The General Data Protection Regulation (GDPR) is a legal framework that includes various rules regarding the collection and processing of personal information and the data of individuals living in the European Union.
The GDPR framework limits and regulates the collection and use of Personal Identifiable Information (PII). Since this regulation applies regardless of where the website is located, GDPR must be adhered to by all businesses targeting EU citizens with their marketing activities.
Google Analytics and GDPR compliance
Google Analytics (GA) is a powerful web analysis tool that allows you to collect information related to your website data.
By using GA, you can get information about website visitors; where they’re coming from, their interests, on-site behaviour and more. You can also access the results of your site in real time and measure the engagement and interest of users.
This data can provide valuable insights to identify your website’s strengths and weaknesses.
GA sets cookies that process visitor data on the browser side. Under the GDPR rules, visitor consent must be obtained before any cookies or trackers that process personal data are used on the website.
Discussions about Google Analytics’ GDPR compliance continue to stay relevant. While some Europe-based organisations continue to use GA, some have turned to other alternatives due to privacy concerns.
The decision of the Austrian data protection authority regarding GA has revived this discussion.
In this article, you can find the details of how to adjust your Google Analytics account settings and website according to GDPR regulations.
Before diving into Google Analytics' settings, there are a few things we should consider regarding GDPR and Google Analytics:
- Permission from the end user is required for the activation and use of all Google Analytics cookies
- Control and check your Google Analytics cookie settings, and only activate the Google Analytics cookies that visitors have allowed or approved
Although GA gives no direct access to private and sensitive information such as IP addresses, administrators can configure custom settings that may collect visitors’ personal data.
We recommend avoiding any unnecessary data collection if you’re not using some advanced tracking features in Google Analytics. For example, you should consider turning off the Advanced Advertising option if you’re not running any Google Ads campaigns.
Alternatively, you may have some legacy pixels or tags on your website from a third-party tool which may be connected to your Google Analytics account. It’s critical from a GDPR perspective to consider unlinking them from Google Analytics or deleting the data you don’t use.
Our 6 steps to make your Google Analytics account GDPR compliant
- Review your analytics setup and data collection
- Check Google Analytics advertising features settings
- Check Google Ads link
- Check Google Analytics “User and Event Data Retention” feature settings
- Check data sharing settings to avoid unnecessary data sharing
- Check possible PII
1. Review your analytics setup and data collection
It’s critical to audit your analytics setup to check whether it’s collecting unnecessary personal data or sharing it with third parties such as Facebook.
For example, this includes personal information collected through form submissions or events.
2. Check Google Analytics advertising features settings
Are Google Analytics Advertising Features enabled? When you enable this feature, the GA property can collect data about users from the Google Advertising Cookies in addition to the data collected by standard GA.
You can check these settings by simply clicking Admin > Tracking info > Data Collection.
3. Check Google Ads link
If you’re not actively using Google Ads or Display and Video 360 services, it’s recommended to unlink the Google Ads from the Google Analytics property. This avoids unnecessary data collection and sharing.
4. Check Google Analytics “User and Event Data Retention” feature settings
The Google Analytics Data Retention controls give you the ability to set the amount of time before user-level and event-level data stored by Google Analytics is automatically deleted from analytics servers.
Turn off the Reset on Activity setting in this section if you don’t want the retention period for a user’s data to be renewed with each new event from that user.
Access this feature at: Admin > Tracking info > Data Retention.
5. Check data sharing settings to avoid unnecessary data sharing
To avoid sharing unnecessary information with any service, technical support team or tool, review the data sharing settings of your Google Analytics account at Admin > Account Settings and disable any sharing you don’t need.
6. Check possible PII
You need to check your forms and events for possible PII collection, including the User ID and Client ID setup.
Check whether form submissions or other requests send or include any PII in URLs.
Other things to consider include:
- Remove your site from the Wayback Machine (web.archive.org). Even if you delete your content, it might still appear in web.archive.org results
- Enable the IP anonymisation feature in Google Analytics. By adding a new field to your GA settings, you can fully anonymise IP collection
- Do not track (block) some EU member countries in Google Analytics if there is any potential legal action against GA data collection or GA tracking
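The following is an added example, not code from this article or from Google: a small set of JavaScript helpers that tie together the consent requirement, the IP anonymisation field and the PII-in-URLs check from step 6. It assumes a consent object of the shape `{ analytics: true }` from your cookie banner, a hypothetical list of form parameter names that tend to carry PII, and that the page's `gtag` function is passed in rather than read from `window`, so the helpers can be unit-tested outside a browser.

```javascript
// Added example (not the article's own code). Helpers that gate Google
// Analytics behind visitor consent, turn on IP anonymisation, and strip
// PII-looking query parameters from the URL before it is sent to GA.

// Assumed list of query parameter names that commonly carry PII when a
// form is submitted with GET or when a thank-you page echoes form fields.
const PII_PARAMS = new Set(['email', 'e-mail', 'name', 'phone', 'user_id']);

// Loose e-mail pattern: catches PII that lands in a parameter with a
// harmless name such as ?q=alice@example.com.
const EMAIL_RE = /[^\s/?&=]+@[^\s/?&=]+\.[a-z]{2,}/i;

// Return a copy of the URL with PII-bearing query values redacted and the
// fragment dropped (fragments often carry session or access tokens).
function scrubPiiFromUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const key of [...url.searchParams.keys()]) {
    const value = url.searchParams.get(key) || '';
    if (PII_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      url.searchParams.set(key, '[redacted]');
    }
  }
  url.hash = '';
  return url.toString();
}

// Build the object passed as gtag('config', measurementId, ...).
// anonymize_ip truncates the visitor IP before it is stored, and
// page_location overrides the URL GA would otherwise read from the page.
function buildGaConfig(pageUrl) {
  return {
    send_page_view: true,
    anonymize_ip: true,
    page_location: scrubPiiFromUrl(pageUrl),
  };
}

// Configure GA only when the consent banner reports analytics consent.
// Returns true when GA was configured, false when it was withheld.
function initAnalyticsIfConsented(consent, gtag, measurementId, pageUrl) {
  if (!consent || consent.analytics !== true) {
    return false;  // no consent: no config call, so no GA cookies are set
  }
  gtag('config', measurementId, buildGaConfig(pageUrl));
  return true;
}
```

In the page, call `initAnalyticsIfConsented` from your banner's accept handler with the real `gtag` and `location.href`; until then the GA snippet may be loaded but must not be configured.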