The deadline for implementing compliance with the EU’s General Data Protection Regulation (GDPR) is this Friday, May 25th, 2018. Numerous articles have been published about GDPR and what it means for site owners and developers, but there isn’t a single definitive, authoritative source to know whether a website needs to comply with GDPR, and if it does, what specifically needs to be done to become compliant. Those questions can generally only be confidently answered by a site owner’s legal counsel (and yes, that absolutely means that this blog post is informative, rather than authoritative.)

What GDPR Means

The most visible manifestation of GDPR compliance on the web is the appearance of “cookie consent pop-ups.” If you’re like me, you’ve probably found these to be an unnecessary annoyance. “Of course this website uses cookies – every website uses cookies!” However, if you attempt to block all cookies in your browser, then you’ll soon find that you’re unable to stay logged into your favorite websites, your preferences aren’t being saved, and so on. 

The aim of GDPR isn’t to regulate each and every cookie that a website uses. For example, session cookies are used to track when a user is logged in to a website. These cookies are not the focus of GDPR because logging into a website already implies that the user accepts that this information is being collected. As long as the session cookie itself does not consist of personally identifiable information (PII) such as an email address, name, or IP address, it does not violate the new GDPR regulations.

The primary concern of GDPR is related to tracking cookies. If you’ve ever looked up a product on Amazon, and then logged into Facebook to find an ad for that very product in your feed, that’s due to tracking cookies. When a user “accepts” cookies, what they are doing is “consenting” to allowing themselves to be tracked. Many websites that have cookie consent pop-ups aren’t actually compliant under GDPR, because they are incorrectly assuming that any user that goes onto their website has consented to be tracked. These websites put the responsibility on the users themselves that if they do not wish to be tracked, then they should simply not go to these sites, or turn their browser tracking off. 

This assumed status quo is no longer acceptable under the new GDPR regulations. Websites must give users the option to opt out of analytics tracking.

Google Analytics and Becoming GDPR Compliant

If your website is found to be subject to GDPR requirements, then one service that you likely use that is specifically covered by GDPR is Google Analytics tracking. Under GDPR, if you use Google Analytics, you most likely need to take specific steps to become compliant. You must:

1. Inform users that your website uses cookies to track users.
2. Provide a transparent, easily-accessible method for users to opt out of tracking without restricting access to your site in any way.
3. Provide a way for users to delete their own Google Analytics tracking data. Google Analytics plans to provide this functionality directly, however, it is not available at this time so you will need to provide it to them.
4. Avoid storing PII in cookies and tracking systems (for example, IP addresses, email addresses, names, etc.)

Becoming (Almost) Compliant With EU Cookie Compliance

If your site is using Drupal as its CMS, then there is a helpful module that you can use to knock out the first task: the EU Cookie Compliance Module. The module helps you to inform your users that you are tracking them, and allows developers to determine whether a user has accepted the use of tracking cookies or not. The module, however, stops there. It does not block tracking itself,  and its default configuration also has many of the same concerns that exist within noncompliant websites. For example, if you need to create a cookie consent pop-up, the module’s default configuration should absolutely not be used. Finally, the module does not address Google Analytics tracking.

Committing To Full Compliance

To address the additional steps not covered within the EU Cookie Compliance module, Forum One has created a Drupal 7 module that overrides the default configuration and disables Google Analytics tracking for users who have chosen to opt out.

This module disables Google Analytics by executing the following line of Javascript code in the <head> before the analytics code is included:

window['ga-disable-UA-xxxxxxx-yy'] = true; // UA-xxxxxxx-yy is your Google Analytics ID

Yes, that’s really it! If a user has chosen to opt out of Google Analytics tracking, then running this code before the ga() function is called is all that is required. 

If you’re in need of a module that you can install and it will “just work,” then go ahead and grab the Forum One  Drupal 7 module. See if it works for you. If it doesn’t, you’re encouraged to modify it to suit your needs. It’s a “sandbox” module which means unless you manually download newer versions you’ll never have to worry about your changes getting overwritten. To download it, clone the repository using git (see the Version Control tab for instructions).

Workflow For Compliance And Consent

One of our clients, the German Marshall Fund of the United States (GMFUS), found that they needed to be GDPR compliant and were happy to try out the F1 GDPR module to do so.

Once the module was installed, the only items that needed updating were shortening “The German Marshall Fund of the United States” to “GMFUS” and changing “analyse” (UK) to “analyze” (US) in the pop-up text. Here’s what the popups looks like on desktop and mobile:

The consent pop-up:

The acceptance pop-up:

Note the differences between the desktop and mobile versions. The popup is not overly intrusive on desktop to require a way to dismiss it immediately without accepting cookies. On mobile, however, the pop-up is very intrusive, so we need to allow mobile users to dismiss it without accepting cookies. 

In either case, users need to be given the option to update their preferences at a later time. In the case of GMFUS, this functionality is available on a Cookie Policy (or Privacy Policy) page that is linked directly from the pop-up as well as in the site’s footer. To opt out, a button is available directly on this page for users to do so:

The Forum One module comes with an HTML file that has code for embedding a button in a such a policy page. The Readme file has instructions for including the button.

Compliance Goes Beyond Google Analytics

This above information and our Forum One module largely focus on how to cover the role of Google Analytics in GDPR compliance; however, creating a pop-up or module on your site does not mean you are 100% compliant. Site owners are responsible for becoming familiar with GDPR and identifying other potentially non-compliant functionalities. How else might your site be using PII? The EU aims to take GDPR compliance seriously, and we hope that you will to.