The latest release of Universal Analytics has excited many working within the industry as it addresses the use of User-Id cross device tracking, but how do these changes effect the information Google Analytics collects about us and how should sites respond?
It is important to remember that Google Analytics’ terms of service forbid users from storing personally identifiable data.
What is meant by Personally Identifiable Data?
Google Analytics stores data at three levels and all three will have their own unique identifier:
This occurs with each pageview or interaction and will be associated with a Session. If the Session Identifier expires or is different with each hit, then Google Analytics will see every hit as belonging to a new Session.
This contains information that relates to a specific browsing session. These are associated with a User. If the User Identifier is different for each session then Google Analytics will see every Session as belonging to a different User.
This contains information that relates to the overall User or Visitor.
Despite having their own identifiers, Google Analytics is unable to associate a Hit, Session or User with a specific person, i.e. these Hits belong to Matt Stannard. Instead, it can tell me that these belong to User 56123AE19485FF.
If we add a Name, National Insurance Number, Passport Number or E-Mail Address to any Hit, Session or User, then we are providing Personally Identifiable Data and as such Google Analytics is then able to join the Hits, Sessions or User data to Matt Stannard. However, this is against the terms of service.
So, by personally identifiable data Google actually means any information that may allow it to identify a real world individual.
Traditionally, Google Analytics stored information in a number of cookies, with varying expiry dates depending on whether the information was related to a session, or to the user.
Google Analytics would use these cookies to store whether a user was a repeat visitor, the last time they visited the website, session and custom variable data and information about the campaign, source and medium that brought the user to the site.
Display Advertiser Support
Shortly before the release of Universal Analytics into public beta, Google announced integration with its Display network. This feature allows users of Google Analytics to integrate demographic data taken from the Google Display network into their analytics account. It also allows Google Analytics to create remarketing lists.
To use this feature a small change is required to the Google Analytics to allow it to read the appropriate cookie. It also needs to be enabled in Google Analytics itself:
So if sites use this feature what does it mean in terms of privacy? Again, it’s important to stress that no personally identifiable data is shared between the GDN and Google Analytics.
Including the opt out link – https://tools.google.com/dlpage/gaoptout/ – would also be advisable.
The Universal Analytics security and privacy document explains the specific features used.
You could include a link to the Opt-Out plugin – https://tools.google.com/dlpage/gaoptout
Cross device tracking is a new feature supported in Universal Analytics. In order to track a user across devices, they must identify themselves in some way. This could be through logging in or through your site’s own personalisation cookies.
The User-Id feature enables us to pass this identifier to Google Analytics so that it is able to track the user as the same person. This may sound invasive but it’s really important to stress that the identifier itself should not be a piece of personally identifiable data, it is a number.
When using the User-Id you are also able to “stitch” a session. So, without stitching, if a user visits 5 pages before logging in, then by default Google Analytics would treat this as a separate user to the one who had logged in. By stitching these, Google Analytics tags these pageviews as being made by the user who has logged in. Google Analytics will only stitch views that occur within the current session.
As a site owner, if you use User-Id you must agree to the User-ID policy:
- Be transparent
- Explain what technologies you are using on your website (be they Google or otherwise)
- List the data collected by each technology and explain why and how you use this
- If you use Display Advertiser Support include links to Opt Out
- If you use User-Id explain how you link data together internally
- Do not store Personally Identifiable Data