GDPR Compliance for Google Analytics : How To

By digitalSRC
In Google analytics
May 25th, 2018

Google Analytics is by far the most popular web analytics application that is used across the world. It is used both by individuals and small companies to large Fortune 500 brands. As per this study in 2015, almost 70% of Fortune 500 used Google Analytics as their web analytics platform. If you are one of those millions of Google Analytics users and you are in Europe or deal with clients/ visitors from EU, you need to ensure that you are GDPR compliant.

While we love to rely on Google and think that they will take care of everything for proper GDPR compliance there are few things that you need to do too.

At a very broad level GDPR asks you not to collect and process any personal data without the consent of the data subject (user). Now before you tell me that Google Analytics data is anonymized and aggregated, let me show you couple of personal data points that could be captured in Google Analytics and put you on the wrong side of GDPR.

  • Google Analytics captures IP addresses which is considered as Personal Data under GDPR
  • Also, if you are passing any PII through your URLs ( typically happens when you are using GET method to submit form data or you are trying to personalize user experience) you might end up with URLs looking like www.yourdomain.com/?name=x&email=abc@gmail.com . Now all these URLs are captured in Google analytics and you are necessarily sharing this PII with Google. This is against Google’s T&C as well as could mean serious trouble for you from GDPR perspective.

So how to make Google Analytics GDPR Compliant

Anonymize IP Address
Google Analytics does provide you an option to anonymize IP addresses. If done properly Google will anonymize the users IP address while still in memory and the data will be written to disc for processing only after the IP addresses have been anonymized. If you are interested in the technical details, you can read the technical explanation here.

How to Anonymize IP Address in Google Analytics for GDPR Compliance

This again will depend on the version of Google analytics code you are using. There are three versions that most people are using. You are either using universal analytics using ANALYTICS.JS or GA.JS or the latest GTAG.JS.

Anonymize IP for analytics.js

<script>
(function(i,s,o,g,r,a,m){i[‘GoogleAnalyticsObject’]=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,’script’,’//www.google-analytics.com/analytics.js’,’ga’);
ga(‘create’, ‘UA-XXXXXXX-X’, ‘auto’);
ga(‘set’, ‘anonymizeIp’, true);
ga(‘send’, ‘pageview’);
</script>

Your analytics code probably looks like the one given above. Look at the highlighted line. You need to add that one line of code to anonymize IP address and it is important that the line is set before the ga(‘send’, ‘pageview’); line.


Anonymize IP for gtag.js

This is the latest Google analytics code and if you are already using gtag.js, you can follow the below process to anonymize IP for GDPR compliance.

In your gtag code you will notice the following line –

gtag(‘config’, ‘UA-XXXXXX-XX’);

This needs to be replaced with

gtag(‘config’, ‘UA-XXXXXX-XX’, { ‘anonymize_ip’: true });


Anonymize IP for ga.js

In case you are still using the old ga.js Google analytics library, you can try using the below code. Note the line highlighted, you will need to add that to the script.

<script type=”text/javascript”>
// Old Script
var _gaq = _gaq || [];
_gaq.push([‘_setAccount’, ‘UA-XXXXXX-XX’]);
_gaq.push([‘_gat._anonymizeIp’]);
_gaq.push([‘_trackPageview’]);
( function() {
var ga = document.createElement(‘script’); ga.type = ‘text/javascript’; ga.async = true;
ga.src = (‘https:’ == document.location.protocol ? ‘https://ssl’ : ‘http://www’) + ‘.google-analytics.com/ga.js’;
var s = document.getElementsByTagName(‘script’)[0]; s.parentNode.insertBefore(ga, s);
})();
</script>

How to Remove Personal Data from Google Analytics for GDPR Compliance

Now let’s talk about how to remove the personal data that we might send to Google through URL parameters. It is not just important for GDPR compliance but it is also important for ensuring that you are compliant with Google Analytics’ terms of service.

You should ideally try to remove any PII right at the collection level of Google analytics and this requires some coding skills. Two excellent solutions for this has been given below and you can use any one of them that works for you.

Simo Ahava’s Solution to Removing PII from GA

Brian Clifton’s Solution to redact PII from GA

If you have anonymized all IP addresses and are not capturing any PII in Google analytics, you should be ok with GDPR compliance.

If you are a marketer like me and looking to ensure proper GDPR compliance across your marketing function, you can refer to this GDPR Checklist for Marketers Infographic.

This is not a legal advise about GDPR and if you have any doubts or concern, please consult with a legal professional.

About "" Has 241 Posts

Check out the About SRC Page for more details about Saptarshi Roy Chaudhury.

Leave a Reply

Your email address will not be published. Required fields are marked *