How the New EU GDPR Law Affects Google Analytics and Your Business

As you have probably noticed, many websites are updating their privacy policies, and they’re letting you know! These emails are being sent out in response to new laws in the EU regarding data protection that affect any organization associated with the EU or its residents.

The GDPR (General Data Protection Regulation) that went into effect on May 25, 2018, has many implications for people in and outside of the EU. Many companies operate across borders and must alter their policies to reflect the new regulations. Google Analytics is one of the many programs that is affected by these new laws. If you use Google Analytics for your business, stay tuned to see how new regulations affect you and the steps you can take to become GDPR compliant while using Google Analytics.

  • TLDR; What is GDPR?
  • How does this Apply to Google Analytics?
  • Steps to Become Compliant

TLDR; What is GDPR?

GDPR went into effect on May 25, 2018, in order to protect user data in the EU. This means that personal data cannot be harvested and used to target specific users. Companies and websites found guilty of this will be subject to a fine of €20 million or 4% of worldwide revenue.

GDPR has effects even outside the EU if you provide goods or services to any EU citizens.

Analytics tools are particularly affected by GDPR because the definition of “personal data” has expanded to include IP addresses, cookie identifiers, and GPS location. Although this data could technically be nonspecific, it could be used in conjunction with other methods to identify users.

Websites have to be transparent about what data they would be receiving from a user, and the consent has to be obtained actively. All EU users now have a right to request that their personal data be erased and therefore forgotten by a website.

Basically, laws regarding data and tracking are changing, and it is important to make sure your website is GDPR compliant.

How does this Apply to Google Analytics?

While Google Analytics does not technically collect personal data, the new definition under GDPR means that a lot of their tracking can be considered to be in violation. If you want to continue having access to the same data you were offered before through Google Analytics, you will have to provide a notice to your visitors and gain explicit permission.

Data processing is changing, so new data processing agreements, or DPAs, need to emerge.

While GDPR is affecting what data can be gathered from users, it also affects data retention. Now, users have the opportunity to request that their data be deleted, and companies must comply. This means that Google Analytics will soon be coming out with a new tool to facilitate the process of deleting user data.

The changing nature of analytics means that programs that can target people based on their prior searches are also affected. While Google can control data processing of its search, YouTube, and Gmail features, individual websites are responsible for obtaining consent for third-party applications such as AdWords, AdMob, etc.

Google is proposing that they will begin using non-personalized ads for people who refuse to have their data tracked.

Overall, Google Analytics can technically still be used as long as data is being used purely for tracking website performance. Data cannot be used, however, for commercial purposes such as user profiling, targeting ads, etc.

Steps to Become Compliant

Most people are intimidated by the hefty fines proposed for violations. If you are concerned about whether or not your website is compliant with GDPR, you can seek out a lawyer for help. Here are some steps you can take on your own to make your website align with GDPR:

1) Filter Your Current Data

While Google Analytics agreements always prohibited collection of personally identifiable information (PII), this transition into new data processing agreements could be a great time to go through your existing data. Some things to look out for during this process:

  • Page URLs, titles, and data dimensions: If you capture a page URL that contains an “email=” query string, then you could be collecting emails and accidentally leaking them to other parties. Emails are considered personal data, and while it is still okay to have an email list for subscribers who personally consented to it, it is a violation to store email information and leak it to other programs.
  • Forms: If you have forms that users can fill out on your website, make sure that information collected is not PII.

Google Analytics offers filters to filter out PII, but that is not enough to be compliant. You must program your website so that it neither collects this information nor sends it to Google Analytics in the first place.
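One way to keep emails out of the page path before it ever reaches Google Analytics is to clean the URL in the browser. The code below is an added example, not code from Google or from this article's author; the parameter names in PII_PARAMS and the sample URLs are assumptions to adapt to your own site.

```javascript
// Added example: strip personal data from a page URL before reporting it.
// PII_PARAMS is an assumed list; add the parameter names your own forms use.
const PII_PARAMS = new Set(["email", "e-mail", "mail", "name", "phone"]);

// Email-shaped text, with "@" either literal or percent-encoded as %40.
const EMAIL_RE = /[^\s\/?&=#@]+(?:@|%40)[^\s\/?&=#@]+\.[^\s\/?&=#@]+/g;

function scrubPageUrl(rawUrl) {
  const url = new URL(rawUrl);
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    // Drop parameters that are known to carry personal data.
    if (PII_PARAMS.has(key.toLowerCase())) continue;
    // Redact emails hiding in any other parameter, e.g. a search box value.
    kept.append(key, value.replace(EMAIL_RE, "REDACTED"));
  }
  // Emails can also sit in the path, e.g. /unsubscribe/jane%40example.com
  const path = url.pathname.replace(EMAIL_RE, "REDACTED");
  const query = kept.toString();
  // The fragment (#...) is dropped; only path and cleaned query are reported.
  return query ? `${path}?${query}` : path;
}

// Typical use with gtag.js ("GA_MEASUREMENT_ID" is a placeholder):
// gtag("config", "GA_MEASUREMENT_ID", { page_path: scrubPageUrl(location.href) });
```

Page titles and custom dimensions need the same treatment if they can contain user input.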

2) IP Anonymization

IP addresses are now considered PII since they can be used for geo-location data. Google Analytics offers an IP anonymization option, and it requires that you make changes to your website code.

The feature functions by removing the last octet of an IP address before it is stored and processed. This will reduce the accuracy of any geographic data reporting, but it is necessary to become GDPR compliant.

3) Pseudonym Identifiers and Updating Privacy Policies

Through Google Analytics, you already had the option of using pseudonym identifiers. These are:

  • User ID: This is usually an identifier that is never in plain text.
  • Hashed or encrypted data
  • Transaction ID

These identifiers are technically GDPR compliant, but it is important that you update your Privacy Policy to inform users about what kind of data is being collected and how it is going to be used. You must gain explicit permission from users, which means you cannot use overly technical terms and must be straightforward about what information you have access to.

Here are some questions to consider when writing your new, clearer Privacy Policy:

  • What information are you collecting?
  • Why are you collecting it?
  • How is it going to be used?
  • Who will have access to it?

4) Allow people to opt in or out

If you are planning on collecting information beyond what is permissible through GDPR, you have to gain explicit consent. Unlike the notices that pop up notifying people about cookies, newer consent practices involve more active measures.

One of the most common ways this has been implemented is through a notification that asks for permission and then reloads the page if permission is granted. There are also other widgets you can download that would install these pop-ups for you.

If you are using your Google Analytics to generate user profiles or targeted advertisements, you must give users the option to opt out.

Every time you do get consent from a user, make sure to use Google Analytics to track it as an event so you can prove your GDPR compliance.
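The opt-in flow from this step, combined with the IP anonymization setting from step 2, can be wired together as follows. This is an added example, not code from Google or from this article's author: createConsentGate, the storage key, the "consent_granted" event name, and the "GA_MEASUREMENT_ID" placeholder are assumptions, and gtag is your site's own gtag.js function passed in as an argument.

```javascript
// Added example: Google Analytics stays silent until the visitor opts in.
// `storage` is window.localStorage (or anything with getItem/setItem).
const CONSENT_KEY = "analytics_consent"; // assumed storage key

function createConsentGate(storage, gtag, measurementId) {
  let started = false;

  function start() {
    if (started) return; // never configure twice on one page
    started = true;
    // anonymize_ip asks Google Analytics to mask the visitor's IP address.
    gtag("config", measurementId, { anonymize_ip: true });
  }

  function decision() {
    try {
      const saved = JSON.parse(storage.getItem(CONSENT_KEY));
      return saved && typeof saved.granted === "boolean" ? saved : null;
    } catch (_) {
      return null; // unreadable value: treat the visitor as never asked
    }
  }

  // Call on every page load. Returns true when the notice must be shown.
  function init() {
    const saved = decision();
    if (saved && saved.granted) start();
    return saved === null;
  }

  // Call from the notice's Accept / Decline buttons.
  function record(granted) {
    const entry = { granted, at: new Date().toISOString() };
    storage.setItem(CONSENT_KEY, JSON.stringify(entry));
    if (granted) {
      start();
      // Log the opt-in as an event so the consent can be evidenced later.
      gtag("event", "consent_granted", { event_category: "gdpr" });
    }
  }

  return { init, record, decision };
}
```

A declined choice is stored too, so the notice is not shown again and no hit is sent on later page loads.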


GDPR may seem intimidating, but you can take your own steps to ensure you are being GDPR compliant.
