GDPR and Google Universal Analytics (UA)

Editor's Note: Google Analytics 4 will phase out Univeral Analytics on July 1, 2023, and Univeral Analytics 360 on October 1, 2023. For more information on GA4 features and how this will affect you, check out our article: GDPR and Google Analytics 4 (GA4)

The General Data Protection Regulation (GDPR) is very clear that any collection or processing of personal data from residents of the EU is to be regulated by its rules.

A common point of confusion when it comes to GDPR compliance is the use of third-party services that collect or use personal data, such as Google Analytics.

Some website owners think that since it's Google Analytics, not their website itself, which is collecting and using personal data, that the website itself need not be compliant with the GDPR.

This couldn't be further from the truth, and here's why:

By using a third-party service that collects or processes personal data on your website, your website is collecting and processing the personal data of its users. This means you must be fully compliant with the GDPR.

So, if you use Google Analytics (or other similar services) and have users within the EU, you must be compliant with the GDPR.

In this article we will discuss the relationship between Google Analytics and the GDPR, including what has changed for those who used Google Analytics prior to the enforcement of the GDPR.

Changes to Google Analytics with the GDPR

While Google Analytics itself has had to make changes in order to remain compliant, the ways in which you use Google Analytics likely also need to change.

Here are some of the changes and what you'll need to do to comply with them:

IP Addresses under the GDPR

While anonymizing IP addresses has always been best practice, the GDPR is turning that into a requirement for the first time in many countries.

The reason why is because although IP addresses are not stored in Google Analytics or accessible by normal clients, employees within Google could access this information. As such, even though you yourself do not have access to this information, you must anonymize it so that it is not accessible by anyone else, either.

Fortunately, Google is aware of this technicality and provides a simple JavaScript solution that can be used to anonymize the IP addresses of your users immediately after the IP address is received.

The last several digits are replaced by zeros, making the IP address less specific, without losing much accuracy in geographic reporting. Here's how Google shows this in a helpful diagram:

It is possible that this specific technicality could be solved by upcoming ePrivacy Regulations, but for now it is safest to anonymize IP addresses in Google Analytics with the JavaScript tag.

Long URLs under the GDPR

Long URLs are a type of web address that may result from certain data being entered in a form or registration.

Say, for example, a user registers for a sweepstakes on your website with the following information:

• Age
• City
• Automobile make and model

The resulting URL that user is redirected to may look something like this:

This URL could potentially be used in Google Analytics to link with the user who visited it and deduce the identity of that anonymous user. Even though it would take some detective work to use that information to identify a person, the fact that it is possible is enough to warrant protection under the GDPR.

Therefore, long URLs such as these should be shortened so that they do not contain such information in any decipherable form.

Client ID in Google Analytics

Client ID is an option in Google Analytics that is used to track browser instances to distinguish between repeat and new visitors. Similar to IP addresses, this seemingly non-important piece of information could in some cases be used to identify specific data subjects.

Under the current ePrivacy Regulations and the GDPR, it is safest to turn this option off.

User ID in Google Analytics

The User ID feature in Google Analytics is a more obvious no-no which can be used to track a data subject across multiple devices and visits. This optional feature could be used as a unique identifier and should not be used.

If you currently have this feature activated, you should deactivate it and clear your data that includes it. Again, this is the safest option to avoid any potential repercussions under the new regulations of the GDPR.

Opting-in and opting-out

Under the GDPR, it is now required that you obtain clear consent from your users before using cookies or collecting their data.

It is no longer acceptable to simply inform them that you have a Privacy Policy and expect them to go read it before using your site. They must confirm they accept your policies by clicking or checking a box or button that says they agree or consent.

Google Analytics relies on cookies for much of its functionality. This means that if you use Google Analytics and fall under the jurisdiction of the GDPR, you must acquire consent from your users before allowing Google Analytics to send cookies to them.

The methods of obtaining consent are more specific and strict under the GDPR than under previous privacy laws, so make sure your website and your third-party services are obtaining proper consent from your users.

Here's an example of a cookies consent notice from HPE. Note how it requires users to click a Continue link to consent to the use of cookies. It also provides information for how to change preferences or opt out:

Storage of Personal Data in Google Analytics

According to both the Google Analytics Terms of Service and the GDPR, you must not store personally identifiable information within Google Analytics.

Google discusses these requirements in a Privacy clause within its Terms of Service:

Google Analytics is intended to provide you with general information about your traffic and users, but should not be used to collect information that could identify individuals by their activity on your website.

Your account should not have usernames, email addresses, or phone numbers that could be used as custom identifiers. Your custom dimensions should also not include information such as zip codes, as this could be used to identify relatively small groups of users.

Account information should be anonymous and used to get a big picture of your business, not as a way to specifically target individuals or small groups.

You could face a deletion of your Google Analytics account for breaching the Terms of Service in addition to fines for breaking the GDPR if you are not compliant with these rules.

In short, do not store personally identifiable information within Google Analytics. This data should be anonymous and certain features should not be used if you have users in the EU as they conflict with the guidelines of the GDPR.

Data Erasure

Under the GDPR your users have the right to data erasure. What this means is, your users have a right to request that you delete and cease processing any personally identifiable information that you have about them.

Similar to opting-out, this gives users the right to change their mind about allowing the collection and use of their data.

If you've done things right up to this point, you should be unable to determine the identity of any of your data subjects within Google Analytics, thus making it impossible and unnecessary to delete that user's information as it is completely anonymous and non-identifiable.

This is the goal. By not storing any personally identifiable information within Google Analytics, you are compliant with their Terms of Service and avoiding potential conflicts with the new standards of the GDPR.

Subject Access Requests

As you now know, your Google Analytics account should contain only anonymous information, making it impossible to fulfill a subject access request from a specific individual. If your data in Google Analytics is truly anonymous and free of any identifying information, yyou should be unable to link a real person to an anonymous data subject within your account, which is the goal.

Note that the right to data erasure and subject access requests may still apply to other facets of your business or organization, but your Google Analytics account should not contain any information that could be used to identify an individual or small group.

Remember, even seemingly nondescript information like IP addresses or zip codes, as discussed previously, could be used to narrow down a data subject to a single person or small group. The new regulations under the GDPR are more strict and unambiguous about what information is considered identifiable.

Simply put, if a piece of information could be used to connect an anonymous data subject to a real person, it qualifies as identifying information. This is true no matter how hard it would be to make the connection. If it is at all possible to make that connection, it qualifies as personally identifiable information which should not be included in Google Analytics.

Conclusion

If you're using Google Analytics, make sure to familiarize yourself with the Terms of Service, as well as GDPR requirements. While Google Analytics is still a strong tool for keeping track of website metrics, you'll likely have to make some adjustments to the way you use the service if you fall under the scope of the GDPR. The focus should be on keeping the analytical information you collect as anonymous and minimal as possible.