Google Analytics

Authentication & Authorization

Credentials

• Google Analytics connects via OAuth 2.0.

• DataGrail owns a Google Analytics Web Server Application that provides the credentials to authenticate customers allowing the integration to connect by simply logging into their Google Analytics store with their admin credentials and accepting to install the app.
• Please note, that DataGrail Google Analytics Web Server Application is unverified within Google which results in any customer who tries to install them may see the “This App Isn’t Verified” error. However, there’s a workaround to fix this problem, where the customer can add the DataGrail app to their Trusted list of apps in Google to bypass this restriction (see DataGrail Help Docs).

Scopes

Google Analytics API requires specific scopes that need to be approved by you in order to grant DataGrail read/write on certain objects necessary to complete privacy requests:

• https://www.googleapis.com/auth/analytics.readonly (read-only access to the Analytics API).

• https://www.googleapis.com/auth/analytics.user.deletion (scope is required to call the upsert method).

Additionally to required OAuth 2.0 authorization parameters, DataGrail defines the next optional parameters:

• access_type: “offline” – indicates that the DataGrail application can refresh access tokens when the user is not present at the browser.

• prompt: “select_account consent”:

  • Prompt the user for consent.

  • Prompt the user to select an account.

Endpoints Utilized

• Request authorization:

  • GET https://accounts.google.com/o/oauth2/v2/authorize

• Get and refresh access token:

  • POST https://www.googleapis.com/oauth2/v4/token

Version

Google Analytics integration currently supports:

• Analytics Reporting API Version 4.0 (v4).

• Management API Version 3.0 (v3).

Limits

DataGrail processes API responses with HTTP 429 status to interrupt requests, waiting and retrying (using an exponential backoff strategy).

Access

• DataGrail initiates the access requests for Google Analytics integration via Intake Forms and accepts User ID as identifier for the access.

• For an access request, DataGrail will take the following actions:

  • Fetch list of the users profiles.

  • Search user’s activity for the last week by the User ID in each of the collected profiles.

• For all objects found, DataGrail will return all available fields. You can edit which objects and fields you want to provide to the Data Subject via our Portal Requests.

Endpoints Utilized

• GET https://www.googleapis.com/analytics/v3/management/accounts/~all/webproperties/~all/profiles

• GET https://analyticsreporting.googleapis.com/v4/userActivity:search

Deletion

• DataGrail initiates the access requests for Google Analytics integration via Intake Forms and accepts User ID as identifier for deletion.

• For a deletion request, DataGrail uses the upsert method to request the data deletion for a given user.

• Once deletion is requested, data associated with this user identifier will be removed from the Google Analytics Individual User Report within 72 hours, and then deleted from Analytics servers during the next deletion process. Deletion processes are scheduled to occur approximately every two months.

• Note that Google Analytics reports based on previously aggregated data (for example, user counts in the audience overview report) will be unaffected.

Endpoints Utilized

• POST https://www.googleapis.com/analytics/v3/userDeletion/userDeletionRequests:upsert