_posts/2020-06-08-consent-required-web-analytics-gdpr-and-is-google-analytics-compliant.md
6 additions & 30 deletions
@@ -38,34 +38,27 @@ These dark patterns may get very expensive when the GDPR gets enforced and compa
38
38
39
39
The fines for violating GDPR max out at 4% of global revenue or 20 million Euro whichever is highest. More than 100 million Euro in fines have been issued to companies including Facebook and Google since GDPR came into effect.
40
40
41
-
You can read the full GDPR regulation [here](https://gdpr.eu/tag/gdpr/).
41
+
You can read the [full GDPR regulation here](https://gdpr.eu/tag/gdpr/).
42
42
43
43
### What are the GDPR requirements?
44
44
45
45
Here's a summary of what the law looks at and requires:
46
46
47
47
* Any personal data processing must be fair and transparent to your site visitors
48
-
49
48
* Your site visitors must freely give you specific, informed and unambiguous consent to process the data such as by subscribing to your newsletter
50
-
51
49
* Requests for consent must be clearly distinguishable from the other matters and presented in clear and plain language
52
-
53
50
* Data processing can only be done for legitimate purposes specified explicitly to your customers or site visitors when you collected their consent
54
-
55
51
* You should collect and process only as much data as absolutely necessary for the purposes specified when you got the user consent
56
-
57
52
* You may only store personally identifying data for as long as necessary for the specified purpose
58
-
59
53
* Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality by for instance using data encryption
60
-
61
54
* Your site visitors can withdraw previously given consent whenever they want and you have to honor their decision
62
55
63
56
### What is personally identifiable information according to the GDPR?
64
57
65
58
What does GDPR mean when they talk about personal information? Here's what the law says:
66
59
67
60
> Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.
68
-
61
+
>
69
62
> ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
70
63
71
64
## What is the impact of GDPR on website analytics
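Review bot: Joining the two quoted paragraphs into one blockquote with the inserted `>` blurs attribution: the first paragraph ("Personal data is any information that relates to an individual who can be directly or indirectly identified...") is a plain-language gloss, while the second ("'Personal data' means any information relating to an identified or identifiable natural person ('data subject')...") is the regulation's own definition, and the introduction "Here's what the law says:" now presents both as legal text. Keep them as two separate blockquotes, or say in the intro which one is the summary and which is the regulation. The link-text change to "[full GDPR regulation here]" is an improvement over a bare "here" link, and dropping the blank lines between bullets simply makes the list tight; both fine.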
@@ -83,17 +76,11 @@ If you're using one of the well-established and popular website analytics platfo
83
76
Complying with GDPR is not difficult in theory but wanting to use tools that are not compliant with GDPR makes the process more complicated. Here's how you can follow the intention of the GDPR and have a fully compliant and user-friendly GDPR implementation:
84
77
85
78
1. Show contextual and non-personalized ads, don't place any non-functional cookies and don't track or share any personal data by default
86
-
87
79
2. You must obtain consent from your visitor before you set a non-functional cookie and before you collect any personal data. Your site shouldn't load any third-party script, tracker or pixel that collect personal data and share it for non-functional purposes before obtaining consent from the visitor
88
-
89
80
3. Prompt user to receive more personalized and more relevant ads or to be tracked by giving you consent to collect their data
90
-
91
81
4. You need to be transparent about your plan for data collection and inform the visitor clearly and sufficiently about it. What data do you plan to collect? What purpose do you plan to use this data for? What third-party services are you sharing the data with?
92
-
93
82
5. User consent must be explicit. It can be given by clicking on an "Agree" button, or by placing a checkmark or by pressing a slide switch.
94
-
95
83
6. When you get explicit user consent, proceed as you described to the user. Place those cookies that the user agreed to, collect that data that the user agreed to and share the data that the user agreed to the third-parties user agreed to.
96
-
97
84
7. If the visitor doesn't actively and explicitly give you consent by either ignoring your prompt or by choosing "Disagree" on the prompt, then you don't have consent. There are no exceptions. You should not place any non-functional cookies and you should not collect any personal data.
98
85
99
86
## Does Google Analytics track personal data and IP address?
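Review bot: The only change here is removing blank lines between the numbered items, which matches the bullet list above; while these lines are being touched, the grammar in the surrounding items is worth fixing in the same commit: item 2 "script, tracker or pixel that collect personal data" should read "that collects", item 3 "Prompt user to receive" should read "Prompt the user to receive", and item 6 "share the data that the user agreed to the third-parties user agreed to" should read "share the data the user agreed to with the third parties the user agreed to".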
@@ -110,12 +97,12 @@ Yes, Google Analytics tracks IP addresses of your website visitors and it shares
110
97
The above means that Google Analytics is not GDPR compliant out of the box. And this is what [Google says](https://www.google.com/about/company/user-consent-policy/) about what you need to do if you're using Google Analytics:
111
98
112
99
> "You must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area along with the UK. If you fail to comply with this policy, we may limit or suspend your use of the Google product and/or terminate your agreement".
113
-
100
+
114
101
You must obtain legally valid consent from your website visitors to:
115
102
116
103
* the use of cookies or other local storage
117
104
* the collection, sharing, and use of personal data for personalization of ads
118
-
105
+
119
106
Here's an independent [legal assessment on Google Analytics and GDPR-compliance](https://plausible.io/blog/legal-assessment-gdpr-eprivacy) written by an experienced data protection expert and lawyer.
120
107
121
108
**January 2022 update:** The Austrian Data Protection Authority has decided that the use of [Google Analytics violates the GDPR](https://plausible.io/blog/google-analytics-illegal). This decision is the first DPA decision regarding EEA-US data transfers. Similar decisions are expected to drop in most EU member states.
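Review bot: The blank line after the Google quote and the blank line after the consent bullets are each removed and re-added with no visible difference, so this looks like a trailing-whitespace or line-ending change rather than a content change; saying so in the commit message saves the next reader from hunting for an edit that is not there.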
@@ -131,27 +118,16 @@ You are considered a data controller while Google is considered a data processor
131
118
There are ways you can hack and change Google Analytics to make it more GDPR compliant. Go into the "Admin" section of your Google Analytics account.
132
119
133
120
* In "Account Settings", disable all the data sharing options. Stop sharing your visitor data with Google products & services, for Benchmarking purposes, for Technical support, to Account specialists and Google sales experts.
134
-
135
121
* In "Account Settings", review and accept the Google Ads Data Processing Terms.
136
-
137
122
* In "Property Settings", disable all the Advertising Features including Demographics and Interest Reports.
138
-
139
123
* In "Property Settings", disable User Analysis including Users Metric in Reporting.
140
-
141
124
* In "Tracking Info" click on the "Data Collection" section and disable all the Data Collection for Advertising Features. Disable Remarketing and Advertising Reporting Features.
142
-
143
125
* In "Tracking Info" click on the "Data Collection" section and within "Advanced Settings to Allow for Ads Personalization" disallow all regions from Ads personalization.
144
-
145
126
* In "Tracking Info" click on the "Data Retention" section and reduce the "User and event data retention" to the minimum amount of time possible (14 months).
146
-
147
127
* In "Tracking Info" click on the "Data Retention" section and disable "Reset on new activity".
148
-
149
128
* In "Tracking Info" click on the "User-ID" section and disable the User-ID feature.
150
-
151
129
* In "Product Linking" section, disable all the product linking including Google Ads linking, AdSense linking and Ad Exchange linking.
152
-
153
130
* Update your privacy policy with clear information on how and why you use Google Analytics.
154
-
155
131
* You also need to disable Google Analytics cookies and enable IP anonymization feature. Keep reading.
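Review bot: Tightening the settings list is fine and consistent with the earlier hunks. Since the last bullet is in the hunk's context, "enable IP anonymization feature" should read "enable the IP anonymization feature", and the retention bullet's "(14 months)" is a product limit that may change, so wording it as the minimum available at the time of writing would keep the list accurate longer.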
Google Analytics sets multiple cookies (including _ga, _gid and _gat) and it “uses cookies to identify unique users across browsing sessions”. This is done “to remember what a user has done on previous pages / interactions with the website”.
168
-
169
-
Google [says](https://support.google.com/analytics/answer/2992042): "In order for Google Analytics to determine which traffic belongs to which user, a unique identifier associated with each user is sent with each hit. This identifier can be a single, first-party cookie named _ga that stores a Google Analytics client ID, or you can use the User-ID feature in conjunction with the client ID to more accurately identify users across all the devices they use to access your site or app".
144
+
145
+
[Google says](https://support.google.com/analytics/answer/2992042): "In order for Google Analytics to determine which traffic belongs to which user, a unique identifier associated with each user is sent with each hit. This identifier can be a single, first-party cookie named _ga that stores a Google Analytics client ID, or you can use the User-ID feature in conjunction with the client ID to more accurately identify users across all the devices they use to access your site or app".
170
146
171
147
You can disable cookies from Google Analytics but disabling cookies leaves Google Analytics with a broken functionality. Tracking unique visitors will be broken and pretty much every pageview will be counted as a unique visitor.
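Review bot: Moving "Google" inside the link text ("[Google says]") follows the same descriptive-link-text pattern as the first hunk; good. This hunk has no `@@` header on the page, so its position in the file is not visible here. A small consistency point in the surrounding lines: the preceding paragraph quotes Google with curly quotes (“uses cookies to identify unique users across browsing sessions”) while the changed line uses straight quotes; pick one style for quoted text in this post.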