By now, I’m sure that you have already received a few dozen emails regarding the new General Data Protection Regulation (GDPR) that’s taking effect on May 25th, 2018.
Due to the hefty penalties, up to 4% of annual revenue or 20 million euros (whichever is greater), the news of GDPR has caused quite a panic among businesses around the world.
We have received countless emails from MonsterInsights users asking what changes we are making with regard to GDPR.
In this post, I want to explain how the new MonsterInsights features along with Google Analytics will help automate some of the compliance process for website owners.
Legal Disclaimer: Due to the dynamic nature of websites, no single plugin can offer 100% legal compliance. Please consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases. Nothing on this website should be considered legal advice.
What is GDPR?
General Data Protection Regulation (GDPR) is a new privacy regulation passed by the European Union (EU) that will have a significant impact on businesses around the world. The law is over 200 pages long and consists of data subject rights such as right to be forgotten, breach notification, consent, etc.
It’s nearly impossible for any blog post to accurately describe all that’s involved which is why we recommend consulting an attorney to discuss full compliance.
That said, we’ll do our best to summarize how GDPR impacts you in relation to your usage of Google Analytics and MonsterInsights.
How does GDPR affect Google Analytics?
According to GDPR, you must obtain explicit consent before collecting or processing any personal information of an EU resident or citizen.
Since you can use Google Analytics to track user ID / hashed personal data, IP addresses, cookies, and other behavioral profiling event data, you have one of two options:
- Anonymize potentially personal identifying data like IP addresses
- Obtain explicit consent before loading the Google Analytics script
If you don’t have consent, then you also cannot share the Demographics and Interest reports with your Remarketing / Advertising (Google AdWords) account.
Aside from that, you also have to adjust the data retention controls in Google Analytics to ensure that you continue to have historical data and can access ad-hoc reports like multi-channel funnel attribution reports, flow visualization reports, custom reports, etc. (more on this later in the article).
How does MonsterInsights help with GDPR?
Since MonsterInsights is a third-party Google Analytics integration for WordPress, we have done our best to integrate with the changes that Google Analytics has made to its product, so you can easily automate some of the GDPR compliance process.
Earlier this week, we released our EU Compliance Addon for MonsterInsights which is available on all premium licenses.
To help you better understand the new features and changes, we’re going to break down every detail one-by-one.
1. Automatically Anonymize or Disable Personal Data Tracking
When you enable the MonsterInsights EU compliance addon, it automatically:
- Anonymizes IP addresses on all Google Analytics hits, eCommerce hits, and form tracking hits
- Disables UserID tracking on Google Analytics hits, eCommerce hits, form tracking hits, and the UserID dimension in the Custom Dimensions addon
- Disables author tracking in the Custom Dimensions addon
- Enables the ga() compatibility mode
- Disables the Demographics and Interests Reports for Remarketing and Advertising tracking on Google Analytics hits
It’s important to note that it ONLY disables the demographics and interest reports for remarketing and advertising tracking (i.e., Google AdWords). You will continue to get demographics and interest reports from aggregated data in Google.
2. Enable Consent Box Integrations
If you want to continue to track personalized data, then you will need to get user consent. Instead of building a consent box solution inside MonsterInsights, we decided to integrate with existing popular solutions, so you can have a site-wide consent box that encompasses everything.
When you have one of the above plugins enabled, then MonsterInsights will wait to load the analytics script until the user gives their explicit consent. We have also enabled the ga() compatibility mode so Cookiebot can properly pass the data.
The downside of solution #2 is that unless the user opts in, they won’t be tracked, which will lead to a lot of missing GA session data. This is why we always recommend option #1 as an ideal solution.
However, enough users asked for this solution, so we made it available. To learn how to further customize this, please see our documentation on getting started with the EU compliance addon.
3. Easy Opt-out of Data Tracking
Depending on your needs, you may wish to provide an option for users to opt-out of tracking.
MonsterInsights has 3 ways to offer an opt-out option for tracking:
- If you are using the Cookie Notice or CookieBot plugin, then you should use their respective built-in options.
- If you are not using either of those plugins, then you can use one of MonsterInsights’s Opt Out link integrations or easily create an opt-out link by following our guide.
- We have also made MonsterInsights compatible with both Google Analytics’s Chrome browser opt-out extension and Google Analytics’s built-in cookie opt-out system.
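The decision logic behind the three features above, written out as an added example (this is not MonsterInsights code). The property ID `UA-XXXXX-Y` is a placeholder, and the function names, the opt-out cookie name and the rule that consent re-enables UserID and advertising features are assumptions; the `ga()` commands and the `ga-disable-<ID>` window property are standard analytics.js settings.

```javascript
// Added illustration; not MonsterInsights source code.
const PROPERTY_ID = 'UA-XXXXX-Y'; // placeholder property ID

// analytics.js sends no hits while window['ga-disable-<ID>'] is true.
// The choice is persisted in a cookie of the same name (naming is an assumption).
const OPT_OUT_KEY = 'ga-disable-' + PROPERTY_ID;

// True when the cookie string carries a stored opt-out for this property.
function isOptedOut(cookieString) {
  return cookieString.split(';')
    .map((pair) => pair.trim().split('='))
    .some(([name, value]) => name === OPT_OUT_KEY && value === 'true');
}

// Handler for an opt-out link: block hits now and remember the choice.
function optOut(win) {
  win[OPT_OUT_KEY] = true;
  win.document.cookie =
    OPT_OUT_KEY + '=true; expires=Thu, 31 Dec 2099 23:59:59 UTC; path=/';
}

// Build the ga() commands for one page view.
// mode 'anonymize' = option 1 (scrub personal data, no consent box)
// mode 'consent'   = option 2 (send nothing until the visitor agrees)
function buildGaQueue({ mode, consentGiven = false, optedOut = false, userId = null }) {
  if (optedOut) return [];                              // opt-out always wins
  if (mode === 'consent' && !consentGiven) return [];   // wait for the consent box
  const queue = [['create', PROPERTY_ID, 'auto']];
  if (consentGiven) {
    if (userId) queue.push(['set', 'userId', userId]);  // personal data allowed
    queue.push(['require', 'displayfeatures']);         // demographics for advertising
  } else {
    queue.push(['set', 'anonymizeIp', true]);           // truncate the IP on every hit
    queue.push(['set', 'allowAdFeatures', false]);      // no remarketing signals
  }
  queue.push(['send', 'pageview']);
  return queue;
}

// Replay the commands into the page's ga() function; returns how many were sent.
function replay(win, queue) {
  queue.forEach((args) => win.ga(...args));
  return queue.length;
}
```

On a real page, call `replay(window, buildGaQueue({...}))` only after the analytics.js snippet has defined `window.ga`, and set `window[OPT_OUT_KEY]` from `isOptedOut(document.cookie)` before that snippet runs.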
User and Event Data Retention Policy in Google Analytics
By now you have likely received an email from Google Analytics to inform you about the changes coming to the data-retention policy. Starting May 25, 2018, Google will automatically set your data retention to 26 months by default.
You have an option to choose from: 14 months, 26 months, 38 months, 50 months, or never expire user and event data.
You can configure this by logging into your Google Analytics account and clicking on the Gear icon at the bottom left of the page.
To edit, in the Property column click on Tracking Info » Data Retention.
According to Google, this setting will not affect most standard reporting based on aggregated data. But what does that really mean?
This means that you’ll have access to your default reports like: Audience, Acquisition, Behavior, and Conversions because they use aggregated data.
You can select a date range for these reports, and they will generate in seconds because they are readily available.
That all sounds great, but there’s a big problem unless you take action in the next two weeks.
What Google is not telling you is that purging this data will eliminate your ability to run ad hoc reports on historical data.
Ad-hoc reports are based on sample data that includes applying a segment, filter, secondary dimension, or a custom report. This includes losing access to historical data on your Multi-Channel Funnel and Attribution reports, Flow-visualization reports, etc.
While you may not use these reports every day, they can be pretty significant once you start diving deeper into your website analytics.
The decision to set the data-retention policy to “Never Expire” or to expire at 50 months should be made by consulting with an attorney.
To learn more about this, this article by Jeff Sauer provides detailed insights and perspective on the data-retention policy.
We hope this article and our new features help you automate some of the GDPR compliance issues on your website.
Due to the dynamic nature of websites, no single plugin can offer 100% GDPR compliance. This is why different services and plugins are announcing their own GDPR enhancements to help your business comply with the law. For example: our sister product, WPForms, recently came out with their own set of GDPR enhancements for WordPress forms.
At the end of the day, it is your responsibility as a business owner to comply with GDPR.
As always, thanks for your continued support of MonsterInsights and we look forward to bringing more new features to you.
Syed and the MonsterInsights Team
Not using MonsterInsights Pro? Upgrade your license to access the EU Compliance Addon among many other features!