Over 30 million sites use Google Analytics, so many brands no doubt have the same question: is Google Analytics PDPA compliant?
To make your GA usage PDPA-compliant, there are a couple of steps you need to take, which are detailed below. The information pertains specifically to Google Analytics browser/website tracking - not to Google’s Firebase SDK, a tool for in-app analysis.
Please note, we are not a law firm. Please view this as informational, not legal advice, and speak to a lawyer before coming to a conclusion.
Thailand’s new PDPA, or Personal Data Protection Act, is a comprehensive, opt-in data privacy law that guarantees individual rights to more than 48M Thai internet users (70% of its total population). It’s Thailand’s first consolidated privacy law and shares many of the same principles as the GDPR.
For a detailed overview, read our PDPA summary.
Google Analytics is a free website tool that collects anonymized data on site visitors, aggregates it, and offers reports on where the traffic is coming from, what pages they browsed, for how long, etc.
As to whether the PDPA applies to Google Analytics, the answer is likely "yes" - since it involves the collection/sharing of PII - but do know there's no 100% clear answer to this, as Google Analytics is not mentioned in the text of the Act.
What’s more complicated is figuring out how to honor a user's data access or deletion request from a technical standpoint. Even this is doable, though, and multiple ways to access or delete their GA data are listed below.
First, ask the user to provide their Google Analytics ClientID. To find this, they’ll need to go to their browser’s settings and manually look at what cookies are stored. They should find one named _ga, which is the Google Analytics cookie, and within it is a string of dot-separated numbers. The user’s ClientID is the numbers before and after the final period (in this case, 318596131.1556642125). If they have multiple _ga cookies on their browser, they should send all of the ClientIDs.
If you are relying on UserIDs instead of ClientIDs, then you must look up the ID yourself (for instance, if you know their email and have their UserID tied to it).
Next, use Google's User Explorer Report to pull any data associated with this ClientID or UserID, and then send that user this information.
Alternatively, you could use Google's User Activity API to pull the data.
For a deletion request, the simplest option is to ask the user to delete the _ga cookies on their browser. This would delete their cookie’s ClientID.
Alternatively, you could use Google's User Deletion API and their ClientID/UserID to delete any data Google has on them.
Without doing this step, Google would store that user's data for 26 months, violating the PDPA deletion request. So you must manually delete their data via one of these steps should they request it.
Blocking the GA tag is applicable if you are asking for consent before sending the user's anonymized data to Google. In this case, you would need to block the GA tag for non-consenting users. There are a few ways to do this:
| Approach | How it works |
| --- | --- |
| Use a third-party consent management platform | Work with a CMP that prompts for consent on page load, has a toggle option for Google Analytics, and can then block the GA tag if no consent is given. |
| Use your own consent tool | Build your own prompt. If the person doesn't consent to GA, you could write custom code that prevents the GA code from appearing on the page. Alternatively, you could use Google’s User Opt Out instructions to dynamically block their data from being sent to Google. |
| Have them install the GA Opt-Out browser extension | Direct users to the Google Analytics Opt-Out browser extension. When enabled, the GA tag does not fire for the user across any site. |
What happens if Google Analytics somehow gets breached? Google would send an email to you first, but it’s on you to then contact your affected users. If you don't already have a plan in place, the UK’s Information Commissioner's Office (ICO) has a great guide on what you need to do. It was created for the GDPR but is just as applicable to the PDPA.
Fortunately, Google has been very proactive in regards to these laws, as noted in their security compliance page. Their actions include:
Nonetheless, there are still actions to take to limit what data you send Google.
Don't put PII such as a user's email address into page URLs (for example, after a form fill-out), as those URLs would be sent to GA.
By default, the _ga cookie lasts on the user’s browser for 24 months. Fortunately, you can set this expiration period to whatever you want via the cookieExpires parameter in the GA tag. For instance, hardcoding it to 0 turns it into a session-based cookie, and the ClientID will expire when they exit the site.
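The two client-side steps above (reading ClientIDs out of the _ga cookie for an access or deletion request, and gating the GA tag on consent with cookieExpires set to 0) as an added example; this is not code from the original post or from Kevel. The window-like object and the tracking ID are placeholders, and Google's documented ga-disable-<TRACKING_ID> opt-out flag is used for the non-consent path.

```javascript
// Added example, not from the original post. Runs under Node: the browser
// cookie string and window object are passed in instead of read globally.

// Extract Google Analytics ClientIDs from a cookie string (document.cookie or
// a Cookie header). The _ga value has the shape "GA1.<n>.<random>.<timestamp>";
// the ClientID is the last two dot-separated numbers. A browser may hold more
// than one _ga cookie (different domain scopes), so every match is returned.
// GA4 cookies (_ga_XXXXXXX) use another format and are deliberately skipped.
function extractGaClientIds(cookieString) {
  const ids = [];
  for (const pair of cookieString.split(';')) {
    const [rawName, ...rest] = pair.split('=');
    if (rawName.trim() !== '_ga') continue;
    const value = rest.join('=').trim();
    const m = /(\d+\.\d+)$/.exec(value); // trailing "<digits>.<digits>" only
    if (m) ids.push(m[1]);
  }
  return ids;
}

// Apply a consent decision before any hit is sent. Google's documented opt-out
// flag window['ga-disable-<TRACKING_ID>'] = true makes analytics.js drop hits;
// with consent, the tracker is created with cookieExpires: 0 so the _ga cookie
// lives only for the browser session. `win` stands in for the window object;
// the tracking ID passed by the caller is a placeholder, not a real property.
function applyGaConsent(win, trackingId, consented) {
  win['ga-disable-' + trackingId] = !consented;
  if (!consented) return { created: false };
  // Queue the command the same way the official GA snippet does before the
  // library loads; analytics.js replays the queue once it arrives.
  win.ga = win.ga || function () { (win.ga.q = win.ga.q || []).push(arguments); };
  win.ga('create', trackingId, { cookieExpires: 0 });
  return { created: true, queued: win.ga.q ? win.ga.q.length : 0 };
}

// Constructed sample: two _ga cookies plus unrelated cookies.
const sampleCookies =
  'sessionid=abc123; _ga=GA1.2.318596131.1556642125; _gid=GA1.2.99.1; ' +
  '_ga=GA1.3.771245020.1556650000';
console.log(extractGaClientIds(sampleCookies));
// → [ '318596131.1556642125', '771245020.1556650000' ]
```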
To use Google Analytics and stay PDPA compliant, you'll need to:
Of course, further rulings may make this information obsolete, so we’ll track and report on any obvious changes.
Chris has worked in ad tech for over fourteen years in a variety of roles - giving him customer support, PM, and marketing perspectives from both the advertiser and publisher sides. He's the VP of Marketing at Kevel.