Simple Guide to Google Analytics & GDPR Compliance

November 11, 2021·10 min read

Disclaimer: This article is for informational purposes only. You're fully responsible to ensure you're compliant with any laws and regulations that may apply to you. This is not legal advice, and we don't accept any legal liability.

As the general public becomes more aware of data security and of how their information is being used online, privacy has become a bigger concern for businesses across the world than ever before.

One of the toughest data protection laws in recent history is the General Data Protection Regulation (GDPR). Many countries around the world are adopting regulations which are partly inspired by the GDPR, so it's important to at the very least be informed about it, or risk facing fines for non-compliance.

The GDPR affects those who hold data about people in the European Union, even if the company or website itself is not based in the EU. That means simply promoting your products or services online to people in the EU may be enough for it to apply to you too.

In this article, we’ll explore whether the popular analytics tool Google Analytics complies with GDPR and some measures you can consider to further protect your website visitors' data.

At Panelbear, a simpler and privacy-friendly alternative to Google Analytics, we’ll explore what GDPR compliance means for small-to-medium businesses (SMBs), how to make Google Analytics compliant, and why Panelbear may be a better option if you’re looking for a website analytics tool that has your data privacy in mind.

What is GDPR?

General Data Protection Regulation (GDPR) is a landmark European Union privacy law that regulates the collection, use and disposal of personal data. Personal data refers to any piece of information that can be used to identify an individual – whether directly or indirectly.

Examples of personal data can include full names, email addresses, IP addresses, cookie identifiers, device identifiers, client identifiers, database identifiers, advertising identifiers, and many other forms of online identifiers.

Some of the core principles of GDPR are as follows:

  • Personal data should be processed in a fair, lawful, and transparent manner.
  • Before collecting personal data you should receive genuine consent.
  • You should only collect personal data for the specific, legitimate purpose for which you were given consent - and not for any other purpose.
  • Personal data should only be kept for as long as necessary and only for the specific purpose it was collected.
  • The data subjects have rights over their personal data. This includes the right to access, correct, erase, object to the processing of, and transfer their personal data.
  • Personal data should be protected and secured at all times. It should be safeguarded from unlawful processing, data loss or data breaches.

Does GDPR apply to me?

If you operate in the EU – for example, if you are a French website – then you are legally obligated to adhere to the GDPR regulations. However, GDPR also affects you if you have any clients or offer your services to people from the EU, even if you're based outside the EU.

Let's say you run a small e-commerce website from the US and you have visitors from EU countries. That means you’ll need to make sure you collect data in a way that is GDPR compliant plus any applicable local laws too.

Some US websites have, for this reason, restricted access in Europe to avoid privacy compliance issues or because their business model is incompatible with the requirements.

What are the consequences of non-compliance?

A GDPR breach can result in heavy consequences that can devastate businesses of all sizes. Since the UK left the EU, there are two versions of the GDPR guidelines, with the UK government passing a modified version of the legislation for their country.

In the UK, the maximum penalty is £17.5 million or 4% of annual global turnover. The EU GDPR sets a maximum fine of €20 million or the same 4% of annual global turnover – whichever is greater.

A data breach could also lead to other consequences, such as reputational damage and loss of trust.

How does Google Analytics work?

Google Analytics is a free digital analytics tool that allows you to analyze how your visitors use your website. It measures your site's performance and helps segment your audience based on demographics (like age, location, and interests).

Once enabled, Google Analytics uses page tags and cookies to collect information about your users and track a visitor’s session. While tracking anonymous statistics is very useful for website owners and on its own is not harmful, Google is notorious for creating user profiles for advertising purposes and often collecting far too detailed data about your visitors.

This particular form of online tracking allows marketers to tailor advertisements to specific segments of users based on their interests and behavior, and could be a violation of GDPR.

That's why it's important to consider why Google Analytics is free in the first place. While processing data at scale is very expensive, the online advertising industry is huge. For example, Google alone reported a $53.1 billion revenue from advertising in 2021.

Websites with fewer than 10 million hits a month can get Google Analytics for free in exchange for the data collected about your website’s visitors. Once you exceed 10 million hits per month, you'll need to upgrade to Google Analytics 360, which costs $150,000 per year (that's not a typo).

How to make Google Analytics GDPR Compliant

Google Analytics in its default configuration is not GDPR compliant. However, with some changes, it is possible to follow GDPR guidelines with Google Analytics and increase the level of protection against processing personal data.

Also, due to the "Schrems II" decision on data transfers between the US and the EU you should conduct a case-by-case analysis to determine if the transfer of personal data to the US meets the same standards as those in the EU.

Turn on IP Anonymization

IP addresses are protected under GDPR as personal data. Google Analytics has an IP anonymization feature that allows you to restrict the collection of IP addresses.

Please keep in mind that enabling IP Anonymization may affect certain features. For example, without collecting IP addresses, Google Analytics’ location data is around 30% less accurate at the city-level.

If you're using Google Analytics 4, IP-address anonymization is enabled by default. However, most sites were created with the legacy Google Analytics tags, so be sure to double-check whether this setting is enabled.

Method 1: Google Tag Manager

  1. Open Google Tag Manager.
  2. Click on "More Settings".
  3. Click on "Fields to Set".
  4. Add a new field called anonymizeIp with a value of true.

Method 2: Configuring the analytics script

  1. Open your website's source code in your favorite editor.
  2. Locate where your Google Analytics tag or script is being loaded.
  3. Place the following code snippet after the one from step 2. (don't forget to replace the tracking ID with yours):
gtag('config', 'YOUR_GA_TRACKING_ID', { 'anonymize_ip': true });

Allow users to opt in and opt out of tracking

To adhere to GDPR, you must gain explicit consent from your users to collect their personal information. To do this, you could build an opt-in system for cookies relating to Google Analytics.

This shouldn’t be an opt-out system – and the tick box shouldn’t be pre-ticked (a pre-ticked box would not count as genuine consent). To achieve this, you could use a variety of different plugins or third-party consent platforms.

Consent mode is a feature Google is currently developing to meet these criteria. If you are eligible to use Consent Mode Beta, you can use its framework to collect user consent.
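The two points above, the anonymize_ip config call from Method 2 and the opt-in (never opt-out) consent requirement, fit together in one small piece of page script. The following is an added example, not code from this article or from Google or Panelbear. It assumes a hypothetical consent banner calls onConsentChoice, that the visitor's choice is persisted in a localStorage-like object (a plain in-memory stand-in is used here so it runs outside a browser), that YOUR_GA_TRACKING_ID is a placeholder you replace, and that gtag is the page's own gtag function (a recording stand-in here). Nothing is sent to Google Analytics until the stored state is exactly "granted"; a missing, tampered or unknown value is treated as "not yet asked", which is the safe default.

```javascript
// Added example (not the article's, Google's or Panelbear's code): opt-in gated
// Google Analytics initialisation with IP anonymisation always switched on.
// Assumptions: YOUR_GA_TRACKING_ID is a placeholder; `storage` has getItem/setItem
// (window.localStorage in a browser); `gtag` is injected by the caller.

const GA_TRACKING_ID = 'YOUR_GA_TRACKING_ID'; // placeholder, replace with your own ID
const CONSENT_KEY = 'analytics_consent';       // hypothetical storage key

// Known consent states. Anything else (missing, tampered, old format) maps to
// 'unset', so a corrupted value can never silently enable tracking.
function readConsent(storage) {
  const value = storage.getItem(CONSENT_KEY);
  return value === 'granted' || value === 'denied' ? value : 'unset';
}

function writeConsent(storage, granted) {
  storage.setItem(CONSENT_KEY, granted ? 'granted' : 'denied');
}

// The config object sent to gtag. anonymize_ip is always true: sending less data
// does not depend on consent, it is simply the safer setting.
function buildGaConfig() {
  return { anonymize_ip: true };
}

// Standard gtag.js loader URL for a property; only inject this script tag once
// consent has been granted, otherwise the library can still set cookies.
function gtagScriptUrl(trackingId) {
  return 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(trackingId);
}

// Initialise analytics if, and only if, the visitor actively opted in.
// Returns what happened so the caller (or a test) can inspect it.
function initAnalytics(storage, gtag) {
  const consent = readConsent(storage);
  const calls = [];
  if (consent !== 'granted') {
    // 'unset' and 'denied' behave identically: no config call, no cookies, no hits.
    return { consent, calls };
  }
  const config = buildGaConfig();
  gtag('config', GA_TRACKING_ID, config);
  calls.push(['config', GA_TRACKING_ID, config]);
  return { consent, calls };
}

// Handler wired to the banner's "Accept" / "Decline" buttons (hypothetical UI).
function onConsentChoice(storage, gtag, granted) {
  writeConsent(storage, granted);
  return initAnalytics(storage, gtag);
}

// In-memory stand-in for window.localStorage so the example runs without a browser.
function memoryStorage(initial = {}) {
  const data = Object.assign({}, initial);
  return {
    getItem: (key) => (Object.prototype.hasOwnProperty.call(data, key) ? data[key] : null),
    setItem: (key, value) => { data[key] = String(value); },
  };
}

// Demonstration with a constructed storage and a recording gtag stand-in.
if (typeof window === 'undefined') {
  const sent = [];
  const fakeGtag = (...args) => sent.push(args);
  const storage = memoryStorage();
  console.log(initAnalytics(storage, fakeGtag));          // consent 'unset', no calls
  console.log(onConsentChoice(storage, fakeGtag, false)); // 'denied', still no calls
  console.log(onConsentChoice(storage, fakeGtag, true));  // 'granted', one config call
  console.log(gtagScriptUrl(GA_TRACKING_ID));
}
```

In a real page you would inject the script tag for gtagScriptUrl(GA_TRACKING_ID) from inside the granted branch and call gtag('config', ...) once it has loaded; keeping the loader itself behind the consent check is what prevents cookies being set before the visitor has opted in.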

Adjust retention policy

To meet the storage limitation principle of GDPR, it may be useful to adjust how long personal data is retained by Google Analytics.

To do this, you’ll need to log in to Google Analytics’ admin panel, select your web property and navigate to Tracking Info (or Data Settings). There will be a tab titled Data Retention. Here, select the retention period you want and hit Save.

It's generally a good practice to limit how long data is kept and reduce your liability. If you only need analytics data for the past 24 months, then by setting up a retention policy Google should automatically delete the old data for you.

Keep an up-to-date privacy policy

As part of the transparency and fairness condition, your website must have an accessible, well-structured and easy to understand privacy policy.

Your privacy policy should clearly state what information is being collected, for what purpose, and with whom it is being shared. Your users must be able to understand that by visiting your site and providing consent, they are agreeing to share information with Google Analytics.

This privacy notice should also tell your visitors why their personal information is being collected. That way your visitors should be able to make an informed decision about whether or not to disclose their personal data to Google Analytics.

For example, some visitors might be happy to support your site and provide you with anonymous analytics to help you improve the experience. However, the same visitors might not be so happy if this data contains sensitive information and is sold to third parties. That's why it's important to obtain consent before collecting personal data.

Users have the right to be forgotten

If your visitors would no longer like their personal information to be held by Google Analytics, they should be able to make data deletion requests. Websites should have a mechanism to receive and accept these requests.

Once a visitor has indicated they’d like their data removed, you can submit this request to Google Analytics. There is a seven-day grace period from when you make the request, where any administrator can cancel the request. This is useful if the visitor revokes the deletion request or if a mistake has been made.

Are there alternatives to Google Analytics that are GDPR compliant?

It can be quite difficult to make the necessary changes to Google Analytics to achieve the minimum requirements for GDPR compliance. That's why many websites have found it easier to opt for a more privacy-focused analytics service.

There are many out there to choose from, with a great option being Panelbear, a tool which we're building.

Panelbear traffic insights dashboard.

Like Google’s offering, Panelbear collects metrics about your website and helps you understand what’s currently trending. However, we store the analytics data within the EU, do not track IP-addresses or personal data, do not use tracking cookies, and we do not sell any personal data to third parties. Your data remains in your control.

As a privacy-first company, we operate on an entirely different pricing model. Google is first and foremost an advertising company, and Google Analytics is a marketing analytics product.

At Panelbear, our business model is charging a monthly subscription to use our service; we do not sell any personal data to third parties in order to monetize our product. Instead, we focus entirely on building a great product for our customers.

While many of our customers tell us they switched to Panelbear because of its privacy focus, this is by far not the only reason.

Here's why we think you'll love it too:

  • Simple to use: Panelbear is a great tool if you just want to get a bird's eye view on your website's most important metrics - without complicated dashboards or expert knowledge on how to use it properly.
  • Real time visitor analytics: Everything you see on your dashboard is up-to-the-minute real time. You can see your website traffic as it's happening.
  • Built-in performance monitoring: Nobody likes a slow website. In addition to traffic analytics, you also get insights about your site's true performance, as experienced by your visitors anywhere in the world.
  • Actionable alerts: Set up notifications for traffic spikes or slow pages and be the first to know when something's up. That way you can ensure you always deliver a great experience on your site.

Want to take Panelbear for a spin? You can try it out for free, and see if it's right for you. You can upgrade or cancel your subscription anytime - no questions asked - but you can of course always talk to a friendly human by sending us an email at support@panelbear.com.

Does GDPR affect websites outside of the EU?

GDPR compliance is important for any website offering their services to people in the EU. Many businesses mistakenly assume that as they aren’t from the EU, they don’t need to worry about GDPR.

If you have any visitors in the EU, you should ensure all third-parties (not only analytics) adhere to GDPR’s strict guidelines. The consequences of a GDPR breach are too great to ignore.

It is possible to shape Google Analytics to be more privacy-friendly. However, the nature of Google’s objectives as a business means that it is inherently difficult to use Google Analytics without compromising visitor privacy.

Privacy-focused alternatives exist for this very purpose. Services like Panelbear better adhere to data protection guidelines, do not sell any personal data to third parties, and keep your visitors anonymous by default.

Panelbear analytics charts
