06/11/2022

Ultimate Master Guide To Google Analytics & GDPR Compliance

Insights

8 min remaining

Do you use Google Analytics to track website traffic?

This could have changed since the introduction of the General Data Protection Regulation (GDPR).

Google Analytics does not comply with GDPR.

While many marketers are familiar with GDPR, there is still much to learn.

We are here to answer all your questions.

What’s the GDPR?

GDPR stands for the General Data Protection Regulation. It was launched on May 25, 2018.

Companies that collect or control data from EU citizens are bound by the law. You must also understand the nature and role of Google Analytics in this equation.

What is the GDPR requirement?

  • All data processed by visitors must be fair, transparent and lawful.
  • Site visitors must sign up for your newsletter to give you clear, informed and unambiguous permissions to use their data.
  • It’s important to differentiate consent requests from other content.
  • Only visitors with clearly stated objectives can access data.
  • Only collect and process data that is necessary for the purposes stated. You should not keep data longer than necessary.
  • Data encryption can be used to secure data and ensure confidentiality.
  • Website visitors can cancel their consent at any time.

To whom is GDPR applicable?

  • If you are a member of the EU.
  • If your company is not located in the EU, but provides goods and services to EU citizens.

Google Analytics GDPR Compliance

Google Analytics is a very popular tool for digital analysis. It has been around for a long time.

Anyone who works in marketing or web design knows that GDPR compliance must be met.

Google Analytics is in violation of the GDPR. It monitors visitors with cookies and acquires personal data. This information can then be shared with other services, such as advertising.

After you upload the Google Analytics script it will start tracking user activity and collecting data via cookies and clicks.

Although GA does not collect your name and address, GDPR allows you to define personal identifiable information (PII). These permanent IDs include ClientID, UserID, and IP Address. They are all collected through Google Analytics.

Make your visitor’s PII publicly available and allow them to opt in or out of data collection.

Google Analytics offers JavaScript tags (libraries)that store information about pages viewed and accessed by users.

Google Analytics JavaScript libraries use HTTP cookies to “remember how a user acted previously on pages/interactions within this website”.

Making Google Analytics GDPR-Compatible for Your Website (Google Analytics Setup)

Let’s take a look at how Google Analytics can comply with the GDPR.

First, make sure your privacy policy is visible on your website. It should be clear to the users why and how their data was collected.

You can request permission for an email address that a user has provided.

Privacy Policy

Your privacy policy must include Google Analytics. It should also include a description of why it is being used in that particular instance.

This should include information about the data being collected and how it was obtained.

Access to your cookie policy should be available to all users. It will explain what cookies are used and their functions, as well as how you can opt-out.

Google Analytics IP Anonymization (or IP masking)

An IP address is personal data as defined by the EU’s GDPR. Google however uses them to provide geolocation information. 

Google Analytics’ IP anonymization function is a smart move.

Once your IP address is established, Google will anonymize it. After establishing your IP address, Google will remove the last octet before storing it or processing it. Your IP address will be xxxxxxx.xxx.0, with a 0 replacing any remaining portion/octet.

Google claims your entire IP address won’t be copied to your computer once you activate this option.

Notification: Google Analytics 4 (which collects data from your website and apps), always enables IP anonymization.

Firebase SDKs can collect data from both your app and your website. To track your web data stream, a global site tag and a Measurement ID are used.

All Google Analytics cookies must have the consent of the end-user to comply with EU’s GDPR.

Google Analytics “uses cookies to identify unique users across browser sessions” and sets many cookies (including _ga or _gid cookies). 

  • _ga can be a user-recognised number that expires after two years.
  • _gid can be used to identify users. It expires after 24hrs. 
  • _gat To maintain high website performance, limit the requests.
  • AMP_TOKEN – This unique ID is assigned to each user. It expires after 30 seconds up to one year.
  • **gac** A unique ID that allows Google Analytics to be used together with Ads. It expires after 90 calendar days.

Google Analytics Cookies are stored in the browsers of visitors whenever they visit your website. Google Analytics Cookies are used to track and recognize each user across multiple websites, and provide a complete map showing where they have been to your site.

Note: Google Analytics will stop working if you disable cookies. This could lead to incorrect analytics data. Each pageview counts as a unique visitor.

Settings for data retention

You can control the length of user data before it is erased automatically.

Log in to your Google Analytics account and go to the “Admin” section.

Click on “Data Retention”, and you can reduce “User” or “event data retention for the shortest possible time. This section is located in the “Tracking Information”. The default setting for this section is 26 months.

Configurations to User-ID

To disable the User-ID function, click on the “UserID” section.

Disable data sharing

Google can also block data sharing. 

TL;DR

It is your responsibility to ensure that Google Analytics and its trackers comply with GDPR.

1. Ask for and get the consent of any end-user before you activate or operate any Google Analytics cookies.

2 Each Google Analytics cookie can be controlled so that users only give their consent.

HTML3_ Provide detailed information about all Google Analytics cookies that were used, including their source, duration, and purpose in your cookie policy.

4. All information regarding Google Analytics cookies that are used to track your website’s privacy policies.

5. Enable IP anonymization to ensure pseudonymous IDs

Take a bow

Google Analytics users must all comply with GDPR.

This guide contains all the information you need to comply with GDPR and Google Analytics.

Google Analytics gives you valuable insight into user behavior on your site. These steps will ensure that your data conforms to GDPR.

FAQ

What’s the GDPR for Google Analytics,

Yes. Yes.

By requesting permission from your users for the use of Google Analytics cookies, you must comply with GDPR. You must also describe in your privacy statement what data you use from Google Analytics cookies. You must adhere to GDPR. 

Google Analytics stores personal data?

Yes.

Google Analytics stores cookies and uses them to track your visits. Google Analytics uses unique userIDs to track users across sessions or devices.

About the author

Kobe Digital is a unified team of performance marketing, design, and video production experts. Our mastery of these disciplines is what makes us effective. Our ability to integrate them seamlessly is what makes us unique.