
Google Analytics And GDPR Compliance: A Must-Know Guide

Do you use Google Analytics to track website traffic?

Then the General Data Protection Regulation (GDPR) changed what you are allowed to do with it.

Because Google Analytics is NOT GDPR compliant out of the box.

While many marketers have known about the GDPR for a long time, many are still working out its implications.

Don't worry: this guide covers the information and settings you need to use Google Analytics under the GDPR.

What is GDPR?

GDPR stands for General Data Protection Regulation, and it came into force on 25 May 2018.

The law applies to every organization that controls or processes the personal data of people in the EU, whatever the organization's own location. This means you need to understand what information you collect and how Google Analytics fits into that picture.

What are the GDPR Requirements?

  • Any processing of visitors' data must be lawful, fair, and transparent.
  • Your site visitors must freely give specific, informed, and unambiguous consent before you process their data (for example, through an opt-in checkbox); consent bundled into another action, such as a newsletter sign-up, does not count.
  • Consent requests must be clearly distinguishable from other content.
  • Data may be processed only for legitimate purposes that were clearly stated to your visitors (purpose limitation).
  • Collect and process only as much data as is necessary for those purposes, and keep it only as long as is required.
  • Processing must be done in a way that ensures appropriate security, integrity, and confidentiality, for example by encrypting the data.
  • Visitors can withdraw the consent they gave at any time, and withdrawing must be as easy as giving it.

Who Does GDPR Apply To?

  • If you are an organization established in the EU.
  • If you are an organization outside the EU that offers goods or services to, or monitors the behaviour of, people in the EU.

Is Google Analytics GDPR Compliant?

No, not as installed by default. Google Analytics is one of the most widely used digital analytics tools in the world and has been around for a long time.

But anyone in marketing or web design knows that you need to be GDPR compliant.

With its default settings, Google Analytics breaches the GDPR by identifying visitors with cookies, collecting personal data, and sharing that data with other Google services, such as advertising.

When you add the Google Analytics script to your website, it starts tracking visitor activity immediately, setting cookies and recording pageviews and clicks.

Even though GA does not collect your visitors' names and addresses, the GDPR's definition of personal data (any information relating to an identified or identifiable person) covers online identifiers such as the Client ID, User ID, and IP address, all of which Google Analytics collects and stores.

Because you pass your visitors' personal data to a third party (Google), you must disclose this, obtain opt-in consent before collection starts, and let visitors withdraw that consent later.

Google Analytics Cookie Usage on Websites

Google Analytics gives website owners JavaScript tags (libraries) that record information about each page a user views, such as its URL, as the user navigates the site.

The Google Analytics JavaScript libraries also use HTTP cookies to "remember" what a user did on previous pages and in earlier interactions with the website.

How To Make Google Analytics GDPR Compliant On Your Website (Google Analytics GDPR setup)

Let's go through making Google Analytics compliant with GDPR (General Data Protection Regulation).

For starters, make sure you have a privacy policy on your website that tells users why and how you collect their data. Obtain consent before Google Analytics loads, through an opt-in checkbox or a consent banner.

Note that a user handing you an email address (for a newsletter, say) is not consent to analytics tracking; the consent must be specific to that purpose.

Privacy Policy

Your privacy policy must name Google Analytics expressly and explain what it is and why you use it.

It must also specify what information is being gathered, why, how, and to whom it is provided for each data use case.

Your cookie policy should be available to your users in parallel to – or as part of – your privacy policy, describing what cookies are in use, what function they serve, and how to opt-in and out of them.

Google Analytics IP Anonymization (or IP masking)

Under the GDPR, an IP address is personal data. Google Analytics never shows IP addresses in its reports, but Google uses them to derive geolocation data.

That's why you should turn on Google Analytics' IP anonymization option.

Once enabled, Google anonymizes the address as early as technically possible, before it is stored or processed, by zeroing the last octet of an IPv4 address (your IP becomes xxx.xxx.xxx.0) and, per Google's documentation, the last 80 bits of an IPv6 address.

According to Google, once this option is on, the full IP address is never written to disk.

Note: IP-address anonymization is always enabled in Google Analytics 4 (which collects data from your apps and/or website).

You collect data from your apps using the Firebase SDKs and your website using a global site tag with a Measurement ID for your web data stream.
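The masking rule above also matters outside Google Analytics: if you keep your own server logs alongside GA data, the same truncation applied to those logs keeps the two data sets at the same level of identifiability. The following is an added example written for this guide, not Google's code; it reproduces the rule Google describes (last IPv4 octet zeroed, last 80 IPv6 bits zeroed), applies it to the client address at the start of a log line, and rejects malformed addresses rather than passing them through unmasked. The log lines are constructed for the example.

```javascript
// Added example: apply Google Analytics' IP-anonymization rule to your own logs.
// Not Google's code. Assumption: the client address is the first field of each
// log line (as in the common/combined Apache and nginx formats).

function maskIPv4(ip) {
  const octets = ip.split(".");
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error("invalid IPv4 address: " + ip);
  return octets.slice(0, 3).join(".") + ".0";          // zero the last octet
}

// Expand an IPv6 address (with optional "::" compression) into eight 16-bit groups.
function expandIPv6(ip) {
  const halves = ip.split("::");
  if (halves.length > 2) throw new Error("invalid IPv6 address: " + ip);
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if ((halves.length === 2 && missing < 1) || (halves.length === 1 && missing !== 0)) {
    throw new Error("invalid IPv6 address: " + ip);
  }
  const groups = halves.length === 2 ? [...head, ...Array(missing).fill("0"), ...tail] : head;
  return groups.map((g) => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error("invalid IPv6 group: " + g);
    return parseInt(g, 16);
  });
}

// Keep the first 48 bits (three groups); the remaining 80 bits become zero,
// which the trailing "::" expresses in compressed notation.
function maskIPv6(ip) {
  return expandIPv6(ip).slice(0, 3).map((g) => g.toString(16)).join(":") + "::";
}

// Dispatch on address family. An IPv4-mapped IPv6 address ("::ffff:a.b.c.d")
// carries an IPv4 address, so it gets the IPv4 rule.
function anonymizeIp(ip) {
  const mapped = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(ip);
  if (mapped) return "::ffff:" + maskIPv4(mapped[1]);
  return ip.includes(":") ? maskIPv6(ip) : maskIPv4(ip);
}

// Rewrite the client address at the start of a log line; other fields are untouched.
function anonymizeLogLine(line) {
  const m = /^(\S+)(\s.*)$/.exec(line);
  return m ? anonymizeIp(m[1]) + m[2] : line;
}

// Constructed sample log lines (not from a real server).
const SAMPLE_LOG = [
  '203.0.113.45 - - [10/Jan/2023:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
  '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/Jan/2023:10:00:01 +0000] "GET /pricing HTTP/1.1" 200 1024',
  '::ffff:198.51.100.7 - - [10/Jan/2023:10:00:02 +0000] "POST /signup HTTP/1.1" 302 0',
];

if (typeof require !== "undefined" && require.main === module) {
  for (const line of SAMPLE_LOG) console.log(anonymizeLogLine(line));
}
```

Run it with `node` to see the three lines rewritten. Throwing on malformed input is deliberate: a masking step that silently passes bad addresses through is worse than one that fails loudly, because the unmasked value would end up in the retained log.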

Google Analytics Cookies and Consent

All Google Analytics cookies require end-user consent to comply with the EU's GDPR.

Google Analytics "uses cookies to identify unique users across browser sessions" and sets several cookies (including _ga, _gid, and _gat) "to remember what a user has done on prior pages/interactions with the website," as Google's documentation puts it.

  • _ga: identifies users; expires after 2 years.
  • _gid: identifies users; expires after 24 hours.
  • _gat: throttles the request rate to keep your site responsive; expires after 1 minute.
  • AMP_TOKEN: holds a token used to fetch a Client ID from the AMP Client ID service; expires after 30 seconds to 1 year.
  • _gac_<property-id>: holds campaign information that links Google Analytics with Google Ads; expires after 90 days.

Google Analytics sets these cookies in the visitor's browser when they arrive on your website. This is how it recognizes and remembers the same user across sessions and gives you a complete picture of their journey through your site.

Note: if you block these cookies, Google Analytics still runs, but its data becomes inaccurate. Unique-visitor tracking breaks, and nearly every pageview is counted as a new visitor.

Settings for data retention

This gives you control over how long individual user data is retained before being erased automatically.


Go to your Google Analytics account's "Admin" section.

In the "Tracking Info" section, open "Data Retention" and reduce "User and event data retention" to the shortest period available (14 months). The default is 26 months.

Settings for User-ID

Disable the User-ID feature: in the "Tracking Info" section, open "User-ID" and turn it off.

Disable Data Sharing

You can also turn off Google's data sharing. Uncheck the "Data Sharing Settings" under "Account Settings" to accomplish this.


TL;DR

To ensure that Google Analytics – including its cookies, trackers, and statistics tools – complies with the GDPR, you must do the following:

1. Before activating and operating any Google Analytics cookies on your website, request and get end-user consent.

2. Control each Google Analytics cookie to ensure that they are only activated when your users have given their explicit approval.

3. Provide detailed information about all Google Analytics cookies in use (including their provider, technical details, duration, and purpose) in your website's cookie policy.

4. Describe the same Google Analytics data collection, and what Google receives, in your website's privacy policy as well.

5. Enable IP anonymization and ensure that pseudonymous identifiers are used.
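Steps 1 and 2 above, and the cookie list in the previous section, come down to two checks you can automate: no Google Analytics cookie may exist in a visitor's browser before they opt in, and the property must be configured only after that opt-in. The following is an added example written for this guide, not Google's code. It parses a Cookie header or `document.cookie`, classifies the Google Analytics cookies in it by the name patterns listed above (the GA4 `_ga_<id>` and gtag.js `_gat_gtag_<id>` forms are taken from Google's public cookie documentation), flags any that are present without consent, and builds the `gtag()` command sequence for a given consent state, defaulting Consent Mode to "denied" first. The sample cookie string and the `G-XXXXXXXXXX` measurement ID are constructed placeholders.

```javascript
// Added example: detect Google Analytics cookies and gate them on consent.
// Not Google's code; cookie names follow the list in this guide plus the
// GA4 "_ga_<id>" and gtag.js "_gat_gtag_<id>" forms from Google's docs.

const GA_COOKIE_RULES = [
  { label: "_ga",       re: /^_ga$/,            purpose: "user identifier, 2 years" },
  { label: "_ga_<id>",  re: /^_ga_[A-Z0-9]+$/,  purpose: "GA4 session state, 2 years" },
  { label: "_gid",      re: /^_gid$/,           purpose: "user identifier, 24 hours" },
  { label: "_gat",      re: /^_gat(_.+)?$/,     purpose: "request throttling, 1 minute" },
  { label: "_gac_<id>", re: /^_gac_.+$/,        purpose: "Google Ads campaign link, 90 days" },
  { label: "AMP_TOKEN", re: /^AMP_TOKEN$/,      purpose: "AMP client ID token, 30 s to 1 year" },
];

// Parse a Cookie request header or document.cookie ("a=1; b=2") into a Map.
function parseCookies(cookieString) {
  const cookies = new Map();
  for (const part of cookieString.split(";")) {
    const s = part.trim();
    if (!s) continue;
    const eq = s.indexOf("=");
    const name = eq === -1 ? s : s.slice(0, eq).trim();
    cookies.set(name, eq === -1 ? "" : s.slice(eq + 1).trim());
  }
  return cookies;
}

// Every cookie that belongs to Google Analytics, with its documented purpose.
function findAnalyticsCookies(cookieString) {
  const found = [];
  for (const name of parseCookies(cookieString).keys()) {
    const rule = GA_COOKIE_RULES.find((r) => r.re.test(name));
    if (rule) found.push({ name, label: rule.label, purpose: rule.purpose });
  }
  return found;
}

// Compliance check: any GA cookie present while analytics consent is absent
// means the tag ran before the visitor opted in (TL;DR step 1).
function auditConsent(cookieString, consent) {
  const gaCookies = findAnalyticsCookies(cookieString);
  const violations = consent.analytics ? [] : gaCookies.map((c) => c.name);
  return { gaCookies, violations, compliant: violations.length === 0 };
}

// Build the gtag() calls for one consent state. Consent Mode defaults to
// "denied" before any choice; only after an opt-in is the property configured,
// with anonymize_ip on (redundant in GA4, where masking is always enabled).
function gtagCommandsFor(measurementId, consent) {
  const commands = [["consent", "default", { analytics_storage: "denied", ad_storage: "denied" }]];
  if (!consent.analytics) return commands;
  commands.push(["consent", "update", { analytics_storage: "granted" }]);
  commands.push(["js", new Date()]);
  commands.push(["config", measurementId, { anonymize_ip: true }]);
  return commands;
}

// Google's documented opt-out switch: set before gtag.js runs, the property
// sends no hits at all. Pass `window` in a browser; a plain object works for tests.
function disableProperty(measurementId, scope = globalThis) {
  scope["ga-disable-" + measurementId] = true;
  return scope;
}

// Constructed sample Cookie header: four GA cookies plus one unrelated session cookie.
const SAMPLE_COOKIES =
  "_ga=GA1.2.1234567890.1700000000; _gid=GA1.2.987654321.1700000000; " +
  "_gat_gtag_UA_12345_1=1; sessionid=abc123; _ga_ABC123DEF4=GS1.1.1700000000.1.1.1700000100.0.0.0";

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditConsent(SAMPLE_COOKIES, { analytics: false }));
  console.log(gtagCommandsFor("G-XXXXXXXXXX", { analytics: true }));
}
```

In a browser, feed `document.cookie` to `auditConsent` from your consent banner's "before choice" state to catch a tag that fires too early; on the server, run the same check over the `Cookie` header of requests from users who have not opted in. The commands returned by `gtagCommandsFor` are the arguments you would pass to `gtag(...)` in that order.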

Wrap Up

The bottom line is that every organization using Google Analytics should be, or should have become, GDPR compliant.

That's why we've offered up everything you need to know about Google Analytics and GDPR compliance in this guide.

Google Analytics can provide invaluable insights into user behavior on your website, and following the steps above should ensure that any data collected adheres to GDPR requirements.

FAQ

Do I Need GDPR For Google Analytics?

Yes. If you collect personal data via your website, you need to get the user's consent first.

To comply with GDPR, make sure you get permission from your users for the Google Analytics cookie and describe what data you are using from those cookies in your privacy policy. No matter where you and your website are situated in the globe, you must comply with the EU's GDPR if you have users from the EU.

Does Google Analytics Store Personal Data?

Yes.

Google Analytics sets cookies to monitor visits and creates unique user IDs to keep track of users across sessions and devices.
