CookiePro Knowledgebase

dot pattern banner

Knowledgebase Cookies and Integrations Google Analytics and GDPR


Google Analytics and GDPR

Last Updated: May 8, 2020

Due to strict regulatory guidance by the General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR), there are many websites that may risk non-compliance from their use of Google Analytics.

Learn more about how these regulations may affect you as a website owner, and how you can continue using Google Analytics to track visitors from the EU in a compliant way.

Google Analytics, GDPR, and ePrivacy

Google Analytics is Google’s website analytics tool that provides insights about the demographics of visitors coming to your website, how they’re getting to your website, and how they’re interacting with your website.  Essentially, Google Analytics is a data processing tool.

The EU’s ePrivacy directive states that websites need to gain consent from the user for all cookies other than the ones that are strictly necessary for the site to work. Meanwhile, GDPR lays out the requirements for what constitutes valid consent.

Websites don’t need analytics software to function. Therefore, they need user permission to drop Google Analytics cookies.

Additionally, the ePrivacy Regulation is expected to be finalized at some point in 2019. These regulations will update the scope of the ePrivacy Directive and complement GDPR’s rules on personal data by focusing on the privacy implications of electronic communications.

The ePrivacy Regulation may allow cookies for website analytics, even if the website owner doesn’t gain consent first. However, this is unlikely to be the case for third-party tools such as Google Analytics.

None of this means website owners should not use Google Analytics. Google has done a lot of work to ensure its service works within the new regulations. This means staying compliant shouldn’t be a problem as long as websites put in place compliant processes.

What has Google done to ensure GDPR compliance?

Since GDPR came into effect, Google has done a lot of work to make sure Google Analytics is compliant. The company has made changes both to the way Google Analytics works and in the conditions users have to follow to use Google Analytics.

The changes Google has made to Analytics to ensure GDPR compliance include:

  • Analytics now has a feature that allows websites to delete the information of individual users if they make a deletion request. This is required under the GDPR’s “Right to erasure.”
  • Google introduced a feature that lets websites control how long Analytics stores data. By default, this is set to 26 months, although users can shorten this or turn the feature off.

  • Google will restrict the processing of data for children under the GDPR age of consent.

As well as these changes, Google has updated it’s EU user consent policy to reflect the new GDPR requirements. The policy relates to all Google products, including Google Analytics. Google states that any website using Google products must:

  • Obtain valid consent to use cookies or other local storage where legally required.
  • Get consent to collect, share, and use personal data for the personalization of ads.
  • Websites must retain records of this consent.
  • They must provide users with clear instructions about how to revoke consent.
  • Websites must tell users which parties may collect, receive, or use the data collected due to the Google product in use.

Google states that websites failing to conform to these standards may be banned or suspended from using the Google product.

How Can I ensure my use of Google Analytics is GDPR compliant?

Website owners that use Google Analytics and have visitors from the EU, must gain consent to drop the cookies required by this service

Should they not do this, site owners would not only be at risk of a fine from GDPR, but would also be at risk of losing access to Google Analytics. Steps website owners need to take include:

  1. Have a Cookie Policy that clearly explains which cookies are in use on your website and what the cookies do. The policy should be kept up-to-date and should be easy to understand, even by those without a technology background. The cookie policy on the CookiePro site is a good example of one.
  2. Display a cookie banner when a user first lands on your site in order to gain consent for the use of cookies. The banner should provide a simple explanation about what the cookies are used for and provide a way for users to accept or reject the use of cookies. In order to have the greatest chance of staying compliant with GDPR and ePrivacy, websites should not drop cookies—other than those deemed strictly necessary—until after they have received permission to do so.

  1. Provide a way for users of your website to revoke their permission to store cookies. Revoking permission should be as easy to do as it was to give permission in the first place.
  2. Have a form that allows users to request the deletion of personal information.

In addition, website owners should take steps to control the information they are sending to Google. For example:

  • Website owners have to ensure they are not accidentally sending any personally identifiable information to Google, including addresses, email address, etc. If this is happening, they will have to take steps to stop it.
  • GDPR considers IP addresses as online identifiers. Because of this, you should turn on IP anonymization. Website owners can do this using the Google Analytics Tag Manager

CookiePro can help your use of Google Analytics be GDPR and ePrivacy compliant

CookiePro provides helpful tools for website users to make their use of cookies compliant with the GDPR, including cookies used by analytics programs such as Google Analytics. Services CookiePro provides includes:

  • A cookie checker that scans your website for cookies and lets you know exactly which cookies your site uses.
  • The ability to easily set up a banner and capture consent for cookies. The banner can be customized based on a template.
  • An automatically generated cookie policy based on the information gained from the cookie scan.
  • The ability to customize the cookie consent depending on whether the user is based in the E.U. or outside.
Onetrust All Rights Reserved