The General Data Protection Regulation (GDPR) is a legal framework that includes various rules regarding the collection and processing of personal information and the data of individuals living in the European Union. 

The GDPR framework limits and regulates the collection and use of Personal Identifiable Information (PII). Since this regulation applies regardless of where the website is located, GDPR must be adhered to by all businesses targeting EU citizens with their marketing activities. 

Google Analytics and GDPR compliance

Google Analytics (GA) is a powerful web analysis tool that allows you to collect information related to your website data.

By using GA, you can get information about website visitors; where they’re coming from, their interests, on-site behaviour and more. You can also access the results of your site in real time and measure the engagement and interest of users.

This data can provide valuable insights to identify your website’s strengths and weaknesses.

GA provides this data by using different JavaScript tags in a website’s source code. In some cases, it can provide it using Google Tag Manager. These JS tags, which run Google Analytics, collect data using various cookies, and sometimes this data can contain sensitive and private information.

GA sets the cookies that process browser side visitor data. In accordance with the GDPR rules, the visitors’ consent must be obtained to use any cookies or trackers that process any personal data on the website.

Discussions about Google Analytics’ GDPR compliance continue to stay relevant. While some Europe-based organisations continue to use GA, some have turned to other alternatives due to privacy concerns.

The decision of the Austrian data protection authority regarding GA has revived this discussion.

In this article, you can find the details of how to adjust your Google Analytics account settings and website according to GDPR regulations. 

Before diving into Google Analytics' settings, there are a few things we should consider regarding GDPR and Google Analytics:

  • Permission from an end user is required for the activation and use of all Google Analytics cookies
  • Control and check Google Analytics cookie settings. Only activate the Google Analytics cookies which are allowed or approved by the visitors
  • Provide transparent information about your website's cookie policy and share the details of the information collected by Google Analytics cookies
  • Share information about how you process personal data on your website and share details about Google Analytics cookies and data processing in your privacy policy

Although there’s no direct access to private and sensitive information such as IP address information, administrators can configure some custom settings which may collect visitors’ personal data. 

We recommend avoiding any unnecessary data collection if you’re not using some advanced tracking features in Google Analytics. For example, you should consider turning off the Advanced Advertising option if you’re not running any Google Ads campaigns.

Alternatively, you may have some legacy pixels or tags on your website from a third-party tool which may be connected to your Google Analytics account. It’s critical from a GDPR perspective to consider unlinking them from Google Analytics or deleting the data you don’t use. 

Enjoying this article? Sign up to our newsletter

Our 6 steps to make your Google Analytics account GDPR compliant

  1. Review your analytics setup and data collection
  2. Check Google Analytics advertising features settings
  3. Check Google Ads link
  4. Check Google Analytics “User and Event Data Retention” feature settings
  5. Check data sharing settings to avoid unnecessary data sharing
  6. Check possible PII
illustration of man walking up steps
Image source: Freepik

1. Review your analytics setup and data collection

It’s critical to audit your analytics setup to check whether it's collecting unnecessary personal data or sharing it with third parties like Facebook etc. 

For example, this includes collecting some personal information through form submissions or events.

2. Check Google Analytics advertising features settings

Is Google Analytics Advertising Features enabled? When you enable this feature, the GA property can collect data about users from the Google Advertising Cookies in addition to data collected from standard GA.

You can check these settings by simply clicking Admin  > Tracking info > Data Collection. 

Screen grab from GA showining data collection settings
Image source: Google Analytics

3. Check Google Ads link

If you’re not actively using Google Ads or Display and Video 360 services, it’s recommended to unlink the Google Ads from the Google Analytics property. This avoids unnecessary data collection and sharing.

screen grab os ga ad link feature 
Image source: Google Analytics

4. Check Google Analytics “User and Event Data Retention” feature settings

The Google Analytics Data Retention controls give you the ability to set the amount of time before user-level and event-level data stored by Google Analytics is automatically deleted from analytics servers.

Turn off the Reset on Activity settings under this section if you don’t want a retention period of your website users’ data to be renewed with each new event from that user.

Access this feature at: Admin > Tracking info > Data Retention.

ga screen grab of data retention settings
Image source: Google Analytics

5. Check data sharing settings to avoid unnecessary data sharing

To avoid sharing unnecessary information with any service, technical support, or tool, check your Google Analytics account settings at Admin > Account Settings. Also, check your settings and avoid any unnecessary data sharing. 

google analytics screen grab of data sharing feature
Image source: Google Analytics

6. Check possible PII

You need to check available forms and events for possible PII collection. This includes User ID, Client ID setup.

Check whether form submissions or other requests are sending or including any PII information in the URLs.

Other things to consider include:

  • Remove site from wayback machine. web.archive.org. Even if you delete your content, it might still appear in web.archive.org results
  • Enable the IP anonymisation feature in Google Analytics. By adding a new field in GA settings, you can entirely anonymise IP collection
  • Not track/block some of the EU member countries in Google Analytics if there's any potential legal action against GA data collection or GA tracking

If you already have a website with Google Analytics setup and need help with being fully GDPR compliant, get in touch with our Google Certified experts.