Google Analytics is used by over 30 million sites, so many marketers no doubt have the same question: is Google Analytics GDPR compliant?
To make your GA usage GDPR-compliant, then, there are a couple steps you need to take, which are detailed below. The information pertains specifically to Google Analytics browser/website tracking - not to Google’s Firebase SDK, a tool for in-app analysis.
Please note, we are not a law firm. Please view this as informational, not legal advice, and speak to a lawyer before coming to a conclusion.
Table of Contents:
The GDPR, or the General Data Protection Regulation, is a European privacy law approved by the European Commission in April 2016. The GDPR regulates, amongst other things, how organizations may obtain, use, and store the personal data of EU residents. For a detailed overview, read our GDPR summary. Its key highlights are:
Google Analytics is a free website tool that collects anonymized data on site visitors, aggregates it, and offers reports on where the traffic is coming from, what pages they browsed, for how long, etc.
Integrating with GA involves dropping a JavaScript tag or using a Tag Manager. These tags place a first-party browser cookie that has a randomly-generated ClientID.
While GA’s JavaScript tag doesn’t collect PII like name or email, the GDPR defines PII to include such persistent IDs as this ClientID. Many marketers may also use the UserID feature, which involves sending anonymous IDs to Google for more accurate tracking. On top of that, GA’s tracking tag sends Google the user’s IP Address, which the GDPR considers to be PII.
The answer is likely "yes" - but do know there's no 100% clear answer to this, as various EU regulators have issued competing stances.
The GDPR has a clause, Article 6.1(f), around “legitimate interest”, which says that data collection and profiling (without consent) is allowed if the controller or third-party has a "legitimate interest" in doing so. Many businesses have argued that anonymous website analysis is critical to offering a better product.
The CNIL - France's data regulatory body - posted in 2017 that web analytic cookies did not need consent as long as they followed certain conditions.
The ePrivacy Regulation, a law that would repeal the current ePrivacy Directory and is a corollary to the GDPR, specifically lists web audience measurement cookies as exempt from needing consent.
The safest and most user-first approach would be to use a consent management tool that asks for consent before dropping the Google Analytics tracking code. There are plenty of third-party CMPs, and you could always build your own. Make sure you find a solution that is able to block the Google Analytics code if the user hasn't opted-in.
Your privacy policy needs to detail the GDPR’s consumer data rights: the right to notice, access, opt-in, rectify, request deletion, and get equal services.
In this case, your privacy policy will need to specifically call out Google Analytics and explain what it is and why you use it. There’s no specific template for doing so, but one option is:
"We use Google Analytics for aggregated, anonymized website traffic analysis. In order to track your session usage, Google drops a cookie (_ga)
with a randomly-generated ClientID in your browser. This ID is anonymized and contains no identifiable information like email, phone number, name, etc. We also send Google your IP Address. We use GA to track aggregated website behavior, such as what pages you looked at, for how long, and so on. This information is important to us for improving the user experience and determining site effectiveness. If you would like to access what browsing information we have - or ask us to delete any GA data - please delete your _ga
cookies, reach out to us via this form, and/or install the Google Analytics Opt-Out Browser Add-On."
What’s more complicated is figuring out how to honor that request from a technical standpoint. Even this is doable, though, and below lists multiple ways to delete or access their GA data.
First, ask the user to provide their Google Analytics ClientID. To find this, they’ll need to go to their browser’s settings and manually look at what cookies are stored. They should find one named _ga
, which is the Google Analytics cookie, and within it is a string like GA1.2-2.318596131.1556642125
.
The user’s ClientID are the numbers before and after the final period (in this case, 318596131.1556642125
). If they have multiple _ga
cookies on their browser, they should send all of the ClientIDs.
If you are relying on UserIDs instead of ClientIDs (the differences are here), then you must grab the ID yourself (for instance, if you know their email and have their UserID tied to it).
Next, use Google's User Explorer Report to pull any data associated with this ClientID or UserID, and then send that user this information.
Alternatively, you could use Google's User Activity API to pull the data. The API Response will look like:
_ga
cookies on their browser. This would delete their cookie’s ClientIDAlternatively you could use Google's User Deletion API and their ClientID/UserID to delete any data Google has on them.
Without doing this step, Google would store that user's data for 26 months, violating the GDPR deletion request. So you must manually delete their data via one of these steps should they request it.
While you are at it, you could also direct them to some additional privacy controls that Google offers, including limiting ad personalization and auto-deletion of data.
This would be applicable if you are asking for consent before sending the user's anonymized data to Google. In this case, you would need to block the GA tag for non-consenting users.
What happens if Google Analytics somehow gets breached? Google would send an email to you first, but it’s on you to then contact your affected users. If you don't already have a plan in place, the UK’s Information Commission Office has a great guide on what you need to do.
Fortunately, Google has been very proactive in regards to these laws, as noted in their security compliance page. Their actions include:
Nonetheless, there are still actions to take to limit what data you send Google.
https://www.kevel.com/confirm?email=phenry@kevel.com
after a form fill-out, as they would be sent to GA _ga
cookie lasts on the user’s browser for 24 months. Fortunately, you can set this expiration period to whatever you want via the cookieExpires
parameter in the GA tag. For instance, hardcoding it to 0
turns it into a session-based cookie, and the ClientID will expire when they exit the siteNo fear - we also have you covered there. Please read our CCPA & Ad Tech and our CCPA & Google Analytics articles for info about the CCPA.
Our LGPD & Ad Tech and LGPD & Google Analytics articles offer more info about Brazil's LGPD.
Likewise, we have articles on PDPA & Ad Tech and PDPA & Google Analytics.
To use Google Analytics and stay GDPR compliant, you'll need to:
Of course, further rulings may make this information obsolete, so we’ll track and report on any obvious changes.
Chris has worked in ad tech for over fourteen years in a variety of roles - giving him customer support, PM, and marketing perspectives from both the advertiser and publisher sides. He's the VP of Marketing at Kevel.