Google Analytics and GDPR can go hand in hand if you adopt some best practices and change some settings. Google Analytics may not be GDPR compliant on its own; however, with some changes and updates, it certainly can be. It sets cookies on visitors’ devices to track their activities and generate reports. We will look into what cookies it uses and find out if it is GDPR compliant. We will also discuss the best practices for cookie consent banners for a website that uses Google Analytics.
What is Google Analytics?
Google Analytics is an analytics service by Google that collects visitor data and measures website traffic. It is a great tool that gives you insights into which channels are driving more traffic to your website. It tracks the website activity of the visitors, such as average time per session, web pages per session, and bounce rate, and also gives you page views (total and unique). If you integrate it with Google Ads, you can track your online campaigns and set goals for ad conversion. You can track the analytics data based on segments, such as age, gender, geolocation, device, etc.
How does Google Analytics track users?
Google Analytics sets the following cookies to track the users:
- _ga: this cookie is used to distinguish users on your website. It calculates visitor, session, campaign data and keeps track of site usage for the site’s analytics report. It has a default expiration time of two years.
- _gid: this cookie is used to distinguish users on your website. It is used to store information on how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected includes the number of visitors, their source, and the pages visited. It has a default expiration time of 24 hours.
- _gat: this cookie limits the user requests and expires in one minute.
- AMP_TOKEN: this cookie assigns a unique Client ID to each user visiting your website. Its expiration time is between 30 seconds and one year.
- _gac_<property-id>: this cookie collects information about ad campaigns if linked with Google Ads. It expires in 90 days.
These cookies collect data categorized as personal data under the GDPR. For example, Google Analytics collects the users’ IP addresses, which can identify them unless you anonymize them in the Analytics settings.
Is Google Analytics GDPR compliant?
GDPR strictly prohibits collecting personal data that can identify an individual without their consent. If your website uses Google Analytics, you are tracking and collecting user data, and for that, you require user consent. These users may not be aware that Analytics is tracking them and collecting data like the pages they visit, the time they spend on each page, location, age, country, and device information. So, here you are sharing your users’ information with a third party. They must be informed that Analytics sets cookies on their device to collect the required data.
Therefore, using Google Analytics without the user’s consent is risky and not the best GDPR-compliant practice.
How to make Google Analytics usage GDPR compliant?
If you adopt some best practices for handling user data along with some Google Analytics configuration, you can certainly make your Google Analytics usage GDPR compliant.
Do not send PII to Google
When collecting Analytics data, Google mandates that you must not send any personally identifiable information (PII) to Google. As per Google, PII is “information that could be used on its own to directly identify, contact, or precisely locate an individual. This includes:
- email addresses
- mailing addresses
- phone numbers
- precise locations
- full names or usernames”
Google excludes the following as PII:
- pseudonymous cookie IDs
- pseudonymous advertising IDs
- IP addresses
- other pseudonymous end user identifiers
However, these may be considered personal data under GDPR, CCPA and other laws.
Read how to avoid sending PII to Google here.
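One way to keep the PII categories listed above out of Analytics is to redact them from the page URL before it is reported. This is an added example, not code from Google or CookieYes; the parameter names in `PII_KEYS` and the sample URLs are assumptions.

```javascript
// Added example: strip PII from a page URL before it is reported to Analytics.
// PII_KEYS holds hypothetical query-parameter names; adapt the list to your site.
const PII_KEYS = new Set(['email', 'phone', 'name', 'username', 'address', 'lat', 'lng']);
// An e-mail address, with "@" either literal or percent-encoded.
const EMAIL = /[^\s/?&=#]+(?:@|%40)[^\s/?&=#]+\.[a-z]{2,}/i;

function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  // Copy the entries first so parameters can be rewritten while looping.
  for (const [key, value] of [...url.searchParams]) {
    if (PII_KEYS.has(key.toLowerCase()) || EMAIL.test(value)) {
      url.searchParams.set(key, 'REDACTED');
    }
  }
  // E-mail addresses also turn up in path segments such as /user/<email>/.
  url.pathname = url.pathname.replace(new RegExp(EMAIL.source, 'gi'), 'REDACTED');
  return url.toString();
}

// Constructed sample URLs (not taken from a real site).
const sampleUrls = [
  'https://shop.example/user/jane@example.com/profile?ref=newsletter&email=jane%40example.com&q=shoes',
  'https://shop.example/?contact=bob%40corp.example',
  'https://shop.example/cart?item=42',
];
for (const sample of sampleUrls) {
  console.log(redactUrl(sample));
}
```

In the browser, report the redacted string as the page location instead of letting the tag read `location.href` directly.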
Exercising data rights
Google Analytics’ settings allow you to ensure that users can easily exercise their rights.
You can decide how long it must store the data before automatically deleting it. And, it provides an option to delete user data upon request. You can have a maximum of 250 active (pending) user requests.
Google does not treat IP addresses as PII. However, as per GDPR’s definition, they are considered personal data. Therefore, if you collect the users’ IP addresses, mask or anonymize them so that they cannot be used to identify an individual.
Read how to anonymize IP addresses for GDPR compliance here.
Cookie banners and Google Analytics – best practices
- Messages about cookie usage on the website must be worded clearly and in plain language.
- The information on the banner must detail that the users have the right to accept or reject the cookies.
- There must be a user-friendly option for opting in and out of cookies.
- There must be a button or link to cookie settings, where they can set the cookie preferences based on the categories or their purpose.
- The purpose of each cookie or cookie category (including Google Analytics) must be clearly explained.
- Each cookie category (such as analytics) must have a consent option so that users can selectively enable or disable them.
- The website must not set any cookies (including Google Analytics) other than strictly necessary unless the users give their consent via the banner.
- The users must be able to withdraw consent (or change it) at any time and the callback option should be easily accessible.
- The consent obtained via the banner must be logged.
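The opt-in, withdrawal and logging rules above, combined with the cookie names listed earlier, can be sketched as a small consent gate. This is an added example, not CookieYes or Google code; the `loadAnalytics` and `expireCookie` callbacks and the sample cookie string are assumptions.

```javascript
// Added example: load Analytics only after opt-in, log every decision, and
// clear the Analytics cookies named on this page when consent is absent.
const GA_COOKIE = /^(_ga|_gid|_gat|AMP_TOKEN|_gac_.+)$/;

// Names of Analytics cookies found in a document.cookie-style string.
function findAnalyticsCookies(cookieString) {
  return cookieString
    .split(';')
    .map((pair) => pair.trim().split('=')[0])
    .filter((name) => GA_COOKIE.test(name));
}

// Consent store: analytics is off until the visitor opts in.
function createConsentManager(now = () => new Date().toISOString()) {
  const state = { necessary: true, analytics: false };
  const log = [];
  return {
    log,
    allows: (category) => state[category] === true,
    set(category, granted) {
      if (category === 'necessary') return; // strictly necessary stays on
      state[category] = Boolean(granted);
      log.push({ at: now(), category, granted: state[category] });
    },
  };
}

// In a browser, loadAnalytics would inject the Analytics script tag and
// expireCookie would write `${name}=; Max-Age=0; path=/` to document.cookie.
function applyConsent(consent, cookieString, loadAnalytics, expireCookie) {
  if (consent.allows('analytics')) {
    loadAnalytics();
    return { loaded: true, expired: [] };
  }
  const expired = findAnalyticsCookies(cookieString);
  expired.forEach((name) => expireCookie(name));
  return { loaded: false, expired };
}

// Constructed cookie string: Analytics cookies were set before any consent.
const sampleCookies = '_ga=GA1.2.111.222; session=abc; _gid=GA1.2.333; _gac_UA-1-1=x';
const demo = applyConsent(createConsentManager(), sampleCookies, () => {}, () => {});
console.log('cookies to clear before consent:', demo.expired);
```

Run `applyConsent` on page load and again whenever the visitor changes a preference, and persist the `log` entries server-side if the record must survive the session.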
CookieYes’ cookie consent solution provides the best cookie consent tool for your website to comply with laws like GDPR, CCPA and ePrivacy Directive, to name a few. You can easily add a cookie consent banner to your website and manage cookie consent from it.
If you use Google Analytics and want to be GDPR compliant, here is good news for you: CookieYes automatically blocks cookie scripts from third parties like Analytics before the users give their consent. So, you do not need to worry about violating GDPR standards while tracking website analytics.
Click here to find out how CookieYes’ cookie banners work.
Other than that, CookieYes’ solution provides you with all the features discussed above and more.