Last updated on November 29, 2024

Google Analytics GDPR compliance

With the advent of Google Analytics 4, things have changed when it comes to Google Analytics privacy-friendly settings. Google Analytics GDPR compliance without consent can be realized, as GA4 no longer collects IP addresses.

However, note that if you use Google Analytics 4 in conjunction with other Google products such as Signals or Ads, then GA4 shares data and you will have to use a cookie consent banner to ask permission to place analytics cookies.

Under GDPR, you must get explicit consent from website users for sharing their data between other Google products such as Google Signals or Google Ads. The consent must be given BEFORE the data sharing takes effect. In addition, your website’s privacy policy must clearly state that users’ private data can be shared with other Google products.

These cookies are then categorized as “statistical cookies” that require consent.

Setting up Google Analytics privacy-friendly

If you want to set up Google Analytics privacy-friendly, read the steps you need to take below:

1. Enter into a processor agreement with Google

You can find this under your account in the Google Analytics management environment.

When Google Analytics 4 collects data, no IP addresses are recorded or stored in Analytics.

Analytics removes all IP addresses collected from users in the EU before that data is registered through domains and servers in the EU.

Analytics additionally provides options to:

- Deploy collection of data from Google signals by region
- Deploy collection of detailed location and device data by region

Analytics does not record IP addresses

Google Analytics 4 does not record or store individual IP addresses.

Analytics does provide estimated geolocation data by deriving the following metadata from IP addresses: city (and its derived latitude and longitude), continent, country, region, subcontinent (and ID-based counterparts).

For traffic in the EU, IP address data is only used to derive geolocation data before it is immediately deleted. The data will not be stored, accessed, or used for any other application.

When Analytics collects metrics, all IP lookups are performed on servers in the EU before traffic is forwarded to Analytics servers for processing.

2. EU data is collected in the EU

Google Analytics 4 collects all data from devices in the EU (based on IP geo-lookup) through domains and on servers in the EU before traffic is forwarded to Analytics servers for processing.

If you are currently using a Content Security Policy (CSP), update your configuration (the img-src and connect-src directives) so that the following Analytics domains are allowed:

- *.google-analytics.com
- *.analytics.google.com

3. Data collection – setting up Google Analytics privacy-friendly

In GA4 management, under data settings, turn off the collection of detailed location data and device data.

4. Take into account the court’s decision that invalidated the EU-US Privacy Shield framework

On July 12, 2016, the EU-US Privacy Shield entered into force as a framework for regulating the transatlantic exchange of personal data in accordance with data protection standards. However, the EU-US Privacy Shield lost its validity on July 16, 2020.

The Trans-Atlantic Data Privacy Framework (TADPF), a new proposed data transfer regime, is currently in the negotiation phase and should be ready by the end of 2022 (isn’t it). There are currently no agreed rules for data transfers between the EU and the US.

For now, GA4 is not fully GDPR-compliant. Even with the addition of all the aforementioned privacy-focused features, GA4 has still failed to win over European regulators. Google has yet to regulate EU-U.S. data protection after the invalidation of the Privacy Shield agreement in 2020. The company now provides insufficient protection from U.S. surveillance laws for the data of EU citizens and residents.

There is no method in GA4 to guarantee data storage within the EU or to choose a specific regional storage location. Users are also not informed by Google about data storage or transfer locations outside the EU. This violates the GDPR, and the data processing contract with Google on limited data transfer only partially solves the problem.

5. Properly inform visitors about the use of Google Analytics and provide an opt-out

Google Analytics GDPR compliance requires that your privacy statement reflects that:

- You have entered into a processor agreement with Google.
- The data is encrypted and processed anonymously.
- You have turned off “data sharing” with Google.
- Google Analytics cookies are not used in conjunction with other Google services, such as DoubleClick and AdWords.
- Which Google Analytics cookies are placed, for what purpose and when they are deleted. Do you use other tools and advertising platforms? Then the purpose, duration and responsible party of these cookies will also have to be described in the same way.

Tip: save a screenshot showing the date and time when you made the above changes. This way you can always prove when you applied Google Analytics privacy-friendly settings.

6. Google Analytics and Cookiebot

If you have gone through all the steps to set up Google Analytics privacy-friendly, there are a number of options in conjunction with Cookiebot that will ensure that analytics cookies can be loaded. Here are the options:

Option 1. Use Google Analytics in conjunction with Google Consent Mode

Cookiebot integration with Google Consent Mode ensures that your visitors’ privacy choices are respected with minimal impact on your website’s ad-based revenue, statistics and more. If you are already using Google’s Gtag or Google Tag Manager (GTM), we recommend that you implement Google Consent Mode integration on your website to ensure that Google services are used optimally and continue to work.

The configuration below is based on implementation using Gtag.js and “web” containers in GTM of the following Google services:

- Google Ads (including Google Ads Conversion Tracking and Remarketing)
- Floodlight
- Google Analytics

You can read more about Google Consent Mode here: Knowledge base article: Cookiebot and Google Consent Mode

Option 2. Loading after giving consent on statistics

If setting up Google Analytics privacy-friendly is not an option for you because you use it in combination with other Google services, then let consent run through the Cookiebot solution. Analytics cookies are loaded after the user has given their consent to accept everything or at least the Statistics category.

Option 3. Do not use Cookiebot with GA cookies

Use this option only if you are 100% sure that you are using Google Analytics stand-alone, set up completely privacy-friendly and not combined with other Google services. By NOT applying the attribute data-cookieconsent="statistics" to your GA script, it will not be processed by the cookie manager. Therefore, the cookie will just load and your analytics data will be collected. This is entirely according to the GDPR (if you have the above steps set up). All cookies will of course still be found by the cookie scanner and will then also be displayed in your cookie statement.

With this method you cannot offer users an opt-out via the Cookiebot solution. You will then have to refer them to, for example, the Google Analytics Opt-out Browser Add-on. Do include this in your Privacy Statement.

GA4 data: please note that your metrics may vary. This is due to the fact that all cookies, except session cookies provided with the HttpOnly flag, are placed again after giving or adjusting a consent. This is “by design”. The moment the consent is given, it is recorded in the log. By placing cookies again, it is irrefutably established that you only placed cookies after a consent was given.

As a result, the following may occur:

- A user visits your website and a GA cookie is set.
- The user gives consent on your website.
- The cookies are reset.
- The user gets a new GA cookie placed with a different ID.

Do you have any questions after reading about Google Analytics GDPR compliance? Let us know and get in touch.
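
The CSP update in step 2 can be checked before deployment. The following is an added example, not part of the original article or any Google or Cookiebot tooling: it parses a policy string and reports which of the two Analytics domains are still blocked for img-src and connect-src, including the fallback to default-src. The function names and the sample policies are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helper names; sample policies are constructed.
const GA4_HOSTS = ['*.google-analytics.com', '*.analytics.google.com'];
const DIRECTIVES = ['img-src', 'connect-src'];

// Parse "name src src; name src" into a Map of directive -> source list.
function parseCsp(policy) {
  const map = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers: the first one wins.
    if (name && !map.has(name.toLowerCase())) map.set(name.toLowerCase(), sources);
  }
  return map;
}

// Does one source expression cover the required wildcard host over HTTPS?
function covers(source, required) {
  if (source.startsWith("'")) return false; // keywords: 'self', 'none', ...
  if (source === '*' || /^https?:$/i.test(source)) return true;
  // Drop scheme, port and path; path restrictions are not evaluated here.
  const host = source.replace(/^https?:\/\//i, '').replace(/[:\/].*$/, '').toLowerCase();
  if (host === required) return true;
  // A broader wildcard such as *.google.com also covers *.analytics.google.com.
  return host.startsWith('*.') && required.endsWith(host.slice(1));
}

// Return "directive host" entries the policy does not allow.
function missingGa4Sources(policy) {
  const csp = parseCsp(policy);
  const missing = [];
  for (const directive of DIRECTIVES) {
    // img-src and connect-src fall back to default-src when absent.
    const sources = csp.get(directive) ?? csp.get('default-src');
    if (sources === undefined) continue; // no directive restricts this fetch
    for (const required of GA4_HOSTS) {
      if (!sources.some((s) => covers(s, required))) missing.push(`${directive} ${required}`);
    }
  }
  return missing;
}

// Constructed sample policies.
const legacy = "default-src 'self'; img-src 'self' www.google-analytics.com; connect-src 'self'";
const updated = "default-src 'self'; img-src 'self' *.google-analytics.com *.analytics.google.com; " +
  "connect-src 'self' https://*.google-analytics.com https://*.analytics.google.com";
console.log(missingGa4Sources(legacy));
console.log(missingGa4Sources(updated));
```

The constructed legacy policy is reported for both directives because a single host entry such as www.google-analytics.com does not match the wildcard domains listed in step 2.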