By now, you’ve heard the rumblings ahead of the May 25, 2018, arrival of the GDPR. That is, the General Data Protection Regulation, a law adopted in 2016 to address data protection and privacy for individuals in the European Union. It aims to protect personal data and give individuals more control over how their data is used.
In our digitally connected world, this law has global reach. Of course, EU citizens visit websites all over the globe, including those of United States-based higher education institutions. The GDPR becomes enforceable on May 25, 2018 — hence the recent flurry of activity around and discussion about the regulation.
Have you received notices from Google and other companies regarding changes to their data controls and privacy settings? There are a few things higher education marketers must pay attention to.
Disclaimer: mStoner isn’t a law firm, and our suggestions don’t constitute legal advice. However, with or without the GDPR, now is a good time to address the basics of data collection and privacy.
The full story of how the GDPR changes higher education websites is still being written. The rest of 2018 will be interesting as we observe what sorts of issues arise and to what extent enforcement takes place.
To be sure, U.S.-based .edu websites have a smaller audience of EU citizens relative to all affected organizations and businesses. The data collected on most higher education sites prior to an application submission is limited, and mostly anonymous.
For those reasons, the overall impact on colleges and universities is comparatively smaller than on e‑commerce sites selling widgets in the EU. However, virtually all of higher education uses tools such as Google Analytics to collect data on the web, and the use of these tools and techniques requires consideration of the GDPR.
Take these four steps to beef up your GDPR understanding and engage in the ongoing discussion about data privacy:
The policies should be straightforward and clearly answer the following key questions:
Google recently emailed Google Analytics users about their forthcoming data retention controls. These new settings allow you to specify at what point Google no longer retains individual user data for reports. This means reports using custom dimensions or segments that rely on specific details from user data would no longer contain data for users who haven’t visited your site since the expiration date. By default, Google Analytics will start to automatically remove individual user data older than 26 months. You can change this setting to a shorter or longer period, or choose to never delete the data. The setting is done at the Google Analytics property level.
At first, this change sounds drastic. Keep in mind that aggregate Google Analytics data, which fuels standard reports, will not be affected. You will still have aggregate data in your reports, even if the individual user data is removed. Also, visitors who continue to visit your site will be retained; it’s only the visitors who haven’t been to your site in more than 26 months (with the default setting) who won’t be retained. Ultimately, advanced reporting and segmentation are the possible areas of impact.
Moving forward, Google is giving organizations control over data retention and the ability to set policies for user data. All Google Analytics administrators should review their properties and select a setting. The status quo is to change the data retention setting to never expire, but be aware that from a GDPR standpoint it may be problematic to justify keeping data forever. Practically speaking, allowing this data to expire will have a limited effect on most analytics reporting for higher education websites.
A key aspect of the GDPR is getting consent from website visitors to track them on websites and use or process the data collected. Two current examples employed by many sites include:
Exactly what “consent” means in various settings is subject to debate, and I’m not in a position to unravel all the use cases here. Two key questions to consider, for starters:
Be intentional about the use of Google Analytics and other tracking mechanisms. Avoid placing tracking code that shares data with other entities without understanding their data policies and if consent is required. When collecting data via forms, disclose how data is used.
Third-party tracking, in which data from a tracking service might be shared with a third party without the knowledge of the visitor, is another focus of the GDPR. This affects Google Analytics Advertising features, which includes collection of data to drive the demographics and interests reports in Google Analytics. This is an example of a feature that shares user data from Google Analytics with third parties. The GDPR regulation indicates this type of tracking requires visitor consent. Analytics expert Brian Clifton offers details into how this works.
If you aren’t really using data from Advertising features, considering turning this off in your Google Analytics account. If you use the data, you need to consider how you obtain consent from your visitors. This also applies to other services that may embed tracking code as part of their service, resulting in a third-party tracking situation such at the Disqus example in Clifton’s blog post above.
This is an important area to watch as data processors such as Google adjust their tools and policies to comply with the GDPR.
Across the web, organizations that handle data are grappling with the changes brought by the GDPR. Late-breaking features and changes to tools such as Google Analytics are happening now and will affect nearly everyone, so expect the discussion to continue in the coming months.
Greg Zguta Director of Client Support I've been working on education web projects since the late 90's and enjoy visiting campuses and watching how technology has transformed higher education since I got my first email account at Oberlin College in 1992. Back then, I mostly used the web to check weather radar and sports scores . . . I suppose technology hasn't transformed everything yet.