Simple Guide to Google Analytics & GDPR Compliance

November 11, 2021·8 min read

Disclaimer: This article is for informational purposes only. You're fully responsible to ensure you're compliant with any laws and regulations that may apply to you. This is not legal advice, and we don't accept any legal liability.

As the general public becomes more aware of their data security, and how their information is being used online – privacy has never been a bigger concern for businesses across the world as it is today.

One of the toughest data protection laws in recent history is the General Data Protection Regulation (GDPR). Many countries around the world are adopting regulations which are partly inspired by the GDPR, so it's important to at the very least be informed about it, or risk facing fines for non-compliance.

The GDPR affects those who hold data about people in the European Union, even if the company or website itself is not based in the EU. That means simply by promoting your stuff online to people in the EU may be enough so that it applies to you too.

In this article, we’ll explore whether the popular analytics tool Google Analytics complies with GDPR and some measures you can consider to further protect your website visitor's data.

Table of Contents

What is GDPR?

General Data Protection Regulation (GDPR) is a landmark European Union privacy law that regulates the collection, use and disposal of personal data. Personal data refers to any piece of information that can be used to identify an individual – whether directly or indirectly.

Examples of personal data can include full names, email addresses, IP addresses, cookie identifiers, device identifiers, client identifiers, database identifiers, advertising identifiers, and many other forms of online identifiers.

Some core principles of GDPR are as follows:

  • Personal data should be processed in a fair, lawful, and transparent manner.
  • Before collecting personal data you should receive genuine consent.
  • You should only collect personal data for the specific, legitimate purpose you were given consent - and not for any other purpose.
  • Personal data should only be kept for as long as necessary and only for the specific purpose it was collected.
  • The data subjects have rights about their personal data. This includes the right to access, correct, erase, object and transfer their personal data.
  • Personal data should be protected and secured at all times. It should be safeguarded from unlawful processing, data loss or data breaches.

Does GDPR apply to me?

If you operate in the EU – for example, if you are a French website – then, you are legally obligated to adhere to the GDPR regulations. However, GDPR also affects you if you have any clients or offer your services to people from the EU, even if you're based outside the EU.

Let's say you run a small e-commerce website from the US and you have visitors from EU countries. That means you’ll need to make sure you collect data in a way that is GDPR compliant plus any applicable local laws too.

Some US websites have, for this reason, restricted access in Europe to avoid privacy compliance issues or because their business model is incompatible with the requirements.

What are the consequences of non-compliance?

A GDPR breach can result in heavy consequences that can devastate businesses of all sizes. Since the UK left the EU, there are two versions of the GDPR guidelines, with the UK government passing a modified version of the legislation for their country.

In the UK, the maximum penalty is £17.5 million or 4% of annual global turnover. The EU GDPR sets a maximum fine of €20 million or the same 4% of annual global turnover – whichever is greater.

A data breach could also lead to other consequences, such as reputational damage and loss of trust.

How does Google Analytics work?

Google Analytics is a free digital analytics tool that allows you to analyze how your visitors use your website. It measures your site's performance and helps segment your audience based on demographics (like age, location, and interests).

Once enabled, Google Analytics uses page tags and cookies to collect information about your users and track a visitor’s session. While tracking anonymous statistics is very useful for website owners and on its own is not harmful, Google is notorious for creating user profiles for advertising purposes and often collecting far too detailed data about your visitors.

This particular form of online tracking allows marketers to tailor advertisements to specific segments of users based on their interests and behavior, and could be a violation of GDPR.

That's why it's important to consider why Google Analytics is free in the first place. While processing data at scale is very expensive, the online advertising industry is huge. For example, Google alone reported a $53.1 billion revenue from advertising in 2021.

Websites with less than 10 million visitors a month can get Google Analytics for free in exchange for the data collected about your website’s visitors. Once you exceed more than 10 million hits per month, you'll need to upgrade to Google Analytics 360, which costs $150,000 per year (that's not a typo).

Is Google Analytics GDPR compliant?

Update: In the next sections we'll discuss some typical measures to increase data protection with Google Analytics. However, they may no longer be considered enough due to a recent decision from the Austrian Data Protection Authority.

Google Analytics in its default configuration is not GDPR compliant. However, with some changes, it may be possible to increase the level of protection against processing personal data.

Due to the "Schrems II" decision on data transfers between the US and the EU you should conduct a case-by-case analysis to determine if the transfer of personal data to the US meets the same standards as those in the EU.

The Schrems II decision not only affects Google Analytics but most service providers too (even outside the scope of analytics). We encourage you to seek professional legal advice to ensure you're getting the right set of recommendations for your own circumstances.

Turn on IP Anonymization

IP addresses are protected under GDPR as personal data. Google Analytics has an IP anonymization feature that allows you to restrict the collection of IP addresses.

Please keep in mind that enabling IP Anonymization may affect certain features. For example, without collecting IP addresses, Google Analytics’ location data is around 30% less accurate at the city-level.

If you're using Google Analytics 4, IP-address anonymization is enabled by default. However, most sites were created with the legacy Google Analytics tags, so be sure to double check if this setting is enabled.

Method 1: Google Tag Manager

  1. Open Google Tag Manager.
  2. Click on "More Settings".
  3. Click on "Fields to Set"
  4. Add a new field called anonymizeIp with a value of true.

Method 2: Configuring the analytics script

  1. Open your website's source code in your favorite editor.
  2. Locate where your Google Analytics tag or script is being loaded.
  3. Place the following code snippet after the one from step 2. (don't forget to replace the tracking ID with yours):
gtag('config', 'YOUR_GA_TRACKING_ID', { 'anonymize_ip': true });

Allow users to opt in and opt out of tracking

To adhere to GDPR, you must gain explicit consent from your users to collect their personal information. To do this, you could build an opt-in system for cookies relating to Google Analytics.

This shouldn’t be an opt-out system – and the tick box shouldn’t be pre-ticked (would not count as genuine consent). To achieve this, you could use a variety of different plugins or third-party consent platforms.

Consent mode is a feature Google is currently developing to meet these criteria. If you are eligible to use Consent Mode Beta, you can use its framework to collect user consent.

Adjust retention policy

To meet the storage limitation principle of GDPR, it may be useful to adjust how long personal data is retained by Google Analytics.

To do this, you’ll need to log in to Google Analytics’ admin panel, select your web property and navigate to Tracking Info (or Data Settings). There will be a tab titled Data Retention. Here, select the retention period you want and hit Save.

It's generally a good practice to limit how long data is kept and reduce your liability. If you only need analytics data for the past 24 months, then by setting up a retention policy Google should automatically delete the old data for you.

Keep an up-to-date privacy policy

As part of the transparency and fairness condition, your website must have an accessible, well-structured and easy to understand privacy policy.

Your privacy policy should clearly state what information is being collected, for what purpose, and with whom is it being shared with. Your users must be able to understand that by visiting your site and providing consent, they are agreeing to share information with Google Analytics.

This privacy notice should also tell your visitors why their personal information is being collected. That way your visitors should be able to make an informed decision about whether or not to disclose their personal data to Google Analytics.

For example, some visitors might be happy to support your site and provide you with anonymous analytics to help you improve the experience. However, the same visitors might not be so happy if this data contains sensitive information and is sold to third parties. That's why it's important to obtain consent before collecting personal data.

Users have the right to be forgotten

If your visitors would no longer like their personal information to be held by Google Analytics, they should be able to make data deletion requests. Websites should have a mechanism to receive and accept these requests.

Once a visitor has indicated they’d like their data removed, you can submit this request to Google Analytics. There is a seven-day grace period from when you make the request, where any administrator can cancel the request. This is useful if the visitor revokes the deletion request or if a mistake has been made.

Does GDPR affect websites outside the EU?

GDPR compliance is important for any website offering their services to people in the EU. Many businesses mistakenly assume that as they aren’t from the EU, they don’t need to worry about GDPR.

If you have any visitors in the EU, you should ensure all third-parties (not only analytics) adhere to GDPR’s strict guidelines. The consequences of a GDPR breach are too great to ignore.

In short, it is possible to increase data protection measures in Google Analytics. However, due to the nature of Google’s objectives as a business and taking into account the Schrems II decision on the use of Google Analytics, it may be difficult to use this service without compromising visitor privacy.


Share article

Website traffic and performance insights.

Free plan available · No credit card required

Start for free
Panelbear dashboard