As you may have already read in our whitepaper 'GDPR in the recruitment industry’, there are a number of important issues when you run a (recruitment) website. In this blog post, I will discuss the consequences of the GDPR for tracking your website traffic with Google Analytics, for example.

Since the introduction of the Cookie Act a few years ago, there has been a lot of confusion about whether or not you need to ask permission for placing cookies. How is it then, for some you do and for others you don't? Confusion reigns supreme, partly encouraged by the government, which was rather vague about the grey area of tracking cookies, subsequently made the law more flexible, and then adjusted it again.

Do you need permission for Google Analytics cookies?

From 25 May onwards there is a clear guideline in place. If you do not use the cookies for advertising functions, do not collect IP addresses and do not share data with third parties, you may place Google Analytics cookies without explicit permission.

So you may not need a cookie wall or other complicated constructions to beg your visitor for permission, but there still are a few conditions. Here they are in a list:

Checklist: How to use Google Analytics under the GDPR

1. Conclude a processor agreement with Google

This sounds more difficult than it is. Google has already prepared it for you in your Analytics account under 'Administrator > Account settings'. At the bottom of the page you will find the Google processor agreement. After accepting, do not forget to click on 'Save'.

2. Make sure you do not share data with Google

While still in your 'Account settings', uncheck the boxes you see under 'Share data settings'.

3. Disable data collection for advertising functions

Placing cookies for retargeting via Facebook or the Google Display Network, for example, is not allowed without permission. Even if you do not use this, you must ensure that the collection of data for those purposes is disabled in Analytics.

Go back to the 'Administrator' menu. Under 'Property' click 'Tracking info' and then 'Data collection'. Turn off both options in this screen and click 'Save'.

4. Ensure that IP addresses are collected anonymously

With complete IP addresses, it would be possible for companies to find out more information about the visitor. This is not desirable and not allowed under the privacy legislation. With the 'anonymise IP' function, Google will make the last few digits of the IP address unrecognisable.

IP anonymisation with the new tracking code (gtag.js)

We anonymise the IP addresses by adding a small piece of script to the Google tracking code. Google Analytics has been using a new tracking code for some time now. Find it under 'Administrator > Property > Tracking info > Tracking code'. While we're at it, it is advisable to replace the old tracking code on the website with the new one.

Copy the tracking code from Analytics and paste it into a notepad for a moment. Now add this script:

, { 'anonymize_ip': true }

so your complete script looks like this example:

Then go in the OTYS CMS to 'Global Meta tags' and then to 'Google Analytics'. Replace the existing Analytics tracking code with the one you just adjusted.



Anonymise IP addresses with Google Tag Manager

Did you place the Analytics script from the Google Tag Manager? Then set the following field to anonymise the IP addresses from here:

Exclude your own traffic with a filter (optional)

Because you do not want your statistics to become polluted by traffic from yourself and your colleagues, you probably set a filter that excludes your own traffic based on IP address. Now that IP addresses are anonymous, you may think that this is no longer possible. However, you can just adjust your existing filter slightly. Set up your filter so that you only exclude traffic from the IP addresses starting with xxx.xxx.xx. Enter your own IP address here, removing the digits after the last dot.

5. Inform your visitors that you place tracking cookies

If all is well, you have a clear privacy statement on the website. This should mention that you collect data that provide insight into the use of the website. In any case state:

That you have concluded a processor agreement with Google

That you will never share data with Google

That data is processed anonymously

That you do not use the collected data for advertising purposes, such as retargeting via social media or the Google Display Network, for example

Which Analytics cookies will be placed, with what purpose and when they will be removed

If you meet these conditions, you can use Google Analytics without having to ask permission from your visitors.

If you do want to use retargeting, for example, not all steps above apply. You will then have to explicitly request permission before you place the cookies and tell your visitors in detail which cookies it concerns. For this you can use the cookie bar.





