Web analytics data is an essential component in a website owner’s arsenal, and Google Analytics (GA) is the most widely used web analytics platform.
Because typical Google Analytics implementation tracks personal data such as IP addresses, it’s crucial that your use of GA complies with the strict data privacy requirements of the General Data Protection Regulation (GDPR).
This article lists actions that you can take to ensure that your website does not run afoul of GDPR enforcement agencies, which can result in massive penalties, such as the €50 million ($56 million) Google GDPR fine and the £183 million ($230 million) British Airways GDPR fine.
1. Google Analytics and GDPR: An Overview
This section discusses the basics of GA and the GDPR. If you are well acquainted with both, skip to the next section to learn how you can make your Google Analytics use GDPR-compliant.
General Data Protection Regulation
The GDPR is a European Union (EU) data protection and privacy law that took effect on May 25, 2018. It gives residents of the European Economic Area (EEA) new rights over how businesses handle their personal data.
Although the GDPR is an EU regulation, it applies to companies worldwide, including the US. This is because the law centers on the location of the consumer or user, and not the company.
Therefore, even US-based businesses with consumers in the EEA are subject to comply with the GDPR, making the noncompliance consequences for GDPR in the US as severe as they are in Europe.
Google Analytics, the web analytics platform from Google, is used extensively by website owners to track the data and behavior of website visitors. This data is then used by those owners to optimize their sites for specific goals, such as to improve sales or blog and newsletter subscriptions.
This tracking process involves the collection of personal data, such as IP addresses.
If you use Google Analytics, then in the context of the GDPR, you are the data controller and Google is the data processor. Data controllers and processors have numerous obligations under the GDPR.
In fact, a good portion of the 99 articles of the GDPR is dedicated to the roles and responsibilities of the data controller and processor.
Is Google Analytics GDPR-Compliant?
Google has taken steps to ensure that GA, as a platform, satisfies GDPR rules.
However, although the Google Analytics platform is designed to be GDPR-friendly, it can be unintentionally or intentionally used in a manner that violates GDPR rules.
Therefore, if you use Google Analytics and target or serve users in the EU or EEA, then it is your responsibility as the data controller to ensure that your use of Google Analytics adheres to GDPR requirements.
2. Google Analytics GDPR Compliance: Google’s Efforts
Google has a stated commitment to compliance with privacy laws such as the GDPR and has detailed how it practices this commitment. We’ve summarized their practices here:
- The GDPR mandates a legal relationship between the data controller and processor. Google Analytics provides this through its terms and conditions, which explain the data processing terms and the controller–processor relationship.
- The GDPR has strict data security requirements, which Google achieves through state-of-the-art data protection systems, and by maintaining internationally recognized security certifications.
- The GDPR stipulates that data processors must help controllers identify and report any data breach to the relevant supervisory authority and their users. Google facilitates this through its 24/7 incident management program.
- The GDPR allows the transfer of data out of the EEA only to regions with “adequate” data protection measures. Two such data transfer frameworks are the EU–US and Swiss–US Privacy Shield Frameworks. Google is a certified participant of both frameworks.
- The GDPR requires Privacy by Design as the default approach to building sites and software, and necessitates Data Protection Impact Assessments. Google incorporates both of these concepts into their privacy practices.
- The GDPR lists data minimization as one of its core tenants. Only essential data should be collected, and that data should only be retained so long as it’s necessary for the original purpose it was collected. Google Analytics complies with this data retention requirement by affording website owners control over how long user data is stored.
3. Google Analytics GDPR Compliance: What You Need To Do
As a website owner who collects personal information, you are the data controller in the context of the GDPR. Therefore, making your use of Google Analytics GDPR-compliant is your responsibility, in addition to that of the data processor (Google, in the case of GA).
The cornerstone of the GDPR is the treatment of users’ personal data. Here’s how you can comply with the GDPR as a GA data controller:
Obtain Consent for Collection of Personal Data
To comply with GDPR consent rules, you must follow one of the six lawful bases for processing personal data (for example, user consent).
Per the GDPR, for consent to be valid, it must be:
freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Consent is obtained through the opt in opt out system — two ways which primarily differ in whether consent is actively sought from the user or not.
Are IP addresses and data obtained through tracking cookies personal data? The answer depends on which regulatory authority you ask. European laws tend to be stricter on the definition of personal data.
Google Analytics GDPR Consent — Opt In
The GDPR makes it essential for data controllers to provide users the choice to opt in to data collection, whereas some modes of opting out, such as pre-checked boxes, are deemed invalid forms of consent.
With this understanding of consent, let’s look at the data collection processes typical to a Google Analytics implementation that may require user consent:
We recommend that you set an expiry date of 6 months for collected consent, and then ask users to re-consent.
Google Analytics Cookies
The GA platform deploys cookies to track user behavior on a website. According to Google, “[Google Analytics] may use a set of cookies to collect information and report website usage statistics without personally identifying individual visitors to Google.”
Therefore, your implementation of Google Analytics cookies needs to comply with the GDPR if you target users in the EEA.
A note on Google Analytics Advertising Features, which is a special set of features within the GA platform that enables additional analytics services: You must similarly obtain user consent if you’re using this feature, in order to comply with the GDPR as well as with Google’s product policy.
Our What are cookies guide provides insights on cookies, the major cookie-related laws, and how you can comply with these laws.
Pseudonymize Google Analytics User ID
Within Google Analytics, you can use an element named “user id” (different from “client ID”) to track and link the data of a single user across several sessions and devices. Combining such data associated with a single user improves the accuracy of GA data and analysis.
However, this accurate tracking means that user IDs are considered personal data, as they can be used to identify individual users.
One method of complying with the user privacy recommendations of the GDPR is to pseudonymize user IDs.
Pseudonymization is a process after which a data item is scrambled in such a way that it can no longer be linked to the associated individual without additional data.
This is typically achieved by using an algorithm to replace the actual data with other data (i.e., pseudonyms).
The International Association of Privacy Professionals has identified several other GDPR-related impacts and benefits of pseudonymization.
Anonymize IP addresses
An IP address is a unique code that identifies each device connected to the internet.
Although Google states that GA does not collect personally identifiable information (PII), the GDPR considers IP addresses (which Google Analytics collects) personal data, meaning that even default GA use can break GDPR rules.
Therefore, to comply with the GDPR, IP addresses must be anonymized.
Google Analytics has a built-in function, named anonymizeip, that you can enable to anonymize IP addresses.
According to Google, “The IP anonymization/masking takes place as soon as data is received by the Analytics Collection Network, before any storage or processing takes place.” This makes anonymizeip an essential feature in your GDPR compliance efforts.
Using anonymizeip may affect the accuracy of the geolocation data you collect using Google Analytics.
Don’t Retain Data for Longer Than Necessary
Similar to many data privacy laws, the GDPR mandates that personal data be stored only as long as is necessary for the original purpose for which it was collected.
Your data retention policy when using GA needs to comply with the GDPR.
Google Analytics affords website owners the functionality to set how long user data can be stored. The data retention period varies depending on the data collected and the purpose of collection, so review and set your data retention period to the lowest required for your operations.
The GDPR provides residents of the the EEA (“data subjects”) several fundamental rights, one of which is the right to be fully informed: GDPR data subjects have the right to know what personal information is being collected from them and how it is, or will be, used.
You should also describe what data you share with Google and with any other third parties.
4. Don’t Worry — Termly Can Help