By now, you’ve probably heard all about GDPR, or the General Data Protection Regulation. This law, although governed by the European Union (EU), affects any business that collects data from people within the EU. Your business outside of the EU could still fall under the law, and if you operate online, it probably does.
And if you do have a website for your business, it’s probably one of the more than 28.8 million websites using Google Analytics to track website traffic. But if Google Analytics operates by tracking people coming to your website, is it compliant with GDPR rules?
Is Google Analytics GDPR Compliant?
Google has worked to ensure compliance with GDPR since the law’s beginning in 2018. Does that mean if you only use Google Analytics (GA) and no other data processors, you’re 100% safe? Probably not.
GA has several tools you can utilize to ensure compliance, including privacy settings and consent tools for visitors. Still, it’s up to you to ensure that every aspect of your site is compliant with GDPR, including how you use the information GA collects for you. Most importantly, you must obtain consent from your visitors to collect cookies before doing so.
You can learn more about the third-party auditing process for Google and its commitment to data protection here.
GDPR and Google Analytics Checklist
Compliance with GDPR falls mostly on the shoulders of the data controller (that’s you). You’re the one responsible for the tools you use on your site and for understanding how compliant they are. With GA among the most popular tools for website owners, it’s crucial to learn how to set up your account to protect your visitors’ data.
Fortunately, Google Analytics has several protections in place for website owners to control how the system collects and processes data. Use this checklist to get your site up to speed:
- Check Your Privacy Controls
Google Analytics offers several privacy settings that you have full control over. For example, you can log into your account to disable data collection for advertising features and advertising personalization. You can also alter your GA tag to keep all IP addresses that visit your site anonymous. There are also settings for data sharing, customizing cookies, and deleting user data. Whatever data you collect on your site visitors via Google Analytics should be disclosed in your privacy policy. Fortunately, there are many templates and tools you can use to create a compliant privacy policy for your website.
If you’re not sure where to start with Google Analytics privacy settings, it’s best to consult a GA expert. They’ll be able to configure your settings based on what you’re looking for to still allow the minimum requirements for analytics while keeping your site compliant.
- Use Consent Mode If Eligible
Consent Mode is a newer offering from Google. This beta feature is currently available to Google users who operate and/or advertise to consumers in Europe and would, therefore, be affected by GDPR. If you have it, use it.
The feature gives you two new tag settings that change the way GA behaves on your site based on user preference or for users in specific regions. Someone can choose not to consent to the use of cookies while they’re on your site, and your tag will pick up that preference and alter how GA tracks the visitor without harming your analytics. It just won’t gather any identifying data.
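An added example, not part of the original article or Google's own code: one way to wire the IP anonymization setting from the privacy-controls step together with the two Consent Mode tag settings (`analytics_storage` and `ad_storage`), so that storage starts denied and changes only on an explicit visitor choice. The property ID `UA-XXXXXXX-1` is a placeholder, and the shape of the banner's `choice` object is an assumption.

```javascript
// Added example (not from the original article). Runs in a browser or in Node.
// In a browser, Google's gtag.js loader script must also be included on the page.
// 'UA-XXXXXXX-1' is a placeholder property ID; the `choice` shape is hypothetical.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); } // same shim as the standard gtag.js snippet

// The two Consent Mode tag settings, keyed by the banner's purposes.
const CONSENT_KEYS = { analytics: 'analytics_storage', ads: 'ad_storage' };

// Map a banner choice to Consent Mode values. Anything other than an explicit
// boolean true (missing key, "yes", 1, null) is treated as a refusal.
function consentFromChoice(choice) {
  const state = {};
  for (const [purpose, key] of Object.entries(CONSENT_KEYS)) {
    state[key] = choice && choice[purpose] === true ? 'granted' : 'denied';
  }
  return state;
}

// Must run before any measurement command so nothing is stored before consent.
function initAnalytics(measurementId) {
  gtag('consent', 'default', consentFromChoice(null)); // default: everything denied
  gtag('js', new Date());
  gtag('config', measurementId, { anonymize_ip: true }); // anonymize visitor IPs
}

// Call from the consent banner when the visitor saves or changes preferences.
function applyChoice(choice) {
  const state = consentFromChoice(choice);
  gtag('consent', 'update', state);
  return state;
}

// Constructed walk-through: a visitor accepts analytics but not advertising.
initAnalytics('UA-XXXXXXX-1');
applyChoice({ analytics: true, ads: false });
```

The ordering is the part to check on a live site: the `consent` `default` command has to be queued ahead of `config`, otherwise the first page view is measured before the visitor's preference is known.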
- Understand How to Delete Data Upon Request
Your privacy policy should outline how you plan to delete data by request and how someone can go about requesting a deletion of the data you collect. Google Analytics allows you to delete data it stores, but not everyone knows how to do that.
If someone requests a deletion, you can log into your GA account and follow these steps to remove data from a specific timeframe during which you would’ve collected that person’s data:
- Click Admin > Relevant property
- Look in the Property column and click Data Deletion Requests
- Click Create Data Deletion Request
- Select the dates for the timeframe you’d like to delete
You can delete data for a specific user instead, but the process is a bit more complicated. Consult Google’s instructions for its User Deletion API to delete single-user data.
- Check and Recheck Your Privacy Policy
Your privacy policy is ultimately the most important part of GDPR compliance. Check with your attorney to make sure it outlines any type of collection you do, including data collected by Google Analytics. Keep it updated regularly, perhaps even setting a reminder to check and update it quarterly, and any time in between that you begin using a new service that collects or stores user data.
Ensuring GDPR Compliance for Your Business
Making your business GDPR compliant can take some time and an eye for detail to ensure that all your visitors are protected. ShareThis can help simplify the process with our free and easy-to-install Consent Management Platform. The tool allows your visitors to give their consent or rejection for cookie collection and edit their preferences at any time.