This is the second blog post in our GDPR series. Read the next post in our series, Are you a good steward of your constituent data? To catch up, start with our first post: GDPR: Is Your Organization Ready?

By now you should have figured out if GDPR, the General Data Protection Regulation, affects your organization. (If you’re still not sure, take a look at our first blog post in our GDPR series: GDPR: Is Your Organization Ready?) You’re also probably ready for a stiffer drink than a glass of milk, but seriously what goes better with cookies?

While GDPR will affect all of your data collection, in this post we’re focusing specifically on the impact to your Google Analytics or other analytics tracking. Since most of our clients use Google Analytics (GA) we are going to make this specific to GA. However, these recommendations can be applied to other tools such as Adobe Analytics.


Step 1: Alert users that you are using cookies, and give them a way to actively opt-in to cookies.

According to the GDPR…

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”

As such, we recommend that when a user impacted by GDPR arrives at your website, they see:

  • A banner alerting them that the site uses cookies;
  • Some text explaining all of the cookies you’re setting with either:
    • A note explaining why that particular cookie (or cookies) is necessary for the user experience (e.g. tracking the logged-in state), such that the site simply won’t work correctly without it. In this case, you can explain that to the user and let them know they can set their browser to block these cookies, but that the site may then work poorly or not at all.
    • Or un-selected option(s) for opting in. In other words, for every cookie that is not truly required for the user experience, the user has to take a specific action (e.g. check a box or click a button) to give their consent. If your site uses cookies for different purposes, the user will need to opt in to each purpose separately. This includes Google Analytics and other behavior tracking tools such as Hotjar or Clicktale, as well as advertising tracking such as Facebook or AdWords.
  • Links to your privacy policy and cookie policy;
  • Instructions on how to come back and change their options later.

The main point is that until the user affirmatively agrees to accept cookies, you cannot place a cookie on the website; this includes analytics tracking and other pixels.


Step 2: Configure GA tracking to look for opt-in cookies.

If the user has agreed to accept your analytics cookies, then you can start tracking with Google Analytics. The easiest way to handle the opt-in/opt-out is to set a cookie that indicates that the user has opted into cookies. All other tracking code must then check for the presence of this opt-in cookie before it sets any additional cookies.

One way to set this up using Google Tag Manager (GTM) is to create an exception trigger for all tracking tags that blocks tracking from being fired unless the user has opted into cookies.

Here’s an example of what the pageview trigger would look like with the exception applied:

Here’s an example of the trigger configuration:

If a user indicated that they would like to opt out of behavioral or advertising tracking, you should set a cookie that indicates the user has opted out. Then you can place an additional exception on your tags to block tracking if the user has opted out of behavior tracking such as Google Analytics.

Here’s an example of the tag configured with the additional behavioral opt-out check:

Here is the configuration for the behavior tracking exception trigger:
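The two exception triggers above expressed in plain JavaScript, as an added example that is not code from the original post or from Google Tag Manager: nothing fires without the opt-in cookie, and behavioral tags are additionally blocked by the opt-out cookie. The cookie names, the value "1", the tag list and the separate advertising opt-out cookie (a small generalization of the post's single opt-out) are assumptions.

```javascript
// Consent gate for tracking tags (added example; cookie names and tags are assumed).
const OPT_IN_COOKIE = "cookie_consent";          // set only after an affirmative opt-in
const BEHAVIOR_OPT_OUT_COOKIE = "behavior_optout"; // set if the user opts out of behavior tracking
const AD_OPT_OUT_COOKIE = "ad_optout";           // set if the user opts out of ad tracking

// Tags the site would fire, each with the consent category it needs.
const TAGS = [
  { name: "GA pageview", category: "behavioral" },
  { name: "Hotjar", category: "behavioral" },
  { name: "Facebook pixel", category: "advertising" },
];

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Exception 1: no opt-in cookie means no tags at all (silence is not consent).
// Exception 2: a per-purpose opt-out cookie blocks the tags of that purpose.
function tagsToFire(cookieString) {
  const cookies = parseCookies(cookieString);
  if (cookies[OPT_IN_COOKIE] !== "1") return [];
  const blocked = new Set();
  if (cookies[BEHAVIOR_OPT_OUT_COOKIE] === "1") blocked.add("behavioral");
  if (cookies[AD_OPT_OUT_COOKIE] === "1") blocked.add("advertising");
  return TAGS.filter((t) => !blocked.has(t.category)).map((t) => t.name);
}

// In a browser this is called as tagsToFire(document.cookie) before any tracking
// script is injected. Constructed cookie strings exercise the three cases here.
if (typeof document === "undefined") {
  console.log(tagsToFire(""));                                    // []
  console.log(tagsToFire("cookie_consent=1"));                    // all three tags
  console.log(tagsToFire("cookie_consent=1; behavior_optout=1")); // ["Facebook pixel"]
}
```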

Step 3: Remove Personally Identifiable Information from GA.

Some nonprofit CRM tools capture Personally Identifiable Information (PII) in the URL, which is then recorded in GA during a pageview. Several solutions exist to remove or redact this information before it reaches GA.

Brian Clifton has created an excellent solution for redacting PII from Google Analytics:
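An added example of the redaction idea (this is not Brian Clifton's solution, nor code from GA or the original post): the page URL is cleaned before it is handed to the tracker as the page location. The list of PII parameter names and the REDACTED marker are assumptions; the sample URLs are constructed.

```javascript
// Redact PII from a page URL before reporting it to analytics (added example).
// Query parameter names that CRM links commonly use for PII (assumed list).
const PII_PARAMS = new Set(["email", "name", "firstname", "lastname", "phone", "address"]);
// Anything that looks like an e-mail address, with "@" either raw or percent-encoded.
const EMAIL_RE = /[A-Z0-9._%+-]+(@|%40)[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const REDACTED = "REDACTED";

function redactPII(pageUrl) {
  const url = new URL(pageUrl);
  // 1. Known PII parameters are kept but blanked, so reports still show which
  //    form or landing page produced the hit without the value itself.
  for (const key of [...url.searchParams.keys()]) {
    if (PII_PARAMS.has(key.toLowerCase())) url.searchParams.set(key, REDACTED);
  }
  // 2. Anything that still looks like an e-mail address, in the path or in an
  //    unlisted parameter, is replaced as a safety net.
  return url.toString().replace(EMAIL_RE, REDACTED);
}

// Constructed sample URLs of the kind a CRM might generate.
const SAMPLES = [
  "https://example.org/donate?email=jane.doe%40example.com&amount=50",
  "https://crm.example.org/unsubscribe/jane.doe@example.com/confirm",
  "https://example.org/p?ref=jane%40example.com&utm_source=newsletter",
  "https://example.org/about?utm_campaign=spring",
];
for (const s of SAMPLES) console.log(redactPII(s));
```

In the browser, the cleaned string is what you pass to the tracker as the page location instead of `document.location.href`.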

Step 4: Accept Data Processing Agreement in GA.

In Google Analytics, under Admin > Account > Account Settings, you will need to agree to the Data Processing Amendment. You can learn more about that here:

Step 5: Right to be Forgotten

Last, but not least, the GDPR respects the user’s “Right to be Forgotten.” GA has stated that it will have a tool that will allow you to retroactively remove user data by user ID or GA cookie ID by the May 25 deadline. If a user requests to be forgotten, this new tool will allow you to remove their data.

Those are the key elements to making sure that your analytics tracking is set up for GDPR. As the deadline approaches and new information comes to light, we’ll keep you posted!
