The 2020 Guide to Google Analytics and GDPR Compliance

Google Analytics is used by over 30 million sites, so many marketers no doubt have the same question: is Google Analytics GDPR compliant?

The answer is "yes", but according to multiple 2019 rulings, you should ask for consent first.

To make your GA usage GDPR-compliant, then, there are a couple steps you need to take, which are detailed below. The information pertains specifically to Google Analytics browser/website tracking - not to Google’s Firebase SDK, a tool for in-app analysis.

Please note, we are not a law firm. Please view this as informational, not legal advice, and speak to a lawyer before coming to a conclusion.

Table of Contents:

1. Google Analytics and GDPR - what’s the issue?
2. Do you need consent for web analytics cookies?
3. Updating your privacy policy
4. Honoring the data rights
5. Limiting what you share with Google
6. {tl;dr}

---

What is GDPR, and why should I care?

The GDPR, or the General Data Protection Regulation, is a European privacy law approved by the European Commission in April 2016. The GDPR regulates, amongst other things, how organizations may obtain, use, and store the personal data of EU residents. For a detailed overview, read our GDPR summary. Its key highlights are:

1. It enables EU citizens, not online vendors, to have the final say on how their data is used
2. It imposes tighter restrictions on how companies handle PII
3. Users have privacy rights by default; companies can store/use data only if the person consents to it
4. It includes user data rights (such as access and deletion)

Google Analytics and GDPR - what’s the issue?

Google Analytics is a free website tool that collects anonymized data on site visitors, aggregates it, and offers reports on where the traffic is coming from, what pages they browsed, for how long, etc.

Integrating with GA involves dropping a JavaScript tag or using a Tag Manager. These tags place a first-party browser cookie that has a randomly-generated ClientID.

While GA’s JavaScript tag doesn’t collect PII like name or email, the GDPR defines PII to include such persistent IDs as this ClientID. Many marketers may also use the UserID feature, which involves sending anonymous IDs to Google for more accurate tracking. On top of that, GA’s tracking tag sends Google the user’s IP Address, which the GDPR considers to be PII.

As such, since you are sharing your visitors’ PII with a third-party, this is information you must disclose to users.

Do I need consent from EU residents for Google Analytics?

The answer is likely "yes" - but do know there's no 100% clear answer to this, as various EU regulators have issued competing stances.

Arguments for why you don't need consent

1. The GDPR has a clause, Article 6.1(f), around “legitimate interest”, which says that data collection and profiling (without consent) is allowed if the controller or third-party has a "legitimate interest" in doing so. Many businesses have argued that anonymous website analysis is critical to offering a better product.

2. The CNIL - France's data regulatory body - posted in 2017 that web analytic cookies did not need consent as long as they followed certain conditions.

3. The ePrivacy Regulation, a law that would repeal the current ePrivacy Directory and is a corollary to the GDPR, specifically lists web audience measurement cookies as exempt from needing consent.

Arguments for why you need consent

1. The GDPR is very much against websites sharing PII data with any third-party without a user's consent. Google Analytics does precisely this. Unless regulators officially say that analytic cookies are exempt, they fall under the scope of when consent is required.
2. In April 2019, the Conference of the Data Protection Authorities in Germany ruled that third-party analytic tools do not fall under legitimate interest, as it's possible to do analytics with a first-party solution or local implementation.
3. The Court of Justice of the European Union (CJEU) in November 2019 explitly buckets "analytics and tracking" into non-necessary cookies, meaning businesses would need to ask permission to drop the cookie.

The safest and most user-first approach would be to use a consent management tool that asks for consent before dropping the Google Analytics tracking code. There are plenty of third-party CMPs, and you could always build your own. Make sure you find a solution that is able to block the Google Analytics code if the user hasn't opted-in.

Regardless of whether you choose to ask for consent or not, there are still steps you need to take to be fully compliant. Those actions are listed below.

Step #1: Update your privacy policy

Your privacy policy needs to detail the GDPR’s consumer data rights: the right to notice, access, opt-in, rectify, request deletion, and get equal services.

It must also detail - for every data use case - what information is being collected, why, how, and to whom it’s sent.

In this case, your privacy policy will need to specifically call out Google Analytics and explain what it is and why you use it. There’s no specific template for doing so, but one option is:

"We use Google Analytics for aggregated, anonymized website traffic analysis. In order to track your session usage, Google drops a cookie (_ga) with a randomly-generated ClientID in your browser. This ID is anonymized and contains no identifiable information like email, phone number, name, etc. We also send Google your IP Address. We use GA to track aggregated website behavior, such as what pages you looked at, for how long, and so on. This information is important to us for improving the user experience and determining site effectiveness. If you would like to access what browsing information we have - or ask us to delete any GA data - please delete your _ga cookies, reach out to us via this form, and/or install the Google Analytics Opt-Out Browser Add-On."

Step #2: Create a process for honoring the data rights

Understanding the GDPR’s data rights isn’t difficult: if they ask to delete or see their data, you must do it. This includes any Google Analytics data you or Google has on them.

What’s more complicated is figuring out how to honor that request from a technical standpoint. Even this is doable, though, and below lists multiple ways to delete or access their GA data.

To access the data Google Analytics has on the user:

First, ask the user to provide their Google Analytics ClientID. To find this, they’ll need to go to their browser’s settings and manually look at what cookies are stored. They should find one named _ga, which is the Google Analytics cookie, and within it is a string like GA1.2-2.318596131.1556642125.

The user’s ClientID are the numbers before and after the final period (in this case, 318596131.1556642125). If they have multiple _ga cookies on their browser, they should send all of the ClientIDs.

If you are relying on UserIDs instead of ClientIDs (the differences are here), then you must grab the ID yourself (for instance, if you know their email and have their UserID tied to it).

Next, use Google's User Explorer Report to pull any data associated with this ClientID or UserID, and then send that user this information.

Alternatively, you could use Google's User Activity API to pull the data. The API Response will look like:

To delete their data:

1. Tell them to clear any _ga cookies on their browser. This would delete their cookie’s ClientID
2. If you are storing a UserID tied to them, delete it
3. Ask them for their ClientID (see above) and use Google's User Explorer Report to see what data Google has stored on them. In the report you'll see a 'Delete User' button in the bottom left panel. Google says that after you press this, the user's data is removed from the report after 72 hours, but it could take up to two months for the data to be deleted from their servers.

Alternatively you could use Google's User Deletion API and their ClientID/UserID to delete any data Google has on them.

Without doing this step, Google would store that user's data for 26 months, violating the GDPR deletion request. So you must manually delete their data via one of these steps should they request it.

While you are at it, you could also direct them to some additional privacy controls that Google offers, including limiting ad personalization and auto-deletion of data.

To stop their data from being shared with Google at all:

This would be applicable if you are asking for consent before sending the user's anonymized data to Google. In this case, you would need to block the GA tag for non-consenting users.

• Use a third-party consent management platform: Work with a CMP that prompts for consent on page load, has a toggle option for Google Analytics, and can then block the GA tag if no consent is given.
• Use your own consent tool: Build your own prompt. If the person doesn't consent to GA, you could write custom code that prevents the GA code from appearing on the page. Alternatively, you could use Google’s User Opt Out instructions to dynamically block their data being sent to Google.
• Have them install the GA Opt-Out browser extension: Direct users to the Google Analytics Opt-Out browser extension. When enabled, the GA tag does not fire for the user across any site.

Step #3: Have a data breach plan

What happens if Google Analytics somehow gets breached? Google would send an email to you first, but it’s on you to then contact your affected users. If you don't already have a plan in place, the UK’s Information Commission Office has a great guide on what you need to do.

Step #4: Limit what you send Google and follow their privacy best practices

Fortunately, Google has been very proactive in regards to these laws, as noted in their security compliance page. Their actions include:

1. Updating their GA Terms of Service to explain how they are a data processor
2. Implementing a 24/7 Data Incident Response Process to assist with any potential data breaches
3. Getting all the major security certifications (full list here). They also are certified members of the Privacy Shield Frameworks
4. Writing up guidance on avoiding PII

Nonetheless, there are still actions to take to limit what data you send Google.

• Sign Google's DPA - Extremely important! Go to Admin → Account Settings and accept the Data Processing Agreement. DPAs are required from all Data Processors; otherwise, sharing data with them violates the GDPR
• Review your integration with Google Analytics for PII leakage - For instance, if you are sending internal UserIDs to Google, make sure they are anonymized and not actual PII, like an email. Also check that you aren’t appending PII to URLs, such as https://www.kevel.com/confirm?email=phenry@kevel.com after a form fill-out, as they would be sent to GA
• IP Anonymization - This removes the last octet of the IP Address before it’s sent to Google (aka 123.456.789.555 becomes just 123.456.789.0, which helps anonymize who it is)
• Reduce Data Retention Length - By default, Google Analytics stores data tied to an ID for 26 months. You can change this to 14 months in Admin → Tracking Info → Data Retention if you wanted to be more strict (the lowest option available)
• Turn 'Reset on New Activity' off - In the same spot as above, there is a toggle called 'Reset on new activity'. While this seems to be privacy-focused, it really just extends how long you track them, as every new time they visit your site, the 14 month retention period resets
• Disable Demographics and Interests Reports - Under Admin → Property Settings → Advertising Features, turn this off to prevent Google from making reports around user info
• Data Deletion Requests - Monitor your Data Deletion Requests tab in Admin. Google will flag any instances where it finds PII, and you’ll need to delete them as needed
• Turn Off Data Sharing - With Google Analytics, a lot of information is shared with other services. If you go into Account Settings -> Data Sharing, you can turn off these settings
• Unlink Google Ads / Ad Exchange - If you use Adwords/Adsense/Google Ads Manager, you may have set up linking between the two platforms. Under Admin --> Product Linking, you can turn this off, further limiting what data leaves GA (though this would impact your ad campaign efforts)
• Turn off Remarketing & Ad Reporting - Under Admin → Tracking Info → Data Collection, you could turn off Remarketing and Advertising Reporting Features, an additional way to limit what's shared
• Limit the Session Settings time - Under Tracking Seetings --> Session Settings, you can edit the timeout time for individual sessions and campaigns. For instance, if you set the session timeout to 5 minutes, that means that after five minutes of inactivity, that SessionID on the user is no longer tied to anything
• Reduce Cookie Expiration Time - Unless cleared, the _ga cookie lasts on the user’s browser for 24 months. Fortunately, you can set this expiration period to whatever you want via the cookieExpires parameter in the GA tag. For instance, hardcoding it to 0 turns it into a session-based cookie, and the ClientID will expire when they exit the site

What about Google Analytics and other privacy laws?

No fear - we also have you covered there. Please read our CCPA & Ad Tech and our CCPA & Google Analytics articles for info about the CCPA.

Our LGPD & Ad Tech and LGPD & Google Analytics articles offer more info about Brazil's LGPD.

Likewise, we have articles on PDPA & Ad Tech and PDPA & Google Analytics.

{tl;dr}?

To use Google Analytics and stay GDPR compliant, you'll need to:

1. Ask EU residents for consent before dropping the GA cookie
2. Update your privacy policy to describe how and why you use Google Analytics
3. Have a process for deleting/accessing the user’s Google Analytics data upon request (instructions above)
4. Have a data breach plan
5. Sign Google’s DPA
6. Limit the data you are sending Google by following the steps listed above

Of course, further rulings may make this information obsolete, so we’ll track and report on any obvious changes.