All Blog Posts

Google Analytics and the GDPR

Find out all about Google Analytics, cookies and how to obtain data privacy compliance with a consent management platform (CMP).

Updated August 18, 2022.

Google Analytics is the most popular online solution for gaining insight into how your website performs with its visitors.

But is it in compliance with GDPR to use Google Analytics? How do you balance Google Analytics, cookies and end-user consent on your website?

In this blogpost, we break down both Google Analytics, cookies and the EU’s GDPR requirements for your domain. We also look at how you can use the Google Consent Mode to make your Google Analytics run based entirely on end-user consent states for maximized analytics in full GDPR compliance.

Google Analytics, cookies and GDPR

What is Google Analytics?

Google Analytics is Google’s powerful and popular traffic analytics tool that allows you to get deep, real-time insights into how your website is being used, how much, and by whom.

Google Analytics is sort of like having a living map of your website in real-time, allowing you to see how your users are moving around. Where are users traveling to and from, and how are they behaving while they’re on your domain? What catches their attention, and what makes them shy away? 

Data like this obviously provides valuable insights into how your domain is performing, highlighting the weak spots and the strong parts so that you can optimize it on the fly. 

Being able to see all of this data in context, presented neatly into graphs and statistics can be an eye-opener for most website owners and operators.

But how does Google Analytics do this, you might then ask?

Illustration of a person reading a long piece of paper - Cookiebot
Google Analytics uses cookies that under the EU’s GDPR need end-user consent.

How does Google Analytics work?

On a technical level, Google Analytics works through JavaScript tags that run in your website’s source code and is usually operated with Google Tag Manager.

But from the other side of the screen – from the point of view of your website’s users – these JavaScript tags running Google Analytics set cookies on their browsers that harvest personal and sometimes sensitive data from them in return.

Under the EU’s GDPR, you are required to ask for and obtain the explicit consent to run any kind of cookie or tracker on your website that processes personal data.

And using Google Analytics on your website sets cookies on users’ browsers that process personal data.

Using Google Analytics is therefore not GDPR compliant by default.

So… how can you make your website’s use of Google Analytics GDPR compliant? And how do you balance Google Analytics, cookies and end-user consent on your website to still get those valuable statistics and insights without breaking European data protection laws, and the trust of your users?

Let’s make a quick breakdown of Google Analytics and GDPR compliance on your website.

Steps to make Google Analytics GDPR compliant

Here’s a step-by-step guide on how to get valid GDPR consent to Google Analytics and cookies on your website.

NOTE:
Rulings to ban the use of Google Analytics from the Italian, Austrian, French and Danish data protection authorities (DSB, Garante, CNIL and Datatilsynet respectively) do not apply to companies outside of these countries, but these may not be the only EU-based rulings that target US-operated cloud services. We at Usercentrics – the parent-company of Cookiebot CMP – follow the developments closely. Our recommendation is to pay close attention to the Cookiebot CMP scanner report and to seek legal counsel if you make use of any services located in “non-adequate” countries.

Step 1 – end-user consent

You must ask for and obtain the explicit and valid consent from your users in order to use Google Analytics in GDPR compliance on your website.

A valid GDPR consent looks like this – 

  • Prior and explicit consent must be obtained before any activation of cookies (apart from whitelisted, necessary cookies). 
  • Consents must be granular, i.e. users must be able to activate some cookies rather than others and not be forced to consent to either all or none. 
  • Consent must be freely given, i.e. they are not allowed to be forced. 
  • Consents must be as easily withdrawn as they are given. 
  • Consents must be securely stored as legal documentation that the consent was obtained. 
  • Consents must be renewed at least once per year. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance.

Step 2 – have an exhaustive privacy and cookie policy

Your privacy policy must include detailed information about all Google Analytics cookies and other tracking technologies in operation on your website. 

Here, you need to provide transparency about the data processing on your site. Make sure that all data processing on your website is clearly stated in your privacy policy, including the purposes for which you collect data, the kinds of data you collect, and who you share it with.

In addition to – or as part of your privacy policy – your cookie policy should be accessible to your users, outlining what cookies are in use, what purpose they serve, and how one may opt in and out of them.

Step 3 – turn on IP Anonymization in your Google Analytics account

An IP address is defined as personal data in the EU’s GDPR. IP addresses are by default never exposed in reporting, but Google uses them to provide geolocation data.

That’s why it’s a good idea to turn on the IP anonymization feature in Google Analytics.

This change will slightly reduce the geographic reporting accuracy of your Google Analytics account. To turn on anonymization, you must make a change in the code: 

If you use Google Tag Manager, adjust your tag or Google Analytics Settings variable by clicking into More Settings -> Fields to Set and then add a new field named ‘anonymizeIp’ with a value of ‘true’

If you don’t use Google Tag Manager, your tag management system may have this setting exposed as an option, or you may need to edit the code directly.

Once implemented, Google will anonymize the IP address as soon as technically feasible by removing the last octet of the IP address before any storage or processing begins (your IP becomes 123.123.123.0 — where the last portion/octet is replaced with a ‘0’).

Once this feature is enabled, the full IP address is never written to the disk according to Google.

Additionally, check your pseudonymous identifiers in your Google Analytics to make sure that data is not identifiable. 

Your Google Analytics implementation may already be using pseudonymous identifiers such as – 

  • User ID (make sure that user IDs are alphanumeric database identifiers, and not data written in plain text).
  • Hashed or encrypted data (Google has a minimum hashing requirement of SHA256. However, it is recommended to avoid collecting data in this manner).
  • Transaction IDs (make sure that this ID is an alphanumeric database identifier).
Abstract data illustration - Cookiebot
Google Analytics uses cookies that the EU’s GDPR categorize as personal data, requiring end-user consent to function.

Google Analytics GDPR compliance, in detail

Let’s go into a bit more detail on the EU’s GDPR, what implications it has for your website, and what kind of cookies Google Analytics uses.

The General Data Protection Regulation (GDPR) is an EU-wide data privacy regulation that protects all personal data from individuals inside the European Union, and comes with strict requirements for how websites, companies and organizations all around the world are allowed to collect and process such data.

The EU’s GDPR applies to any website anywhere in the world that processes personal data from inside the EU.

In short, the EU’s GDPR requires you to ask for and obtain the explicit consent from EU residents prior to any processing of their personal data.

Personal data under the EU’s GDPR is any kind of data that can identify an individual – either directly or indirectly.

Included in this definition are common online identifiers such as cookies, unique IDs, ClientIDs, IP addresses, search and browser history, and many other types of data collected every day on the Internet from users, when they visit websites.

Cookies serve a range of different purposes from functionality, performance, statistics and targeted advertisement. Some cookies are necessary for your website to work, and some are not. Some enhance user experience, some serve for monitoring and user profiling, and some do both.

This is where Google Analytics and the GDPR overlap, because Google Analytics uses cookies to track your website’s users and their behavior.

Does Google Analytics use cookies?

Google Analytics uses several different HTTP cookies to track users and their behavior on your website, to distinguish and remember them over time and upon repeated visits.

Be aware that all Google Analytics cookies need end-user consentto be in compliance with the EU’s GDPR. 

Only so-called “necessary cookies” are allowed to be in function on your website without user consent, i.e. cookies strictly necessary for the basic functions on your domain.

However, Google Analytics cookies cannot be classified as necessary cookies.

Google Analytics set the following cookies when in use on your website – 

  • _ga (cookie used to distinguish individual users on your domain, expires after 2 years)
  • _gid (cookie used to distinguish individual users on your domain, expires after 24 hours)
  • _gat (cookie used to limit amount of user requests in order to maintain your website’s performance, expires after 1 minute)
  • AMP_TOKEN (cookie containing a unique ID assigned to each user on your domain, expires somewhere between 30 seconds and 1 year)
  • _gac_<property-id> (cookie containing a unique ID that makes Google Analytics and Ads work together, expires after 90 days)

These Google Analytics cookies are stored on your users’ browsers when they land on your website. This is how Google Analytics can distinguish and remember each individual user, follow them across different websites and present you with a detailed map of their journey to and from your domain.

As shown above, some Google Analytics cookies expire after 1 minute (e.g. the _gat cookie), while other Google Analytics cookies stay on the browser for two years (e.g. the _ga cookie).

But no matter their duration, all of the above-mentioned Google Analytics cookies fall under the GDPR’s definition of personal data.

That’s because Google Analytics cookies collect information that can be used to identify an individual, sometimes directly, sometimes indirectly in combination with other data.

Data that Google Analytics’ cookies collect include – 

  • ClientIDs consisting of a string of numbers unique to each user on your website
  • Number of times and time of day of previous visits to your website
  • Information about how they found your website, their search and browser history
  • IP addresses (unless switched off in your Google Analytics account)

In general, websites harbor an estimate of 20 cookies. 

According to the study Beyond the Front Page from 2020 – 

  • 72% of cookies will be loaded in secret by other third-party cookies
  • 18% of cookies are so-called “trojan horses”, i.e. cookies hidden as deep as within eight other cookies
  • 50% of these “trojan horses” will change between repeated visits from your website’s users.

Cookies will be set from your website if you use Google Analytics or a similar analytics solution, but also other embedded content sets cookies, e.g. performance and marketing tools like HubSpot, embedded videos from third-party platforms like YouTube or Vimeo, and social media plugins such as Facebook like buttons.

These cookies will process personal data from your end-users on your website.

Google Consent Mode and Google Analytics

Run Google Analytics in GDPR compliance without losing analytics data

Google Consent Mode launched on September 3, 2020 and is a huge step towards a balance on your website between data privacy compliance and analytics insights.

Google Consent Mode is an open API that enables your website to run Google Analytics based on the consent state of your end-users in seamless integration with Cookiebot CMP.

With the Google Consent Mode, you can manage your Google Analytics, cookies and GDPR user consent all at once to secure compliant analytics and insights for your website.

If users don’t give their consent to statistics cookies, Google Consent Mode makes sure that you still get aggregate and non-identifying insights into your website’s performance, such as – 

  • Timestamps 
  • User agents 
  • Referrers 
  • Other basic measurements for modelling 

Google Consent Mode ensures full GDPR compliance simultaneously with optimized analytics data – respecting both end-user privacy and your website’s need for data and user insights. 

Try the Google Consent Mode on your website for a compliant balance between Google Analytics, cookies and GDPR.

Summary

Let’s sum up how to use Google Analytics in compliance with the EU’s GDPR.

To ensure that Google Analytics – its cookies, trackers and statistics tools – run in full compliance with EU’s General Data Protection Regulation (GDPR), you need to:

  1. Ask for and obtain end-user consent for all Google Analytics cookies on your website prior to their activation and operation.
  2. Control each Google Analytics cookie in order to only activate them after your users have given their explicit consent to them.
  3. Provide transparent information in your website’s cookie policy about the details of all Google Analytics cookies in operation – including their provider, technical details, duration and purpose. This is important as consent is only valid under the GDPR if it constitutes an informed choice on behalf of the users.
  4. Compile detailed information in your website’s privacy policy about all Google Analytics cookies on your domain, and what personal data your website processes in general.
  5. Turn on IP anonymization in your Google Analytics account and make sure that it uses pseudonymous identifiers.

FAQ

Is Google Analytics GDPR compliant?

By default, Google Analytics is not GDPR compliant. When using Google Analytics on your website, you must first obtain the explicit consent of end-users to activate the Google Analytics cookies, as well as describe all personal data processing in your website’s privacy policy. Using a consent management platform can automate the entire Google Analytics GDPR compliance process.

Try Cookiebot CMP free for 14 days… or forever if you have a small website.

Do I need to follow the rules of GDPR to use Google Analytics?

If you have users from inside the EU, you need to be in compliance with the EU’s GDPR – no matter where in the world you and your website is located. Any processing of personal data from individuals inside the European Union requires their explicit consent to do so. This includes the use of Google Analytics, cookies and other tracking technologies on your website.

Scan your website for free to see all cookies in use

How can I become GDPR compliant in Google Analytics?

Using Google Analytics in GDPR compliance on your website is all about getting the informed and explicit from your end-users. Google Analytics cookies collect data that are classified under the EU’s GDPR as personal data, requiring end-user consent before they can be activated and collect data. Use a consent management platform like Cookiebot CMP to automate the entire Google Analytics GDPR compliance process.

Try Cookiebot CMP free for 14 days… or forever if you have a small website.

Does Google Analytics collect personal data?

Yes, various data that Google Analytics cookies can collect from your end-users through your website, such as IP addresses, unique IDs and ClientIDs – is data that either directly or in combination with other data can identify an individual. If this individual is located inside the EU, the GDPR protects their data privacy.

Learn more about GDPR and cookie consent

Does Google Analytics collect IP addresses?

Yes, Google Analytics can collect IP addresses, but you can turn on IP anonymization and ensure that Google Analytics does not process users’ actual IP address, but uses an anonymized IP address instead.

Try Cookiebot CMP free for 14 days… or forever if you have a small website.

Does Google Analytics use cookies?

Yes, Google Analytics uses several different HTTPS cookies, including some persistent cookies with a duration of up to two years. Google Analytics store cookies on end-users’ browsers, once they land on your website.

Learn more about cookies and website tracking

What cookies does Google Analytics use?

Google Analytics uses several HTTP cookies on your website, e.g. the statistics cookie _ga to distinguish individual users and track how they engage with your website. The _ga cookie in Google Analytics is stored on a user’s browser when they land on your website and lasts for two years. Explicit consent from users inside the EU is needed for this Google Analytics-cookie to be activated.

Learn more about the GDPR and cookies

What is Google Analytics data?

Google Analytics can be used as a statistics tool on your website to measure performance and gain insights into how users behave on your website. Data that Google Analytics can offer about your website includes visitor measurements, performance insights of landing and subpages, number of times and time of day of previous visits to your website, and information about how users found your website.

Make your website tracking GDPR compliant with Cookiebot CMP

What type of cookies does Google Analytics use?

Google Analytics cookies include several HTTPS cookies that collect various information about your website’s users in order to offer you insights into your domain’s performance. Google Analytics cookies include _ga (cookie used to distinguish individual users on your domain), _gid (cookie used to distinguish individual users on your domain), _gat (cookie used to throttle request rates), AMP_TOKEN (cookie containing a unique ID assigned to each user on your domain) and _gac_<property-id>(cookie containing a unique ID that makes Google Analytics and Ads work together).

Learn more about the GDPR and cookies

Can Google Analytics work without cookies?

Yes, using Google Consent Mode can make your website run Google Analytics based on the consent state of your end-users. If end-users choose not to consent to cookies, Google Consent Mode enables Google Analytics to collect basic measurements without the use of cookies, respecting user privacy while at the same time offering you valuable insight into your website’s performance.

Try Google Consent Mode with Cookiebot CMP for free today

What does Google Analytics add to the first-party cookie?

Google Analytics uses a ClientID in the _ga cookie that can distinguish and remember individual users upon repeated visits to your website. This requires end-user consent to be GDPR compliant.

Try Cookiebot CMP free for 14 days… or forever if you have a small website.

Resources

Google Analytics

Google Consent Mode

GDPR report: GDPR and Google Analytics

Google’s privacy policy

Google developer’s guide: Google Analytics cookie usage on websites

Medium: Google Analytics and GDPR compliance

Google’s EU User Consent Policy

Full classification of Google Ad’s products

    Stay informed

    Join our growing community of data privacy enthusiasts now. Subscribe to the Cookiebot™ newsletter and get all the latest updates right in your inbox.

    By clicking on “Subscribe” I confirm that I want to subscribe to the Cookiebot™ newsletter. I can easily cancel my Cookiebot™ newsletter subscription and revoke consent to use my data by clicking the unsubscribe link or I can write to [email protected] to make the request. Privacy policy.