There has been a lot of fear-mongering after a recent ruling by the Austrian Data Protection Authority (DSB), which found that a standard implementation of the Google Analytics script violated the GDPR's rules on transferring personal data outside the EU.
The website that was evaluated had not (properly) anonymized IP addresses and had not disabled "Google Signals" and the other advertising features that can be enabled in Google Analytics. Because the complainant was logged into a Google account in the same browser, Google was able to link the identifiers in the Google Analytics cookies and the IP address to an identifiable person. Combine that with the fact that US authorities can compel Google to hand over such data when requested, and you have some (rightfully) unhappy privacy advocates!
If you want to read more about the ruling itself, I recommend reading this.
I’m not going to go into opinions or speculation about the future, instead, we’re going to focus on what you can do right now to prepare your organization for the potential future scenarios that lie ahead.
If you do want some more insights on where this might go, have a look at this post from Cory Underwood on his own blog and this post on the Search Discovery blog.
What steps can you take to prepare your setup?
This ruling will not be the last. There will be changes to Google's products, and further rulings based on those changes and on new legal cases going forward. The most important thing for you as a company is to gain full control over every script that fires on your website, so that you can adjust anything when needed.
The game plan is fairly straightforward:
- List all scripts that fire on your website
Use a tool like Tag Inspector to get the ball rolling. If you have a larger website, this might turn out to be more difficult than you would think. Figure out which tool each script belongs to and where it fires from.
- Find the 'owners' of the scripts
Figure out who is responsible for each script internally and ask them whether it is still required. (You'll likely find that a lot of scripts can be deleted, so you're also optimizing site speed while you're at it!)
- Move as many scripts as possible to Tag Manager
Remove all hard-coded scripts that fire directly from your website code and move them into a Tag Management solution where possible. This allows you to control them efficiently going forward.
- Implement Server-Side Google Tag Manager
Create your own server-side GTM container within your own company's Google Cloud environment (the same container can also be deployed as a Docker image on other hosting). This allows you to run a data collection endpoint on your own subdomain (data.yourdomain.com, for instance), so the browser talks to you first and you decide what gets forwarded.
- Use Server-Side Clients when possible
In server-side GTM, a Client is the component that receives incoming requests on your endpoint and turns them into event data your tags can act on. Not all vendors support server-side tracking (yet), but if they do, invest in migrating to the server-side solution. In the case of this blog post we're talking about Google Analytics, which supports tracking via Server-Side GTM.
- Implement a Consent Management System (CMP)
If you haven't already, that is. Implement a system that asks your website visitors for the proper consent before you fire the pixels you want to fire.
- Integrate your CMP with Tag Manager and Consent Mode
Simply having a 'cookie bar' is not enough. It also needs to actually function properly and integrate with your tag manager and the scripts within it, so that the consent signals (analytics_storage, ad_storage, and so on) reach every tag. We recently wrote a blog post about just this topic.
- Block everything by default
Create logic in your server-side and web tag manager containers that blocks (or alters) scripts from firing without the proper consent. When there is no consent signal at all, make sure your setup falls back to blocking everything by default; a missing signal must never be treated as consent.
- Anonymize IP addresses and disable Google Analytics Advertising features
Use your newly created setup to fire Google Analytics in the most privacy-friendly way by default: strip or truncate the IP address before the hit leaves your endpoint, and force the advertising features (Google Signals, ad personalization) off rather than relying on a flag in the browser. Make those Data Privacy Authorities happy!
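As an added example (not code from the original post or from Google's server-side GTM), the following plain JavaScript shows the last two steps of the game plan applied to a single incoming hit on your own collection endpoint: consent is denied unless the CMP explicitly granted it, the client IP is truncated the way Google's anonymizeIp setting does it (last octet of IPv4, last 80 bits of IPv6) before anything is forwarded, and the advertising features are forced off. It runs under Node.js; server-side GTM custom templates use a sandboxed JavaScript subset, so treat this as the logic to implement, not drop-in template code. The field names (client_ip, ip_override, allow_google_signals, allow_ad_personalization_signals, gclid) and the sample hit are assumptions for illustration.

```javascript
// Added example, not code from the original post: the privacy gate a
// server-side collection endpoint applies to each hit before forwarding it.
// Field names below are illustrative assumptions, not an official schema.

// Consent Mode signal names. Anything the CMP has not explicitly granted is
// treated as denied, so a missing or broken consent signal blocks everything.
const CONSENT_DEFAULTS = {
  analytics_storage: 'denied',
  ad_storage: 'denied',
};

// Expand an IPv6 address (with optional "::" compression) into 8 four-digit
// hex groups. Returns null for anything that is not a well-formed address.
function expandIpv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...new Array(missing).fill('0'), ...tail];
  if (groups.some((g) => !/^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map((g) => g.padStart(4, '0').toLowerCase());
}

// Same truncation Google's anonymizeIp setting applies: zero the last octet
// of an IPv4 address, or the last 80 bits (five groups) of an IPv6 address.
// Returns null when the input cannot be parsed, so the caller never forwards
// a raw value it did not understand.
function anonymizeIp(ip) {
  if (typeof ip !== 'string') return null;
  if (ip.includes(':')) {
    const groups = expandIpv6(ip);
    if (!groups) return null;
    return groups.map((g, i) => (i < 3 ? g : '0000')).join(':');
  }
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) return null;
  octets[3] = '0';
  return octets.join('.');
}

// Build the hit that is allowed to leave your environment, or null when the
// hit must be dropped. Advertising features are forced off regardless of
// consent, and the raw client IP never reaches the vendor.
function prepareOutgoingHit(hit, consent) {
  const state = { ...CONSENT_DEFAULTS, ...(consent || {}) };
  if (state.analytics_storage !== 'granted') return null;

  const { client_ip, gclid, ...rest } = hit;
  const out = {
    ...rest,
    allow_google_signals: false,
    allow_ad_personalization_signals: false,
  };
  const anonymized = anonymizeIp(client_ip);
  if (anonymized !== null) out.ip_override = anonymized;
  // Ad-click identifiers only travel when the visitor consented to ad storage.
  if (state.ad_storage === 'granted' && gclid !== undefined) out.gclid = gclid;
  return out;
}

// Constructed sample: a page view from a visitor who granted analytics
// consent but refused advertising consent.
const sampleHit = {
  event_name: 'page_view',
  page_location: 'https://www.example.com/',
  client_ip: '203.0.113.77',
  gclid: 'EAIaIQobChMI',
};
const sampleConsent = { analytics_storage: 'granted', ad_storage: 'denied' };

console.log(prepareOutgoingHit(sampleHit, sampleConsent));
```

The important design choice is the order of operations: consent is evaluated first, so a denied or absent signal means no hit is built at all, and the IP is rewritten on the server rather than trusting a browser-side anonymizeIp flag that a misconfigured tag could omit. An unparsable IP is dropped instead of forwarded, which is the safe failure mode for a field you cannot anonymize.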
And then what?
If you took care of the steps listed above, you now have full control over what data you collect and what you do with it before you send it to any 3rd party vendor. By leveraging Server-Side Tag Manager, a container that runs in your company's own Google Cloud project and on your own domain, you are able to alter data before it leaves your environment for Google's servers, where the hit gets processed. By anonymizing IP addresses yourself and by forcefully disabling all advertising features, the specific shortcomings the Austrian DPA ruled on no longer apply to your setup (this is not legal advice, do your own research).
However, there will be new rulings. Fortunately, you’re prepared. You have a consent management system tightly integrated with your server-side GTM instance and the ability to adjust anything you like based on new rulings!
Worst-case scenario: Google Analytics is banned in Europe altogether. (Highly unlikely in my opinion.) You will still have a usable setup with a dataLayer full of information and a consent management system tied in with your tag management solution. Switching to a different analytics solution will be relatively easy, because all the infrastructure is already there.
Preparing for the worst-case scenario
Depending on how business critical your Google Analytics data is, you might want to prepare for the worst. In that case, a dual tracking solution might be worth the investment.
If you've completed the steps mentioned earlier in this article, it should be relatively easy to add an additional analytics solution. Which solution to pick as an alternative is a whole other topic in itself. This blog post by Krisjan Oldekamp does a good job comparing some alternatives.
Additional questions or need our help?
Do you have any additional questions or do you need help walking through the steps mentioned in this article? Feel free to schedule a call with me using the link below to see if we can help out!