Google Analytics, FB Pixel, Adwords Retargeting - What is needed?

[SEOpie]

Hi,

After reading for days, it's still pretty unclear exactly what is needed if we're using:

• Google Analytics
• Google Adwords
• Facebook Tracking Pixel
• Others

From what I gather, for GA you should be displaying a cookies banner or something similar, that doesn't have a pre-checked box. It doesn't need to prevent users from browsing, but should be visible and clear on all pages until consent is given.

For any retargeting, such as Google Adwords and Facebook Pixel, you should provide a way for users to Opt-in before you collect any data. This ultimately means using some form of software block (pop-up?) to prevent any tags from firing until consent is given.*

For all data acquired, you should also provide a way for all users to be able to purge any data you have of them, providing consent for necessary business use has reasonably expired (so if you still need their address to deliver goods, I guess).

For all of these data acquisition methods, you should be explaining in detail exactly what data is collected and how it is used in a separate Privacy Policy page, as well as providing the aforementioned ability to purge data if a user desires it.

Is this correct? Can anybody clarify with regards to traffic metrics and digital marketing/remarketing/abandoned carts, etc. what is specifically required?

*With regards to Adwords and FB Pixel, we are not actually the data processors for this data. Google and Facebook are. We do not hold user information for retargeting, therefore is this the same thing?

Ref:

 

[GrahamB41]

This is very much a point I’d like answered too.

We use FB ads and retargeting customers who have simply visited our website but not yet made a purchase. These potential customers who then log into their Facebook page, will most likely see an advert from our website.

Is it as simple as having a pop up cookies banner on our website that visitors are meant to click or not click? If they do not click “agree” to my cookies banner, does this mean they still would see our DB ads?

 

[fisicx]

You need to have an opt in on those cookies. You can’t assume consent.

It’s exactly this retargeting that has got Facebook into all sorts of trouble.

 

[GrahamB41]

You need to have an opt in on those cookies. You can’t assume consent.

It’s exactly this retargeting that has got Facebook into all sorts of trouble.

So to confirm, if a visitor to my website does not click the "accept" button on the cookies pop up, how do i know they will NOT be receiving any FB ads? Because they still might!

 

[fisicx]

It’s a conundrum isn’t it. The problem isn’t you, it’s facebook, google anyone else with trackers.

As long as you make reasonable efforts to manage personal data and have a good privacy policy you will be ok.

 

[Keith Budden]

Ideally you should have your website code such that if they don't consent to the Facebook pixel or the Google cookie, your website doesn't run the javascript which plants the pixel/cookie for that user.

I say 'ideally' because it really depends how your website is structured, if you're using a CMS like WordPress, Drupal or Processwire, it should be relatively simple......if you have a website where every page is 100% hard coded....good luck!

 

[twaen]

I've been going through this for a long time, and I'm going to say that getting compliant is going to be tough. Anyway here are the details from my research.

• You can make Google Analytics compliant (no cookie stored; session based) but it's not easy. (I have a good article on this but cannot post the link as I'm a new member) . Please PM if you need it (side note, it's not easy).
• We use StatCounter instead of GA. Making SC compliant is very easy - you just go to settings and opt out of cookie. This does reduce statistics quality, but there's no other way around. If SC is good for you, I would suggest using it as a compliant alternate, at least (together with GA).
• Getting consent for trackers (and other pixels) is not going to work well enough in my opinion. Most users will not accept to share their data with countless providers for no reason that would benefit them. Still, you can at least try to get consent for the small % that might accept. That's still some information.... but not enough.
• Any third-party script that sets a cookie pretty much needs consent. Due to above note, this will heavily impact conversion tracking and such.
• I definitely recommend everybody to install and use a tool like Cookie Inspector extension under Chrome. Then go to your website and analyze all the cookies you have. Work on getting rid of them. We're cookie free as of today.
• Services like Google AdSense for example (not Adwords) might be heavily impacted by GDPR. I've recently stirred some discussions on this matter, and the general consent seems to be that it cannot be compliant due to the way PII is shared with countless platforms further through Google.
• The above applies to any pixel whatsoever.
• Please note that anything third party included in your website will send requests to third parties. Even a simple script might do that regardless of what it is, if hosted elsewhere (like a .js library for example). Furthermore, remote images and videos etc. are also sending PII to those providers (e.g. IP address) and therefore they have to be GDPR compliant and you might need user consent. This might impact usage of CDN, hosted downloads and more. It is still very early to tell but it is not under legitimate interest so until some EU recommendations are in place allowing this, anything third-party included in your website and automatically loaded is subject to careful scrutiny and passing it by your lawyer and/or GDPR consultant.
  
  It ain't pretty, I'm afraid.