I took some time to explore different options and settings in order to try and make Google Analytics GDPR compliant so you don't need to ask for visitor consent. There are many steps! Here's the summary.
Is Google Analytics GDPR compliant?
Google Analytics is not GDPR compliant out of the box. This is what Google says about what you need to do if you’re using Google Analytics:
“You must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area along with the UK. If you fail to comply with this policy, we may limit or suspend your use of the Google product and/or terminate your agreement”.
You must obtain legally valid consent from your website visitors to:
- the use of cookies or other local storage
- the collection, sharing, and use of personal data for personalization of ads
How to make Google Analytics GDPR compliant
So what if you don’t want to remove Google Analytics and you don’t want to worry about obtaining consent from your visitors but you still do insist on using Google Analytics?
You can try to make Google Analytics GDPR compliant. Go into the “Admin” section of your Google Analytics account and take these steps:
In “Account Settings”, disable all the data sharing options. Stop sharing your visitor data with Google products & services, for Benchmarking purposes, for Technical support, to Account specialists and Google sales experts.
In “Account Settings”, review and accept the Google Ads Data Processing Terms.
In “Property Settings”, disable all the Advertising Features including Demographics and Interest Reports.
In “Property Settings”, disable User Analysis including Users Metric in Reporting.
In “Tracking Info” click on the “Data Collection” section and disable all the Data Collection for Advertising Features. Disable Remarketing and Advertising Reporting Features.
In “Tracking Info” click on the “Data Collection” section and within “Advanced Settings to Allow for Ads Personalization” disallow all regions from Ads personalization.
In “Tracking Info” click on the “Data Retention” section and reduce the “User and event data retention” to the minimum amount of time possible (14 months).
In “Tracking Info” click on the “Data Retention” section and disable “Reset on new activity”.
In “Tracking Info” click on the “User-ID” section and disable the User-ID feature.
In “Product Linking” section, disable all the product linking including Google Ads linking, AdSense linking and Ad Exchange linking.
Update your privacy policy with clear information on how and why you use Google Analytics.
Enable Google Analytics IP anonymization feature by adding this to your Google Analytics code: ga('set', 'anonymizeIp', true);
Disable Google Analytics cookies. Disabling cookies leaves Google Analytics with a broken functionality. Pretty much every pageview will be counted as a unique visitor.
You need to replace Google Analytics cookies with your own storage mechanism such as localStorage or a service worker in order to fix the breakage of unique visitor counting. Here’s a guide from Google on how you can do that.
What's the alternative?
You could save yourself all this hassle and time by simply asking your visitors for consent first before loading the Google Analytics script. Many visitors may say "no" to that but at least you will be complying with the regulations.
Alternative is not to use any analytics tracking at all if you don't really need any data.
If you really want to get some stats but don't want to go through the process above, you can use a web analytics tool that doesn't use cookies and doesn't track any personal data. I'm working on Plausible Analytics with privacy in mind:
- It's quick, simple to use and understand with all the metrics displayed on one page
- Lightweight script of <1 KB so sites load fast. Our script is 45 times smaller script than the Google Analytics script
- Doesn't use cookies so there's no need to worry about cookie banners
- Doesn't track personal data so you don't need to worry about asking for data consent
- It's open source with the code available on GitHub
Take a look at our live demo to see the traffic stats from our own website!
Top comments (7)
Google is sneaky, right? I really wonder why Cookies are being asked for everywhere, and there are almost always no button to opt out. What's the purpose of GDPR, then?
Google and several other advertising companies use these cookies to track your activities across websites you visit without your knowledge or consent. GDPR makes it mandatory for them to ask this explicit consent. TLDR : termly.io/resources/articles/gdpr-...
Yeah it's not really enforced right now so some sites do these illegal implementations such as not giving clear opt out.
It can be enforced but unless you report it they wouldn’t find out unless high profile. enforcementtracker.com/
Nice link! Thanks for sharing Chandra!
thank you Dominic, glad to hear that!