Google Analytics GDPR Compliance Guide For Businesses

Teodor Stanciu, CIPP/E, CIPM

written by Teodor Stanciu, CIPP/E, CIPM June 28, 2023

Comply With the GDPR for Free
GDPR-Compliance-for-Google-Analytics-Users-01

In today’s digital marketplace, web analytics data is essential for online businesses, and Google Analytics (GA) is the most widely used web analytics platform.

But GA tracks data that qualifies as personal information under the General Data Protection Regulation (GDPR), a data privacy law from Europe, including cookie identification numbers or other online identifiers.

To avoid penalties for violating the regulation, your use of GA must comply with the data privacy requirements of the GDPR. So in this comprehensive guide, I’ll walk you through the steps you need to take to be on the right path regarding your GDPR compliance while using GA4, the current iteration of Google Analytics.

Table of Contents
  1. What Is the GDPR?
  2. What Is Google Analytics?
  3. Is Google Analytics (GA4) GDPR-Compliant?
  4. How Is Google Making GA4 GDPR-Compliant?
  5. How Do I Use GA4 In a GDPR-Compliant Way?
  6. How Does Google Consent Mode Work with Google Analytics?
  7. How Can Termly Help?
  8. Google Analytics and GDPR FAQ
  9. Summary

What Is the GDPR?

The General Data Protection Regulation (GDPR) is a data protection and privacy law from the European Union (EU) that took effect on May 25, 2018. It gives individuals in the EU and the European Economic Area (EEA) new rights over how businesses, public authorities, agencies, or even other natural persons handle their personal data.

Although the GDPR is an EU regulation, it applies to companies worldwide because it centers on the consumer’s location (or data subject as it is referred to in the GDPR), not the company.

This means the GDPR applies to businesses in the US and the rest of the world, and the fines for violating the GDPR are just as severe elsewhere as they are in Europe.

For more in-depth information, check out this thorough GDPR guide. Or, if you want a simplified summary, here’s our GDPR Guide for Dummies.

What Is Google Analytics?

Google Analytics is a free platform from Google that website or app owners can use to track the data and behavior of visitors.

The tracking process involves collecting data such as page views, what users clicked on, and how long they remained on your site. These essential statistics about how your users interact with your platform can assist with site optimization, increased sales, and other goals.

The current version is called Google Analytics 4 or GA4, but there have been different iterations of this Google service, which you can learn about in the table below.

Version Name Code Snippet Ended
Google Analytics 1 (GA1) Urchin Analytics urchin.js May 9, 2007
Google Analytics 2 (GA2) Classic Analytics ga.js April 2, 2014
Google Analytics 3 (GA3) Universal Analytics analytics.js July 1, 2023
Google Analytics 4 (GA4) Google Analytics 4 gtag.js Current version

Google Analytics places internet cookies on users’ browsers containing a unique identifier or cookie ID. Under the GDPR, cookie IDs qualify as personal data because they can be used to directly or indirectly identify an individual.

Past versions of the service also tracked and logged IP addresses, another piece of personal information according to the GDPR.

By default, GA4 anonymizes IP addresses and only provides coarse geo-locations. However, some Member State Data Protection Authorities (DPAs) are still investigating if this provides adequate protection (I’ll talk more about Member State adequacy decisions later in this guide).

Either way, if you use Google Analytics, you’re considered the data controller under the GDPR, and Google is your data processor. Both data controllers and processors are subject to numerous legal obligations, which we discuss in the next section.

Is Google Analytics (GA4) GDPR-Compliant?

Although Google designed its Analytics platform to be GDPR-friendly, you can unintentionally or intentionally use it in a manner that violates the regulation. However, it seems that Google has taken steps to ensure that GA4, as a platform, satisfies GDPR rules.

I’ll focus on how Google Analytics cookies can either comply with or violate parts of the GDPR and mention some Member State ruling on the matter throughout this next section.

Google Analytics and Internet Cookies

Google Analytics 4 leaves cookies on your users’ browsers, and those cookies are subject to the strict data processing requirements outlined by the GDPR.

However, GA4 relies on fewer cookies than other iterations of this service. It only uses the following:

  • _ga — this cookie is used to distinguish users and has a 2-year default expiration time
  • _ga_<container-id> — this cookie is used to persist the user’s session state and has a 2-year default expiration time

Still, implementing these Google Analytics cookies must comply with the GDPR if you target individuals in the EU/EEA.

This means you must obtain opt-in consent from each individual before these cookies get placed on their browsers, or else you’re violating the regulation.

If users opt out of the cookies, this preference must be respected; therefore, you cannot put them on their browsers.

GDPR Rulings About Google Analytics

Data Protection Authorities from several EU Member States have already made statements regarding the legality of using Google Analytics under the GDPR.

Let’s discuss the compliance rulings from those countries in greater detail.

Austria

In 2022, the Austrian Data Protection Authority (DPA), Datenschutzbehörde, announced that a website’s use of Google Analytics violated the Schrems II ruling from 2020.

The Schrems II case invalidated the EU-US Privacy Shield Framework, which had previously fostered the international transfer of personal data between the US and EU/EEA Member States.

This decision was based on the potential for the US government to access personal data after it’s transferred to US servers without adequately informing individuals from the EU/EEA and no real control of the latter over the processing of their personal data, a direct breach of the GDPR.

While no new framework has been approved or agreed upon, the ruling upholds contractual obligations. It now requires companies to determine on a case-by-case basis whether adequate protections in place meet the GDPR standards regarding the transfer of personal data to a country outside the EEA. What is more important, companies must also assess whether the applicable law in the country of destination is against the GDPR requirements.

In the case of the Austrian website, anonymizing the data was called insufficient because the process likely happened after the data reached US servers, not before.

They also found data encryption insufficient because the US government could gain access to the key.

Denmark

In Denmark, the DPA, Datatilsynet, announced in 2022 that they’re monitoring the Austrian decision against Google Analytics.

The group investigated Universal Analytics and GA4 and later released guidelines regarding using the service.

France

France’s DPA, the Commission nationale de l’informatique et des libertés (CNIL), determined that a website’s use of Google Analytics violated Article 44 of the GDPR in February 2022.

This ruling was again due to transferring of data internationally to a country without adequate privacy protections.

CNIL later updated its guidelines for using Google Analytics and suggested using a proxy server, which is available here in French.

Italy

In June 2022, Garante, the Italian DPA, found that a website’s use of Google Analytics violated the GDPR due to the international transfer of data to a country without adequate privacy protections.

The decision directly referenced IP addresses, which Universal Analytics collected at the time.

However, since then, GA4 has replaced Universal Analytics, and Google has stated that GA4 doesn’t track or log IP addresses.

But, like the other Member States, it also references the US government’s ability to access the information without properly informing the EU/EEA data subjects.

The Netherlands

In the Netherlands, at least two separate complaints regarding international data transfers and Google Analytics are under investigation by the data protection authority, the Autoriteit Persoonsgegevens.

Both complaints reference the same issues that Austria, Italy, and France brought up, and the investigations are ongoing.

Norway

In March 2023, the Norwegian DPA, Datatilsynet, also found the international transfer of personal data via Google Analytics violated the GDPR.

The DPA recommends websites seek an alternative to the service and say to expect a formal decision regarding Google Analytics sometime later in 2023.

How Is Google Making GA4 GDPR-Compliant?

Google has expressed its commitment to compliance with privacy laws such as the GDPR and has detailed how it practices this commitment.

They’ve also introduced and fully implemented Google Analytics 4, a privacy-focused analytics approach that replaced the previously available Universal Analytics — Universal Analytics 360 properties will stop processing new hits as of October 1, 2023.

I’ve summarized Google’s privacy practices for you here:

  1. The GDPR mandates a legal relationship between the data controller and processor. Google Analytics provides this through its terms and conditions, which explain the data processing terms and the controller–processor relationship.
  2. The GDPR has strict data security requirements, which Google strives to achieve through state-of-the-art data protection systems and by maintaining internationally recognized security certifications.
  3. The GDPR stipulates that data processors must help controllers identify and report any data breach to the relevant supervisory authority and their users. Google facilitates this through its 24/7 incident management program.
  4. The GDPR requires Privacy by Design as the default approach to building sites and software and necessitates Data Protection Impact Assessments. Google incorporates both of these concepts into its privacy practices.
  5. The GDPR lists data minimization as one of its core tenants. You should only collect essential data and retain it only as long as necessary for the original purpose it was collected. Google Analytics complies with this data retention requirement by affording website owners control over how long user data is stored.

How Do I Use GA4 In a GDPR-Compliant Way?

In the context of the GDPR, you, the website owner collecting personal information from users, are the data controller. This means it’s your responsibility to ensure that your use of Google Analytics complies with the GDPR.

To legally achieve this, you must take all of the following steps.

Step 1: Obtain Consent to Collect Personal Data

Obtaining user consent is one of the lawful bases for processing personal data under the GDPR, and you’ll need explicit opt-in consent from your users to use Google Analytics in a compliant way.

Google acknowledges this directly in their Analytics Help section, screenshotted for you below.

Google-Analytics-Help-section

For user consent to be valid under the GDPR, it must meet the legal definition as described by the regulation and be:

… “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

To comply with the GDPR consent rules, you must obtain affirmative, opt-in consent and provide opt-out options regarding your use of GA4 so your users can easily change their minds at any time.

To achieve this, set up a properly configured pop-up consent banner on your website that includes a live link to your privacy and cookie policies. Ensure that your privacy policy clearly explains that you use Google Analytics using language that is easy to read and understand.

You should also list all cookies GA4 places on users’ browsers in your cookie policy.

Give your users the option to agree to your use of Google Analytics or to deny the cookies altogether and the possibility to withdraw their consent at any time. You can also allow them to customize what they opt into and out of, more specifically, if you’d like. But don’t use pre-checked boxes, as those aren’t compatible with the GDPR.

For complete compliance, ensure no data processing occurs unless your users agree to it, and ensure the processing occurs only after consent is obtained.

Step 2: Pseudonymize Google Analytics User IDs

Another method of complying with the user privacy recommendations of the GDPR is to pseudonymize user IDs.

It is, however, important to underline that pseudonymized data still falls under the definition of “personal data” under the GDPR. In other words, compliance with GDPR is still necessary and of utmost importance.

Pseudonymization is a process in which a data item gets scrambled so that it can no longer link to the associated individual without additional data. You can achieve this by using an algorithm to replace the actual data with other details (i.e., pseudonyms).

Within Google Analytics, you can use an element named “user-id” to track and link a single user’s data across several sessions and devices. Combining such data associated with a single user improves the accuracy of GA data and analysis.

However, this accurate tracking relies on user IDs that qualify as personal data, as you can use them to identify individual users.

While pseudonymizing these IDs may lead to slightly less accurate conversion data, it’s worthwhile to comply with the GDPR and avoid receiving hefty fines.

Step 3: Don’t Retain Data for Longer Than Necessary

Like many data privacy laws, the GDPR mandates that you only store personal data for as long as necessary for the original collection purpose. So your data retention policy when using GA must comply with this facet of the regulation.

Fortunately, this feature is built into GA4, as you can choose between two retention options:

  • 2 months
  • 14 months

Review and set your data retention period to the lowest required for your operations.

Step 4: Provide a Privacy and Cookie Policy

The GDPR provides users in the EU/EEA with several fundamental rights, including the right to be fully informed. This means you’ll need to provide those users with an accurate GDPR- compliant privacy policy and cookie policy so they can read through your data processing practices.

Specifically, the GDPR data subjects have the right to know what personal information is collected from them, how it’s used and for how long, who it’s shared with, and the legal basis for doing so.

You must also explain how users can act on these rights and what data you share with Google (plus any other third parties).

Since cookies are also considered personal information, you must mention them in your privacy and cookie policies to comply with the GDPR.

GA4: Not Necessary to Anonymize IP Addresses?

When Universal Analytics was still around, it was necessary to anonymize IP addresses to remain compliant with the GDPR.

However, GA4 took over Universal Analytics as of July 1, 2023. According to Google, GA4 does not log or store any IP addresses, making IP masking unnecessary.

An IP address is a unique code that identifies each device connected to the internet.

Technically, the GDPR considers IP addresses to be personal data, so processing this information would otherwise be subject to all requirements explained in the regulation.

In 2020, Google introduced Google Consent Mode to give website owners more control over their ad and analytics cookies concerning user consent choices.

To access all of its features, you must use a compatible Consent Management Platform (CMP) on your website like Termly’s — we’re officially a Google CMP Partner.

Here’s how it works — when consumers visit your website for the first time, a consent banner asks if they’ve read and agree to your privacy policy and cookie policy. The individual’s choice is then communicated to GCM via g-tags.

If users opt in and give consent, the analytics cookies are placed on their browsers as usual. However, if they deny consent, the g-tags update, and no cookies are placed on their browsers. Instead, GCM applies smart AI data mapping technology to prevent gaps in your conversion data.

Consent Mode currently works with the following Google services:

  • Google Analytics
  • Google Ads
  • Floodlight
  • Conversion Linker

What Will Happen to Google Analytics After the Cookiepocalypse?

If you haven’t heard, the Google Chrome browser will stop supporting third-party cookies sometime in 2024, an event the internet is calling the cookiepocalypse.

How will this impact Google Analytics 4, especially since it uses cookies to provide accurate data about how consumers interact with your site?

I think it’s pretty apparent that Google Consent Mode is Google’s answer to the cookieless future.

The fact that it uses g-tags (not cookies) to communicate an individual’s consent preference setting and applies AI-data mapping technology to fill in data gaps suggests that this is the future of analytics technology online.

How Can Termly Help?

Termly can help you use Google Analytics and comply with the GDPR by offering you our lawyer-vetted tools, including:

When appropriately configured, our CMP seamlessly integrates with Google Consent Mode so you can use Google Analytics while still honoring the consent choices of your users.

Plus, our policy generators ask you the appropriate questions to ensure that adequate clauses and details appear in your privacy and cookie policies so you fully comply with the regulation.

The best part? You can manage everything all in one place, right from your Termly Dashboard.

We take care of the complex parts of privacy compliance so you can provide your consumers with a safe, legally compliant experience online.

Google Analytics and GDPR FAQ

Below, I answer some of the most frequently asked questions Termly gets about Google Analytics and GDPR compliance.

Is Google Analytics GDPR-compliant?

Google Analytics is not necessarily GDPR-compliant by default — you’ll have to take some extra steps, like providing a compliant privacy policy and cookie policy and obtaining explicit, opt-in user consent before any of the GA cookies activate. It is also important to highlight that compliance with GDPR is a continuous work in progress.

Does Google Analytics collect personal data?

Google says Google Analytics does not collect “personally identifiable information” or PII. However, it does leave cookies on browsers, which the GDPR considers personal information.

So you’ll need to take steps to obtain user consent and adequately communicate your use of cookies to achieve full GDPR compliance.

What cookies does Google Analytics Use?

Google Analytics 4 uses the following first-party cookies:

  • _ga — this cookie is used to distinguish users and has a 2-year default expiration time
  • _ga_<container-id> — this cookie is used to persist the user’s session state and has a 2-year default expiration time

Can Google Analytics work without using cookies?

Yes, if you enable Google Consent Mode, you can use Google Analytics without relying on cookies, as it will allow your website to run based on the consent state of your users. This is because g-tags, not cookies, communicate the consent choices of your users to GCM.

What are the alternatives to Google Analytics?

Some alternatives to Google Analytics include the following:

  • Adobe Analytics
  • Matomo Analytics
  • Plausible Analytics
  • Fathom Analytics
  • Hotjar
  • Clicky

Does Google Analytics comply with other data privacy laws?

Yes, you can use Google Analytics and comply with other data privacy laws. However, you must communicate about using GA in your privacy policy. Under laws like the California Consumer Privacy Act (CCPA), you must also respond to consumer opt-out and data limitation requests.

Do other analytics platforms comply with the GDPR?

When configured properly, you can use other analytics platforms in a compliant way under the GDPR, including:

  • Simple Analytics
  • PostHog
  • Fathom Analytics
  • Matomo Analytics

Summary

Google Analytics is an essential data tool for businesses, but using it in a way that complies with the GDPR means taking some extra steps.

Data Protection Authorities in the EU/EEA are still debating the legality of international data transfers regarding Google Analytics and whether GA4 adequately anonymizes IP addresses.

So it’s vital you take all necessary actions to prove that you’re using this service in a GDPR-compliant way.

At the very least, you’ll need to present your users with an accurate privacy and cookie policy, explain your use of GA4, and ask for consent before placing any analytics cookies on their browsers and, at the same time, give users the possibility to withdraw their consent at any point in time.

You could do it all yourself, but why not let Termly help? We offer a Privacy Policy Generator and a comprehensive Consent Management Solution to help you stay on the right side of the GDPR and several other major data privacy laws.

Teodor Stanciu, CIPP/E, CIPM
More about the author

Written by Teodor Stanciu, CIPP/E, CIPM

Teo is a Data Privacy Specialist and experienced Data Protection Officer (DPO) who is passionate about helping companies meet their data protection obligations. He has an experience of more than seven years as a DPO for an international organization active in 50 countries and based in Brussels, Belgium. Teo is a Certified Information Privacy Professional/Europe (CIPP/E) and Certified Information Privacy Manager (CIPM) with the International Association of Privacy Professionals (IAPP).

More about the author

Related Articles

Explore more resources