In May 2018, GDPR introduced legal guidelines concerning the collection and processing of personally identifiable data by a website on its visitors. Many websites use Google Analytics (GA) to collect their visitors’ data for analytic purposes. This allows them to understand how visitors behave on their site and use this information to increase engagement. It also leads to compliance issues between Google Analytics and GDPR.

In this article, we explore 4 actionable steps you can take to help ensure your website collects analytic data in compliance with GDPR.

What is the relationship between GA and GDPR? Why Should You Care?

The relationship between GDPR and the way that Google Analytics (GA) collects data is complex. Websites can accidentally collect data in a way that is non-compliant with GDPR.

You have to make sure your website’s GA is configured with GDPR in mind or you may incur heavy penalties. The organisation responsible for enforcing the GDPR is the ICO. It has said,

“Failure to comply with the principles may leave you open to substantial fines… This could mean a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.”

Three principles within GDPR are particularly important regarding GA. They are:

  1. Right to be informed: your visitors have a right to know what information you are collecting and how you process it.
  2. Right to restrict processing: your visitors can choose what personal information you collect and how you process it.
  3. Right to erasure: your visitors have a right to have their personal data deleted from your records.

You must take necessary steps to provide visitors with control over these rights. The following information will help you do this.

Step 1: Google Analytics and GDPR – Right to Be Informed, Right to Restrict Processing, & Seeking Consent

The first step is to ensure you request permission from your visitors to collect and analyse their personal data. People must explicitly opt-in to personal data collection.

If your CMS allows plugins, then GDPR Cookie Consent is a simple, elegant, and reliable option that can help you gain permission. Features include allowing visitors to opt-in to data collection and allowing them to select data processing options.

Cookie Consent has an upgrade option where you can create databases for advanced analytic purposes. Here, visitors are given a unique identification (that does not identify them personally). This allows you to track individual users so you can generate better analytic reports, but in a way that is GDPR compliant.

If you do not use CMS, or your CMS does not have a relevant plugin, then you (or your website designer) will have to create and add relevant consent forms yourself.

Gaining consent does not mean that your site is fully compliant with GDPR, but it is the first step in the process.

Step 2: Google Analytics and GDPR – Right to Erasure

Next, you must ensure that GA is retaining data appropriately. The GDPR does not expressly state how long you can retain data. Instead, it says,

You must not keep personal data for longer than you need it.

You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.

You must set your GA “Data Retention Controls” so they align with GDPR principles.

This means restricting the length of time that Google keeps information on visitors to your site. To do this, use the process outlined below.

Step 1a: Login to your GA account. On the Home screen, navigate to “Admin”:

Screenshot of GA dashboard with an arrow pointing to admin button

Step 2a: Navigate to “Tracking Info”:

Make sure you are navigating under the property heading, rather than your account heading.

Dashboard in GA about site property with arrow pointing to "Tracking Info"

Step 3a: Select “Data Retention”:

Step 4a: This will take you to the next screen.

An image of the data retention selection screen in GA

Here, you can complete the form as needed.

There are a few things to note:

First, the shortest length of time that you can retain data for is 14 months. Unless you have a valid reason for retaining your data longer, select “14 months”.

Second, you’ll notice GA says, “These controls do not affect most standard reporting, which is based on aggregated data.” Aggregated data is not personal data; it cannot identify individuals. Therefore, aggregated data does not fall under the remit of the GDPR.

However, you may inadvertently be collecting data that can be cross-referenced in a way that accidentally identifies individuals. This can happen if you use third-party analytics software (more on this below) or advanced analytics within GA (IP anonymisation can help here).

If you do, you may need to have your site audited by a GDPR specialist. If you don’t, then following the steps outlined in this blog should remove any personally identifiable data from your analytic packages.

Third, selecting the blue icon so it says “On” will restart the retention countdown for each new event the visitor makes on your website. E.g., if they follow a link and you have retention set to 14 months, it will keep details of the click for 14 months, but discard information on previous events at their appointed time. If you select “Off”, it will delete all information 14 months after the first event. An “event” is any hit on your website.

Step 3: Google Analytics and GDPR – IP Anonymization

GDPR classifies IP addresses as personal data. If you are using GA, and you want to remove personal data, then you need to carry out IP anonymization.

If you’re somewhat savvy about the way GA collects data, you might assume that they don’t track IP addresses; after all, you can’t see IP addresses in any GA analytic reports…

…but, even though you don’t have access to your visitors’ IP addresses, Google does. They collect the IP of every visitor to your site (and strip it out of the reports you see). Enabling IP anonymization ensures that Google does not record your visitors’ IP addresses. Therefore, it can help to seal vulnerable gaps where you may be inadvertently collecting personal data. This is the safest option for compliance with GDPR.

IP anonymization is useful for those of you who do not want to risk issues with consent, even if you receive explicit consent. You will also need to use IP anonymization for visitors who do not consent (opt-in) to your personal data collection processes.

How to activate IP Anonymization

You need to change the code that your website uses to collect data for GA. You can find the HTML tracking code you currently use by navigating to the “Tracking Info” section in your GA account (see Steps 1a to 3a), but this time selecting “Tracking Code”:

An image of the GA tracking code in HTML

There are two ways to change the code in WordPress, depending on how you set up your account (If you use an alternative CMS, it should work in a similar manner. If you code your own site, you probably don’t need this article!).


First Way: If You Use the Google Analytics Plugin

Step 1b: On your dashboard, navigate to “Google Analytics”, select the “Advanced Settings” tab, and select the “Anonymise IPs while tracking” – change it to “On”.

An image of GA's wordpress plugin where the anonymise IP selection can be found


Second Way: If you add tracking codes manually to your CMS (WordPress example)

Step 1c: Navigate to “Appearance” then to “Editor”.

An image of the WordPress menu bar on the home screen, with an arrow pointed to "editor"

Step 2c: On the right hand side, you’ll see a heading that says “Theme Footer” or “Footer”.

Select “Theme Footer” or “Footer”

It will take you to the part of the HTML where you insert the “Tracking Code” for your site. Note: I have obscured our site ID in the above image. Where the @@@@@ are, that would normally be a number and it is your site’s personal identification for your GA account:

An image of the WordPress HTML editor where the GA tracking code is placed

Step 3c: Edit your tracking code by adding a line of code that will anonymise visitor IP addresses.

This part of the code is

{ 'anonymize_ip': true }

You add it to line 96, inside the gtag call that carries your site ID: after the site ID and before the closing bracket, the semicolon and “</script>”. N.B. In your CMS, it is unlikely to be on the same line in your HTML editor as it is above, i.e. not necessarily line 96.

Next, change the closing bracket and semicolon after your site ID to a comma, so the new object becomes the third argument of the call, and close the call again with a bracket and semicolon after it. So, the line in your HTML editor should look like this:

gtag('config', 'UA-1@@@@@@@@@-1', { 'anonymize_ip': true });

Your HTML code should now look like this:

An image of the WordPress HTML editor where the GA tracking code is placed with the updated IP anonymisation code included

Step 4c: Don’t forget to press “Update File”.
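The two settings this article asks for, consent before collection (Step 1) and IP anonymisation in the tracking code (Step 3), can be checked together. The script below is an added example written for this article; it is not the article's own code, not the GDPR Cookie Consent plugin and not Google's library. It reproduces the standard gtag.js queue, only starts analytics when an explicit opt-in has been recorded, always passes anonymize_ip when it does, and checks a pasted tracking snippet so you can confirm the edit from Step 3c went inside the gtag call. The function names, the shape of the consent record and the placeholder property ID are assumptions made for the example.

```javascript
// Added example (not the article's or Google's code). Function names, the
// consent record shape and the placeholder property ID are assumptions.

const GA_PROPERTY_ID = 'UA-XXXXXXXX-1'; // placeholder, not a real property ID

// Mirrors the standard gtag.js shim: each call is queued on dataLayer, which
// the gtag.js script (loaded separately in the page) consumes.
function createGtag(dataLayer) {
  return function gtag() {
    dataLayer.push(arguments);
  };
}

// Explicit opt-in only: the record must exist, analytics must be exactly
// true, and the choice must have been recorded, so a missing or default
// value never counts as consent.
function hasAnalyticsConsent(consent) {
  return Boolean(consent)
    && consent.analytics === true
    && typeof consent.recordedAt === 'string';
}

// Starts analytics only when consent is present. Even with consent the IP is
// anonymised, which is the safer default the article recommends.
function initAnalytics(consent, dataLayer = []) {
  if (!hasAnalyticsConsent(consent)) {
    // Nothing queued and gtag.js not loaded: no hit leaves the browser.
    return { started: false, dataLayer };
  }
  const gtag = createGtag(dataLayer);
  gtag('js', new Date());
  gtag('config', GA_PROPERTY_ID, { anonymize_ip: true });
  return { started: true, dataLayer };
}

// Checks a tracking snippet (for example the text copied from the theme
// footer) for a config call whose third argument contains anonymize_ip: true.
// A misplaced closing bracket, as in gtag('config', 'ID'), {...}, fails the
// check because the option is then outside the call and has no effect.
function configHasAnonymizeIp(snippet) {
  const re = /gtag\(\s*['"]config['"]\s*,\s*['"][^'"]+['"]\s*,\s*\{[^}]*['"]?anonymize_ip['"]?\s*:\s*true[^}]*\}\s*\)/;
  return re.test(snippet);
}

// Constructed sample snippets (placeholder ID, not taken from any real site).
const SNIPPET_BEFORE = "gtag('config', 'UA-XXXXXXXX-1');";
const SNIPPET_AFTER = "gtag('config', 'UA-XXXXXXXX-1', { 'anonymize_ip': true });";
const SNIPPET_WRONG = "gtag('config', 'UA-XXXXXXXX-1'), { 'anonymize_ip': true });";

console.log('before:', configHasAnonymizeIp(SNIPPET_BEFORE)); // false
console.log('after:', configHasAnonymizeIp(SNIPPET_AFTER));   // true
console.log('wrong:', configHasAnonymizeIp(SNIPPET_WRONG));   // false
console.log('no consent:', initAnalytics(null).started);      // false
console.log('consent:', initAnalytics({ analytics: true, recordedAt: '2018-05-25T00:00:00Z' }).started); // true
```

Run it with Node to see the three snippet checks and the two consent cases. In a real page you would call initAnalytics from the consent plugin's opt-in callback and leave the gtag.js script tag out of the footer until that callback fires; the snippet check is useful as a one-off after editing the theme footer, since the misplaced-bracket form is valid JavaScript and produces no error while silently leaving IPs unanonymised.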

Step 4: Disable Third-Party Tracking Plugins That May Identify Users

Google’s data management policies mean that they do not track personal data through the sales funnel. However, some webmasters will have added third-party lead-tracking software to enable personalised data tracking. One example is “Convertible”.

Unless you understand exactly how to request consent for this type of tracking, you should disable it for now and seek the services of a GDPR specialist to help you use the plugin so it is GDPR compliant.

Conclusion

The key to understanding Google Analytics and GDPR is to understand that they are seeking to ensure a separation between people and their data.

For an in-depth understanding of GDPR compliance, consult the guidelines issued by the ICO. They have a useful Data Protection Self-Assessment Toolkit that you can use to assess your website for GDPR compliance.

Disclaimer: The legislation around GDPR is complex. The content of this article is for general information purposes only and does not constitute legal advice or give rise to a solicitor/client relationship. If you have doubts about GDPR compliance and data collection, legal advice should be sought from a GDPR specialist. Whilst we endeavour to ensure the information in this article is accurate, no guarantee, express or implied, is given to its accuracy and we do not accept liability for any error or omission. We shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising from the use of any material or suggestion contained in this article, or an action taken as a result of using this material.