Using Google Analytics? Better Update that Privacy Policy

Last updated on 18 September 2019 by Jennifer Laird

If your website or app uses Google Analytics, then you must draft and publish a Privacy Policy. The reason for this is twofold. Firstly, Google specifies this requirement in its Terms of Service. Secondly, Privacy Policies are a legal requirement when a company stores, transfers, or otherwise handles someone's personal information.

Since Google Analytics tracks data about visitors to your website by storing cookies on their computers, a Privacy Policy is essential. If you utilize Google Analytics but you don't include a Privacy Policy on your website, you're using the tool illegally and you've also breached your contract with Google.

We recommend always including a Privacy Policy on your website because it tells your users that you take their personal data, and their privacy, seriously. Why is privacy such a big issue? It all comes down to one thing: balancing the need for businesses to understand consumer behavior against the need for people to protect their personally identifiable information from falling into the wrong hands.

Most people want a say in who has access to their personal data and what happens to it. The need for Privacy Policies, then, stems from an attempt to respect an individual's privacy while allowing organizations to track and monitor everything from website traffic to engagement levels. Privacy Policies are a win-win for everyone.

So, how does Google Analytics fall into all of this? Google Analytics is, at its core, a tracking tool. To understand why you need a Privacy Policy, let's take a closer look at the service.

Google Analytics is Google's own web and traffic analytics tool. It's free to use and it's ideal for businesses who want to know more about:

  • Who visits their website
  • How their website is used
  • What's popular on their website, and what's not
  • Whether visitors return to their website

Here are just some of the specific reasons why you might consider signing up to Google Analytics:

  • It helps you pick out warm leads and the visitors most likely to convert to paying customers
  • You can see how effective your targeted ads are
  • The platform gives you a broad-picture idea of how your website is performing, which is essential for devising an overall marketing strategy

How Google Analytics Collects Data

Google Analytics uses cookies to remember a user's behavior and it shares these insights with you. The developers explain this process fully on their reference platform, but in simple terms, Google Analytics mainly uses first-party cookies to generate reports on who visits your website and what they do once they get there.

When we break it down, this information is extremely useful for commercial purposes. For example, the collected data shows you where in the world your traffic is coming from, and whether you're appealing to your intended audience:

Google Analytics Help: Safeguarding Data - Cookies and Identifiers - IP Address section

The data is also useful for specific marketing purposes:

Google Analytics Help: Safeguarding Data - Advertising Identifiers section

It's worth taking a brief look at how Google Analytics uses cookies as part of its remarketing offerings.

Google Analytics and Remarketing

Google can place advertising cookies on a user's computer if you opt for this extra service. This service lets you target ads based on:

  • Geographical location
  • Audience behavior
  • Audience interests

You can then devise a remarketing strategy based on the information you gather from Google Analytics:

Google Analytics Help: About Advertising Features - Remarketing with Analytics section

You can create marketing campaigns based on specific niches within your audience. For example, you can target certain users by their age or gender.

Google Analytics achieves all of this by collecting personal information from your visitors.

Briefly, personal information is any information which can be used to identify someone, such as their:

  • Name
  • Age
  • Home address
  • Date of birth
  • IP address

Now that we're clearer about how Google Analytics works, let's summarize the two reasons why you need a Privacy Policy to use Google Analytics: firstly, Google's own policies, and secondly, the law itself.

Google Terms of Service and Analytics Policy

Google has three separate policies which you should be aware of, namely:

  • A general Privacy Policy
  • The general Google Terms of Service
  • A specific Terms of Service for the Google Analytics service

Google's Privacy Policy

It's worth familiarizing yourself with Google's Privacy Policy because this is the same kind of data that you'll be collecting from your own audience. For example, it includes audience behavior and targeted ads:

Google Privacy Policy: Information collected clause excerpt

Remember that you will be collecting the same information that Google Analytics collects when you use its service, so reading Google's Privacy Policy will help you know what to include in your own.

Google's Terms of Service

The general Terms of Service is worth reading because it forms part of the terms you agree to when you use Google Analytics. The Google Terms of Service makes this clear:

Google Terms of Service: You must follow any policies clause excerpt

By signing up for Google Analytics, you're agreeing to be bound by these Terms and the Privacy Policy.

Google Analytics Terms of Service

You can access the Terms of Service for Google Analytics by clicking here.

The clause in these Terms that's relevant for our purposes is clause 7. This is the privacy clause and it sets out a few things very clearly. Here is the clause in full:

Google Analytics Terms of Service: Privacy clause excerpt

Now, let's break this clause down. It's your responsibility to ensure you have a Privacy Policy that:

  • Complies with any applicable regulations, laws, and Google terms
  • Sets out how you use cookies or identifiers to collect personal data
  • Makes it clear that you use Google Analytics
  • Shows users how they can consent, or withdraw consent, to cookies and other information gathering

You must ensure that you draft and, most importantly, enforce a Privacy Policy that meets global legal standards.

It's not enough to have a Privacy Policy. It must be legally sound. Don't worry, we'll consider this shortly.

Your Privacy Policy must tell your audience that you use cookies and other identifiers. You aren't allowed to assume that your audience knows you'll use cookies, or that they consent to having cookies installed on their device.

Be honest about your use of Google Analytics. It's best if you simply follow Google's instructions on this point. Google tells you to display a link to one of its policies.

When users click this link, they're taken to a policy that explains how Google uses cookies to process and collect data:

Google Privacy and Terms: How Google Uses Information from Sites or Apps that Use Our Services clause excerpt

By linking to this policy in your own Privacy Policy, you're complying with clause 7.

Google only tells you to take "commercially reasonable" steps to obtain consent for cookies. This means that your job is to draw attention to cookie use. You should do the following:

  • Explain that you use cookies
  • Ask users for consent
  • Show them where they can find out more

Complying with Clause 7: Example

HarperCollins is a company that uses Google Analytics. When you visit the HarperCollins website homepage, you're immediately presented with a banner that asks you to consent to cookie use. The banner also tells you that HarperCollins shares information with analytics partners, which includes Google Analytics:

HarperCollins cookie notice

Explicit consent, like the one obtained by HarperCollins, is always the best way to ensure that your audience consents to cookie usage.

You'll note that the banner gives visitors a chance to customize their cookie settings before they accept cookies. This is great because visitors can select what cookies they're happy to allow on their device, which complies with clause 7.

Here's how you can use our Cookie Consent to implement a cookie management solution for your website.

  1. Click on Cookie Consent at the top of our website.
  2. Choose your compliance preference: ePrivacy Directive only, or ePrivacy plus GDPR compliance.
  3. You can customize your Cookie Consent widget to best fit your website. Add your website name and select your banner notice type and color palette.
  4. You can also group your JavaScript automatically using our builder page. Pass all your JavaScript through here so that we can include the necessary cookie consent level.
  5. Copy your Cookie Consent code and append it to your website page before the closing of the </body> tag.

To comply with clause 7, there's one other condition that every Privacy Policy must meet. It must adhere to:

"...all applicable laws, policies, and regulations relating to the collection of information from Users"

Let's now turn to the second of our major Google policy requirements: compliance with the law itself.

Privacy Policy Standards & Drafting Your Policy

Although the laws vary around the world, it's generally the case that you must provide users with a Privacy Policy if you collect information from them. Examples of laws that affect how businesses collect data include:

  • The General Data Protection Regulation (GDPR) - European Union
  • Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
  • California Consumer Privacy Act (CCPA) - California, USA

These pieces of legislation are all really similar, and their requirements for a Privacy Policy are broadly the same. A legally compliant Privacy Policy should include at least the following sections.

Name and Contact Details

You should put your business contact information, and your official business name, somewhere in your Privacy Policy. This means that visitors know how to contact you if they want more information.

Here's an example from Levi's:

Levis Privacy Policy: Introduction clause with contact information

The Information You Collect

Your audience has a right to know what information you gather from them. Here is an example of such a clause from Barnes & Noble. It explains, so far as possible, what kind of information the retailer collects depending on how the visitor uses the service - for example, it collects a billing address if they make a purchase, and their program of study if they order academic books:

Barnes and Noble Privacy Policy: What Personal Information we Collect clause

Why You Collect the Information

It's not enough to say you collect the information. Regulations such as the GDPR state that you should only collect as much personal data as is necessary. For example, you don't need someone's home address if they sign up to an email newsletter.

Here's how megastore toy retailer Mattel handles this requirement. The company makes it clear that it only collects the information it needs to fulfil a consumer's request, such as an order. It then breaks down the individual reasons why data is collected, which is very helpful for consumers who want to know this information:

Mattel Privacy Statement: Why do we collect information clause excerpt

Data Use & Sharing Policies

You must make your audience aware of how you use their data. It's illegal to share personal information with third parties, for example, unless you explain in your Privacy Policy that you use data this way. Again, here's how Levi's tackles this. Significantly, Levi's highlights that user consent is needed for the company to share data in some ways:

Levis Privacy Policy: How we use your information clause - voluntary consent section

The Right to Opt Out

Everyone has the right to be forgotten by a website or to block websites from installing cookies on their device. They also have the right to opt out of marketing campaigns. Nike, for example, tells its audience about their rights to opt out of various forms of marketing:

Nike Privacy and Cookie Policy: Opting out of Direct Marketing clause

Nike also tells its users that they can change their cookie settings, and therefore their data gathering preferences, at any time:

Nike Privacy and Cookie Policy: Cookies clause excerpt

A Specific Google Analytics Clause

If you want to take your Privacy Policy even further, you can dedicate a whole clause to how you work with Google Analytics and how you use the service to track consumer data.

For a great example of such a clause, check out this one from Women's Best. You'll note it also includes a direct link to Google's own Privacy Policy for consumers who want more information:

Womens Best Privacy Policy: Google Analytics clause

You must also be sure to link to your Privacy Policy somewhere on your website, whether it's your header, footer, or a sidebar. Here's an example from Levi's:

Levis website footer links

Conclusion

You must provide a Privacy Policy to your audience if you want to use Google Analytics.

Privacy Policies aren't just legal requirements under the GDPR, the CCPA, and other privacy laws. They are required under the Google Terms of Service for Google Analytics. Clause 7 of these Terms of Service contains what you need to know about devising a contractually compliant Privacy Policy.

Always tell customers:

  • You collect their data through cookies or other identifiers
  • What personal data you collect
  • Why you collect this information
  • How it's processed or shared with other parties
  • What rights the user has to opt out of marketing, analytics, and data sharing

By following these conditions, you'll create a Privacy Policy that's fully compliant with the Google Terms of Service for Google Analytics.

How to Create Your Privacy Policy

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy."
  2. Select the platform/s where your Privacy Policy will be used.
  3. Answer the questions related to your entity type and location.
  4. Answer the questions relating to what type of information you collect from your users.
  5. Select all the ways you wish to allow your users to contact you with questions regarding your Privacy Policy.
  6. Select what kind of Privacy Policy you want to create.
  7. Enter your email address where you'd like your Privacy Policy sent and click Create Privacy Policy.
  8. Now you can copy or link to your hosted Privacy Policy.

Jennifer Laird

Legal writer.