
Google Analytics, cookies and GDPR compliance with Cookiebot CMP.

Updated March 24, 2021.


Google Analytics is the most popular online solution for gaining insight into how your website performs with its visitors.

But is Google Analytics GDPR compliant to use? How do you balance Google Analytics, cookies and end-user consent on your website?

In this blogpost, we break down Google Analytics, cookies and the EU’s GDPR requirements for your domain. We also look at how you can use the Google Consent Mode to make your Google Analytics run based entirely on end-user consent states for maximized analytics in full GDPR compliance.

Find out all about Google Analytics, cookies and GDPR compliance here.



Google Analytics, cookies and GDPR


How to make Google Analytics GDPR compliant on your website

Google Analytics is Google’s powerful and popular traffic analytics tool that allows you to get deep, real-time insights into how your website is being used, how much, and by whom.

Google Analytics is sort of like having a living map of your website in real-time, allowing you to see how your users are moving around.

Where are users travelling to and from, and how are they behaving while they’re on your domain? What catches their attention, and what makes them shy away?

Data like this obviously provides valuable insights into how your domain is performing, highlighting the weak spots and the strong parts so that you can optimize it on the fly.

Being able to see all of this data in context, presented neatly in graphs and statistics, can be an eye-opener for most website owners and operators.

But how does Google Analytics do this, you might then ask?

On a technical level, Google Analytics works through JavaScript tags that run in your website’s source code and are usually operated with Google Tag Manager.




But from the other side of the screen – from the point of view of your website’s users – these JavaScript tags running Google Analytics set cookies on their browsers that harvest personal and sometimes sensitive data from them in return.



Under EU’s GDPR, Google Analytics cookies need end-user consent to be activated on your website.



Profiling is the accumulation and combination of personal data into large and eerily detailed data sets on individuals, their habits, behavior and preferences, and it forms the basis of behavioral advertisement that, in turn, serves eerily targeted online commercials back at your users.

However, your end-users in Europe have a right to data privacy that is protected by the EU’s General Data Protection Regulation (GDPR). This regulation is uniform across all 27 EU countries and empowers users with several rights over their personal data – chief among them the right to consent.

Under the EU’s GDPR, you are required to ask for and obtain explicit consent before running any kind of cookie or tracker on your website that processes personal data.

And using Google Analytics on your website sets cookies on users’ browsers that process personal data.

Using Google Analytics is therefore not GDPR compliant by default.

So… how can you make your website’s use of Google Analytics GDPR compliant? And how do you balance Google Analytics, cookies and end-user consent on your website to still get those valuable statistics and insights without breaking European data protection laws, and the trust of your users?

Let’s make a quick breakdown of Google Analytics and GDPR compliance on your website.



Google Analytics GDPR compliance, in short


Google Analytics GDPR compliance checklist

Here’s a quick list of what it takes to run Google Analytics in GDPR compliance on your website. If you’re looking for a more detailed run-through, read on below. To ensure that Google Analytics – its cookies, trackers and statistics tools – run in full compliance with EU’s General Data Protection Regulation (GDPR), you need to:

  1. Ask for and obtain end-user consent for all Google Analytics cookies on your website prior to their activation and operation.
  2. Control each Google Analytics cookie in order to only activate them after your users have given their explicit consent to them.
  3. Provide transparent information in your website’s cookie policy about the details of all Google Analytics cookies in operation – including their provider, technical details, duration and purpose. This is important as consent is only valid under the GDPR if it constitutes an informed choice on behalf of the users.
  4. Compile detailed information in your website’s privacy policy about all Google Analytics cookies on your domain, and what personal data your website processes in general.
  5. Turn on IP anonymization in your Google Analytics account and make sure that it uses pseudonymous identifiers.



Google Analytics uses cookies that the EU’s GDPR categorizes as personal data, requiring end-user consent to function.



All of this can seem like complicated data protection matters that are sure to give you a headache before you’ve even started.

Luckily, the Cookiebot consent management platform (CMP) is a world-leading solution that automates the entire process of getting end-user consents for Google Analytics cookies in full GDPR compliance on your website.

Read more about the plug-and-play Cookiebot CMP below and how it can make your website and its use of Google Analytics GDPR compliant for free today.




Google Analytics and Cookiebot CMP


Automatic Google Analytics GDPR compliance with Cookiebot CMP

Cookiebot CMP is a world-leading consent management platform that deep-scans your website to detect and automatically control all cookies and trackers, including all Google Analytics cookies in use on your domain.

The Cookiebot CMP plug-and-play solution organizes your website’s cookies into four simple cookie categories, which your users can activate or deactivate prior to any personal data processing.

It’s fast and simple GDPR compliance with just a few lines of JavaScript.




Cookiebot CMP consent banner making your website’s use of Google Analytics GDPR compliant.



Cookiebot CMP makes your website’s use of Google Analytics GDPR compliant with –




Google Consent Mode and Google Analytics


Run Google Analytics in GDPR compliance without losing analytics data

Google Consent Mode launched on September 3, 2020 and is a huge step towards a balance on your website between data privacy compliance and analytics insights.

Google Consent Mode is an open API that enables your website to run Google Analytics based on the consent state of your end-users in seamless integration with Cookiebot CMP.

With the Google Consent Mode, you can manage your Google Analytics, cookies and GDPR user consent all at once to secure compliant analytics and insights for your website.

If users don't give their consent to statistics cookies, Google Consent Mode makes sure that you still get aggregate and non-identifying insights into your website’s performance, such as –

Google Consent Mode ensures full GDPR compliance simultaneously with optimized analytics data – respecting both end-user privacy and your website’s need for data and user insights.

By using a consent management platform like Cookiebot CMP to ask for and obtain prior consent from users for processing their personal data, your website can use this consent state to let the Google Consent Mode run all your website’s preferred Google services in a simple and compliant way.
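How a consent state can drive Google Consent Mode, as an added example that is not code from this page or from Cookiebot: the default is denied, and only an explicit choice upgrades it. `gtag`, `dataLayer`, `analytics_storage` and `ad_storage` are Consent Mode names; the `statistics` / `marketing` fields, the function names and the `UA-XXXXX-Y` property ID are assumptions.

```javascript
// Added example. Only gtag(), dataLayer and the two consent keys are Google's
// names; the CMP consent object shape and all function names are hypothetical.
const queue = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { queue.push(arguments); }

// Fail closed: only a literal boolean true from the CMP grants storage.
function toConsentSignals(cmpConsent) {
  const grant = (v) => (v === true ? 'granted' : 'denied');
  const c = cmpConsent || {};
  return {
    analytics_storage: grant(c.statistics),
    ad_storage: grant(c.marketing),
  };
}

// Must be queued before any tag is configured: everything starts denied.
function setDefaultConsent() {
  gtag('consent', 'default', toConsentSignals(null));
}

// Call from the CMP's accept/decline callback with the user's choice.
function updateConsent(cmpConsent) {
  const signals = toConsentSignals(cmpConsent);
  gtag('consent', 'update', signals);
  return signals;
}

// Audit helper: the consent default has to sit ahead of the first 'config'
// command, otherwise the tag is configured before the denied default exists.
function defaultPrecedesConfig(commands) {
  const cmds = commands.map((args) => Array.from(args));
  const firstDefault = cmds.findIndex((c) => c[0] === 'consent' && c[1] === 'default');
  const firstConfig = cmds.findIndex((c) => c[0] === 'config');
  if (firstDefault === -1) return false;
  return firstConfig === -1 || firstDefault < firstConfig;
}

// Constructed page-load sequence; 'UA-XXXXX-Y' is a placeholder property ID.
function demoPageLoad(userChoice) {
  queue.length = 0;
  setDefaultConsent();
  gtag('js', new Date());
  gtag('config', 'UA-XXXXX-Y');
  updateConsent(userChoice);
  return queue.map((args) => Array.from(args));
}
```

Running `defaultPrecedesConfig(window.dataLayer)` in the browser console of a live page is a quick check that the ordering holds on your own site.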

Try the Google Consent Mode on your website with Cookiebot CMP for a compliant balance between Google Analytics, cookies and GDPR.


Read Google’s blogpost for more info on the Google Consent Mode




Google Analytics and GDPR compliance, in detail


Learn more about Google Analytics, cookies and the EU’s GDPR

Let’s go into a bit more detail on the EU’s GDPR, what implications it has for your website, and what kind of cookies Google Analytics uses.

The General Data Protection Regulation (GDPR) is an EU-wide data privacy regulation that protects all personal data from individuals inside the European Union, and comes with strict requirements for how websites, companies and organizations all around the world are allowed to collect and process such data.

The EU’s GDPR applies to any website anywhere in the world that processes personal data from inside the EU.

In short, the EU’s GDPR requires you to ask for and obtain the explicit consent from EU residents prior to any processing of their personal data.



The EU’s GDPR demands that you get consent from your users for the cookies that Google Analytics sets from your website.



Personal data under the EU’s GDPR is any kind of data that can identify an individual – either directly or indirectly.

Included in this definition are common online identifiers such as cookies, unique IDs, ClientIDs, IP addresses, search and browser history, and many other types of data collected from users every day when they visit websites.

Cookies serve a range of different purposes, from functionality and performance to statistics and targeted advertisement. Some cookies are necessary for your website to work, and some are not. Some enhance user experience, some serve for monitoring and user profiling, and some do both.

This is where Google Analytics and the GDPR overlap, because Google Analytics uses cookies to track your website’s users and their behavior.





Google Analytics’ cookies on your website

Google Analytics uses several different HTTP cookies to track users and their behavior on your website, to distinguish and remember them over time and upon repeated visits.

Be aware that all Google Analytics cookies need end-user consent to be in compliance with the EU’s GDPR.

Only so-called “necessary cookies” are allowed to be in function on your website without user consent, i.e. cookies strictly necessary for the basic functions on your domain.

However, Google Analytics cookies cannot be classified as necessary cookies.

Google Analytics sets the following cookies when in use on your website –

These Google Analytics cookies are stored on your users’ browsers when they land on your website. This is how Google Analytics can distinguish and remember each individual user, follow them across different websites and present you with a detailed map of their journey to and from your domain.

As shown above, some Google Analytics cookies expire after 1 minute (e.g. the _gat cookie), while other Google Analytics cookies stay on the browser for two years (e.g. the _ga cookie).




Google Analytics can be GDPR compliant, if you include end-user consent as part of its operation.



But no matter their duration, all of the above-mentioned Google Analytics cookies fall under the GDPR’s definition of personal data.

That’s because Google Analytics cookies collect data that can be used to identify an individual, sometimes directly, sometimes indirectly in combination with other data.
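A check for Google Analytics cookies that are present without statistics consent, as an added example that is not code from this page or from Cookiebot. The cookie names are the ones this page lists (`_ga`, `_gid`, `_gat`, `AMP_TOKEN`, `_gac_`); the function names and the sample cookie string are constructed, and the `_ga` value layout assumed is the Universal Analytics one.

```javascript
// Added example. Cookie names come from this page; function names and the
// sample cookie string are constructed for illustration.
const GA_COOKIE_PATTERNS = [
  /^_ga$/,
  /^_gid$/,
  /^_gat(_.+)?$/,   // _gat, including suffixed variants
  /^AMP_TOKEN$/,
  /^_gac_/,         // _gac_<property-id>
];

// Parse a document.cookie-style string ("a=1; b=2") into [name, value] pairs.
function parseCookieString(str) {
  return String(str || '')
    .split(';')
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => {
      const eq = part.indexOf('=');
      return eq === -1 ? [part, ''] : [part.slice(0, eq), part.slice(eq + 1)];
    });
}

// Universal Analytics _ga layout: GA1.<depth>.<random>.<first-visit timestamp>.
// The last two fields together are the ClientID that identifies the browser.
function clientIdFromGa(value) {
  const parts = String(value).split('.');
  return parts.length >= 4 ? parts.slice(-2).join('.') : null;
}

// Report GA cookies and flag a violation when they exist without consent.
function auditGaCookies(cookieString, statisticsConsent) {
  const gaCookies = parseCookieString(cookieString)
    .filter(([name]) => GA_COOKIE_PATTERNS.some((re) => re.test(name)))
    .map(([name, value]) => ({
      name,
      clientId: name === '_ga' ? clientIdFromGa(value) : null,
    }));
  return {
    gaCookies,
    violation: statisticsConsent !== true && gaCookies.length > 0,
  };
}

// Constructed sample, shaped like document.cookie on a page running GA.
const SAMPLE_COOKIES =
  'session=abc123; _ga=GA1.2.1234567890.1616544000; ' +
  '_gid=GA1.2.987654321.1616544000; _gat=1; lang=en';
```

In a browser, `auditGaCookies(document.cookie, false)` run before the visitor has answered the consent banner should report no violation.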

Data that Google Analytics’ cookies collect include –




In general, websites harbor an estimated 20 cookies.

According to the study Beyond the Front Page from 2020 –

Cookies will be set from your website if you use Google Analytics or a similar analytics solution, but also other embedded content sets cookies, e.g. performance and marketing tools like HubSpot, embedded videos from third-party platforms like YouTube or Vimeo, and social media plugins such as Facebook like buttons.

These cookies will process personal data from your end-users on your website.

Using a fully automated cookie solution like Cookiebot CMP is a vital tool for your website’s GDPR compliance, ensuring that Google Analytics cookies and other third-party tracking technologies are detected and controlled, enabling the user to give their valid consent.





Your website’s users are protected under the EU’s GDPR from unconsented data collection.




Steps to make Google Analytics and its cookies GDPR compliant


Here’s a step-by-step guide on how to get valid GDPR consent to Google Analytics and cookies on your website.



Step 1 – end-user consent

You must ask for and obtain the explicit and valid consent from your users in order to use Google Analytics in GDPR compliance on your website.

A valid GDPR consent looks like this –



Step 2 – have an exhaustive privacy and cookie policy

Your privacy policy must include detailed information about all Google Analytics cookies and other tracking technologies in operation on your website.

Here, you need to provide transparency about the data processing on your site. Make sure that all data processing on your website is clearly stated in your privacy policy, including the purposes for which you collect data, the kinds of data you collect, and who you share it with.




In addition to – or as part of – your privacy policy, your cookie policy should be accessible to your users, outlining what cookies are in use, what purpose they serve, and how one may opt in and out of them.

Cookiebot CMP automatically provides you with an exhaustive and always up-to-date cookie policy.



The GDPR requires you to list Google Analytics and its cookies in your website’s privacy policy.




Step 3 - turn on IP Anonymization in your Google Analytics account

An IP address is defined as personal data in the EU’s GDPR. IP addresses are by default never exposed in reporting, but Google uses them to provide geolocation data.

That’s why it’s a good idea to turn on the IP anonymization feature in Google Analytics.

This change will slightly reduce the geographic reporting accuracy of your Google Analytics account. To turn on anonymization, you must make a change in the code:

If you use Google Tag Manager, adjust your tag or Google Analytics Settings variable by clicking into More Settings -> Fields to Set and then add a new field named ‘anonymizeIp’ with a value of ‘true’.

If you don’t use Google Tag Manager, your tag management system may have this setting exposed as an option, or you may need to edit the code directly.

Once implemented, Google will anonymize the IP address as soon as technically feasible by removing the last octet of the IP address before any storage or processing begins (your IP becomes 123.123.123.0 — where the last portion/octet is replaced with a ‘0’).

Once this feature is enabled, the full IP address is never written to the disk according to Google.
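Setting and verifying IP anonymization when you edit the code directly, as an added example that is not code from this page or from Google: it reproduces the last-octet masking described above and checks captured hits for the `aip` parameter that Universal Analytics sends when `anonymizeIp` is on. It assumes hits were captured as GET request URLs (for instance from a browser network export); the function names, sample hits and the `UA-XXXXX-Y` property ID are constructed placeholders.

```javascript
// Added example. Direct-edit equivalents of the Tag Manager field above:
//   analytics.js:  ga('set', 'anonymizeIp', true);
//   gtag.js:       gtag('config', 'UA-XXXXX-Y', { anonymize_ip: true });
// UA-XXXXX-Y is a placeholder; all function names below are hypothetical.

// The masking step as the page describes it: the last IPv4 octet becomes 0.
function maskLastOctet(ipv4) {
  const octets = String(ipv4).split('.');
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new TypeError('not an IPv4 address: ' + ipv4);
  return octets.slice(0, 3).concat('0').join('.');
}

// True for Universal Analytics hit endpoints (/collect, /j/collect, ...).
function isGaHit(hitUrl) {
  let url;
  try { url = new URL(hitUrl); } catch (e) { return false; }
  return url.hostname === 'www.google-analytics.com' &&
    url.pathname.endsWith('/collect');
}

// A hit requests anonymization when it carries the aip parameter.
function requestsAnonymization(hitUrl) {
  return new URL(hitUrl).searchParams.has('aip');
}

// Return the GA hits that would be processed with the full IP address.
function hitsMissingAnonymization(hitUrls) {
  return hitUrls.filter(isGaHit).filter((u) => !requestsAnonymization(u));
}

// Constructed sample of captured request URLs.
const SAMPLE_HITS = [
  'https://www.google-analytics.com/collect?v=1&t=pageview&tid=UA-XXXXX-Y' +
    '&cid=1234567890.1616544000&aip=1&dl=https%3A%2F%2Fexample.com%2F',
  'https://www.google-analytics.com/j/collect?v=1&t=pageview&tid=UA-XXXXX-Y' +
    '&cid=1234567890.1616544000&dl=https%3A%2F%2Fexample.com%2Fpricing',
  'https://example.com/assets/app.js',
];
```

Any URL returned by `hitsMissingAnonymization` points to a tag or settings variable where the field was not applied.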

Additionally, check your pseudonymous identifiers in your Google Analytics to make sure that data is not identifiable.

Your Google Analytics implementation may already be using pseudonymous identifiers such as –



Google Analytics and GDPR compliance in Germany


Minimum requirements for using Google Analytics under GDPR in Germany

On May 12, 2020, Germany’s supervisory data protection committee DSK (Datenschutzkonferenz) issued guidelines on minimum requirements for the use of Google Analytics on websites in Germany.

The DSK minimum requirements apply to regular use of Google Analytics (i.e. standard settings from Google, so basically how most websites would use the analytics tool upon normal implementation).




Germany sets minimum requirements for using Google Analytics that complement the wider EU’s GDPR.



The DSK minimum requirements for using Google Analytics in Germany include but are not limited to –

Read more about the DSK's minimum requirements for the use of Google Analytics under GDPR (blogpost in German)




FAQ


Is Google Analytics GDPR compliant?

By default, Google Analytics is not GDPR compliant. When using Google Analytics on your website, you must first obtain the explicit consent of end-users to activate the Google Analytics cookies, as well as describe all personal data processing in your website’s privacy policy. Using a consent management platform can automate the entire Google Analytics GDPR compliance process.



Do I need GDPR for Google Analytics?

If you have users from inside the EU, you need to be in compliance with the EU’s GDPR – no matter where in the world you and your website are located. Any processing of personal data from individuals inside the European Union requires their explicit consent to do so. This includes the use of Google Analytics, cookies and other tracking technologies on your website.


How do I generate GDPR compliance in Google Analytics?

Using Google Analytics in GDPR compliance on your website is all about getting the informed and explicit consent of your end-users. Google Analytics cookies collect data that are classified under the EU’s GDPR as personal data, requiring end-user consent before they can be activated and collect data. Use a consent management platform like Cookiebot CMP to automate the entire Google Analytics GDPR compliance process.


Does Google Analytics store personal data?

Yes. Various data that Google Analytics cookies can collect from your end-users through your website, such as IP addresses, unique IDs and ClientIDs, is data that either directly or in combination with other data can identify an individual. If this individual is located inside the EU, the GDPR protects their data privacy.


Does Google Analytics collect IP addresses?

Yes, Google Analytics can collect IP addresses, but you can turn on IP anonymization and ensure that Google Analytics does not process users’ actual IP address, but uses an anonymized IP address instead.



Does Google Analytics use cookies?

Yes, Google Analytics uses several different HTTP cookies, including some persistent cookies with a duration of up to two years. Google Analytics stores cookies on end-users’ browsers once they land on your website.


What cookies does Google Analytics use?

Google Analytics uses several HTTP cookies on your website, e.g. the statistics cookie _ga to distinguish individual users and track how they engage with your website. The _ga cookie in Google Analytics is stored on a user’s browser when they land on your website and lasts for two years. Explicit consent from users inside the EU is needed for this Google Analytics-cookie to be activated.



What is Google Analytics data?

Google Analytics can be used as a statistics tool on your website to measure performance and gain insights into how users behave on your website. Data that Google Analytics can offer about your website includes visitor measurements, performance insights of landing and subpages, number of times and time of day of previous visits to your website, and information about how users found your website.



What type of cookies does Google Analytics use?

Google Analytics cookies include several HTTP cookies that collect various information about your website’s users in order to offer you insights into your domain’s performance. Google Analytics cookies include _ga (cookie used to distinguish individual users on your domain), _gid (cookie used to distinguish individual users on your domain), _gat (cookie used to throttle request rates), AMP_TOKEN (cookie containing a unique ID assigned to each user on your domain) and _gac_ (cookie containing a unique ID that makes Google Analytics and Ads work together).


Can Google Analytics work without cookies?

Yes, using Google Consent Mode can make your website run Google Analytics based on the consent state of your end-users. If end-users choose not to consent to cookies, Google Consent Mode enables Google Analytics to collect basic measurements without the use of cookies, respecting user privacy while at the same time offering you valuable insight into your website’s performance.



What does Google Analytics add to the first-party cookie?

Google Analytics uses a ClientID in the _ga cookie that can distinguish and remember individual users upon repeated visits to your website. This requires end-user consent to be GDPR compliant.



