Setting up Google Analytics GDPR friendly
According to the General Data Protection Regulation (GDPR), websites that use Google Analytics must request permission to place so-called 'tracking cookies'. Without permission, 'analytical cookies' may be used to monitor the behaviour of website visitors. But then make sure that:
- Visitors are informed why and how this happens. For example in a privacy statement.
- Google Analytics is set up to anonymise visitor data.
Privacy statement
Inform visitors that:
- Google Analytics cookies are used
- A data processing agreement has been concluded with Google
- The last octet of the IP address is masked
- The 'data sharing' function has been turned off
- No other Google services (such as AdWords or Optimise) are used in combination with the Google Analytics cookies.
Google Analytics
Google Analytics 4 is the successor to Google Universal Analytics and is more GDPR compliant and is based on user events (events) rather than pageviews.
Google Analytics 4
In Google Analytics 4, some things have changed with regard to the GDPR mainly to make it easier and more defined.
The following 3 steps must be done in Google Analytics 4 to comply with the GDPR:
1. Enter into a data processing agreement with Google
Under Admin > Account Settings you will find the amendment if you scroll down. You must accept this as you are responsible for the website. If you have already accepted this in the previous version of Google Analytics, you will see that a new version is ready for you. You can read this and then accept it.
- Log in to Google Analytics
- Navigate to Admin
- Choose Account Settings
- Now scroll down the page to the heading “Conditions for data processing”
- Click View customisation if it is present. A dialog box opens. Read the conditions
- Click Agree
- Click Save to make it final
2. Anonymise IP address in Google Analytics 4.
The anonymisation of IP addresses is done automatically. So you no longer have to take any steps for this yourself. In fact, you can't turn it off either.
3. Remarketing in Google Analytics 4.
Google Signals is used for remarketing. You can reach people who have given permission to receive personal ads in this way. By default, Google Signals is off. You can enable this setting under Admin > Property > Data settings > Data collection (more info).
If you scroll a little further down this page, you can also activate the “Recognition of user data collection”.
Optional: Data collection retention period
Within Google Analytics 4 personal/event data is also stored. In the Universal Analytics you had several options, including the option to never have data deleted. This will disappear in Google Analytics 4. You then only have the choice to store the data for 2 or 14 months. You can set this up under Admin > Property > Data settings > Retention of data.
Do not forget to adjust the privacy statement.
Google Universal Analytics
The following 5 steps must be done in Google Universal Analytics to comply with the GDPR:
1. Enter into a data processing agreement with Google
The website owner is responsible for accepting the data processing amendment. You can accept the amended agreement within Google Universal Analytics by following the steps below:
- Sign in to Google Analytics
- Navigate to Admin
- Choose Account Settings
- Now scroll down the page to the heading “Adjustment of data processing”
- Click View customisation. A dialog box opens. Read the conditions
- Click Agree
- Click Save to make it final
2. Turn off data sharing with Google
By default, you share data with Google and these options are enabled. To disable this follow the steps below:
- Navigate to Admin
- Choose Account Settings
- Here are 5 options, uncheck them all
3. Turn off data sharing with Google for advertising purposes
Despite turning off sharing with Google in the previous step, you still share data with Google. This time for advertising purposes.
- Navigate to Property Settings
- Click on Tracking info
- In the new screen choose Data collection
- Now there are two options: Remarketing and Advertising Reporting Features. Turn both of these off
- Then click on Save
4. Check if the User IDs option is disabled
By enabling User ID, a visitor's surfing behaviour can be tracked across multiple devices and sessions and they can be linked. This may only be activated if a visitor has given permission.
- Navigate again to Property Settings
- Select Tracking info
- Now choose the heading User ID
- Make sure you don't agree with "User ID Policy" and that it is disabled
5. Anonymise IP address in Google Universal Analytics
The GDPR aims to protect personal data. The IP address is also personal data according to the Dutch Data Protection Authority. Therefore, the last part of the IP address must be removed before Google Universal Analytics stores it. You do this by adding an extra line to your tracking code. This means that the last octet is not included in Universal Analytics and therefore cannot be traced back to one person. An octet is part of the IP address. In total, the IP address consists of four octets.
A Creational website? Then we add this code. Contact us!
- Add “, { 'anonymize_ip': true }” to the Google Analytics script on the website so that it is anonymised
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-xxxxxxx-x"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-xxxxxxx-x', { 'anonymize_ip': true });
</script>
(UA-xxxxxxx-x is your identifier id)
Optional: Data retention period Google Universal Analytics
Something that is not necessary for making it privacy-friendly, but can be important, is the retention of the data within Google Universal Analytics. The retention period can be adjusted. This setting affects user level and event level.
- Navigate again to Property Settings
- Select Tracking info
- Now choose the heading Data retention
- Now select the desired retention period
- Turn the switch on or off as to reset to new activity