPress
CAOS Pro introduces the Increase GDPR compliance feature. One simple toggle to take care of all the needed technical measures required according to the CNIL.
The word “increase” is there for a reason. While there are many things I can take care of, there are a few things you need to take care of yourself to be fully GDPR compliant:
- Remove any URL parameters that provide external referrer information,
- Remove any parameters contained in the URL collected by Google Analytics, e.g. UTM-tags and any parameters used for internal routing,
Finally, your site’s hosting conditions must be “adequate”. As the CNIL puts it:
The proxy server must also be hosted in conditions that ensure that the data it processes will not be transferred outside the European Union to a country that does not provide a level of protection substantially equivalent to that provided within the European Economic Area.
So, there. Let’s see how it works, shall we?
GDPR Compliance for Google Analytics with CAOS Pro
Increase GDPR Compliance is truly a bitesize option, which is available as of CAOS Pro v2.3.0 and is located under the Basic Settings tab.
All you need to do is check that box, hit Save & Update, and CAOS Pro will be configured according to the requirements listed above.
For your convenience, I’ve added a feature that blocks any changes to the settings involved, clearly explaning why these settings can’t be changed.
You’ll notice blue info boxes throughout CAOS Pro’s settings screens informing you of the whats and whys:
What’s the Catch?
You might think that this sounds too good to be true — and you’re partially right.
Using Google Analytics in the EU and the GDPR era means collecting less data. No cross-site tracking, no remarketing, no demographics, no precise location data. None of the marketing tools deemed helpful in the past decade or so.
Basically, you’re allowed to see what your visitor is doing on your site and nothing else. On a somewhat brighter side, this is exactly the same as what any other Google Analytics alternatives are offering, while Google Analytics remains free and its alternatives require a premium.
But (!) while Google Analytics remains free, what you do need to consider is prior consent.
Google Analytics 4 stores a first-party cookie in your visitor’s browser. Regardless of what you’re storing in the user’s browser, if the type of cookie isn’t on the list of exemptions, prior consent is required. Some Google Analytics alternatives are cookieless, which would mean no consent is required.
Some European countries (e.g. Belgium and Ireland) and the UK always require prior consent. Other European countries (e.g. Italy, The Netherlands and France) consider first-party analytics cookies to be exempt from prior consent. To make it even more complicated, this deviation from the ePrivacy Directive might not even be valid, because the ePrivacy directive doesn’t offer any room to member-states to deviate
To be safe, I’d say using Google Analytics — or any 3rd party analytics tool (using cookies) at all — without collecting prior consent is a thing of the past.
Summary
CAOS Pro now offers an easy (if not, the easiest) way to implement Google Analytics on your WordPress website in compliance with the GDPR in the form of one simple checkbox: increase GDPR compliance.
The implementation follows the recommendations derived from the EDPB’s presentation of June 18th, 2021 by the French Data Protection Authority, CNIL.
CAOS Pro takes care of the technical part. This means some work might still be required on your end, e.g. you’d have to remove UTM-tags from the outgoing URLs.
It’s also worth noting that using Google Analytics in compliance with the GDPR comes at a cost, because the collected data will be less accurate and prior consent is (in most cases) still required.