Most modern websites have Google Analytics installed as it’s a wonderful tool to grow your business and improve your website. Google Analytics can give you invaluable insights into how your potential customers are using your website, such as how they found you, what pages they visited, and what pages they found the most compelling. However, one seldom discussed consequence of Google Analytics is that it can cause you to be subject to multiple privacy laws, thus requiring you to have a Privacy Policy. In addition, Google itself will require you to have a Privacy Policy that makes certain disclosures if you want to install Google Analytics on your website. (For help getting started with Google Analytics, read this article.) In this article, we will discuss the Personally Identifiable Information (PII) that Google Analytics collects, the privacy laws that you may be subject to due to the fact that you have this tool on your website, and Google’s Privacy Policy requirements so that you can ensure that your use of Google Analytics does not put you at risk of privacy-related fines and lawsuits.
Google Analytics and the collection of PII
Since Google Analytics tracks how an individual uses your website, it also collects certain PII that helps ensure that such tracking is accurate. While the exact PII that Google Analytics collects depends upon the settings of your account, Google Analytics will usually collect IP addresses, device identifiers, and information as to how individuals interact with your website. While each privacy law has a slightly different definition of PII, it is generally defined as any information that could identify a particular person. The collection of PII can cause certain privacy laws to apply to your business.
Does your business website need to have a Privacy Policy?
Business websites may need to have a Privacy Policy to comply with the privacy laws that apply to them. In addition, tools such as Google Analytics require business owners to have a Privacy Policy to install such tools.
Privacy laws that apply to websites
Since privacy laws have been drafted to protect consumers, and not businesses, privacy laws can apply to your business regardless of where you are actually located. The following privacy laws can apply to business websites that collect PII through contact forms, email newsletter forms, or features such as Google Analytics:
- California Online Privacy and Protection Act of 2003 (CalOPPA): applies to any commercial website that collects the PII of California residents;
- California Consumer Privacy Act (CCPA): applies to for-profit entities that do business in California and that collect the PII of California residents and that meet one or more of the following criteria:
  - Has annual gross revenues of $25,000,000 or more;
  - Buys, receives, sells or shares the PII of at least 50,000 California consumers, households, or devices; or
  - Derives at least 50% of its annual revenue from selling the PII of California consumers.
- Nevada Revised Statutes Chapter 603A: applies to operators of websites that collect the PII of Nevada residents for commercial purposes and that purposefully direct their activities towards Nevada, consummate a transaction with the State of Nevada or a resident of Nevada, purposefully avail themselves of the privilege of conducting activities in Nevada or otherwise engage in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the US Constitution;
- Delaware Online Privacy and Protection Act (DOPPA): applies to any commercial website that collects the PII of Delaware residents;
- General Data Protection Regulation (GDPR): applies to you if you:
  - Are located in the European Union;
  - Offer goods or services to European Union residents, regardless of your location; or
  - Monitor the behavior of European Union residents, regardless of your location. Since Google Analytics involves the tracking of behavior of users online, websites that have Google Analytics installed usually will need to comply with GDPR.
- United Kingdom Data Protection Act 2018 (UK DPA 2018): applies to you if you:
  - Are located in the United Kingdom;
  - Offer goods or services to United Kingdom residents, regardless of your location; or
  - Monitor the behavior of residents of the United Kingdom, regardless of your location. Since Google Analytics involves the tracking of users online, websites that have Google Analytics will usually need to comply with UK DPA 2018.
- Personal Information Protection and Electronic Documents Act (PIPEDA): applies to organizations across Canada that collect, use, or disclose PII in the course of commercial activity. Canadian courts and the Canada Office of the Privacy Commissioner have concluded that PIPEDA can also apply to non-Canadian companies that collect, use, or disclose the PII of Canadian residents in the course of commercial activity;
- Australia Privacy Act of 1988: applies to Australian organizations with annual turnover of more than AUD $3,000,000 and to Australian organizations that have a lesser turnover in certain cases. In addition, organizations formed outside of Australia have to comply with this law, regardless of their revenue or location, if they have an Australian link. Your organization has an Australian link if it carries on business in Australia and collects and holds personal information in Australia.
These privacy laws require websites to have a Privacy Policy that makes very specific disclosures. In addition, as more privacy bills are being proposed and passed, companies need to keep their Privacy Policy up to date with changing legislation. For example, Virginia and Colorado have passed new privacy laws that will go into effect in 2023 that will require companies that need to comply with these laws to include additional disclosures within their Privacy Policies. In addition, over a dozen states have proposed their own privacy bills, all of which, if passed, would require Privacy Policies to be updated. Failure to have an up-to-date and comprehensive Privacy Policy can be expensive, as fines for non-compliance can be steep, starting at $2,500 per website visitor whose privacy rights have been infringed upon.
Google Analytics Privacy Policy requirements
In addition to being required to have a Privacy Policy by certain privacy laws, website owners that install Google Analytics are also required to have a Privacy Policy by Google’s Terms of Service. Google’s Terms of Service requires websites using Google Analytics to have a Privacy Policy that discloses the use of Google Analytics, and how it collects and processes PII. Google’s Terms of Service also requires websites to ensure that each visitor is provided with clear and comprehensive information about, and consents to, the storing and accessing of cookies in connection with Google Analytics.

As such, it is imperative that your website’s Privacy Policy discloses the use of Google Analytics, what PII is collected, how that PII is used, and the fact that it is shared with the analytics service provider.
If your website is using Google Analytics, you need to ensure that you provide an up-to-date and comprehensive Privacy Policy that not only complies with the laws that you are subject to, but also discloses your use of Google Analytics. We recommend that you contact a privacy attorney in your area or use a policy generator service such as Termageddon to create your Privacy Policy and help avoid privacy-related fines and lawsuits. {DEVADiGM} is here to help set up a Termageddon license and install a privacy policy on your website, as well as a terms and conditions and/or disclaimer if needed.