Google Analytics is the most popular web analytics service; you can use it to track traffic, conversions, and plenty of other useful data. It’s free, it provides vital statistics, and it’s easier than ever to get started. Like any technology, it can also be used in a non-compliant way that could get your business into trouble. Google Analytics is not GDPR-compliant out of the box, but it is possible to adjust your analytics settings so that your use of it meets the requirements of GDPR while you still make the most of your website traffic data. We will tell you how.

How does Google Analytics work?

The way it works is quite simple. You register your website with Google Analytics, then paste the tracking code into the source code of your website. When a visitor accesses your site and views a page, the tracking code runs in the visitor’s browser. It collects and sends data to the Google Analytics server identifying the pages viewed and giving information like how long a visitor stays at your site and which links they clicked on.

The tracking code relies on cookies set in the visitor’s browser to keep the identifiers it needs between page views. Universal Analytics sets the following first-party cookies:

  • _ga: Used to distinguish users. It stores a randomly generated Client ID, which Analytics uses to compute visitor, session, and campaign data and to attribute page views to the same browser across visits. Default expiry: two years.
  • _gid: Also used to distinguish users, but on a 24-hour horizon. It lets Analytics build the daily picture of how the site is used: number of visitors, their source, and the pages visited. Default expiry: 24 hours.
  • _gat: Used to throttle the request rate so that a burst of hits from one browser is not all sent to Google. Expires after one minute.
  • AMP_TOKEN: Contains a token that can be used to retrieve a Client ID from the AMP Client ID service (or an error or opt-out marker instead). Expires after anywhere between 30 seconds and one year.
  • _gac_<property-id>: Holds campaign information for the user when the property is linked with Google Ads. Expires after 90 days.

Analytics depends on these cookies to recognise a returning browser, so in a browser that blocks them it cannot link page views into sessions or users, and the tracking does not work as intended.

What personal data is collected by Google Analytics?

Google’s terms state that Google Analytics does not collect personally identifiable information (PII) such as name, email address, mailing address, precise location, or phone number. It does, however, use persistent identifiers: the visitor’s IP address (which is sent to and processed on Google’s servers, not stored in your own database), the Client ID stored in the _ga cookie, and, if you enable the feature, a User ID that lets you track sessions across devices. These identifiers end up in your reports.

Google’s terms do not treat persistent identifiers and cookie identifiers as PII. Under GDPR, however, personal data is any information relating to an identified or identifiable living individual, directly or indirectly. That includes obvious identifiers like a name or email address, but it extends to online identifiers such as IP addresses and cookie identifiers, which Recital 30 of the Regulation names explicitly.

How does GDPR affect Google Analytics?

Because Analytics collects personal data in this sense, the GDPR applies to websites that use it to track visitors located in the EU/EEA, wherever the website itself is based.

GDPR requires a lawful basis for this processing, and for analytics cookies that basis is normally consent that is freely given, specific, informed, and unambiguous (storing the cookie itself also falls under the ePrivacy rules, which require consent for anything non-essential placed on a user’s device). Some authorities carve out a narrow exception: France’s CNIL exempts audience-measurement cookies from consent when they only produce aggregated statistics and meet strict conditions, and the draft ePrivacy Regulation proposes a similar exemption.

In practice, Google Analytics in its standard configuration does not qualify for such exemptions, and consent is required. Let’s look at the EU Member States that have issued rulings or guidance on the use of Analytics.

Germany

Germany’s DSK (the conference of the federal and state data protection authorities) does not accept legitimate interest as a basis for website analytics through a third-party tool. In its view, websites using Google Analytics must obtain freely given, informed, and unambiguous consent before the Analytics tracking technology runs, and must offer a way to withdraw it. They must also publish a clear privacy policy, be transparent about what they collect and how they process it, and anonymize visitors’ IP addresses.

Austria

In January 2022, the Austrian data protection authority (DSB), ruling on one of the complaints filed by noyb, rejected the argument that persistent identifiers such as the Client ID and IP address do not identify an individual, and concluded that the Standard Contractual Clauses (SCCs) between the website and Google, even with Google’s additional measures, were insufficient to protect European personal data to the standard required by the Schrems II judgment.

France

On February 10, 2022, France’s CNIL issued formal notices to several organizations using Analytics because the tool transfers personal data to the US unlawfully. The CNIL has since said that a properly configured proxy server, which pseudonymizes the data and strips IP addresses before anything leaves the EU, can mitigate the risk to users.

Italy

On June 23, 2022, the Italian DPA, the Garante, likewise announced in a press statement that transferring Google Analytics data collected through cookies to the US is unlawful, and gave the website concerned 90 days to bring its processing into compliance.

Denmark

On September 21, 2022, Denmark’s Datatilsynet declared that Google Analytics cannot be used lawfully as it stands, because it transfers personal data to the US, which does not provide an adequate level of protection. Companies using Google Analytics must assess their compliance with EU data protection law and either take remedial measures or stop using the tool. Datatilsynet recommends technical supplementary measures, such as pseudonymization through a reverse proxy, and has published a Google Analytics FAQ.

Norway

The Norwegian Data Protection Authority has preliminarily concluded that the use of Google Analytics by a Norwegian website is in breach of GDPR transfer rules. This is in response to a complaint by noyb about several European websites’ use of the tool. Other European data supervisory authorities have already decided that the use of Google Analytics violates privacy rules. The Norwegian Data Protection Authority has given the parties involved three weeks to comment on the preliminary conclusions. This is a cross-border case, so a draft decision will be sent to other affected data supervisory authorities in the EEA before a final decision is made. The Authority recommends exploring alternatives to Google Analytics. A final decision may not be made until the end of April 2023 at the earliest.

Therefore, using Google Analytics without careful planning and attention to the rulings in individual Member States is risky and could lead to substantial GDPR fines.

How to make Google Analytics GDPR compliant?

When you use Google Analytics, Google is the data processor. Your website or company is the data controller, meaning that you decide why and how personal data from your website is processed. As stated by Google support:

Google support states that Google Analytics acts as the data processor.

Since the Regulation came into force, Google has changed its policies, Analytics features, and settings to align with it. Combining these updates with some best practices, you can make your use of Analytics GDPR-compliant.

Here is a quick look at the key steps you can follow to ensure Google Analytics is GDPR compliant:

  • #1 Update your privacy policy
  • #2 Accept Google’s data processing terms
  • #3 Audit your web pages for PII
  • #4 Anonymize IP addresses
  • #5 Set data retention
  • #6 Schedule data deletion requests where needed
  • #7 Add a cookie banner and obtain consent
  • #8 Limit data sharing with Google
  • #9 Restrict data collection for advertising features

Let’s look at these steps in detail.

#1 Update privacy policy

If you use Google Analytics, it’s important to update your privacy policy.

Google’s terms state:

You must disclose the use of Google Analytics, and how it collects and processes data. This can be done by displaying a prominent link to the site “How Google uses data when you use our partners’ sites or apps”, (located at www.google.com/policies/privacy/partners/, or any other URL Google may provide from time to time).

You must disclose the information collected by Google Analytics, including the details of cookies, in your privacy policy. You need to explain how users can opt out of the tool and disallow their data from being collected.

E.g. CookieYes’ Privacy Policy explains what Analytics cookies we use and why, and how users can opt out of them. 


#2 Accept Google’s Terms

The General Data Protection Regulation (Article 28) requires a data controller to have a contract in place with every data processor it uses; processing without one is a violation. Google’s Ads Data Processing Terms are that agreement for Analytics, and you must accept them to share data with Google lawfully.

Go to Admin > Account Settings > Data Processing Terms 

Google Analytics Data Processing Terms

#3 Audit your web pages for PII

You must audit your web pages to make sure they do not transmit PII to Analytics. Google’s policy prohibits sending anything to Google Analytics that Google could use or recognise as personally identifiable information. This includes, but is not limited to:

  • email addresses
  • mailing addresses
  • phone numbers
  • precise location
  • full names or usernames

Note: Google’s definition excludes identifiers such as IP addresses and cookie identifiers, which GDPR nevertheless treats as personal data.

Google suggests best practices to avoid sending PII when collecting Analytics data: keep page URLs free of PII (for example, never put an email address in a query string), strip PII from user-entered values such as site-search terms, and avoid precise location data.

Here are some built-in Universal Analytics settings that let you keep PII out of the URLs it records:

  • Exclude URL Query Parameters: strips the named parameters from page URLs before they are recorded. Enter the parameter names you want removed, separated by commas.

Admin > View (column) > View Settings > Exclude URL Query Parameters

Exclude URL Query Parameters in Analytics
  • Filters: a Search and Replace filter can rewrite PII patterns out of your URLs using a regular expression (for example, replacing anything that matches an email address with a placeholder).

Go to Admin > View (column) > Filters > choose Custom under Filter Type > select Search and Replace

Search and Replace filter in Analytics

Note that both settings are applied by Google when the hit is processed into reports: the raw URL, PII included, still reaches Google’s servers. The safer fix is to keep PII out of what the tracking code sends in the first place.
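The settings above only clean URLs after the hit has reached Google. The following is an added example (not code from this page, from Google, or from CookieYes) of the complementary client-side approach Google’s best practices describe: scrub PII from the page URL in the browser and report the cleaned URL as the page location, so the raw value never leaves the visitor’s machine. The parameter-name list and the email pattern are assumptions to be tuned for your own site, and gtagFn is injected so the function can be exercised outside a browser.

```javascript
// Added example: scrub PII from a page URL before Google Analytics records it.
// Not the page's or Google's own code. The parameter names and the pattern
// below are assumptions; adapt them to the URLs your own site produces.

// Query-string keys that, on this hypothetical site, carry PII by construction.
const PII_PARAM_NAMES = new Set(['email', 'e', 'name', 'phone', 'tel', 'address', 'username']);
// Values that look like an email address are removed wherever they occur.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;

function safeDecode(segment) {
  try { return decodeURIComponent(segment); } catch (_) { return segment; }
}

// Returns the cleaned URL plus the names of the parameters that were dropped,
// so the caller can log what was stripped without logging the values.
function scrubPiiFromUrl(rawUrl) {
  const url = new URL(rawUrl);
  const removed = [];
  // Copy the entries first: deleting while iterating a live URLSearchParams skips items.
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (PII_PARAM_NAMES.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      url.searchParams.delete(key);
      if (!removed.includes(key)) removed.push(key);
    }
  }
  // Path segments can leak PII too, e.g. /users/jane.doe@example.com/orders.
  url.pathname = url.pathname
    .split('/')
    .map(seg => (EMAIL_RE.test(safeDecode(seg)) ? 'redacted' : seg))
    .join('/');
  // The fragment is useless for analytics and may hold tokens; drop it.
  url.hash = '';
  return { url: url.toString(), removed };
}

// Report the cleaned URL as the page location. gtagFn is the page's gtag()
// function, injected here so the logic can be tested without a browser;
// page_location and anonymize_ip are documented gtag.js config parameters.
function sendScrubbedPageview(gtagFn, trackingId, rawUrl) {
  const result = scrubPiiFromUrl(rawUrl);
  gtagFn('config', trackingId, { page_location: result.url, anonymize_ip: true });
  return result;
}

// In a page, after the gtag stub from the tracking snippet is defined:
// sendScrubbedPageview(window.gtag, 'UA-XXXXXXXXX-Y', window.location.href);
```

Because the cleaned value is passed as page_location in the config call, it replaces the document URL that gtag.js would otherwise read from the browser, so the PII never appears in the collect request at all, which is a stronger guarantee than a view filter.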

#4 Anonymize IP addresses

Google’s position is that Analytics does not store PII, and that data such as IP addresses and device identifiers is non-personal. Analytics uses the IP address to derive the visitor’s geographic location for its geo reports.

Under GDPR, however, an IP address is personal data, because it can identify an individual. You should therefore have Google truncate the IP address before it is stored. Here is how.

Note

 In Google Analytics 4 there is no IP anonymization setting: GA4 does not log or store IP addresses, so truncation happens as a matter of course. The full IP address is still transmitted to Google’s servers and used briefly to derive location, and that transfer is exactly what several of the rulings above object to.

IP anonymization alters the address before it is stored so that it no longer identifies the person using it. In Universal Analytics you enable it by modifying your tracking code.

For analytics.js

If you use the analytics.js library, add the following code to the tracking code:

ga('set', 'anonymizeIp', true);

The modified Google Analytics tracking code would look like this:

<!-- Google Analytics -->
<script>
window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
ga('create', 'UA-XXXXXXXXX-Y', 'auto');
ga('set', 'anonymizeIp', true);   /* must come before the first 'send' */
ga('send', 'pageview');
</script>
<script async src='https://www.google-analytics.com/analytics.js'></script>
<!-- End Google Analytics -->

Note

 Replace UA-XXXXXXXXX-Y with your Tracking ID (Property ID).

Using gtag.js

If you use the gtag.js library, add the following code to the tracking code:

{'anonymize_ip': true}

The modified Google Analytics tracking code would look like this:

<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-XXXXXXXXX-Y">
</script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-XXXXXXXXX-Y', {'anonymize_ip': true});
</script>

Note

 Replace UA-XXXXXXXXX-Y with your Tracking ID (Property ID).

With this setting, Google replaces the last octet of IPv4 addresses and the last 80 bits of IPv6 addresses with zeros in memory, before the hit is stored. The full address still reaches Google’s servers; only the truncated form is kept, so strictly speaking this is pseudonymization rather than true anonymization.

If you want to test whether you’ve successfully anonymized IP address in Google Analytics, try this:

Step 1: Head on to your website for which you have enforced the IP address anonymization.

Step 2: Open the browser’s developer tools.

To open them, use the following keyboard shortcuts:

On Mac: press Command+Option+J

On Windows, Linux, and Chrome OS: press Control+Shift+J

Step 3: Click the Network tab and reload the page.

Step 4: Type collect into the filter box.

Step 5: Click the request going to www.google-analytics.com/collect.

Step 6: Check whether its query string contains the IP anonymization parameter (aip=1). Large hits are sent as a POST with the parameters in the request body rather than in the URL; in that case look at the request payload instead.

If you find the parameter, Google truncates the IP address before storing any data about the hit.
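Two things from this section are worth seeing in code: what the truncation Google describes actually does to an address, and an automated version of the Network-tab check. The block below is an added example, not the page’s or Google’s own code; the addresses and collect URLs in the comments and usage notes are constructed test data, and the classification labels are my own.

```javascript
// Added example, not from this page or from Google: reproduce the IP truncation
// Google describes (last octet of IPv4, last 80 bits of IPv6 zeroed) and check a
// captured collect request for the aip=1 flag. All inputs are constructed.

function anonymizeIpv4(ip) {
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error('not a valid IPv4 address: ' + ip);
  octets[3] = '0';                        // zero the last 8 bits
  return octets.join('.');
}

// Expands "::" so we always work with eight 16-bit groups, then keeps only the
// first three groups (48 bits) and zeros the remaining 80 bits.
function anonymizeIpv6(ip) {
  if (ip.includes('.')) throw new Error('IPv4-mapped/embedded IPv6 not handled: ' + ip);
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error('more than one "::" in ' + ip);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error('wrong number of groups in ' + ip);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (!groups.every(g => /^[0-9a-f]{1,4}$/i.test(g))) throw new Error('bad hextet in ' + ip);
  const kept = groups.slice(0, 3).map(g => parseInt(g, 16).toString(16));
  return kept.join(':') + '::';           // trailing "::" stands for the 80 zeroed bits
}

function anonymizeIp(ip) {
  const s = ip.trim();
  return s.includes(':') ? anonymizeIpv6(s) : anonymizeIpv4(s);
}

// Classify a request URL as seen in the Network tab. For Universal Analytics the
// flag travels as the `aip` parameter, in the query string for GET hits or in the
// body for large POST hits (pass the body as postBody). GA4 hits go to /g/collect
// and never carry it, because GA4 truncates addresses unconditionally.
function classifyCollectHit(hitUrl, postBody = '') {
  const url = new URL(hitUrl);
  const gaHost = url.hostname === 'www.google-analytics.com' ||
    url.hostname.endsWith('.google-analytics.com');
  if (!gaHost) return 'not-a-collect-hit';
  if (url.pathname.endsWith('/g/collect')) return 'ga4-hit';
  if (!url.pathname.endsWith('/collect')) return 'not-a-collect-hit';
  const query = new URLSearchParams(url.search);
  const body = new URLSearchParams(postBody);
  if (query.get('aip') === '1' || body.get('aip') === '1') return 'anonymized';
  // A bare /collect URL with no body supplied is a POST we have not inspected yet.
  if (postBody === '' && [...query.keys()].length === 0) return 'unknown';
  return 'not-anonymized';
}
```

Constructed usage: anonymizeIp('203.0.113.57') gives '203.0.113.0', and anonymizeIp('2001:db8:85a3:8d3:1319:8a2e:370:7348') gives '2001:db8:85a3::', which shows how coarse the result is: an IPv4 /24 can still be a single household, so treat this as a reduction of risk, not as removal of personal data.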


#5 Set data retention settings

Google Analytics lets you control how long user-level and event-level data is kept before it is automatically deleted. The feature is called data retention, and it sets a lifetime for data associated with cookies, user identifiers, or advertising identifiers.

You can control this setting at the property level in the Property Settings section of your Admin panel: Admin > Property (column) > Data Settings (Tracking info in Universal Analytics) > Data Retention.

Data Retention feature in Google Analytics

The default in GA4 is 2 months; you can extend it to 14 months.

In Universal Analytics (UA), the default for all properties is 26 months. You can change it to 14, 38, or 50 months, or to “Do not automatically expire”. The setting governs the user- and event-level data behind ad hoc reports and explorations; standard aggregated reports are not affected by it.

#6 Set data deletion requests

Google Analytics also offers Data Deletion requests, which remove data from the Analytics servers. You can request deletion for all of the properties in the account or for individual properties.

Once you schedule a request there is a 7-day grace period during which you can cancel it (see below). Google then takes up to 72 hours to remove the data from the Analytics reports and deletes it from its servers in the next deletion cycle, which runs about every two months.

You can create deletion requests by accessing the setting in the admin panel: Admin > Property (column) > Data Deletion Requests > Schedule data deletion request (Create Data Deletion Request in UA):

Data Deletion Request setting in Google Analytics

Select the appropriate deletion type, date, and other relevant details and schedule the request. Once scheduled, you can cancel the request within the first 7 days.

#7 Add a cookie banner

You must obtain consent before placing non-essential cookies on a visitor’s device. Google Analytics cookies are non-essential, so you need a cookie banner to collect that consent. A cookie banner is a notice that appears when a user visits a page (often at the bottom of the viewport), telling them that the site uses cookies and letting them accept or refuse those cookies.

Cookie banners should follow the necessary guidelines stated in the GDPR and the laws of jurisdictions applicable to your website.

Here are the best practices for using cookie banners for Google Analytics:

  • Make the banner clearly visible. Show it on every page that sets Analytics cookies (or other non-necessary cookies) until the user has made a choice.
  • Use simple, clear language for the banner text. Avoid jargon.
  • Tell users which cookies the site uses, and for what purposes.
  • Give equally easy ways to accept (opt in) and reject (opt out).
  • Allow users to consent separately to each category of cookies, Analytics included.
  • Do not set non-essential cookies before consent is given; in particular, do not load the Analytics tracking code until the visitor has opted in.
  • Give an easily accessible way to withdraw consent.
  • Treat closing the banner, or making no choice at all, as a refusal.
  • Link to the Privacy Policy or Cookie Policy for more information about cookies, including what they are, how they work, and why they are used.
  • Wait at least six months (depending on the applicable national law) before asking a user who opted out for consent again.
  • Log every consent decision (opt-in and opt-out) so that you can demonstrate consent if asked.
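What the list above amounts to in code is a small consent gate in front of the tracking snippet. The block below is an added example, not part of the original post and not CookieYes’ or Google’s code: it loads gtag.js only after the visitor opts in to the analytics category, records every decision with a timestamp, and removes the Analytics cookies when consent is refused or withdrawn. The gtag('consent', ...) calls are Google’s Consent Mode API; everything passed in through the options object (loadScript, deleteCookie, gtagFn, now) is an assumption so that the logic can run outside a browser.

```javascript
// Added example, not part of the original post and not CookieYes' or Google's
// code: gate Google Analytics behind consent for the "analytics" category,
// keep an audit log of every decision, and clean up on refusal or withdrawal.
// The gtag('consent', ...) calls are Google's Consent Mode API. The injected
// callbacks (loadScript, deleteCookie, gtagFn, now) are assumptions so that the
// logic runs without a browser; a page would wire them to the DOM.

const GA_COOKIES = ['_ga', '_gid', '_gat'];   // from the cookie list earlier on this page;
                                              // add the _gac_<property-id> name if you link Google Ads

function createConsentManager({ trackingId, loadScript, deleteCookie, gtagFn, now = () => Date.now() }) {
  const log = [];              // consent record: decision, where it came from, when
  let status = 'pending';      // 'pending' | 'granted' | 'denied'
  let analyticsLoaded = false;

  // Nothing may be stored until the visitor decides: Consent Mode defaults to denied.
  // This must be pushed before gtag.js is loaded, which is why loading waits for grant().
  gtagFn('consent', 'default', { analytics_storage: 'denied', ad_storage: 'denied' });

  function record(decision, source) {
    log.push({ decision, source, at: new Date(now()).toISOString() });
  }

  function grant(source = 'banner') {
    status = 'granted';
    record('granted', source);
    gtagFn('consent', 'update', { analytics_storage: 'granted' });
    if (analyticsLoaded) return;            // idempotent: the script is injected once
    loadScript('https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(trackingId));
    gtagFn('js', new Date(now()));
    gtagFn('config', trackingId, { anonymize_ip: true });
    analyticsLoaded = true;
  }

  // Explicit reject, closing the banner, and making no choice all land here.
  function deny(source = 'banner') {
    status = 'denied';
    record('denied', source);
    gtagFn('consent', 'update', { analytics_storage: 'denied' });
    // Remove identifiers that may already exist. deleteCookie must use the same
    // domain and path GA set them with (cookieDomain 'auto' puts _ga on the root domain).
    GA_COOKIES.forEach(name => deleteCookie(name));
  }

  return {
    grant,
    deny,
    withdraw: () => deny('withdraw'),       // the "easily accessible way to withdraw consent"
    status: () => status,
    analyticsLoaded: () => analyticsLoaded,
    consentLog: () => log.slice(),
  };
}

/* In a page, with the gtag stub from the tracking snippet already defined
   (window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}):

const manager = createConsentManager({
  trackingId: 'UA-XXXXXXXXX-Y',
  gtagFn: window.gtag,
  loadScript: src => { const s = document.createElement('script'); s.async = true; s.src = src; document.head.appendChild(s); },
  deleteCookie: name => { document.cookie = name + '=; Max-Age=0; path=/; domain=.' + location.hostname.split('.').slice(-2).join('.'); },
});
acceptButton.onclick = () => manager.grant();
rejectButton.onclick = () => manager.deny();
closeButton.onclick  = () => manager.deny('closed-banner');
*/
```

The consent log is what you would hand over if a supervisory authority asks you to demonstrate consent; persist it server-side keyed by a consent ID rather than by anything that identifies the visitor beyond what the banner needs.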


Additionally, you can also configure Analytics as discussed below for GDPR compliance.

#8 Limit data sharing 

In the Analytics admin panel you can limit what Google itself may do with your data: Admin > Account Settings > uncheck the relevant checkboxes under Data Sharing Settings (UA). These settings govern sharing with other Google products and services, benchmarking, and access by Google’s technical support and account specialists; they do not stop the data from being transferred to Google in the first place.

#9 Restrict data collection for advertising features

Third-party advertising is arguably the most privacy-intrusive part of online browsing. Google Analytics collects data about your traffic for implementing its advertising features, but you can turn this off if this feature is not required.

Admin > Property (column) > Tracking Info > Data Collection > turn off Remarketing and Advertising Reporting Features.

Turning off data collection for advertising features

That covers configuring Google Analytics for GDPR.

As a website owner you need to know how visitors use your site. But, given the rulings discussed above, analytics tools can pose real challenges for businesses serving EU audiences.

Circling back to our primary concern: is Google Analytics GDPR-compliant? There is no simple yes or no answer. Google Analytics has taken many measures to comply with the law, but ultimately, it is up to the users of this service to set their accounts up in a way that they avoid any repercussions for non-compliance.


Frequently asked questions

Is Google Analytics GDPR compliant?

Google Analytics is not GDPR compliant by default. Google has made policy changes and added settings that enable compliance, but website operators still need to configure the tool and make changes on their own side: obtaining end-user consent before collecting data, updating the privacy policy, and removing or anonymizing PII before it is sent to Analytics.

How do I make Google Analytics 4 GDPR compliant?

You can make Google Analytics 4 GDPR compliant by:

  • obtaining consent from end-users to collect their personal data;
  • updating your privacy policy to explain why you use Analytics, what data it collects, and how users can opt out;
  • removing or masking PII before it is sent to Analytics (GA4 truncates IP addresses itself); and
  • utilizing Analytics data settings such as Data Retention and Data Deletion to help users exercise their GDPR rights.

Do I need consent for Google Analytics?

Yes, you must obtain the end user’s consent to use Google Analytics. The tool uses tracking technology such as cookies to collect information about how users interact with your site, including identifiers like IP addresses, User IDs, and Client IDs, which are personal data under GDPR, so you need consent to collect them.

Do I need a Privacy Policy for Google Analytics?

Yes. If you use Google Analytics, your website must have a privacy policy that discloses the use of the service, what data it collects, and the purpose of collection. It must also describe the technologies Google uses to collect data for Analytics, such as cookies, and how long they last.

Is it legal to use Google Analytics?

It is legal to use Google Analytics if it is made to be in line with privacy laws. Using it with default settings might not guarantee legal compliance. There are things, as a website owner, that you must do to ensure your use of Analytics is legal. You should update your privacy policy, anonymize IP addresses, allow users to exercise their rights, and most importantly, get end-user consent to collect their data.

Is Google Analytics banned in the EU for GDPR violation?

As of now, the data protection authorities of several EU Member States have ruled that the use of Google Analytics, as commonly configured, violates GDPR’s transfer rules. Others may follow suit and have already suggested alternatives. Websites serving those countries must consider whether their use of Analytics can be made compliant.

What data is collected by Google Analytics?

By default, Google Analytics collects:

  • IP address
  • Traffic source
  • Pages visited 
  • Day and time of visit
  • Time spent on web pages
  • Type of browser
  • Type of Operating System
  • Screen resolution
  • Type of device

What is IP Anonymizer?

An IP anonymizer is a tool or feature that anonymizes IP addresses, i.e. makes them unidentifiable in order to protect user privacy. It usually sets the last octet of an IPv4 address (and the last 80 bits of an IPv6 address) to zero. E.g. 203.0.113.144 will be set to 203.0.113.0.
