GDPR Changes the International Marketing World, But What Does It Mean for Higher Education Analytics?

Carnegie Higher Ed Apr 18, 2018 Carnegie Higher Ed Persona The Visionary Frontrunner

April 30, 2018 Update: Google would like to ensure you are aware of their updated data processing terms and a new contact collection mechanism. Below are the steps Google would like users to take to review and accept the terms. You can refer to to learn more about Google’s data privacy policies.

1. Review and accept the updated data processing terms in each account for each product you manage in the Google Analytics Suite:

  • Google Analytics / Analytics 360: Admin > Account > Account Settings (scroll to bottom of page)
  •  Google Optimize / Optimize 360: Edit Account Details > (scroll to bottom of page)
  • Google Tag Manager / Tag Manager 360: Account Settings > (scroll to bottom of page)
  • Google Attribution / Attribution 360: Admin > Account Settings > (scroll to bottom of page)
  • Google Data Studio: User Settings > Account and Privacy (acceptance managed on a user basis)

2. Provide your legal entity and contact details for notifications we may need to send under the GDPR (e.g. subprocessor appointment):

  • For Analytics, Optimize, Tag Manager and Attribution, you can provide the contact details within Suite Home (“Organization Settings” >“Data Processing Amendment – Details”). Learn more.
  • For Data Studio, the contact collection mechanism exists in Data Studio only (not in Suite Home) and is available at User Settings > Account and Privacy. Learn more.


If you are a higher education professional working in admissions, marketing, or communications using Google Analytics, you probably received an email from Google about GDPR changes and how they impact you. But what does this message mean for you and your marketing efforts?

In short, Google Analytics has implemented changes to be compliant with new GDPR regulations. They’ve done a lot of the heavy lifting, but there are some steps you can take to improve your compliance.

Let’s break down what the Google Analytics email actually says and what actions you can take to follow up on their instructions.

First, what is GDPR?

The General Data Protection Regulations (GDPR) is a set of regulations that have been adopted by the European Union regarding data protection and privacy for individuals within the EU. Prior to the GDPR, the EU had rules about personal information data capture since the 1990s, but they varied from country to country. The goal of the GDPR is to give control of personal data back to residents and streamline and unify the regulatory environment within the EU. The regulations go into effect on May 25, 2018, after a two-year transition period from April 2016.

So if this is all taking place within the EU, how does it impact higher education in the United States?

The big takeaway here is that the GDPR affects every EU resident, as well as every company that offers goods or services to the EU or monitors the behavior of EU data subjects. This includes companies not based in the EU, such as American colleges and universities targeting EU students.

What does this mean for my Google Analytics data?

The GDPR will affect the way some personal identifier information is captured and stored for higher education websites. The user must consent to having their personal data stored, and they need to be able to redact their consent (and their data) at any time.

In terms of Google Analytics, if your institution captures any data from EU clients, there are some ways to ensure you are compliant at a basic level. Most of this is already captured in your Google Analytics terms of use, but here is a refresher just in case:

  • Do not upload and store data that contains the following:
    • User names sent in page URLs
    • Phone numbers captured during form completions
    • Email addresses used as customer identifiers
    • ZIP codes when used in conjunction with page visits of small geographic areas

There are some grey areas the GDPR defines as personal data, but Google does not. Here are the two:

  • Long URLs: Commonly seen in forms, these can be used to identify a specific user. The way to fix this is to shorten any questionable form redirect links.
    • Example:
  • IP addresses: Though they aren’t stored in your GA database, these can be accessed by a Google employee, so it’s best to make sure they’re anonymized. There is a plugin option to alter IP addresses that sets a few zeros at the end of the IP; however, it can make geographic reporting a little less accurate and requires some JavaScript.

A word about cookies:

  • In the EU, the traditional soft, passive opt-in (ex: “by browsing this site, you agree to be cookied…”) will shift to a hard, intentional opt-in (a pop-up with a consent checkbox) if personal data is being collected on the site. Only after this consent can you begin to collect cookies.

What does this mean for my Google Analytics Reporting and Insights?

The good news is, these changes don’t herald the end of your digital marketing campaign or the data you can glean from GA. We’re here to tell you: it’s not time to panic.

At Carnegie Dartlet, we work with many colleges and universities to optimize their Google Analytics for informed marketing decisions. Even after you make all these changes to your settings, you’ll still be able to gain insight that will impact your institution’s online marketing using Google Analytics.

We do recommend you take this Google announcement seriously. Work with your communications team and analytics administrator to ensure that your data storage is set to a timeline and that you’re not collecting personal data, and make sure you dump any personal data, turn off the User ID option, shorten those form URLs, and use the plugin option to mask the IP addresses.

For official GDPR information, please go to

Follow Courtney on Twitter @courtney_bit.

Never miss an update.