Google Analytics is by far the most popular tool for website owners to gain insight into how their site is being used.
But is it compliant with the GDPR? Can you keep on using it and comply with the regulation, and what does it take?
Find out what Google is doing in preparation for the GDPR, what changes you should implement to your Google Analytics account, and how you can make your website’s use of Google Analytics compliant.
Scroll to Checklist 1 if you want to skip the introductions and get down to business right away.
What is Google Analytics?
Google Analytics is Google’s powerful and widely used traffic analytics tool that allows website owners to get deep and real time insight into how their site is being used, how much, and by whom.
How do users find your website, how do they move around on it, how long do they stay for, and where do they go from there?
As such, Google Analytics is essentially a user data processing tool.
What is the GDPR and how does it affect my website?
The General Data Protection Regulation is a EU law that sets out strict requirements on how data of EU citizens may be handled.
It was enforced on 25 May 2018 and affects companies, organizations and websites large and small, that handle personal data of users from the EU.
For website owners, the regulation means that you have to go through all of your personal data processing activities and make sure that they comply.
Typically, data processing activities on websites are one of two types:
- on the one hand, contact forms, email subscriptions and the like, where the personal data is explicitly requested and submitted directly by the user,
- and cookies and online tracking on the other.
The GDPR means you have to go through both, and revise what data you are gathering, whether you really need this data and why, and how you are keeping it secure.
The problem with cookies in the GDPR
Due to their multiple uses, cookies are often the tricky part of ensuring compliance with the regulation.
Cookies serve a range of different purposes from functionality and performance, over statistics, to targeted marketing.
Some are necessary for the website to work, and some are not. Some enhance the user experience, some serve for monitoring and user profiling, and some do both.
Some are set by the website itself, while the majority are of third party provenance, typically set by embedded third party plug-ins.
On top of that, cookies on websites tend to change, meaning that getting an overview once and for all will not suffice.
In general terms, though, cookies do track users’ actions and are therefore subject to the GDPR.
Plugins, embedded content, and tools in use on your website all set cookies.
As a website owner, you are responsible for all of the data processing activities going on on your website, of first party and third party provenance unheeded.
What is considered “personal data” in the GDPR?
The issue for website owners when it comes to using tools such as analytics, is the broad definition of personal data in the GDPR:
Not only IP addresses, contact information and sensitive data such as medical and financial records are personal, but also any data which can identify someone “directly or indirectly” using “all means reasonably likely to be used”.
This includes pseudonymous data, online identifiers and cookies which, as the GDPR states, can be combined with other data to create “profiles of the natural persons and identify them”.
What personal data does Google Analytics collect?
Google Analytics works by means of tracking code that is added to the pages of your website. Every user is registered with a unique ID, so that Google Analytics can provide you with insight into how many unique visitors there are to the site, for example, and how many users return.
With Google Analytics, one can survey how often any single user has visited the website, what pages they visited, for how long they stayed and how they interacted with the site.
Combined with their enormous statistical data on internet users, Google Analytics can provide very precise information on what segments your website attracts according to demographics such as age, gender, professional and private interests, geographical location etc.
An accurate overview of what data Google Analytics actually tracks is difficult to get hold of, as it is constantly developing and improving, and Google does not provide transparency about their methods.
According to their Google Ads Data Protection Terms: Service Information, Google Analytics collects the following types of personal data:
- Online identifiers including cookie identifiers
- internet protocol addresses and device identifiers
- client identifiers
"We collect information to provide better services to all of our users – from figuring out basic stuff like which language you speak, to more complex things like which ads you’ll find most useful, the people who matter most to you online, or which YouTube videos you might like.
We collect information in two ways:
1. Information you give us.
For example, many of our services require you to sign up for a Google Account. When you do, we’ll ask for personal information, like your name, email address, telephone number or credit card. If you want to take full advantage of the sharing features we offer, we might also ask you to create a publicly visible Google Profile, which may include your name and photo.
2. Information we get from your use of our services.
We collect information about the services that you use and how you use them, like when you watch a video on YouTube, visit a website that uses our advertising services, or you view and interact with our ads and content."
According to the GDPR’s definition of personal data described above, the tracking of user behaviour and profiling is only compliant with the EU-regulations when the website obtains prior consent from the visitor, i.e. blocking Analytics until the visitor has opted in.
So, what is Google Analytics doing in preparation for the GDPR enforcement?
On their blog, Google in Europe, Google has been sharing information about how they are preparing to meet the requirements of the GDPR since August 2017.
During the spring 2018, they have regularly released updates about their work to become GDPR compliant: they have updated their EU User Consent Policy, made changes to their contract terms, and made changes to their products in order to meet the requirements:
Updated EU User Consent Policy
In accordance to their advertising features policy, both Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU User Consent Policy.Google's EU User Consent Policy is being updated to reflect the legal requirements of the GDPR.
It sets out website owners responsibilities for making disclosures to, and obtaining consents from end users in the European Economic Area (henceforth EEA).
The policy is incorporated into the contracts for most Google ads and measurement products globally.
Google has been rolling out updates to their contracts for many products since August 2017, reflecting their status as either a processor or a controller under the GDPR (see full classification of Googles Ads products).
The new GDPR terms supplement your contract with Google and came into force on 25 May 2018.
In both Google Analytics and Analytics 360, Google operates as a processor of personal data that is handled in the service.
- For Google Analytics clients based outside the EEA and all Analytics 360 customers, updated data processing terms are available for your review/acceptance in your accounts (Admin ➝ Account Settings).
- For Google Analytics clients based in the EEA, updated data processing terms have already been included in your terms.
- If you don’t contract with Google for your use of Google products, Google advises to seek advice from the parties with whom you contract.
To comply, and support their customers compliance with GDPR, Google is:
- Making some changes across the network of publisher sites on which your ads may appear - enabling publishers to show non-personalised ads and to select which third parties measure and serve ads for EEA users on their sites and apps.
- Taking steps to limit the processing of personal information for children under the GDPR Age of Consent in individual member states.
- They have introduced granular data retention controls that allow you to manage how long your user and event data is held on their servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select.
- They are in the proces of launching a new user deletion tool that allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics and/or Analytics 360 properties. This new automated tool will work based on any of the common identifiers sent to Analytics Client ID (i.e. standard Google Analytics first party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase).
- Exploring consent solutions for publishers, including working with industry groups like IAB Europe.
Find out more
What YOU should do
However, all of these steps unheeded, as the owner of the website, you are the responsible party for the personal data of your visitors that is being handled on your site.
To prepare your use of Google Analytics for the GDPR, there are basically two things you should do:
- Make changes in your Google Analytics account settings
- Make sure that your website’s use of Google Analytics and other tools is compliant.
Checklist 1: Steps to make your Google Analytics GDPR compliant
1. Control how you are transmitting personal data to Google
It is not sufficient to filter out personal data via the Google Analytics filters.
The transmission must be stopped on code-level to prevent the data from ever being sent to Google Analytics.
Check your page url’s, page titles and other dimensions. Ensure that no personal data is being collected.
A common example of personal data collection is when you capture a page url that contains an “email= querystring” -parameter.
If this is the case, it is likely that you are leaking personal data to other marketing technologies in use on your site!
2. Turn on IP Anonymization
The IP address is personal data according to the definition in the GDPR. IP addresses are by default never exposed in reporting, but Google uses them to provide geolocation data.
Therefore, it is a good idea to turn on the IP anonymization feature in Google Analytics.
This change will slightly reduce the geographic reporting accuracy of your Google Analytics account.
To turn on anonymization, you must make a change in the code.
If you use Google Tag Manager, adjust your tag or Google Analytics Settings variable by clicking into More Settings -> Fields to Set and then add a new field named ‘anonymizeIp’ with a value of ‘true’.
If you don’t use Google Tag Manager, your tag management system may have this setting exposed as an option, or you may need to edit the code directly.
Once implemented, Google will anonymize the IP address as soon as technically feasible by removing the last octet of the IP address before any storage or processing begins (your IP becomes 126.96.36.199 — where the last portion/octet is replaced with a ‘0’). Once this features is enabled, the full IP address is never written to the disk according to Google.
3. Go through the collection of Pseudonymous Identifiers in your Google Analytics
Your Google Analytics implementation may already be using pseudonymous identifiers. These may include the following:
User ID: Control that the user IDs are alphanumeric database identifiers, and not data written in plain text such as emails, usernames etc.
Hashed/Encrypted data such as email address: Check, if you can do without hashed or encrypted data. Google has a minimum hashing requirement of SHA256. However, it is recommended to avoid collecting data in this manner.
Transaction IDs : Transaction IDs are technically pseudonymous identifiers, since when linked with another data source, it can lead to the identification of an individual. Make sure that this ID is an alphanumeric database identifier.
Checklist 2: Steps to make your website’s use of Google Analytics etc. compliant
- is specific and up-to-date at all times,
- is written in a plain and understandable language,
- provides clear instructions on how one may opt in and out of ones data being collected.
That way, your information to your users is always specific and up to date with the actual data processing going on, no matter how your tools and cookies change.
Also, the declaration automatically provides the mandatory options of changing and revoking consent.
2. Implement a GDPR compliant cookie consent
- Obtained prior to the setting of the cookies on the user’s browser (strictly necessary cookies are excepted from this rule)
- Given on the basis of clear and specific information about what the consent is given to
- Based on a true choice. The user must be able to opt out of all but the strictly necessary cookies and still use the site.
- Retrievable. The user must have access to their settings and make changes to what cookies they want to accept and reject.
- Kept as documentation that the consent has been given.
Read more in our article about cookie consents and the GDPR.
Cookiebot is one of the few cookie consent solutions that does all of that.
GDPR Report: GDPR and Google Analytics
Digital Third Coast: How does Google Analytics actually work?
Shivarweb: What does Google Analytics do?
Google developers guide: Google Analytics cookie usage on websites
Stackoverflow: What data is collected by Google Analytics (by default)
Medium: Google Analytics and GDPR Compliance
Google Ads Data Protection Terms: Service Information
GOOGLE IN EUROPE Getting ready for Europe’s new data protection rules
Googles EU User Consent Policy
Full classification of Googles Ads products