Logo Logo
Cookiebot

The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR) affect how you as a website owner may use Google Analytics to track your visitors from the EU.

 

Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

Google Analytics GDPR compliance

Updated September 4, 2020.


Google Analytics is by far the most popular tool for website owners to gain insight into how their site is being used.

In this article, we give an introduction to Google Analytics and GDPR’s requirements for using Google Analytics compliantly.

We also look at how you can use the Google Consent Mode to make your Google Analytics run based on the consent state of your end-user for maximized insights in full GDPR compliance.

Find out how to make your Google Analytics GDPR compliant with Cookiebot in this blogpost.


NEWS: Google Consent Mode for Google Analytics in GDPR compliance


The Google Consent Mode launched on September 3, 2020 is a huge step towards finding a balance for your website between data privacy compliance and analytics insights.

The Google Consent Mode is an open API that enables your website to run all its Google-services (such as Google Analytics, Google Ads, Gtag, Google Tag Manager and more) based on the consent state of your end-users in integration with a consent management platform (CMP) - like Cookiebot.

With the Google Consent Mode, you can manage your Google Analytics, cookies and user consent all in one to secure compliant and non-personalized advertisement for your website.

If users don't give their consent to statistics cookies, Google Consent Mode makes sure that you still get aggregate and non-identifying insights into your website’s performance, such as -

Google Consent Mode ensures full GDPR compliance simultaneously with optimized analytics data – respecting both end-user privacy and your website’s need for data and user insights.

By using a consent management platform like Cookiebot to ask for and obtain the prior consent for processing personal data from users, your website can use this consent state to let the Google Consent Mode run all your website’s preferred Google-services in a simple, streamlined way.

Try the Google Consent Mode on your website with Cookiebot for full balance between GDPR compliance and digital advertisement.

Read Google’s blogpost for more info on the Google Consent Mode

Try Cookiebot free for 30 days… or forever if you have a small website.

Scan your website for free to see what cookies and trackers you use



What is Google Analytics?


Google Analytics is Google’s powerful and widely used traffic analytics tool that allows website owners to get deep and real time insight into how their site is being used, how much, and by whom.

Google Analytics is like a map of your website that shows you where users travel to and from, and how they behave when on your domain. This gives you insight into your domain’s performance and lets you optimize it.

Technically, Google Analytics works through JavaScript tags that run in your website’s source code after implementation and is usually operated with Google Tag Manager.

When a user visits your website, the JavaScript tags of Google Analytics with load and place cookies on the user’s browser which contain ClientIDs – a string of numbers that is particular to that individual user.

This allows Google Analytics to recognize and track users and their behavior on your website, and across the Internet.

But this is not only how Google Analytics work, but also where the GDPR comes into play.

Try Cookiebot free for 30 days to make your website and its use of Google Analytics GDPR compliant.


What is the GDPR and how does it affect my website?


The General Data Protection Regulation is an EU law that governs the processing of personal data of individuals inside the European Union.

The GDPR requires websites who process personal data from inside the EU to obtain a legitimate legal basis for doing so prior to the processing.

This means that if your website processes personal data from visitors using cookies and trackers, you need to ask for and obtain the clear and affirmative consent prior to doing so.

Any processing of personal data (including IP addresses, search and browser history, unique IDs etc.) without the prior consent of the user is unlawful under the GDPR.

Only cookies that are strictly necessary for the basic function of your website is allowed to be activated and run without prior user consent.

However, Google Analytics and its personal data processing cookies cannot be classified as necessary cookies. They are third-party statistics cookies and therefore need the prior consent from users in order to be activated and run on your website.



Cookies, GDPR and Google Analytics

Cookies serve a range of different purposes from functionality and performance, over statistics, to targeted marketing.

Some are necessary for the website to work, and some are not. Some enhance the user experience, some serve for monitoring and user profiling, and some do both.

Some are set by the website itself, while the majority are of third party provenance, typically set by embedded third party plug-ins.

On top of that, cookies on websites tend to change, meaning that getting an overview once and for all will not suffice.

In general terms, though, cookies do track users’ actions and are therefore subject to the GDPR.

The regulation affects your use of cookies and online tracking, your cookie policy and privacy policy, and the manner in which you obtain consent from your users for setting the cookies.

Plugins, embedded content, and tools in use on your website all set cookies.

As a website owner, you are responsible for all of the data processing activities going on on your website, of first party and third party provenance unheeded.

Learn more about GDPR and cookie consent


Cookiebot and Google Analytics


Cookiebot is a consent management platform that deep-scans your website to detect and automatically control all cookies and trackers.

Cookiebot’s plug and play consent solution organizes your website’s cookies into four simple cookies categories that your users can activate or deactivate prior to any personal data processing.



Google Analytics and GDPR compliance with Cookiebot.

Cookiebot’s consent banner making your website and its use of Google Analytics GDPR compliant.



Using Cookiebot’s consent management platform can help ensure that your website’s use of Google Analytics is compliant with the GDPR.

Try Cookiebot free for 30 days… or forever if you have a small website.


Steps to make your Google Analytics GDPR compliant



1. Control how you are transmitting personal data to Google

It is not sufficient to filter out personal data via the Google Analytics filters.

The transmission must be stopped on code-level to prevent the data from ever being sent to Google Analytics.

Check your page url’s, page titles and other dimensions. Ensure that no personal data is being collected.

A common example of personal data collection is when you capture a page url that contains an “email= querystring” -parameter.

If this is the case, it is likely that you are leaking personal data to other marketing technologies in use on your site!


2. Turn on IP Anonymization in your Google Analytics account

The IP address is personal data according to the definition in the GDPR. IP addresses are by default never exposed in reporting, but Google uses them to provide geolocation data.

Therefore, it is a good idea to turn on the IP anonymization feature in Google Analytics.

This change will slightly reduce the geographic reporting accuracy of your Google Analytics account.

To turn on anonymization, you must make a change in the code.

If you use Google Tag Manager, adjust your tag or Google Analytics Settings variable by clicking into More Settings -> Fields to Set and then add a new field named ‘anonymizeIp’ with a value of ‘true’.

If you don’t use Google Tag Manager, your tag management system may have this setting exposed as an option, or you may need to edit the code directly.

Once implemented, Google will anonymize the IP address as soon as technically feasible by removing the last octet of the IP address before any storage or processing begins (your IP becomes 123.123.123.0 — where the last portion/octet is replaced with a ‘0’). Once this features is enabled, the full IP address is never written to the disk according to Google.


3. Go through the collection of Pseudonymous Identifiers in your Google Analytics

Your Google Analytics implementation may already be using pseudonymous identifiers. These may include the following:

User ID: Control that the user IDs are alphanumeric database identifiers, and not data written in plain text such as emails, usernames etc.

Hashed/Encrypted data such as email address:  Check, if you can do without hashed or encrypted data. Google has a minimum hashing requirement of SHA256. However, it is recommended to avoid collecting data in this manner.

Transaction IDs : Transaction IDs are technically pseudonymous identifiers, since when linked with another data source, it can lead to the identification of an individual. Make sure that this ID is an alphanumeric database identifier.


Steps to make your website’s use of Google Analytics and privacy policy GDPR compliant



1. Provide transparency about the data processing on your site in your privacy policy and / or cookie policy

Make sure that the actual data processing that is going on on your website is clearly stated, for example in your privacy policy. It is a requirement of the GDPR, that the information on the data collection…

Read more about the requirements and how to comply in our article Privacy policy.

Do you have a proper cookie policy in place? The cookie policy should be accessible for your users, and outline what cookies are in use, what purpose they serve, and how one may opt in and out of them.


Google Analytics and privacy policy

It doesn’t matter whether your cookie policy is an independent document or integrated in your privacy policy, as long as the information is easily accessible for your users.

Read more about the requirements for the cookie policy and how to comply with them.

With Cookiebot, the monthly report of the scan of your website can be published as an integrated part of your privacy policy and cookie policy.

Read more about our cookie scanner technology here.

That way, your information to your users is always specific and up to date with the actual data processing going on, no matter how your tools and cookies change.

Also, the declaration automatically provides the mandatory options of changing and revoking consent.


2. Google Analytics and GDPR consent to cookies and tracking

Getting a proper consent to the use of cookies from your visitors is a crucial part of rendering your website compliant with the GDPR. In order to be compliant, the consent has to be…

Read more in our article about cookie consents and the GDPR.

Cookiebot is one of the few cookie consent solutions that does all of that.

You can’t control Google. But by implementing Cookiebot, you can make your website’s use of cookies and online tracking GDPR compliant.

Try Cookiebot free for 30 days... or forever if you have a small website.


So, what has Google done to make Google Analytics GDPR ready?


On their blog, Google in Europe, Google has been sharing information about how they are preparing to meet the requirements of the GDPR since August 2017.

During the spring 2018, they have regularly released updates about their work to become GDPR compliant: they have updated their EU User Consent Policy, made changes to their contract terms, and made changes to their products in order to meet the requirements.


Google Analytics' GDPR updated EU User Consent Policy

In accordance to their advertising features policy, both Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU User Consent Policy.Google's EU User Consent Policy is being updated to reflect the legal requirements of the GDPR.

It sets out website owners responsibilities for making disclosures to, and obtaining consents from end users in the European Economic Area (henceforth EEA).

For example, under that policy, advertisers will be required to obtain consent from users for the collection of data for personalized ads (e.g. remarketing tags to build audience lists) and for the use of cookies where legally required (e.g. conversion tags).

The policy is incorporated into the contracts for most Google ads and measurement products globally.


Germany: minimum requirements for using Google Analytics under GDPR


On May 12, 2020, Germany’s supervisory data protection committee DSK (Datenschutzkonferenz) issued guidelines on minimum requirements for the use of Google Analytics on websites in Germany.

The DSK minimum requirements are applicable on regular use of Google Analytics (i.e. standard settings from Google, so basically how most websites would use the analytics tool upon normal implementation).

The DSK minimum requirements for using Google Analytics in Germany include but are not limited to:

Read more about the DSK's minimum requirements for the use of Google Analytics under GDPR (blogpost in German)

Try Cookiebot free for 30 days... or forever if you have a small website and make your website and its use of Google Analytics GDPR compliant.


Google Analytics' GDPR contract changes

Google has been rolling out updates to their contracts for many products since August 2017, reflecting their status as either a processor or a controller under the GDPR (see full classification of Googles Ads products).

The new GDPR terms supplement your contract with Google and came into force on 25 May 2018.

In both Google Analytics and Analytics 360, Google operates as a processor of personal data that is handled in the service.


Google Analytics' GDPR product changes

To comply, and support their customers compliance with GDPR, Google is:


Find out more about Google Analytics GDPR-readiness

See privacy.google.com/businesses to learn more about Google’s data privacy policies and approach, as well as their data processing terms and data controller terms.

Try Cookiebot free for 30 days... or forever if you have a small website.


What YOU should do to make your use of Google Analytics GDPR compliant

However, all of these steps unheeded, as the owner of the website, you are the responsible party for the personal data of your visitors that is being handled on your site.

See this useful article on how to prepare your use of Google Analytics for the GDPR.

To prepare your use of Google Analytics for the GDPR, there are basically two things you should do:

  1. Make changes in your Google Analytics account settings
  2. Make sure that your website’s use of Google Analytics and other tools is compliant.


FAQ


Is Google Analytics GDPR compliant?

Using Google Analytics on your website will set third-party cookies on your end-user’s browser. This is only legal in the EU if you have asked for and obtained the explicit consent of the end-user before activating the Google Analytics cookies.

Learn more about GDPR and cookie consent


Which cookies do my website use?

If you use Google Analytics on your website, third-party cookies from Google are in operation that contain unique IDs able to identify individual users. If you use social media links, other analytics tools or marketing software, these will also set third-party cookies that require the explicit consent of users to use.

Scan your website for free with Cookiebot to see what cookies you use


How can I control my website’s cookies?

By using a consent management platform that can scan your website and enable your end-users to give their consent to the specific processing purposes of each cookie category, you can gain control of your websites cookie and tracking setup – even of the third-party cookies that come with using analytics programs.

Try Cookiebot free for 30 days... or forever if you have a small website.


How can my website become GDPR compliant?

Your website must inform its users of all personal data processing that goes on, and enable users to activate and deactivate cookies and trackers based on their specific processing purposes (e.g. preference cookies, statistics cookies, marketing cookies). Your website must ask for and obtain the explicit consent from users prior to any personal data processing.

Try Cookiebot free for full GDPR compliance


Resources


GDPR Report: GDPR and Google Analytics


Shivarweb: What does Google Analytics do?


Google developers guide: Google Analytics cookie usage on websites


Stackoverflow: What data is collected by Google Analytics (by default)


Google's Privacy policy


Medium: Google Analytics and GDPR Compliance


Google Ads Data Protection Terms: Service Information


GOOGLE IN EUROPE Getting ready for Europe’s new data protection rules


Googles EU User Consent Policy


Full classification of Googles Ads products

New Google Consent Mode 

Cookiebot integrates perfectly with the new Google Consent Mode.

Make your website’s use of cookies and online tracking compliant today

Try for free