How to Change Your Google Analytics Settings to Become GDPR Compliant

What is GDPR and why is it important?

The General Data Protection Regulation is an EU law on the privacy of data and personal information. This Regulation protects the personal data of individuals and comes into full effect on May 25th, 2018.

Reasons the GDPR is important

  1. Penalties for violation can go up to €20M or 4% of the offending company’s global annual revenue, whichever is higher.
  2. The definition of personal data has expanded. Information such as email addresses, names, cookies, GPS data etc. is now considered personal information.
  3. Even if you are not part of the EU, if you provide goods and services to EU citizens you are obliged to follow the GDPR rules.
  4. Consent and transparency in the use of personal data are now a must.

How to become GDPR Compliant

Data Retention

Google recently introduced granular data retention controls that allow you to manage your older data. These settings let you choose how long your data is retained; otherwise any data older than 26 months is deleted by Google automatically.

To retain less or more data, go to Tracking Info in the admin section and select “Data Retention”.

Here, you can select the data retention period you are looking for and save the settings.

Voilà! You are done with the main step.

GDPR Compliance

While the GDPR technicalities do appear scary at first, we have tried to simplify those technically confusing settings for you in the four actionable steps below:

1. Audit your Google Analytics for any Personally Identifiable Information (PII)

PII is a big no-go for Google Analytics. Check your account for any PII being stored, such as email addresses or usernames. This is how you do it:

  • Go to Behaviour → Site Content → All Pages
  • Look in the search bar for any identifiers (emails, usernames or anything else)
  • Check your custom dimensions as well for any PII, and ensure that no personal data entered by users into forms is being passed along

If you find any PII, you are already at risk. Filtering the PII out is not enough; you should address this at the code level so that personal information is never sent to Google Analytics.

2. Anonymize IP

This feature removes the last digits of the user’s IP address, masking it before it is stored. The IP address is also considered PII and hence must not be ignored. This may lead to a slight decrease in the accuracy of the geolocation that Google Analytics performs, but it still needs to be implemented. For those who use Google Tag Manager, this is how you do it:

  • Click on More settings → Fields to set, then add a new field “anonymizeIp” with a value of “true”.
  • Save this. Simple!

If you are not working with Google Tag Manager but with analytics.js, use the GA set option to set anonymizeIp to true; if you are using the Global site tag, you will need to add anonymizeIp set to true to the configuration of your Universal Analytics code.

3. Disable Display Features

This feature gives you the ability to build remarketing custom audiences and also provides some interesting data, but it now needs to be turned off.

  • Go to Tracking Info in the admin section → Data Collection
  • Turn off Remarketing and Advertising Features here.

For those using analytics.js, simply delete the line that requires the display features; for those using gtag, set allowing display features to “false”.

For Google Tag Manager, go to More settings and, under the Advertising section, select off.

4. Google Analytics Cookie

It’s a thing of the past now that a cookie (carrying a pseudonymous ID of the client) could get away with saving information merely by stating that if you proceed to use this site, you consent. With the GDPR updates coming in, a clear, explicit consent form asking the user to allow data to be sent to Google Analytics, shown before it executes, is now a must.

The ideal way to do this is a pop-up over the page, where the user can actually read the terms and conditions of the consent form before proceeding. Google Analytics cannot be installed in the back-end before the user’s “yes”. You need to build an opt-in mechanism that also lets the user opt out at any point they wish.
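As an added example (not code from the original post), the following script gates the Global Site Tag behind the explicit consent described in step 4 while applying the IP anonymization from step 2 and the disabled advertising features from step 3. The property id `UA-XXXXXXX-1` and the localStorage key `ga_consent` are placeholders; the `window['ga-disable-<ID>']` flag is Google's documented opt-out switch for a property.

```javascript
// Added example, not from the original post: load gtag.js only after explicit consent,
// with anonymized IP and advertising features off. The id and key below are placeholders.
const GA_PROPERTY_ID = 'UA-XXXXXXX-1'; // placeholder property id
const CONSENT_KEY = 'ga_consent';       // constructed localStorage key

// Read the stored decision; a missing or malformed record counts as "no consent".
function readConsent(storage) {
  try {
    const raw = storage.getItem(CONSENT_KEY);
    return raw !== null && JSON.parse(raw).analytics === true;
  } catch (e) {
    return false;
  }
}

// Persist the user's decision so the consent pop-up is not shown again.
function recordConsent(storage, granted) {
  storage.setItem(CONSENT_KEY, JSON.stringify({ analytics: granted === true }));
}

// gtag 'config' parameters: mask the IP before it is stored (step 2) and keep the
// Remarketing / Advertising Features off (step 3).
function gtagConfig() {
  return { anonymize_ip: true, allow_google_signals: false, allow_ad_personalization_signals: false };
}

// Inject gtag.js only when consent exists. Returns true if the tag was loaded,
// false if nothing was sent because the user has not said "yes".
function installAnalytics(win, doc) {
  if (!readConsent(win.localStorage)) {
    return false;
  }
  win.dataLayer = win.dataLayer || [];
  win.gtag = function () { win.dataLayer.push(arguments); };
  win.gtag('js', new Date());
  win.gtag('config', GA_PROPERTY_ID, gtagConfig());
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + GA_PROPERTY_ID;
  doc.head.appendChild(script);
  return true;
}

// Opt-out at any point: the documented window['ga-disable-<ID>'] flag stops gtag
// from sending hits for that property, and the stored decision is cleared.
function withdrawConsent(win) {
  win['ga-disable-' + GA_PROPERTY_ID] = true;
  recordConsent(win.localStorage, false);
}
```

Call `installAnalytics(window, document)` on every page load and `recordConsent(window.localStorage, true)` from the pop-up's accept button; the opt-out link calls `withdrawConsent(window)`.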

GDPR is definitely a complex update, but it is important for you and your company to follow the right path towards becoming GDPR compliant. Do share with us the challenges you faced on this road; we’d love to hear them.
