The Definitive Guide to Google Analytics And GDPR Compliance
How do you make Google Analytics and GDPR work together and obey the law at the same time? Find out in this handy guide.
May 25 2022 ● 16 min read
Table of Contents
- Firstly… What is GDPR?
- How GDPR affects Online Business
- Does GDPR Apply to Non-EU-Based Businesses?
- What Fines Are Associated with Breaching GDPR?
- How is Google Analytics Affected by GDPR?
- Does Google Analytics Need Consent?
- So What Should You Do?
- Simple Steps for Keeping GDPR Compliant
- Include the Right Information in Your Cookie Banner
- Don’t Overlook the Cookie Policy
- Be Ready for Data Breaches
- Be Ready to Share and Delete Data
- Anonymize IP Addresses
- Be Aware of What You Are Sending to Google
- Don’t Hold on to Data for An Extended Period
- Don’t Forget the Importance of GDPR
By now, every successful online business is familiar with Google Analytics (GA). The software is a must for any organization that wants to learn more about their audience. Today, running an online business without GA is the equivalent of driving a car without wheels; you aren’t likely to get very far.
After all, GA provides us with many reports and metrics to learn about our audience. What country is a visitor from? What is their demographic? What are their interests? All these questions can be answered in GA.
Data plays a part in almost every modern business. Using data driven attribution, for instance, helps to fine-tune advertising. Another example, heat mapping, can improve website design.
But with businesses having access to all this data, consumers are becoming more and more concerned about where data is going and how it is being used. For a long time, businesses could collect data with few restrictions. But as data-related concerns became more and more prevalent, new legislation came on the scene.
Enter the General Data Protection Regulation (GDPR). It’s fair to say that this legislation had many businesses worried. Even now, there are organizations that do not fully understand GDPR. This isn’t without reason; the regulation is extremely complicated and headache-inducing.
So, what should you do? Luckily, this guide is here to show how you can continue to get the most out of GA and remain GDPR compliant!
Firstly… What is GDPR?
GDPR was introduced as a way of modernizing data-related legislation. Before 2018, data laws were massively outdated, some dating back as early as 1990. It’s not hard to see why these laws needed to be updated.
Over the last 20 years, the Internet has exploded, there are now 5 billion people online worldwide. People sign up for different accounts, input personal details, and leave behind huge digital footprints. The legislation was no longer sufficient to regulate this data. GDPR unified and updated different laws under one banner.
This meant new rules for the ways businesses collected and used data relating to their customers.
How GDPR affects Online Business
The full GDPR legislation is huge – a 90-page document laying down the law. Obviously, we can’t summarize the full 90 pages here. Instead, here are the most important factors that you’ll need to consider.
A visitor must consent before you collect any data – it doesn’t matter what the information is, if it relates to the visitor, you’ll need their permission to collect it. A cookie consent pop-up will help with this. If you have a contact form, be sure to include a tick box to confirm that a user has read your privacy policy.
Your website must show how it is GDPR compliant – Don’t try and write your own privacy policy. You’ll need the help of a professional that is familiar with GDPR. Or you can find templates online.
Make sure that a customer ‘opts in’ to your marketing – Before sending any digital marketing materials to a customer, they need to agree to receive them. Similarly, a customer should be able to easily ‘opt out’ at any time.
You might be panicking slightly reading this information. The reality is that this is only a small piece of the legislation. For more detailed information, take a look at this summary of GDPR.
Does GDPR Apply to Non-EU-Based Businesses?
You might be reading the above and thinking ‘Great! I’m not in the EU so the law doesn’t apply to me’. Well, sadly no such luck. Even if your organization isn’t based in the EU, your website will still receive visitors that are. You’ll need the consent of these visitors before you can collect their data.
What Fines Are Associated with Breaching GDPR?
Before I get into this, I want to establish that there are multiple entities that enforce GDPR for different companies in Europe. Given that the EU laid down the rules, and I don’t want to list every governing board, I’ll just refer to the EU as the entity that enforces these rules.
If you aren’t already, you might want to sit down for this one. The maximum fine for breaking GDPR is €20 million or 4% of annual turnover (whichever is higher). Even Google was not able to escape the wrath of GDPR, incurring a huge fine of €50 million.
It’s worth noting that most fines will not reach anything close to this number. But the fine does illustrate how serious the EU is about tackling the data issue.
Aside from issuing a fine, the EU could do any of the following:
- Issue a warning to an organization
- Ban data processing (either temporarily or permanently)
- Order a business to delete user data
How is Google Analytics Affected by GDPR?
When activating Google Analytics on your website, you are also integrating a tracking tag. As well as sending data to your GA reports, this tag sends the IP addresses of your website users to Google along with other information.
Part of GDPR legislation is that if you send user data to a third party, you must inform users first. This means that you’ll need to include information on your site that lets users know how GA handles their data.
If you haven’t already, it might be a good idea to set up Google Tag Manager for greater control over tagging.
Does Google Analytics Need Consent?
One of the most frustrating aspects of GDPR is that many areas remain ambiguous. We’ve already looked at the painful fines associated with GDPR – illustrating why it’s always best to air on the side of caution.
So What Should You Do?
The easiest answer is to use a consent management tool. This seeks a user’s permission before deploying any GA tracking code. There are many consent management options to choose from:
The above are some that I recommend. Although not all options include features to prevent the GA tracking code. Make sure you carry out research before choosing an option.
Simple Steps for Keeping GDPR Compliant
The sheer number of measures contained within GDPR is enough to keep you up at night. But if you stick to the following basic steps, you can stay out of trouble.
Include the Right Information in Your Cookie Banner
Remember, GDPR focuses on the issue of consent. A user needs to give their consent for you to be able to collect and analyze their data. But first, a user needs to understand what they’re consenting to. To be GDPR compliant, your cookie banner needs to contain all the information that a user needs to know to make an informed decision.
This means you should explain how you are using Google Analytics to collect their data. This should include what you are doing with a user’s information, and why data collection is important for your website.
Don’t Overlook the Cookie Policy
A privacy policy is extremely important in laying out the way you use customer data. But this shouldn’t mean that you neglect a cookie policy. Cookies can be extremely detailed in themselves; you will need a section for each cookie that you use. This should include third party cookies.
Once again, you might be tempted to cut costs by writing your policy yourself. Don’t. To be accurate and compliant, your policy will need to have been constructed by an expert. Or, again you can find templates online.
Be Ready for Data Breaches
Unfortunately, cyberattacks are something that businesses are learning to live with. Between 2020 and 2021, cybersecurity-related attacks increased by 31%. This rise doesn’t seem to show any sign of slowing. When attacks result in data breaches you need to consider GDPR.
After any data breach, you’ll need to notify users within 72 hours. It’s better to prepare for this before it happens rather than floundering if an attack did occur. Remember that data breaches also apply to your GA account. Google will send an email to notify you if your account has been compromised.
Be Ready to Share and Delete Data
A big part of GDPR is about being transparent with the ways you collect and analyze data. This means that if a customer requests to see their data, you’re obliged to show it to them. Just as with cybersecurity issues, you should have a process for sharing customer data when requested.
Equally, a user may decide that they want their data deleted. If you receive a request for deletion, you must comply. Being able to use data for retargeting is really great and should be integral to your paid marketing efforts. But people’s privacy does mean more.
Accessing and Deleting Data in Google Analytics
Luckily, it is possible to find an individual user’s data within GA. Unfortunately, doing so is a bit of a chore. Firstly, the user requesting a change will need to share their GA client ID. This is a cookie placed by GA to track individual users.
Data collected from IDs can help us in many ways. For example, by learning about user behavior, we can improve micro funnels and increase the likelihood of sales.
To access this, they’ll need to access cookies stored on their browser. From here they’ll need to locate the GA cookie and look for the identifier _ga. Below is an example of a GA cookie.
GA1.2.456731348.6436758325
In this situation, the numbers ‘456731348.6436758325’ would be the user’s client ID. Once an ID has been sent to you, you can identify it within your GA records and delete it. You should also instruct a user to delete any GA cookies from their browser. For more information on deleting data within GA, Google has created a detailed guide.
If you familiarize yourself with this process now, you’ll have a much easier time dealing with data-related queries.
Anonymize IP Addresses
As already mentioned, GA collects the IP addresses of all users. It’s worth noting that this is entirely for geographical purposes, and IP addresses aren’t included in reports. Despite this, IP addresses are still classed as a form of identification and fall into the jurisdiction of GDPR.
Happily, Google offers a handy workaround within GA to avoid this problem. You can use a feature called IP Anonymization, which masks the IP address of users during collection. Masking can be done even when using the most secure VPN services from different providers.
Be Aware of What You Are Sending to Google
As mentioned above, some data that you collect in GA is also shared with Google. There are some steps you’ll need to take to make sure that this data is not violating GDPR. Below are some important steps to make sure that you are staying on the right side of the law.
Accept Data Processing Terms – Google have created a detailed document about how they process and share GA data. You’ll need to sign this document to avoid violating GDPR. To do so, go to Admin, select Account Settings and scroll down to Data Processing Terms.
Make Sure That Shared Data is Anonymous – When you share data with Google, it’s important that it does not include any identifiable information about a user. This means that data such as email addresses should not be included. As mentioned, Anonymizing IP addresses is an important part of this.
Turn Off Data Sharing – By default, Google shares GA data with other services. This can be disabled by going into Account Settings and choosing Data Sharing.
Don’t Hold on to Data for An Extended Period
GDPR doesn’t stipulate how long an organization should hang on to data, only that information should not be kept any longer than needed. Within GA you choose the amount of time that you store data. The default setting is 24 months, but this can be reduced to 14 months. To do so, head to Admin, choose Tracking Info and Data Retention.
Don’t Forget the Importance of GDPR
Like it or not, GDPR is here to stay. The mammoth legislation can be difficult to get your head around; as illustrated here, GDPR covers many areas and requires new measures. But don’t give up on data analytics - the fact is data is essential in the modern world.
But GDPR doesn’t mean that your data operation has to be any less effective. GA continues to become more and more powerful; the latest version called google analytics 4, adds a whole new range of features.
Take time to familiarize yourself with GDPR. With the right measures in place, the legislation shouldn’t need to be a worry. GA even comes with tools to make compliance easier. With GDPR concerns out of the way, you can get back to making the most of your data and taking your business to the next level.
Bio: Phil Pearce is an analytics expert, author, and web analyst. He's also the Analytics Director & Founder of Google Analytics, Google Tag Manager, Google Ads and CRO agency, MeasureMinds Group. Over the past 20+ years, Phil has helped clients improve their analytics and search engine marketing through the introduction of new tools and disruptive techniques. He has written for websites such as Hubspot and BambooHR.
Published on May 25 2022
WRITTEN BY
Mile ZivkovicMile is the head of content at Whatagraph in charge of all content and communications for Whatagraph’s marketing data platform. A marketing heavy with almost a decade of SaaS industry experience, Mile has managed multiple content marketing teams without losing an ounce of his writing passion. The author behind some of the most-read pieces on our blog.