Google Analytics (“GA”) is one of the most popular tools utilized by websites to obtain information regarding their site traffic. If you’re using GA, you should be aware of the data privacy requirements related to using this tool, and how you can set up your GA to avoid expensive GDPR and CCPA violations. In this post we will explain (with relevant screenshots) how to set this up in your Google Analytics account.
As a general rule, if you have only necessary cookies and GA running on your site, you are not collecting the kind of personal information that requires consent (either explicit or implied) to collect, but you need to configure your GA in a specific way to comply with GDPR and CCPA. If you are running non-essential (e.g. advertising, performance or targeting) cookies, then you should be using a cookie consent management platform to ensure compliance.
When setting up GA, you will be asked if your GA setup in Google is in accordance with GDPR requirements for usage without consent, meaning you are not using any non-essential cookies. If so, GA will be configured with anonymized IP addresses. If you’re using non-essential cookies (e.g. plugins for Facebook, DoubleClick, YouTube, etc.), then the instructions below will not provide you with a compliant experience, and we suggest that you contact Clym for assistance.
Step 1 – Data Processing Terms
First, you have to sign GA’s Data Processing Agreement (“DPA”), which can be found in GA’s Account Settings. Once you’re in the DPA, you can click on “Review Amendment”. After reading the amendment, click “Done”.
Step 2 – Turn off data sharing
Turn off data sharing with Google. This is done by unchecking the Data Sharing Settings under Account Settings.
Step 3 – Anonymize IP
IP addresses are considered personal information by most data privacy regulations, including GDPR and CCPA, so if you are taking this approach you must restrict Google’s access to process the entire IP address, which is referred to “Anonymize IP”. By adding an extra piece of code to your GA tracking code, the last part of the website visitor’s IP address will be deleted.
When you are working with Google Tag Manager (“GTM”) you can also make some adjustments to get anonymized IP addresses. To do this, log on to GTM. Make a new variable with the type Settings of Google Analytics. Add a new field and fill in “anonymizeIp” with the value ‘true”.
Step 4 – Check if user ID function has been disabled
Check if the user ID feature is disabled. The ID feature allows you to link a website visitor’s behavior over different devices and multiple sessions, which is not allowed without obtaining consent. If you’re taking this approach, you must disable this feature in GA’s Property Settings, Tracking info, and then User ID.
Step 5 – Disable sharing data for ad purposes
Disable data sharing with Google for advertising purposes. To do this, you should uncheck the options in Data collection under Tracking Info, which can be found in the property settings.
The instructions above provide a way to side step GDPR and CCPA compliance by not collecting personal information, however this can hurt your marketing team’s efforts by being overly restrictive, which can hurt your company’s bottom line. Clym can help! Our cost-effective, audit-ready platform provides you with an easy way to get your website compliant with GDPR, CCPA and other global data privacy laws. If you’d like to learn more, please book a demo or contact us to discuss.