google analytics and cookie banners

Google Analytics and Cookie Consent Banners

Last updated on July 27, 2021|Published on June 7, 2021

Google Analytics and GDPR can go hand in hand if you adopt some best practices and make some setting changes. The Analytics may not be GDPR compliant on its own, however, with some changes and updations, it certainly can be. It sets cookies on visitors’ devices to track their activities and generate reports. We will look into what cookies it uses and find out if it is GDPR compliant. We will also discuss the best practices for cookie consent banners for a website that uses Google Analytics.

What is Google Analytics?

Google Analytics is an analytics service by Google that collects visitor data and measures website traffic. It is a great tool that gives you insights into what channels are driving more traffic ono your website. It tracks the website activity of the visitors, such as average time per session, web pages per session, and bounce rate, and also gives you page views (total and unique). If you integrate it with Google Ads, you can track your online campaigns and set goals for ad conversion. You can track the analytics data based on segments, such as age, gender, geolocation, device, etc. 

How does Google Analytics track users?

When you register your website with Google Analytics, it will place a javascript code or tracking code on your website. When a user visits your website, it activates the code, which monitors and logs the necessary analytics data. The code tracks the users via cookies and hits, acquires their data, and sends it to the Google server.

Google Analytics tracking code (including cookies)

Google Analytics sets the following cookies to track the users:

  • _ga: this cookie is used to distinguish users on your website. It calculates visitor, session, campaign data and keeps track of site usage for the site’s analytics report. It has a default expiration time of two years.
  • _gid: this cookie is used to distinguish users on your website. It is used to store information on how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected includes the number of visitors, their source, and the pages visited. It has a default expiration time of 24 hours.
  • _gat: this cookie limits the user requests and expires in one minute.
  • AMP_TOKEN: this cookie assigns a unique Client ID to each user visiting your website. Its expiration time is between 30 seconds to one year. 
  • _gac_<property-id>: this cookie collects information about ad campaigns if linked with Google Ads. It expires in 90 days.

These cookies collect data categorized as personal data under the GDPR. E.g. Google Analytics collects IP addresses of the users that can identify them unless you anonymize them from the Analytics settings. 

Is Google Analytics GDPR compliant?

GDPR strictly prohibits collecting personal data that can identify an individual without their consent. If your website uses Google Analytics, you are tracking and collecting user data, and for that, you require user consent. These users may not be aware that Analytics is tracking them and collecting data like the pages they visit, the time they spent on each page, location, age, country, and device information. So, here you are sharing your users’ information with a third party. They must be informed that Analytics sets cookies on their device to collect the required data.

While it is debatable that the GDPR allows data collection without consent if there is a legitimate interest at play. Many marketers see anonymous analytics reports as a legitimate interest. Also, data protection authority CNIL and the regulation, ePrivacy Regulation exempt analytics cookies from consent if it generates an anonymous report. However, there are many cases where website analytics require user consent. E.g. Germany’s DSK does not consider website analytics using a third-party tool as a legitimate interest. It says that websites that use Google Analytics must obtain freely given, informed and explicit user consent to use the Analytics cookies, and provide an option to withdraw it. They must also provide a clear privacy policy, be transparent about their data collection and process practices and anonymize users’ IP addresses.

Therefore, using Google Analytics without the user’s consent is risky and not the best GDPR compliant practice.  

How to make Google Analytics usage GDPR complaint?

If you adopt some best practices for handling user data along with some Google Analytics configuration, you can certainly make your Google Analytics usage GDPR compliant.

End-user consent

Google’s EU user consent policy states that you must get end users’ “legally valid consent” to use Analytics cookies use of cookies and collect, share and use personal data for personalized ads. While seeking consent, you must log the user consents you receive and give them a clear explanation of how they can withdraw it.

Do not send PII to Google

When collecting Analytics data, Google mandates that you must not send any personally identifiable information (PII) to Google. As per Google, PII is “information that could be used on its own to directly identify, contact, or precisely locate an individual. This includes:

  • email addresses
  • mailing addresses
  • phone numbers
  • precise locations 
  • full names or usernames”

Google excludes the following as PII:

  • pseudonymous cookie IDs
  • pseudonymous advertising IDs
  • IP addresses
  • other pseudonymous end user identifiers

However, these may be considered as personal data under GDPR, CCPA and other laws. 

Read how to avoid sending PII to Google here.

Exercising data rights

Google Analytics’  setting allows you to ensure the users can easily exercise their rights.

You can decide how long it must store the data before automatically deleting it. And, it provides an option to delete user data upon request. You can have a maximum of 250 active (pending) user requests.

IP anonymization

Google excludes IP addresses as PII. However, as per GDPR’s definition, it is considered personal data. Therefore, if you collect the users’ IP addresses, mask or anonymize them so that it is not possible to identify an individual using it.

Read how to anonymize IP addresses for GDPR compliance here.

Update privacy policy

A privacy policy is a legal statement on your website that discloses why and how you collect, use, share the personal data of the users. It should give the users adequate information so that they can take an informed decision on whether to let your website collect, use and share their data.

While creating or updating a privacy policy, there are many other factors that you should keep in mind as well. Read more about it here.

Cookie banners and Google Analytics – best practices

As already mentioned, obtaining end-user consent is crucial to making your use of Google Analytics GDPR compliant. Analytics uses cookies (and other trackers) to track users. Therefore, you need a cookie consent banner on your website to collect user consent. Considering the cookie guidelines from EDPB, CNIL and ePrivacy Regulation, let us see the best practices for using cookie banners for Google Analytics. 

  • Cookie messages about cookie usage in the website must be worded clearly and in plain language.
  • The information on the banner must detail that the users have the right to accept or reject the cookies.
  • There must be a user-friendly option for opting in and out of cookies. 
  • A link to privacy/cookie policy (that explains the Analytics usage of cookies and user data) on the banner is preferable.
  • There must be a button or link to cookie settings, where they can set the cookie preferences based on the categories or their purpose.
  • The purpose of each cookie or cookie category (including Google Analytics) must be clearly explained.
  • Each cookie category (such as analytics) must have a consent option so that users can selectively enable or disable them.
  • The website must not set any cookies (including Google Analytics) other than strictly necessary unless the users give their consent via the banner.
  • The users must be able to withdraw consent (or change it) at any time and the callback option should be easily accessible. 
  • The consent obtained via the banner must be logged.

Here is a quick overview of the best practices:

google analytics and cookie banners best practices to follow infographics

CookieYes’ cookie consent solution provides the best cookie consent tool for your website to comply with laws like GDPR, CCPA and ePrivacy Directive, to name a few. You can easily add a cookie consent banner on your website and manage cookie consent on your website.

If you use Google Analytics and want to be GDPR compliant, here is good news for you — CookieYes automatically blocks cookie scripts from third parties like Analytics before the users give their consent. So, you do not need to worry about having violating GDPR standards while tracking website analytics.

Click here to find out how CookieYes’ cookie banners work.

Other than that, CookieYes’ solution provides you with all the features discussed above and more.

Start a 14-day free trial

Trials start with all our features enabled. Cancel anytime. No credit card required.