The General Data Protection Regulation (GDPR) and the Personal Information Protection and Electronic Documents Act (PIPEDA) are data privacy regulations that protect the personal data of individuals in the European Union and Canada, respectively. They apply to any website anywhere in the world that processes personal data from inside the EU or Canada. Using Google Analytics (GA) is therefore not GDPR/PIPEDA compliant by default.
A common solution is to place a cookie consent banner on a website. The side-effect is that unless the user takes action to allow GA tracking, no data will be tracked in GA for that visit. As a result, the back-end data available for that website will be limited.
Underscore's recommendation is to not place a cookie consent banner on US-specific websites (or to only serve it to non-US users). Where a cookie consent banner is necessary, it should be clearly visible so that users can take action.
Placing a consent banner on a website is not enough to make GA tracking GDPR/PIPEDA compliant. Other actions include:
- removing or masking PII, such as IP addresses, before sending it to GA
- utilizing GA data settings such as Data Retention and Data Deletion to help users exercise their GDPR rights
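One way to carry out the first item, as an added example that is not from the original page: mask the visitor's IP address on your own server before any hit is forwarded to GA, applying the same truncation GA performs when its IP anonymization is enabled (IPv4: last octet zeroed; IPv6: last 80 bits zeroed). The function names and the sample addresses are my own.

```javascript
// Added example, not from the original page. Truncates an IP address before it
// is logged or forwarded to an analytics back end such as GA. The truncation
// matches GA's documented IP anonymization: IPv4 keeps the first three octets,
// IPv6 keeps the first 48 bits (three groups) and zeroes the remaining 80 bits.

function maskIPv4(ip) {
  const parts = ip.split('.');
  const valid = parts.length === 4 &&
    parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error('invalid IPv4 address');
  parts[3] = '0'; // drop the host octet
  return parts.join('.');
}

function maskIPv6(ip) {
  // Expand a "::" abbreviation into the full eight groups first, so the
  // "last 80 bits" are counted correctly regardless of how the address was written.
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error('invalid IPv6 address');
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error('invalid IPv6 address');
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (!groups.every(g => /^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error('invalid IPv6 address');
  }
  for (let i = 3; i < 8; i++) groups[i] = '0'; // zero groups 4..8 = 80 bits
  return groups.map(g => g.replace(/^0+(?=.)/, '').toLowerCase()).join(':');
}

// Dispatch on address family; anything else is rejected rather than passed through.
function maskIP(ip) {
  return ip.includes(':') ? maskIPv6(ip) : maskIPv4(ip);
}

// Constructed sample addresses (documentation ranges, not real visitors).
const samples = ['203.0.113.45', '2001:db8:85a3::8a2e:370:7334'];
for (const ip of samples) console.log(ip, '->', maskIP(ip));
```

With client-side gtag.js this masking is instead done on Google's side: Universal Analytics exposes it as the `anonymize_ip` config setting, while GA4 applies it unconditionally.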