
How to make Google Analytics GDPR compliant

21/04/2022 - written by: David Gondelle
GDPR

It won’t surprise anyone to hear that the Google Analytics tool is the most popular web analytics tool by a long shot. However, what may be surprising is that using it can cause you quite a few headaches and potentially worse if you’re not careful.

This is because Google Analytics isn’t automatically GDPR compliant. To make the tool compliant, there are a few changes you’ll need to make yourself.

Some people may find it preferable to search for other alternatives to Google Analytics so that they can avoid making so many changes. But if you decide that you’d rather stick with the Google Analytics tool, read on to find out how to keep up to GDPR standards, and avoid any unnecessary fines.

What obligations do you have as a site owner

As a site owner, you are the data controller in the eyes of GDPR law. This means that you have a number of responsibilities when it comes to protecting the subjects’ (aka site visitors’) data. This includes making sure that any data processors (such as Google Analytics) that you use on your site are also being used in a GDPR compliant manner.

There are several articles in the GDPR legislation that state the rights of the subject and their data. These rights must be respected by both the data controller and data processor. These rights include:

  • Article 15 (right to access): Subjects can ask you for a copy of any personal data that you’ve collected from them. You must supply this within 30 days of receipt of the request.
  • Article 16 (right to rectification): If the subject finds that the personal data you keep on them is incorrect, incomplete or outdated, they can request that you rectify this.
  • Article 17 (right to erasure, aka right to be forgotten): The subject can ask that you delete all of their data.
  • Article 18 (right to restriction of processing): The subject can ask you to not track their behaviour, such as opening emails, and can rescind previously given consent.
  • Article 20 (right to data portability): The subject could ask you to transfer their data elsewhere, even to one of your competitors.

Why isn’t Google Analytics GDPR compliant in the first place?

Since GDPR came into effect in 2018, Google has been accused by several European data protection authorities of not meeting the expected standards. Google was even handed fines on several occasions. Reasons for these fines included:

  1. Not properly gaining the consent of users to use their data for personalised advertising.
  2. Not removing search result listings after being requested to do so, and so violating the “right to be forgotten”.
  3. Not making it sufficiently easy for users to refuse cookies when implementing its cookie consent on YouTube.

Since being given these fines and other warnings from many data protection authorities, Google has made some changes to try and make it easier to use their analytics tool in a GDPR compliant manner.

Steps to be GDPR compliant when using Google Analytics

With the responsibilities of the data controller and the accusations of the data protection authorities against Google in mind, we can start to see where the data controller needs to make changes to Google Analytics to stay compliant with GDPR.

Below are the steps you can take to make your use of Google Analytics more GDPR friendly. But beware, some of these steps may affect the functionality of the analytics tool.

Changing your Account settings

Under Admin, go to Account Settings. From there, you’ll need to:

  1. Disable all data sharing options.
  2. Read and accept the Google Ads Data Processing Terms.

Editing Property settings

Under Admin, go to Property Settings. From there, you’ll need to:

  1. Disable all the Advertising Features, including the Demographics and Interest Reports.
  2. Disable User Analysis, including Users Metric under Reporting.

Editing Tracking Info settings

Under Admin, go to Tracking Info. From there, you’ll need to:

  1. Click on the Data Collection section and disable all the Data Collection for Advertising Features, as well as the Remarketing and Advertising Reporting Features.
  2. Also under the Data Collection section, go to “Advanced Settings to Allow for Ads Personalisation” and disable all regions from Ads Personalisation.
  3. Go to the “Data Retention” section and reduce the “User and event data retention” to the minimum possible amount of time.
  4. Also under the “Data Retention” section, disable “Reset on new activity”.
  5. Click on the “User-ID” section and disable User-ID features.

Product linking settings

Under Admin, go to the Product Linking section. From there, disable all the product linking, including Google Ads linking, Adsense and Ad Exchange linking.

You should read over your privacy policy to ensure that it’s clear to the site visitor why you use Google Analytics on your site, how it’s being used, and what the visitor is consenting to. This includes specifying exactly which cookies you’re using.

Disable Google Analytics Cookies

Alternatively, you can disable cookies altogether. Cookies are used to track site visitors across your website, meaning that you can follow the path they take throughout your website, and can even allow you to retarget them with advertisements once they’ve left your site.

By disabling cookies, you won’t be able to track each user as they navigate through your site. Instead, every time a page is opened, it will be seen as a new unique user, even if one user has clicked on several pages. So there are some drawbacks to disabling cookies altogether.

To disable cookies in Google Analytics, create the tracker in analytics.js with a command that sets storage to none:

ga('create', 'UA-XXXXX-Y', { 'storage': 'none'});

IP anonymisation

GDPR views a person's IP address as personal data. This makes it a good idea to enable IP anonymisation. You can do this by:

  1. Going to “More Settings”
  2. Going to “Fields to Set”
  3. Adding a new field named “anonymizeIp”, with a value of “true”:

ga('set', 'anonymizeIp', true);
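
To confirm that the cookie and IP anonymisation settings above took effect, the following added example (not code from the original post) audits what a page actually stores and sends. It assumes hits are captured as GET request URLs; the cookie names `_ga`, `_gid` and `_gat` and the `aip` hit parameter are analytics.js defaults, and the function names, sample cookie string and hit URLs are constructed for illustration.

```javascript
// Added audit helper, not from the original post. All sample data is constructed.
const GA_COOKIE = /^(_ga|_gid|_gat)(_|$)/; // default analytics.js cookie names
const GA_HOST = /(^|\.)google-analytics\.com$/;

// Names of Google Analytics cookies present in a document.cookie string.
function findGaCookies(cookieString) {
  return cookieString
    .split(';')
    .map((pair) => pair.trim().split('=')[0])
    .filter((name) => GA_COOKIE.test(name));
}

// Summarise one captured hit URL. analytics.js adds the aip parameter to a
// hit once anonymizeIp has been set on the tracker.
function checkHit(hitUrl) {
  const params = new URL(hitUrl).searchParams;
  return {
    type: params.get('t'),
    trackingId: params.get('tid'),
    anonymized: params.has('aip'),
  };
}

// ok is true only when no GA cookie is stored and every GA hit carries aip.
function auditPage(cookieString, requestUrls) {
  const cookies = findGaCookies(cookieString);
  const hits = requestUrls
    .filter((u) => GA_HOST.test(new URL(u).hostname))
    .map(checkHit);
  const notAnonymized = hits.filter((h) => !h.anonymized);
  return { cookies, hits, notAnonymized,
           ok: cookies.length === 0 && notAnonymized.length === 0 };
}

// Constructed sample: what a default (unconfigured) install might leave behind.
const SAMPLE_COOKIES = 'sessionid=abc123; _ga=GA1.2.111.222; _gid=GA1.2.333.444';
const SAMPLE_HITS = [
  'https://www.google-analytics.com/collect?v=1&t=pageview&tid=UA-XXXXX-Y&cid=555',
  'https://www.google-analytics.com/collect?v=1&t=event&tid=UA-XXXXX-Y&cid=555&aip=1',
  'https://example.com/static/app.js',
];

console.log(JSON.stringify(auditPage(SAMPLE_COOKIES, SAMPLE_HITS), null, 2));
```

The inputs can be collected from the browser's developer tools: `document.cookie` in the console and the `/collect` requests in the network tab.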

Alternatives to Google Analytics

As we mentioned at the start of this blog, some people might prefer to look for alternatives to Google Analytics, especially after seeing all of the necessary steps you’ll need to take if you want to use the tool and be GDPR compliant. If you’re one of these people who decide that all that hassle isn’t for you, why not try out an open-source alternative from Scale8?
