Updated April 3, 2020.
Google Analytics is by far the most popular tool for website owners to gain insight into how their site is being used.
But can the GDPR and Google Analytics coexist? Can you keep on using it and comply with the regulation, and what does it take? Determine if your use of Google Analytics is GDPR compliant.
Find out what Google is doing in preparation for the GDPR, what changes you should implement to your Google Analytics account, and how you can make your website’s use of Google Analytics compliant.
Scroll to Checklist 1 if you want to skip the introductions and get down to business right away.
Google Analytics is Google’s powerful and widely used traffic analytics tool that allows website owners to get deep and real time insight into how their site is being used, how much, and by whom.
How do users find your website, how do they move around on it, how long do they stay for, and where do they go from there?
As such, Google Analytics is essentially a user data processing tool.
The General Data Protection Regulation is a EU law that sets out strict requirements on how data of EU citizens may be handled.
It was enforced on 25 May 2018 and affects companies, organizations and websites large and small, that handle personal data of users from the EU.
For website owners, the regulation means that you have to go through all of your personal data processing activities and make sure that they comply.
Typically, data processing activities on websites are one of two types:
The GDPR means you have to go through both, and revise what data you are gathering, whether you really need this data and why, and how you are keeping it secure.
Due to their multiple uses, cookies are often the tricky part of ensuring compliance with the regulation.
Cookies serve a range of different purposes from functionality and performance, over statistics, to targeted marketing.
Some are necessary for the website to work, and some are not. Some enhance the user experience, some serve for monitoring and user profiling, and some do both.
Some are set by the website itself, while the majority are of third party provenance, typically set by embedded third party plug-ins.
On top of that, cookies on websites tend to change, meaning that getting an overview once and for all will not suffice.
In general terms, though, cookies do track users’ actions and are therefore subject to the GDPR.
Plugins, embedded content, and tools in use on your website all set cookies.
As a website owner, you are responsible for all of the data processing activities going on on your website, of first party and third party provenance unheeded.
The issue for website owners when it comes to using tools such as analytics, is the broad definition of personal data in the GDPR:
Not only IP addresses, contact information and sensitive data such as medical and financial records are personal, but also any data which can identify someone “directly or indirectly” using “all means reasonably likely to be used”.
This includes pseudonymous data, online identifiers and cookies which, as the GDPR states, can be combined with other data to create “profiles of the natural persons and identify them”.
Google Analytics works by means of tracking code that is added to the pages of your website. Every user is registered with a unique ID, so that Google Analytics can provide you with insight into how many unique visitors there are to the site, for example, and how many users return.
With Google Analytics, one can survey how often any single user has visited the website, what pages they visited, for how long they stayed and how they interacted with the site.
Combined with their enormous statistical data on internet users, Google Analytics can provide very precise information on what segments your website attracts according to demographics such as age, gender, professional and private interests, geographical location etc.
An accurate overview of what data Google Analytics actually tracks is difficult to get hold of, as it is constantly developing and improving, and Google does not provide transparency about their methods.
According to their Google Ads Data Protection Terms: Service Information, Google Analytics collects the following types of personal data:
We collect information to provide better services to all our users — from figuring out basic stuff like which language you speak, to more complex things like which ads you’ll find most useful, the people who matter most to you online, or which YouTube videos you might like. The information Google collects, and how that information is used, depends on how you use our services and how you manage your privacy controls.
When you’re not signed in to a Google Account, we store the information we collect with unique identifiers tied to the browser, application, or device you’re using. This helps us do things like maintain your language preferences across browsing sessions.
When you’re signed in, we also collect information that we store with your Google Account, which we treat as personal information.
Visit Google’s Privacy & Terms to read more on what information Google collects, why Google collects it and how you can take control of your data.
On their blog, Google in Europe, Google has been sharing information about how they are preparing to meet the requirements of the GDPR since August 2017.
During the spring 2018, they have regularly released updates about their work to become GDPR compliant: they have updated their EU User Consent Policy, made changes to their contract terms, and made changes to their products in order to meet the requirements:
In accordance to their advertising features policy, both Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU User Consent Policy.Google's EU User Consent Policy is being updated to reflect the legal requirements of the GDPR.
It sets out website owners responsibilities for making disclosures to, and obtaining consents from end users in the European Economic Area (henceforth EEA).
The policy is incorporated into the contracts for most Google ads and measurement products globally.
Google has been rolling out updates to their contracts for many products since August 2017, reflecting their status as either a processor or a controller under the GDPR (see full classification of Googles Ads products).
The new GDPR terms supplement your contract with Google and came into force on 25 May 2018.
In both Google Analytics and Analytics 360, Google operates as a processor of personal data that is handled in the service.
To comply, and support their customers compliance with GDPR, Google is:
However, all of these steps unheeded, as the owner of the website, you are the responsible party for the personal data of your visitors that is being handled on your site.
To prepare your use of Google Analytics for the GDPR, there are basically two things you should do:
It is not sufficient to filter out personal data via the Google Analytics filters.
The transmission must be stopped on code-level to prevent the data from ever being sent to Google Analytics.
Check your page url’s, page titles and other dimensions. Ensure that no personal data is being collected.
A common example of personal data collection is when you capture a page url that contains an “email= querystring” -parameter.
If this is the case, it is likely that you are leaking personal data to other marketing technologies in use on your site!
The IP address is personal data according to the definition in the GDPR. IP addresses are by default never exposed in reporting, but Google uses them to provide geolocation data.
Therefore, it is a good idea to turn on the IP anonymization feature in Google Analytics.
This change will slightly reduce the geographic reporting accuracy of your Google Analytics account.
To turn on anonymization, you must make a change in the code.
If you use Google Tag Manager, adjust your tag or Google Analytics Settings variable by clicking into More Settings -> Fields to Set and then add a new field named ‘anonymizeIp’ with a value of ‘true’.
If you don’t use Google Tag Manager, your tag management system may have this setting exposed as an option, or you may need to edit the code directly.
Once implemented, Google will anonymize the IP address as soon as technically feasible by removing the last octet of the IP address before any storage or processing begins (your IP becomes 22.214.171.124 — where the last portion/octet is replaced with a ‘0’). Once this features is enabled, the full IP address is never written to the disk according to Google.
Your Google Analytics implementation may already be using pseudonymous identifiers. These may include the following:
User ID: Control that the user IDs are alphanumeric database identifiers, and not data written in plain text such as emails, usernames etc.
Hashed/Encrypted data such as email address: Check, if you can do without hashed or encrypted data. Google has a minimum hashing requirement of SHA256. However, it is recommended to avoid collecting data in this manner.
Transaction IDs : Transaction IDs are technically pseudonymous identifiers, since when linked with another data source, it can lead to the identification of an individual. Make sure that this ID is an alphanumeric database identifier.
That way, your information to your users is always specific and up to date with the actual data processing going on, no matter how your tools and cookies change.
Also, the declaration automatically provides the mandatory options of changing and revoking consent.
Read more in our article about cookie consents and the GDPR.
Cookiebot is one of the few cookie consent solutions that does all of that.