Steps to GDPR Compliance with Google Analytics

Niquee CrystalCommerce Updates, Marketing

Steps to GDPR Compliance with Google Analytics


Under the GDPR, if you use Google Analytics, then Google is your Data Processor. Your organization is the Data Controller since you control which data is sent to Google Analytics.

With Google as your Data Processor, they have obligations to conform to the EU GDPR. According to Google’s Privacy Compliance website, they are “working hard to prepare for the EU’s General Data Protection Regulation.” You can see more details on this site, and it is almost sure that Google Analytics will be fully compliant by May 25, 2018. As part of being a Data Processor, Google must provide a data processing agreement that you’ll need to accept.

1.  Sign in to Google Analytics.

2. Go to Property Setting (as it shown on a screenshot)

3. Make sure that Demographics and Interest Reports, Use enhanced link attribution and Users Metric in Reporting are turned off. Don’t forget to save changes if there were any by clicking save.

4. Click on the Tracking info and then click on Data Collection.

5. Make sure that both Remarketing and Advertising Reporting Features are turned off. Don’t forget to save it.

6. Next, click on the Data Retention and choose the period after which the data will expire. It can be 26 months. Reset on new activity button should be turned on. Click save.

7. Now we need to make sure that User-id tracking is disabled. Click on User-ID and check if everything is turned off. Click save.

Under both GDPR and the Google Analytics Terms of Service, this appears to be an acceptable practice. But, this is where you are advised to ensure that your Privacy Policy is updated to reflect this data collection and purpose. The language used needs to be clear (no technical or legal terms) and answer the questions of, “what data is collected?” and “how it will be used?”

If you are familiar with the GDPR at this point, you may be asking yourself how you can reasonably honor a User’s request to be forgotten. Google Analytics will support User ID/Client ID data deletion pretty soon.

Update your Privacy Policy

The most significant update to your Privacy Policy under GDPR is that these notices need to be written in a way that is clear, understandable, and concise.

As it always should have been, the intent of the Privacy Policy is to describe what you do in a precise manner, and then, most importantly, your organization needs to follow through and do what it says. Your audience of the Privacy Policy is the end user (not lawyers).


Per this eConsultancy article, you should consider the following questions when writing your privacy notice:

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?

Disclaimer: Please note that this guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might apply to your organization.