On the 25th of May 2018 the new General Data Protection Regulation (GDPR) will come into force. The EU GDPR is the most important change regarding data privacy in over 20 years, causing all web data controllers and processors to reconsider how they manage, store, and transmit user data.
Like many other web applications, Google Analytics is subject to these new regulations. Since Google Analytics Dashboard for WP (GADWP) is one of the most popular Google Analytics solutions for WordPress, in this documentation page we will try to guide you through some essential privacy features available in GADWP and some Google Analytics aspects. You may find these useful while preparing for GDPR compliance or other user privacy regulations. Please note that professional legal advice should always prevail over any of the following, and that the information contained within this guide does not constitute and should not be taken as legal advice.
About the EU General Data Protection Regulation (GDPR)
If you’re interested in specific details regarding GDPR or GDPR in general, we highly recommend visiting www.eugdpr.org. The FAQ section of the above-mentioned website would be a pretty good starting point.
Things you should know about Google Analytics
According to Google Analytics terms of service (TOS), Analytics customers are prohibited from sending personal information to Google.
By default, the GADWP plugin doesn’t send this type of data to Google. If you have customized the plugin or extended its functionality to send any kind of personal information, you should be aware that you are subject to account termination or data deletion. Personally identifiable information (PII) includes, but is not limited to: names, social security numbers, email addresses, data that permanently identifies a particular device (such as a mobile phone’s unique device identifier if such an identifier cannot be reset), or similar data.
Regarding IP addresses (which can also be considered PII in certain circumstances), Google Analytics reports neither include nor display such information.
You should also be aware that Google has now updated their Data Processing Amendment (DPA) to account for the General Data Protection Regulation (GDPR). To read and accept the DPA, follow these steps:
- open analytics.google.com
- click on the Admin button; the Admin button has a gear symbol and can be found at the bottom left of your screen
- select Account Settings
- at the bottom of the screen review and accept the amendment accordingly
In addition, you should know that Google Analytics provides a browser extension that allows users to opt out of tracking across all websites. If you want to include this option in your privacy policy, here’s the link. Some of your users may find it useful.
Data Privacy features in Google Analytics Dashboard for WP
In the following paragraphs we’ll describe features that are available on GADWP and which are related to data privacy.
The IP anonymization feature
While Google Analytics does not reveal IP addresses in reports, this doesn’t mean the IPs are anonymized by default.
GADWP provides such a feature, which you should probably enable. To anonymize the user IP using GADWP, follow these steps:
- in your WordPress Administration area select Google Analytics from the left menu
- click on the Tracking Code sub-menu
- select Advanced Settings at the top of the screen
- enable the anonymize IPs while tracking option
The Do Not Track (DNT) feature
Some browsers will send a Do Not Track header while the user navigates your website. If you would like to regard that as a user choice, you can enable this feature in the plugin. If the feature is enabled in the plugin’s settings and the user has DNT switched on, the plugin will stop sending data to Google Analytics. To enable DNT support in GADWP, follow these steps:
- in your WordPress Administration area select Google Analytics from the left menu
- click on the Tracking Code sub-menu
- select Advanced Settings at the top of the screen
- enable the option called exclude tracking for users sending Do Not Track header
Please note that DNT is not an industry standard, so certain browsers may not have this feature available.
The User Opt-Out feature
The latest version of Google Analytics Dashboard for WP plugin provides full support for user opt-out. To use this feature follow the steps below:
- in your WordPress Administration area select Google Analytics from the left menu
- click on the Tracking Code sub-menu
- select Advanced Settings at the top of the screen
- enable the option called enable support for user opt-out
Once enabled, a special script will be inserted above the tracking code. Afterwards, to allow users to opt out, you can create a link such as:
<a href="javascript:gaOptout()">Click here to opt-out of Google Analytics</a>
The plugin also provides a dedicated shortcode. You can use this shortcode to generate an opt-out button or link. By clicking the generated button, users will be able to disable tracking with Google Analytics.
To create a user opt-out button simply add this shortcode where needed:
[gadwp_useroptout html_tag="button"]Google Analytics Opt-out[/gadwp_useroptout]
If you omit the html_tag or use html_tag="a", an opt-out link will be created instead.
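How a client-side opt-out of this kind can work, as an added example that is not GADWP's own script. It relies on the `ga-disable-<property ID>` window flag that analytics.js checks before sending hits; the placeholder property ID, the client-side Do Not Track check, the ten-year cookie lifetime and the `gaOptin()` function are assumptions of this example.

```javascript
// Added example, not GADWP's script. PROPERTY_ID is a placeholder.
const PROPERTY_ID = 'UA-XXXXX-Y';
// analytics.js sends no hits while window['ga-disable-<property ID>'] is true.
const DISABLE_KEY = 'ga-disable-' + PROPERTY_ID;
const TEN_YEARS_S = 10 * 365 * 24 * 60 * 60; // assumed cookie lifetime, in seconds

// True when an opt-out cookie from an earlier visit is present.
function hasOptOutCookie(doc) {
  return doc.cookie.split(';').some((c) => c.trim() === DISABLE_KEY + '=true');
}

// True when the browser exposes an enabled Do Not Track preference.
function dntEnabled(win) {
  const nav = win.navigator || {};
  const v = nav.doNotTrack || win.doNotTrack || nav.msDoNotTrack;
  return v === '1' || v === 'yes';
}

// Must run before the tracking snippet so the flag is set before the first hit.
function applyPrivacyChoice(win, doc, honourDnt) {
  const blocked = hasOptOutCookie(doc) || (honourDnt && dntEnabled(win));
  if (blocked) win[DISABLE_KEY] = true;
  return blocked;
}

// Opt out: persist the choice and stop tracking on the current page as well.
// Returns nothing, so it is safe to call from a javascript: link.
function gaOptout(win = globalThis, doc = globalThis.document) {
  doc.cookie = DISABLE_KEY + '=true; max-age=' + TEN_YEARS_S + '; path=/; SameSite=Lax';
  win[DISABLE_KEY] = true;
}

// Opt back in: expire the cookie and clear the in-page flag.
function gaOptin(win = globalThis, doc = globalThis.document) {
  doc.cookie = DISABLE_KEY + '=; max-age=0; path=/; SameSite=Lax';
  win[DISABLE_KEY] = false;
}

// In a browser, apply the stored choice immediately; skipped outside one.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyPrivacyChoice(window, document, true);
}
```

`hasOptOutCookie(document)` can drive a status message on a privacy policy page, and a second link calling `gaOptin()` lets a visitor reverse the choice.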
Final Notes
While any ideas and related feature suggestions are welcome, let’s not turn the comments into a debate about GDPR or other regulations!
In chapter “The User Opt-Out feature” you are describing a shortcode for the gaOptout() link.
However, on your website the shortcode gets already replaced by the “Google Analytics Opt-out” button, so the shortcode is not readable as source code.
Furthermore, it would be great to have some (configurable) response (e.g. by javascript alert) like “GA has been disabled for this website” if the user clicked the link/button, instead of just jumping to top of page with no response.
Thanks for the feedback, that’s something we need to have.
Thanks, I’ve updated the post.
Alin, thank you for fixing the documentation so quickly.
May I point out another technical issue?
If a user group is excluded from tracking, the shortcode is inactive for this user group and will not be replaced by a link or button, because the shortcode function will not get called in this case.
This makes it difficult to check if the implementation of the shortcode was made correctly.
Is it possible to activate the shortcode function independently of the current user’s group?
Yes, that would be possible. I usually prefer loading features only when used or needed. It’s how the plugin is designed: if a feature is not enabled/needed it won’t be loaded, to keep things lite for every use case. While I do prefer this model, shortcodes should always be executed, otherwise they will generate a bad user experience and confusion.
I still kinda think google analytics is the most trusted
Sorry for the newbie question, but how do I add either of the shortcodes; I did enable for user opt-out. I tried copying and pasting it to my page, and also tried creating a link to it, but all I get is the text on my site and no link or button.
If you log out and browse your site as a guest (without being logged in) the button will show up. It’s a bug.
Thanks.
Great work guys!
Just one question – is there a shortcode or code snippet I could use to show if opt-out has been selected, and a way to allow a user to opt in again?
Plus: how long will the cookie with the opt-out option survive?
There’s no shortcode for that, at the moment.
The expiration of the opt-out cookie is set to 10 years.
Hi Alin, you might consider tagging your plugin as gdpr in the plugin repository so it appears along with the others:
https://wordpress.org/plugins/tags/gdpr/
Google Analytics has been my most trusted web stats so far and thanks for the info.
I am not the most technical person and need a little help here please. I enabled the anonymize IPs while tracking option and want to enable the option called exclude tracking for users sending Do Not Track header. However, I don’t understand what I am supposed to do with the shortcode. Where should I be putting it?
Hi,
The shortcode can be used in your privacy policy page or similar, if needed.