I am considering using Google Tag Manager to track abandoned forms. I note that collecting data that "personally identifies an individual (such as a name, email address or billing information)" is against their Terms of Service.
However, I am whether Google actually enforce this policy, and if so, how?
P.s I not actually looking to implement this - merely curios whether and how it is actually enforced.
It's not enforced unless people write to Google. There are many tracking mistakes on various sites when PII data gets tracked and no one does anything about it for years, even decades. Google doesn't actively check the content of your data to find PII, but it will investigate and take action if people send complains.
Corp lawyers and tracking specialists are usually extremely careful around gathering PII data without explicit consent. Well, maybe gigantic corps would be an exception since they know exactly how to monetize PII.
Anyhow, the real issue here is that you rarely (if ever) want to know what they type for analytics reasons. You want to know what fields they interacted with, how many times they tried to submit the form, what kind of errors they've got before abandoning. That allows for plenty analysis aimed at the form performance improvement.
First of all, sorry for the long text. Second, I decided to ask this on Stack Overflow rather than somewhere like Law Stack Exchange because the reason for the question is GDPR but the question itself is about software architecture.
I've been trying to pay attention regarding what one must do concerning GDPR and everything I find always seems to assume that one is working with user accounts, i.e. that users register on your website and that everything or almost everything you need to care about GDPR in terms of safeguarding your users' data starts here. It is also my understanding that one must be able to prove that their users gave their consent to you using their data as per in a privacy policy and even to which version of the privacy policy they consented to (since these sometimes get updated). This necessarily means that the data regarding this proof of consent must be stored server-side. This is easy to do when you have a user account to bind this data to but what about when you work with non-registered or guest users?
Let me give you a little background for my actual question: as a personal project I'm currently building a small website which will allow users to add comments to certain pages and even submit photos. The thing is, this is the only interaction users can do at all, so I don't want nor need them to have an account, making it also one less thing to worry about and allowing for easier engagement with the site. For the comments the only thing that's really needed is the comment text itself and some user name (which can be anything from their real name to some alias, it doesn't really matter). I'll also add an optional field for the user to state where they're from -- say, "Paris, France" -- if they so wish to share that.
Anyway, all of this just begs for spam to come my way, so I was thinking of integrating Akismet and Google's reCAPTCHA, since that has worked very well for me in the past. The problem is that Akismet requires an email address to also be passed on to it in order for it to check if the comment is spam, so I would also need to ask users for their email address on the comments form. Since I literally only need their email while checking for spam and would never make it public anyway, I would save it in the database and get rid of it after a few days or so and communicate this on the site's privacy policy.
So, here comes the question. I think email addresses together with the other info above count as PII and since I'm storing email address and sharing them with a third party, it seems clear to me that I have to ask users for their consent to do so, and not allow for their comment to be submitted if they don't give their consent, of course. But there are no actual user accounts in place here so there's no central location for such consent to be stored as proof. So how does one go about this? The only thing I can think of is having a checkbox on the comment form and storing its value together with the comment. Of course, with proper validation in place the stored value will always be 1, but still, it needs to be explicitly stored for it to be GDPR-compliant. I don't love the idea of a user having to check a checkbox agreeing with the privacy policy everytime they want to comment on something, but I don't think I see another way around this. Do you?
Many thanks in advance and, again, sorry for the long text.
I asked this question in other forums, and didn't have a solution so far.
I would like to have Google Analytics' source and medium added in every form sent by my websites, as hidden fields.
I use WordPress, and the plugings that I commonly use for contact forms are Contact Form 7 and Fast Secure Contact Form.
Any ideas?
Thanks in advance!
-- Gabriel
There isn't really a way.
It used to be that channel attribution was computed in the GA tracking code in the client, and you could extract it from the cookie values. However since Google has switched to the measurement protocol (which is what's behind both analytics.js and gtag.js) attribution is determined on the Google servers and there is no really feasible way to get the information in realtime to include it in a form.
You could create a script that emulates GA attribution, but the rules are somewhat complex and it is unlikey you would get an exact match.
Another way (which, if you are in Europe, might bring you in conflict with the new privacy guidelines from march on) would be to save a unique token with the form, send the same token as custom dimension to Google Analytics, and then join the information after the fact via the API. Some time ago I described the process in a tutorial, and even if this is for salesforce (and the specific code most certainly obsolete) it describes the problem and the solution somewhat exhaustively.
I have a website that allows people to create an account (that is the conversion I wish to track).
I wish to know where a specific person is coming from. I have google analytics installed and have set up the registration page as a goal, but the reporting tells me traffic sources as an aggregated pie chart. It doesn't report down to the user account level to say that 'person with email xyz' came from 'facebook' for example.
What custom variables or mark up would I need to add to GA to report at that detailed level, if that is at all possible?
Otherwise, I will just have to record the first http_referer in a cookie and stick it in a database during the registration process.
Any advice?
Firstly I must ask you, how actionable do you think it is to look at data at that granular of a level? Finding out what % of people who registered came from facebook or some other place is actionable, because it helps you do things like determine where to focus marketing efforts. But individual users? How is this actionable to you? (hint: it's not)
However, if you are still determined to know this, you should first note that it is against Google's ToS to record personally identifiable data both directly (recording the actual value in GA) or indirectly (e.g. - recording a unique id that you can use to tie to personal info stored within your own system). If this is something you don't want to risk, I suggest moving to another analytics tool that does not have this sort of thing in their ToS (e.g. Adobe SiteCatalyst, which costs money, or perhaps you may instead prefer to choose an "in-house" approach, like Piwik)
If you are still determined to follow through with this and hope not to get caught or whatever, Google Analytics doesn't record data like what info a visitor filled out in a form (like their email address) unless you populate that data in a custom field/dimension/metric/event to be sent along with the request. Usually you would populate this on the form "thank you" page (which is usually the same page you use as your goal url or goal event if you're popping and using an event for your goal). So you would populate the email address in one of those custom variables and then have it as a dimension to break down the http referrer by.
Now, I realise the initial response to this is likely to be "you can't" or "use analytics", but I'll continue in the hope that someone has more insight than that.
Google adwords with "autotagging" appends a "gclid" (presumably "google click id") to link that sends you to the advertised site. It appears in the web log since it's a query parameter, and it's used by analytics to tie that visit to the ad/campaign.
What I would like to do is to extract any useful information from the gclid in order to do our own analysis on our traffic. The reasons for this are:
Stats are imperfect, but if we are collating them, we know exactly what assumptions we have made, and how they were calculated.
We can tie the data to the rest of our data and produce far more accurate stats wrt conversion rate.
We don't have to rely on javascript for conversions.
Now it is clear that the gclid is base64 encoded (or some close variant), and some parts of it vary more than others. Beyond that, I haven't been able to determine what any of it relates to.
Does anybody have any insight into how I might approach decoding this, or has anybody already related gclids back to compaigns or even accounts?
I have spoken to a couple of people at google, and despite their "don't be evil" motto, they were completely unwilling to discuss the possibility of divulging this information, even under an NDA. It seems they like the monopoly they have over our web stats.
By far the easiest solution is to manually tag your links with Google Analytics campaign tracking parameters (utm_source, utm_campaign, utm_medium, etc.) and then pull out that data.
The gclid is dependent on more than just the adwords account/campaign/etc. If you click on the same adwords ad twice, it could give you different gclids, because there's all sorts of session and cost data associated with that particular click as well.
Gclid is probably not 100% random, true, but I'd be very surprised and concerned if it were possible to extract all your Adwords data from that number. That would be a HUGE security flaw (i.e. an arbitrary user could view your Adwords data). More likely, a pseudo-random gclid is generated with every impression, and if that ad is clicked on, the gclid is logged in Adwords (otherwise it's thrown out). Analytics then uses that number to reconcile the data with Adwords after the fact. Other than that, there's no intrinsic value in the gclid number itself.
In regards to your last point, attempting to crack or reverse-engineer this information is explicitly forbidden in both the Google Analytics and Google Adwords Terms of Service, and is grounds for a permanent ban. Additionally, the TOS that you agreed to when signing up for these services says that it is not your data to use in any way you feel like. Google is providing a free service, so there are strings attached. If you don't like not having complete control over your data, then there are plenty of other solutions out there. However, you will pay a premium for that kind of control.
Google makes nearly all their money from selling ads. Adwords is their biggest money-making product. They're not going to give you confidential information about how it works. They don't know who you are, or what you're going to do with that information. It doesn't matter if you sign an NDA and they have legal recourse to sue you; if you give away that information to a competitor, your life isn't worth enough to pay back the money you will have lost them.
Sorry to break it to you, but "Don't be Evil" or not, Google is a business, not a charity. They didn't become one of the most successful companies in the world by giving away their search algorithm to the first guy who asked for it.
The gclid parameter is encoded in Protocol Buffers, and then in a variant of Base64.
See this guide to decoding the gclid and interpreting it, including an (Apache-licensed) PHP function you can use.
There are basically 3 parameters encoded inside it, one of which is a timestamp. The other 2 as yet are not known.
As far as understanding what these other parameters mean—it may be helpful to compare it to the ei parameter, which is encoded in an extremely similar way (basically Protocol Buffers with the keys stripped out). The ei parameter also has a timestamp, with what seem to be microseconds, and 2 other integers.
FYI, I just posted a quick analysis of some glcid data from my sites on this post. There definitely is some structure to the gclid, but it is difficult to decipher.
I think you can get all the goodies linked to the gclid via google's adword api. Specifically, you can query the click performance report.
https://developers.google.com/adwords/api/docs/appendix/reports#click
I've been working on this problem at our company as well. We'd like to be able to get a better sense of what our AdWords are doing but we're frustrated with limitations in Analytics.
Our current solution is to look in the Apache access logs for GET requests using the regex:
.*[?&]gclid=([^$&]*)
If that exists, then we look at the referer string to get the keyword:
.*[?&]q=([^$&]*).*
An alternative option is to change your Apache web log to start logging the __utmz cookie that google sets, which should have a piece for the keyword in utmctr. Google __utmz cookie and you should be able to find plenty of information.
How accurate is the referer string? Not 100%. Firewalls and security appliances will strip it out. But parsing it out yourself does give you more flexibility than Google Analytics. It would be a great feature to send the gclid to AdWords and get data back, but that feature does not look like it's available.
EDIT: Since I wrote this we've also created our own tags that are appended to each destination url as a request parameter. Each tag is just an md5 hash of the text, ad group, and campaign name. We grab it using regex from the access log and look it up in a SQL database.
This is a non-programmatic way to decode the GCLID parameter. Chances are you are simply trying to figure out the campaign, ad group, keyword, placement, ad that drove the click and conversion. To do this, you can upload the GCLID into AdWords as a separate conversion type and then segment by conversion type to drill down to the criteria that triggered the conversion. These steps:
In AdWords UI, go to Tools->Conversions->Add conversion with source "Import from clicks"
Visit the AdWords help topic about importing conversions https://support.google.com/adwords/answer/7014069 and create a bulk load file with your GCLID values, assigning the conversions to you new "Import from clicks" conversion type
Upload the conversions into AdWords in Tools->Conversions->Conversion actions (Uploads) on left navigation
Go to campaigns tab, Segment->Conversions->Conversion name
Find your new conversion name in the segment list, this is where the conversion came from. Continue this same process on the ad groups and keywords tab until you know the GCLID originating criteria
Well, this is no answer, but the approach is similar to how you'd tackle any cryptography problem.
Possibility 1: They're just random, in which case, you're screwed. This is analogous to a one-time pad.
Possibility 2: They "mean" something. In that case, you have to control the environment.
Get a good database of them. Find gclids for your site, and others. Record all times that all clicks occur, and any other potentially useful data
Get cracking! As you have started already, start regressing your collected data against your known, and see if you can find patterns used decrypting techniques
Start scraping random gclid's, and see where they take you.
I wouldn't hold high hope for this to be successful though, but I do wish you luck!
Looks like my rep is weak, so I'll just post another answer rather than a comment.
This is not an answer, clearly. Just voicing some thoughts.
When you enable auto tagging in Adwords, the gclid params are not added to the destination URLs. Rather they are appended to the destination URLs at run time by the Google click tracking servers. So, one of two things is happening:
The click servers are storing the gclid along with Adwords entity identifiers so that Analytics can later look them up.
The gclid has the entity identifiers encoded in some way so that Analytics can decode them.
From a performance perspective it seems unlikely that Google would implement anything like option 1. Forcing Analytics to "join" the gclid to Adwords IDs seems exceptionally inefficient at scale.
A different approach is to simply look at the referrer data which will at least provide the keyword which was searched.
Here's a thought: Is there a chance the gclid is simply a crytographic hash, a la bit.ly or some other URL shortener?
In which case the contents of the hashed text would be written to a database, and replaced with a unique id.
Afterall, the gclid is shortening a bunch of otherwise long text.
Takes this example:
www.example.com?utm_source=google&utm_medium=cpc
Is converted to this:
www.example.com?gclid=XDF
just like a URL shortener.
One would need a substitution cipher in order to reverse engineer the cryptographic hash... not as easy task: https://crypto.stackexchange.com/questions/300/reverse-engineering-a-hash
Maybe some deep digging into logs, looking for patterns, etc...
I agree with Ophir and Chris. My feeling is that it is purely a serial number / unique click ID, which only opens up its secrets when the Analytics and Adwords systems talk to each other behind the scenes.
Knowing this, I'd recommend looking at the referring URL and pulling as much as possible from this to use in your back end click tracking setup.
For example, I live in NZ, and am using Firefox. This is a search from the Firefox Google toolbar for "stack overflow":
http://www.google.co.nz/search?q=stack+overflow&ie=utf-8&oe=utf-8&aq=t&client=firefox-a&rlz=1R1GGLL_en-GB
You can see that: a) im using .NZ domain, b) my keyword "stack+overflow", c) im running firefox.
Finally, if you also stash the full landing page URL, you can store the GCLID, which will tell you the visitor came from paid, whereas if it doesn't have a GCLID, then the user must have come from natural search (if URL tagging is enabled of course).
This would theoretically allow you to then search for the keyword in your campaign, and figure out which adgroup them came from. Knowing the creative would probably be impossible though, unless you split test your landing URLs or tag them somehow.