How to Update Google Analytics to Meet GDPR Requirements

Google Analytics is a part of almost every marketing stack, so updating Google Analytics for GDPR is something that every business needs to be concerned about. This blog will walk you through the steps you need to take to update Google Analytics to prevent collection of personally identifiable information (PII) in order to align with GDPR requirements. Keep in mind, this is written from a marketing perspective and the steps below are meant as guidance only, not legal protection. You should talk with your legal advisors and IT team to make sure that these steps are part of your larger GDPR readiness strategy.

Let’s clear something up right away: whether your business is large or small, in the EU or not, GDPR will affect it. Here’s a very real scenario: you run a successful local restaurant, focus your marketing locally, and enjoy a number of favorable reviews from locals. One day, an EU citizen planning a trip to your area finds your restaurant on the review site and follows a link to reach your site directly. When they reach your website, your Google Analytics cookie “fires” and collects personal information on your visitor from the EU, such as an IP address. You are now in violation of the GDPR and can be fined.

You might comfort yourself by saying, “Well, I don’t use that info in any targeted marketing towards EU citizens so they’ll never find out.” You might be right, but, let’s say the review site gets audited, and, in that audit, you’re listed as one of the partners in the review site’s network with whom they share data. Now the audit extends to your business. Even if you can defend against the audit, is that really how you want to spend your time, resources and money? If not, then this blog can help.

  1. The first step actually has nothing to do with Google Analytics, but it’s so important that we’re putting it in every piece we write: ensure your data processors are GDPR compliant (like the review site, in this case). Essentially you should review all contracts of all vendors you work with who touch your marketing activities and make sure their practices have been updated to align with GDPR requirements.
  2. Review and accept your data processor’s updated terms of service. Here’s Google’s: Google Ads data processing amendment
  3. Fire your GA tag AFTER you have the user’s permission, especially if you are working with the User-ID feature. Work with your developer to create an overlay cookie acceptance box that also contains the link to your terms and conditions. Once you have the user’s consent, either trigger a page reload that then fires the GA tag or trigger the GA tag with a virtual pageview.
  4. Audit your existing Google Analytics implementation for PII (name, email, phone, etc).
    You can’t delete this if you’ve collected it in the past, but you can stop processing it by following these steps:
  • Check existing page URL & Page titles in GA for PII
  • Ensure you don’t submit PII in the URL on form submits or destination pages
  • Audit your stored identifiers and custom dimensions
    • Open Google Analytics and check if the User-ID feature is enabled
    • If you are using the User-ID feature, ensure that the values are alpha-numeric and don’t contain any PII
    • By May 25, 2018, Google will support User-ID deletion
  • Stay in the property column, navigate to ‘Custom Definitions’ > ‘Custom Dimensions’ and validate which data you are pushing to those dimensions. The basic GA implementation doesn’t come with custom definitions.
  • If you are pushing any kind of ID to custom dimensions, those IDs need to be alpha-numeric and can’t contain PII.
  • Anonymize IPs
    • If you are deploying GA with GTM, use the ‘anonymizeIp’ feature
      • Open Google Tag Manager and navigate to the GTM container that’s present on your site
      • Find your Google Analytics tag in the workspace area of the GTM container
      • Open the Google Analytics tag and click on More Settings>Fields to Set
      • Add a new field and start typing anonymizeIp. Since this is an out-of-the-box variable, you should see the auto-suggestion once you start typing.
      • Set the value to ‘true’
      • Save your changes and publish the new GTM container version
    • If you are not using GTM and you have the GA snippet deployed directly on your page, have your developer add the following line of code:
      Code snippet
  • Update your privacy policy and include
    • Contact information for the Data Controller
    • User rights and how to apply them
    • How you collect their personal data
    • How they can choose what types of information you process about them
    • How you will use their PD
    • With whom you will share their PD
    • The names of entities with whom you share their PD for direct marketing purposes
    • How you secure their information
    • The legal basis and purposes for processing their PD
    • The length of time you store their PD
    • Whether their information will be transferred to other countries
    • Their right to request, access, change, restrict, make portable, or erase their personal information
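
Step 3 and the anonymizeIp step above, shown together for a GA snippet deployed directly on the page. This is an added example, not code from the original post: analytics.js is not requested at all until consent is stored, and `anonymizeIp` is set before the first hit. The storage key, the button id and the `UA-XXXXX-Y` property ID are placeholders.

```javascript
// Added example, not the original post's code. Names marked "hypothetical" are assumptions.
const CONSENT_KEY = 'analytics_consent'; // hypothetical localStorage key
const PROPERTY_ID = 'UA-XXXXX-Y';        // placeholder property ID

function hasConsent(storage) {
  return storage.getItem(CONSENT_KEY) === 'granted';
}

// Queues GA commands and injects analytics.js. Without consent it does nothing:
// no script request, no cookie, no hit.
function startAnalytics(win, doc, storage) {
  if (!hasConsent(storage)) return false;
  if (win.__gaGateStarted) return true; // avoid loading twice
  win.__gaGateStarted = true;
  win.GoogleAnalyticsObject = 'ga';
  win.ga = win.ga || function () { (win.ga.q = win.ga.q || []).push(arguments); };
  win.ga.l = Date.now();
  win.ga('create', PROPERTY_ID, 'auto');
  win.ga('set', 'anonymizeIp', true); // set before the first hit so every hit carries it
  win.ga('send', 'pageview');
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.google-analytics.com/analytics.js';
  doc.head.appendChild(script);
  return true;
}

// Handler for the overlay's "Accept" button: record consent, then start tracking
// without a page reload.
function onConsentAccepted(win, doc, storage) {
  storage.setItem(CONSENT_KEY, 'granted');
  return startAnalytics(win, doc, storage);
}

// Browser wiring: returning visitors who already consented are tracked on load.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  startAnalytics(window, document, window.localStorage);
  const button = document.getElementById('cookie-accept'); // hypothetical button id
  if (button) {
    button.addEventListener('click', () => onConsentAccepted(window, document, window.localStorage));
  }
}
```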

By updating Google Analytics with the steps above, you should still be able to capture the critical data needed for site performance optimization or aggregate user-behavior analysis, while keeping clear of personally identifiable information (PII) that could put you at risk from a GDPR audit and fine. As always, you should consult with your legal advisor or other GDPR advisor on this compliance step.
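
The PII audit from step 4, sketched as a script you could run over exported page paths and User-ID or custom-dimension values. This is an added example, not code from the original post; the parameter-name list and all sample rows are constructed assumptions.

```javascript
// Added example, not the original post's code. Sample data is constructed.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
// Hypothetical list of parameter names that usually carry PII; extend for your forms.
const SUSPECT_KEYS = new Set(['email', 'name', 'firstname', 'lastname', 'phone', 'tel']);

function safeDecode(text) {
  try { return decodeURIComponent(text); } catch (e) { return text; }
}

// Returns the reasons a page path (as listed in GA's page reports) looks like it holds PII.
function auditPagePath(pagePath) {
  const url = new URL(pagePath, 'https://site.invalid'); // base is only needed for parsing
  const findings = [];
  if (EMAIL_RE.test(safeDecode(url.pathname))) {
    findings.push({ where: '(path)', reason: 'email-like value' });
  }
  for (const [key, value] of url.searchParams) {
    if (SUSPECT_KEYS.has(key.toLowerCase())) {
      findings.push({ where: key, reason: 'suspect parameter name' });
    } else if (EMAIL_RE.test(value)) {
      findings.push({ where: key, reason: 'email-like value' });
    }
  }
  return findings;
}

// The post's rule for User-ID and custom-dimension IDs: alphanumeric only.
// This rejects emails and phone numbers; it cannot tell whether "janedoe" is a name.
function isAlphanumericId(value) {
  return /^[A-Za-z0-9]+$/.test(value);
}

function auditExport(pagePaths, idValues) {
  return {
    flaggedPages: pagePaths
      .map((path) => ({ path, findings: auditPagePath(path) }))
      .filter((row) => row.findings.length > 0),
    rejectedIds: idValues.filter((id) => !isAlphanumericId(id)),
  };
}

// Constructed sample rows, standing in for a GA page report and a User-ID export.
const SAMPLE_PATHS = [
  '/menu',
  '/contact/thanks?email=jane%40example.com&ref=footer',
  '/reserve/confirm?guest=Jane+Doe&contact=jane.doe%40example.org',
  '/unsubscribe/jane%40example.com',
];
const SAMPLE_IDS = ['a8f3c21e9b', 'jane@example.com', '555-0100'];
```

Free-text values such as `guest=Jane+Doe` pass this check, so flagged rows are a starting point for a manual review of form and redirect URLs, not a complete list.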

Erik Archer Smith
Erik Archer Smith was a data-driven marketing and sales professional at Treasure Data with 10+ years experience helping companies scale during phases of hyper-growth. Erik got involved with tech early and built the first social media site in Japan using open source technology in the early 2000s. When not working, he enjoys spending time at the beach with his wife and dog, and obsessing over character-build stats in whatever RPG currently has him hooked.