GDPR and Google Analytics – Privacy Concerns and Compliance Steps

Google Analytics is a popular analytics solution. The main concern with it is that it stores users' personal information, such as data on EU citizens, on its infrastructure hosted in the US.

As a US-based organization, Google is subject to US regulations in areas like monitoring and information access, which can be less stringent than GDPR. This creates a privacy concern for EU citizens who use Google Analytics, as their data is not being stored in accordance with GDPR.

The General Data Protection Regulation (GDPR) is a new EU data protection law that came into effect on May 25, 2018. It strengthens EU data protection rules by giving individuals more control over their personal data and establishing new rights for individuals.

What Personal Information is Collected by Google Analytics?

In its terms, Google Analytics says that it works to avoid collecting PII (personally identifiable information). The information collected includes online identifiers (information indirectly related to a user's attributes that can be used to identify an individual) such as IP addresses, user ID, client ID, visited pages, browser fingerprints (browser software and version) and operating system version. Cookie identifiers are not considered PII by Google Analytics.

How to Ensure Google Analytics is GDPR Compliant?

To use Google Analytics in compliance with GDPR, follow the checklist below:

Update Your Policies

You must include specific information about any Google Analytics cookies and other tracking technologies in use on your website in your privacy policy.

A website's privacy policy is a statement or document that discloses how the website collects, uses, and shares PII from its users. The policy should also disclose the contact information of the website's data protection officer if one has been appointed.

In cases like this, you must reveal the data processor on your site. Ensure that your privacy policy fully discloses all data processors on your website, including the reasons you gather information and the types of information you collect and whom you share it with.

IP Anonymization

According to the EU/UK GDPR, an IP address is personal data. By default, IP addresses are not revealed in reports. However, Google uses them to provide geolocation information.

Enable IP anonymization in your Google Analytics account settings. This will replace the last octet of user IP addresses with zeroes in reports, which will protect their identities. Make sure you are familiar with the other ways to collect data from users that fall under 'special categories of personal data' (such as health information), as outlined in Article 9 of the GDPR.
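The same truncation can be applied to addresses your own site logs or forwards, so that unmasked IPs are not kept elsewhere. This is an added example, not code from Google or from the original article; the function names are hypothetical, the sample addresses in the comments are constructed, and the IPv6 rule (zero the last 80 bits, as Google documents for Universal Analytics) goes beyond the IPv4 case described in the text.

```javascript
// Zero the last octet of an IPv4 address, e.g. 203.0.113.57 -> 203.0.113.0.
function maskIPv4(ip) {
  const parts = ip.split('.');
  const valid = parts.length === 4 &&
    parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) return null;
  parts[3] = '0';
  return parts.join('.');
}

// Expand an IPv6 address to eight 16-bit groups, or return null if malformed.
// IPv4-mapped forms (::ffff:192.0.2.1) are rejected here rather than guessed at.
function expandIPv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) return null;            // more than one "::"
  const compressed = halves.length === 2;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = compressed && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (compressed ? missing < 1 : missing !== 0) return null;
  const fill = Array(compressed ? missing : 0).fill('0');
  const groups = [...head, ...fill, ...tail];
  return groups.every(g => /^[0-9a-fA-F]{1,4}$/.test(g)) ? groups : null;
}

// Zero the last 80 bits of an IPv6 address: keep the first three groups (/48).
function maskIPv6(ip) {
  const groups = expandIPv6(ip);
  if (!groups) return null;
  const kept = groups.slice(0, 3).map(g => parseInt(g, 16).toString(16));
  return kept.join(':') + '::';
}

// Returns the anonymized address, or null for anything that is not a valid IP,
// so the caller drops the value instead of storing it unmasked.
function anonymizeIp(ip) {
  const value = String(ip).trim();
  return value.includes(':') ? maskIPv6(value) : maskIPv4(value);
}
```

Returning null on malformed input makes the helper fail closed: a caller that cannot mask a value should discard it, not log it as received.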

Pseudonymize Google Analytics User ID

User ID in Google Analytics is a unique, randomly generated number assigned to each user and stored in cookies. It allows you to track sessions and interactions across multiple devices.

To pseudonymize your User ID in Google Analytics, go to the admin panel of your account and, under ‘user management,’ select ‘user IDs.’ Click on ‘edit’ for the user you want to pseudonymize and check the ‘pseudonymize’ box.

Website Audit / GDPR Penetration Testing

Security and privacy concerns must be identified not just for Google Analytics processing but across the whole website, so that you can cover all gaps.

Penetration testing will uncover hidden vulnerabilities in your web applications, networks, systems or APIs. This will help your organization comply with GDPR or related privacy regulations and help demonstrate a strong commitment to the security and privacy of data.

Google Analytics provides several options to eliminate PII from web requests: excluding URL query parameters, adjusting data retention settings, or scheduling data deletion requests. The new GA4 default data retention time is two months, whereas the default option for all properties in Universal Analytics is 26 months.
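Query parameters can also be stripped on your side, before the page URL is handed to the analytics tag, so PII never leaves the browser. This is an added example, not code from Google or the original article; `scrubUrl`, the parameter list and the `site.example` base are assumptions, and the URLs in the comments are constructed.

```javascript
// Query-parameter names treated as PII: an assumption, extend it for your site.
const PII_PARAMS = new Set(['email', 'name', 'phone', 'user', 'token']);
// Loose e-mail pattern used to catch PII hidden in values or path segments.
const EMAIL_RE = /[^\s@\/]+@[^\s@\/]+\.[^\s@\/]+/;

// Decode a URL component without throwing on malformed percent-escapes.
function safeDecode(text) {
  try { return decodeURIComponent(text); } catch { return text; }
}

// Returns the path + query that is safe to report, plus the parameter names
// that were dropped. The fragment (#...) is never included in the result.
function scrubUrl(rawUrl, base = 'https://site.example') {
  const url = new URL(rawUrl, base);
  const removed = new Set();

  // Drop parameters by name, and any parameter whose value looks like an
  // e-mail address (searchParams yields values already percent-decoded).
  for (const [key, value] of url.searchParams) {
    if (PII_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      removed.add(key);
    }
  }
  for (const key of removed) url.searchParams.delete(key);

  // E-mail addresses also show up in paths, e.g. /users/jane%40example.test/.
  url.pathname = url.pathname
    .split('/')
    .map(seg => (EMAIL_RE.test(safeDecode(seg)) ? 'redacted' : seg))
    .join('/');

  return { location: url.pathname + url.search, removed: [...removed] };
}
```

Run it on every URL you report, including referrers and virtual page views, and review the `removed` list during testing to find forms that leak PII into the address bar.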

Add a Cookie Banner

Users must be given the option to accept or decline cookies before data is collected on their devices to track them. Google Analytics uses cookies, so obtaining consent necessitates the installation of a cookie banner on your website.

Cookies must follow the provisions of the GDPR and the legislation in the countries where your website is accessible.

Disable the Data Sharing

Disable Google Analytics’ ‘data sharing’ option through the service’s admin console.

With the setting switched off, Google may only access the website publisher’s Google Analytics data for “maintaining and preserving” Google Analytics.

Limit Data Acquisition for Advertising

The most invasive form of internet privacy violation is third-party advertising. Google Analytics gathers information about your traffic to provide advertisement features, but you may turn it off if it’s not important by going to the administration panel.

Contract with Google Ireland

Another tip is to ensure your data processing agreement is signed with Google Ireland Limited, not Google LLC (US entity). Google LLC is a sub-processor of Google Ireland; I hope it makes sense now?

What About Google Analytics and GDPR Compliance in the UK?

The UK’s Information Commissioner’s Office (ICO), an independent authority from the EU, enforces UK data protection policies. The ICO is responsible for acting on the UK government’s decisions and procedures no longer associated with the EU.

There has been no reaction from the ICO yet. Still, if EU data protection authorities follow the Austrian DPA, it will be an exceedingly tricky choice for the ICO to take a position that is counter to the rest of the EU. Should you be interested in reading this in detail, please head to the Cyphere blog, where we discuss details of Google Analytics PII and how to comply with any ICO guidance.
