How To Make Your Google Analytics Implementation GDPR Compliant

We have outlined how there are many aspects of website management that may potentially require your attention during the process of becoming fully GDPR-compliant, and this may include updating your implementation of various third-party services. If your website uses Google Analytics, it is recommended that you review how your website provides data to Google and whether or not you need to ask your visitors for consent to track their activity.

Check The Data You Send To Google

Collecting personally identifiable information via Google Analytics has always been against their Terms of Service so the chances are you were not doing so. However, with the introduction of GDPR it is important to be sure of this so that you can inform your website's visitors appropriately:

  • Make sure you are not intentionally or accidentally providing Google Analytics with any personally identifiable information. This could be the case if, for example, any of your page URLs are dynamically updated with user data - such as the name of a user who has logged-in to your website.
  • Check whether you are intentionally or accidentally providing Google Analytics with any pseudonymous data identifiers. For example, if a user is redirected to a confirmation page after making a purchase on your website, does the URL of that page contain the user's order number or transaction ID? If so, this data could be used to identify that user when combined with data from other sources, which means that you must inform your users of this in your privacy policy.

Consider Enabling IP Anonymization

The IP address of a user could, in theory at least, be used to identify them, and while IP addresses of your users are not exposed in Google Analytics reports, they are used to provide geo-location data. It is therefore recommended that you update your JavaScript tracking code to enable the "IP Anonymization" feature by setting the "anonymizeIp" field to "true". You can set this to either apply to all users or, in case you want to request consent from your visitors to track their IP address, just users that have not yet consented. Here's an example of applying anonymization to all users (where "UA-XXXX-XX" represents the property ID):

  ga('create', 'UA-XXXX-XX', 'auto');
  ga('set', 'anonymizeIp', 'true');
  ga('send', 'pageview');

Please note that using this feature will reduce the accuracy of geographic reporting, although only slightly since only the last octet of the IP address is anonymized.

Update Your Data Retention Settings

The GDPR specifies that you should not keep any data longer than required, and that you should inform your visitors how long you keep their data for. Therefore, you should update your Google Analytics settings to reflect how long you want visitor and event data "that is associated with cookies, user identifiers, or advertising identifiers" retained, and then update your privacy policy with your choice. Since most standard reports in Google Analytics are based on aggregate data, they won't be affected by your selected retention period, and your settings won't take effect until 25th May 2018.

You will find your data retention settings under "Tracking Info" for the website property in question:

How To Make Your Google Analytics Implementation GDPR Compliant

You will then also have the option of whether or not to reset the data retention period on each visit by a specific user. This means that if someone visits on 1st January 2019 and you want Google Analytics to retain data for 12 months, but they visit again on 1st June 2019, none of their data will be deleted until 1st June 2020:

How To Make Your Google Analytics Implementation GDPR Compliant

Consider Asking For Consent

If you have found that your website is providing Google Analytics with any pseudonymous data identifiers, you must seek explicit consent from your website visitors before Google Analytics is used, and must also provide them with a way of easily opting-out of this tracking in future. There are conflicting opinions on whether or not explicit opt-in is required when no personally identifiable information or pseudonymous data identifiers are being sent to Google. However, should it be decided that explicit opt-in is required for all Google Analytics implementations, a lot of user data will become unreliable and incomplete, rendering the service less useful. We expect there to be an ongoing debate regarding this until the regulation is clarified.