How to Get the Most From GA and Stay GDPR Compliant


Data analysts and marketers wonder whether they will still be able to use the full potential of Google Analytics (GA) when GDPR comes into effect. May 25 is almost upon us, and its imminent arrival is making business owners and data specialists nervous. However, there are not many issues to solve or changes to make in order to be GDPR compliant and still retain access to such a powerful data source.

You may have already read our GDPR Basics, a special checklist, and IO measures taken in the run-up to GDPR. Whether you have or you haven’t, it’s now time to dive deeper into the details and explore how these personal data protection rules will affect your work with Google Analytics.

Check What You Collect

1. GDPR states that only necessary data can be collected and processed. This means that if a person intends to sign up for your newsletter, he doesn’t need to give you his personal details like name/surname, age, gender, physical address, etc. So, you can minimize both the embedded forms and form fields.

2. Check to see if your websites currently collect personally identifiable information (PII). If they do, that is against GA Terms of Service, no matter whether you use Standard GA or its 360 version. Check your Page URLs, which can contain an ‘email=’ query string parameter, and your Page Titles. Note that filtering such information in GA is not allowed by GDPR, so you have to solve this issue at the website level.

Google’s guide to best practices of avoiding using PII is a must-read for every business.

3. Enable IP anonymization, as IP addresses are also considered to be PII. The reason is that Google uses the IP address to collect geo-location data.

Google Tag Manager users can turn on anonymization in ‘More Settings > Fields to Set’. Add a new field ‘anonymizeIp’ and set its value to ‘true’.

How to anonymize IP using Google Tag Manager

4. Don’t ask users for sensitive information unless you are dealing with a specific case allowed by GDPR. For example, you can’t conduct public surveys (even on Facebook pages) on political or religious topics, as if just one EU citizen votes for any option, you will no longer be GDPR compliant.

5. Audit your site for third-party add-ons and plugins which may collect data. Remove them if they do.
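Points 2 and 3 above can be handled together on the website itself. The following is an added example, not code from the original article: it assumes the site uses the analytics.js `ga()` command queue, and the parameter list and function names are hypothetical. It removes PII from the page URL and title, and enables ‘anonymizeIp’, before anything is sent to GA.

```javascript
// Added example (not from the original article): keep PII out of Google Analytics
// by cleaning the URL and title on the website before the hit is sent.
// PII_PARAMS is an assumed list; extend it with your site's own parameter names.
const PII_PARAMS = new Set(['email', 'e-mail', 'mail', 'phone', 'firstname', 'lastname']);
// Matches e-mail-like strings, with the @ literal or percent-encoded as %40.
const EMAIL = /[^\s\/?&=#]+(?:@|%40)[^\s\/?&=#]+\.[a-z]{2,}/i;

function redact(text) {
  return text.replace(new RegExp(EMAIL.source, 'gi'), 'REDACTED');
}

function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    // Drop a parameter if its name is on the list or its value looks like an e-mail.
    const isPii = PII_PARAMS.has(key.toLowerCase()) || EMAIL.test(value);
    if (!isPii) kept.append(key, value);
  }
  url.search = kept.toString();
  url.pathname = redact(url.pathname); // e.g. /profile/jane@example.com/orders
  url.hash = redact(url.hash);
  return url.toString();
}

// `ga` is passed in so the function can be exercised with a stub outside a browser.
function sendScrubbedPageview(ga, rawUrl, rawTitle) {
  ga('set', 'anonymizeIp', true);          // point 3: IP anonymization
  ga('set', 'location', scrubUrl(rawUrl)); // point 2: no PII in Page URLs
  ga('set', 'title', redact(rawTitle));    // point 2: no PII in Page Titles
  ga('send', 'pageview');
}

// In the browser:
// sendScrubbedPageview(window.ga, document.location.href, document.title);
```

Non-PII parameters such as campaign tags are kept, so campaign attribution in GA continues to work.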

Minimizing Data Collection in GA

1. Check whether or not you need Remarketing and GA Advertising Features. They help perform remarketing, segmenting and customizing audiences, sharing them to your linked Google accounts, etc. Collecting data for these purposes and remarketing are set in the ‘Property Column > Tracking Info > Data Collection > Remarketing or Advertising Reporting Features’.

If you need them turned on, according to GA Terms of Service and GDPR rules, you must disclose this in your privacy policy.

Note, when you turn on Remarketing, the Advertising Feature will be automatically turned on. They can’t work separately.

Turning on and off Remarketing and Advertising Feature in Google Analytics

You can also set the length of time personal data will be stored. Note that GDPR restricts keeping users’ data longer than your business actually needs to.

User and event data retention in Google Analytics

2. Continuing the previous point, if you use Advertising Features, you will also need an AdWords account. However, if you don’t need it, just don’t connect your Google AdWords account to the GA account.

3. Limit your settings for data sharing in your account settings. There are five points:

  • Google products and services.
  • Benchmarking.
  • Technical support.
  • Account specialists.
  • Give all Google sales experts access to your data and account.

Head to the Admin panel, select ‘Account > Account settings’. Untick all the variants you don’t actually need.

Access preferences in Google Analytics

4. Blocking specific EU countries may be a severe measure to take. Still, it is possible if the EU market is not your target one. This measure will fully eliminate any risk of being fined by controlling authorities for non-compliance with GDPR. However, your organic traffic, brand visibility, and user experience quality will decrease.

To block a specific country, go to the ‘Admin panel > Account > All Filters > Add Filter’. Then make your entries, as shown on the screenshot below, and save the changes.

Using country filters in Google Analytics

Privacy Policy Matters

Creating a GDPR compliant privacy policy requires putting the ‘Privacy by design’ idea at the top. It has to be understandable, clear, and exhaustive. Users have to see what personal data you collect and store, for how long, and for what purposes.

Check the following points:

  • Definitions of your privacy policy have to be clear to users.
  • What information is collected by your company?
  • How do you collect and store it, and which technologies do you use?
  • Do you cooperate with third-parties that use personal data?
  • What are your reasons for collecting and storing personal data?
  • How do you protect users’ data from unauthorized access, disclosure or loss?

Click here to find a detailed manual that will help you write a high-quality, extensive privacy notice that accords with GDPR.

When a new user comes to your website or signs up to a newsletter, he/she has to agree with providing you with his/her personal data.

Here are several examples of such blocks with tick boxes.

The Guardian

The Guardian GDPR compliant consent example


Royal Mail

Royal Mail GDPR compliant consent example

Check the detailed Dos and Don’ts from 1WL blog:

GDPR compliant dos and don'ts infographic

Also, like every company subject to GDPR, yours needs to have a Data Protection Officer (DPO). It makes sense to consult your DPO, or an EU representative if you cooperate with one, when creating a concise policy.

Finally, How Will Things Change for GA Users?

Although people tend to panic and exaggerate the scale of a tragedy, GA users will continue using the program in the same way they always have.

Be aware that marketing activities will become more narrow and focused. However, that doesn’t mean the end for segmenting audiences, precise customer targeting and, of course, market research.

You don’t need to have a separate consent to use Google Analytics, Remarketing, or Advertising Features.

The bottom line is that all you need to do is be respectful to users and their rights, to mention that fact in your privacy policy, and to narrow the focus of data collected by your company.

Keep in mind, this article is just a general overview of the changes that have to be implemented. Each separate business will have its own, specific activities and features. Please consult your DPO, or an EU representative, to make sure your work with Google Analytics fully aligns with GDPR.