Wondering about compliance with GDPR and Google Analytics? You’ve come to the right place!
On May 25, 2018, the European Union implemented the General Data Protection Regulation (GDPR). The new rule set out requirements for handling user data with penalties of up to €20 million or 4% of annual revenues for failure to comply with GDPR policy. Needless to say, it was quite alarming for website owners.
Even today, we continue to receive questions from concerned users about GDPR, especially with the transition to Google Analytics 4. So, in this article, we’ll discuss the impact of regulatory requirements, how to navigate GDPR and Google Analytics, and how ExactMetrics’ privacy features can help with compliance.
Let’s begin with a brief introduction of GDPR…
What is GDPR Regulation?
GDPR, short for General Data Protection Regulation, is a privacy regulation passed by the European Union (EU) that oversees how companies, websites, internet providers, and other web-based services collect, manage, and use user information. However, its laws stretch far beyond the EU as it governs how organizations handle data related to EU residents, regardless of where the organizations themselves are based.
Why was the GDPR introduced?
GDPR was launched in an effort to protect the privacy rights of individuals by providing them with significant control over their personal data. It ensures stricter guidelines for businesses on collecting and processing personal data, which is why it’s essential to know if GDPR applies to your website.
To give you an idea of how GDPR can affect your WordPress site, we’ve highlighted some important points from the over 200-page legal document. Here are some key takeaways:
- Your privacy policy should be transparent and clearly state how you’ll be collecting data and what it’s used for.
- It’s crucial to get permission from users before gathering personal information and using it for the desired purpose.
- If you decide to use the same data for another purpose, you need to ask for specific consent again.
- Users have the right to remain anonymous and deny any information they don’t wish to have collected.
- Users have the right to see what data has been collected about them by the company.
- Users can revoke permission at any point and request to have their data removed. This means you’ll have to remove their information from your database and from any other source you’ve shared data with.
These are a few pointers from GDPR privacy law that you’ll want to consider for your website’s compliance. However, we recommend consulting with your legal advisor or an attorney to ensure your site fully complies with the law. Please see our legal disclaimer at the end.
Now, let’s find out how GDPR affects Google Analytics.
Is Google Analytics GDPR Compliant?
Whether or not Google Analytics is GDPR compliant is a bit of a loaded question. By default, Google Analytics collects and stores a significant amount of data, some of which can be classified as ‘personal data’ under GDPR. This data could include user IDs, cookies, and other online identifiers. So, this makes Google Analytics potentially non-compliant with GDPR, as the regulation specifically mandates strict rules about how personal data is collected, stored, processed, and shared.
Google Analytics 4 (GA4) came with several changes in response to GDPR including data retention controls, data anonymization, and improved user consent management. These updates along with the recent acceptance of the EU-US Data Privacy Framework help website owners use Google Analytics in a GDPR-compliant manner.
However, it’s still the responsibility of website owners to ensure that Google Analytics is set up and used in compliance with applicable regulations. So, while Google Analytics as a data processor can be made GDPR compliant, it’s up to you, acting as the data controller, to ensure that it is.
WordPress Tutorial: How to Make Google Analytics GDPR Compliant
- Step 1: Install ExactMetrics
- Step 2: Activate EU Compliance Addon and Configure Settings
- Step 3: Change Google Analytics Data Retention Period
- Step 4: Offer a Consent Checkbox and Opt-Out Option
- Step 5: Update Your Privacy Policy
Google Analytics is the most powerful analytics tool available. If you have a website, chances are you have it set up to track user behavior on your site. Google Analytics tracks visitors by assigning a unique UserID, and although GA4 doesn’t store IP addresses, it does record other potentially personally identifiable information (PII) like age, gender, and other demographic information using cookies.
So, what you do with this collected data is important. For example, if you don’t have consent, you can’t share Demographics and Interest reports with your Remarketing / Advertising (Google Ads) account.
Now, at this point, compliance with GDPR may sound pretty time-consuming and confusing, but that’s where ExactMetrics can help. As the best premium WordPress Analytics plugin and the best GDPR plugin for WordPress, ExactMetrics offers EU Compliance features that automate multiple processes needed to ensure GDPR compliance.
Let’s take a look at how to use the addon to help ensure Google Analytics and GDPR compliance. Follow these steps to get your site on track and meet GDPR requirements.
Step 1: Install ExactMetrics
The first step is to install the plugin on your WordPress website. To do that, head to the ExactMetrics pricing page and grab the Plus license or above to access the EU privacy addon.
Then, download the plugin’s ZIP file from the Downloads tab in your account area of ExactMetrics.
Then, go to Plugins » Add New on your WordPress website. Click Upload Plugin at the top and install and activate the plugin file that you just downloaded on your website.
Next, you’ll need to connect your WordPress site to Google Analytics using the simple setup wizard. Just follow the prompts and you’ll be ready to go in a few clicks.
If you need more help with getting set up, check out our detailed tutorial on How to Add Google Analytics to WordPress (Step-by-Step Guide)
Step 2: Activate EU Compliance Addon and Configure Settings
After installing the plugin and connecting it to Google Analytics, you’ll need to enable the EU compliance addon. Go to ExactMetrics » Addons. Navigate to EU Compliance and click Install.
After pressing install, the addon will automatically activate on your WordPress site.
The next step is to configure your ExactMetrics EU Compliance addon settings. You can access them by going to ExactMetrics » Settings » Engagement.
Click to expand the EU Compliance section, and you can scroll down to change different settings for GDPR compliance.
Here are the automated configuration changes you can implement with ExactMetrics:
- Automatically anonymize IP addresses for all Google Analytics hits
- Automatically disable UserID tracking on Google Analytics hits, eCommerce hits, and form hits.
- Automatically disable the UserID dimension and Author tracking in Custom Dimensions.
- Enable the ga() compatibility mode automatically.
- Wait for AMP addon users to agree with Google AMP Consent Box before tracking them.
- Integration with Google Analytics cookie consent plugins like Cookie Notice and CookieBot.
- Automatically disable Interest and Demographic reports for remarketing and advertising tracking (Google Ads) in Google Analytics.
Note: The EU compliance addon ONLY turns off the demographics and interests reports used for remarketing and advertising tracking purposes such as Google Ads. You’ll still have access to demographic and interest reports based on aggregated data.
Step 3: Change Google Analytics Data Retention Period
In addition to setting up ExactMetrics and its EU compliance addon, you can make changes to your Google Analytics data retention settings. Google Analytics 4 data retention is set to 2 months by default, but most users want to change this.
Log into your Google Analytics account and click on Admin (the Gear icon) at the bottom left of the page.
Under the Property column, go to Data settings » Data Retention. Here, you can select the time period you want to retain data, either 2 months or 14 months using the dropdown menu.
Google states that your regular reports won’t change with this adjustment, as they mainly use aggregated data. This means you still have access to basic reports like Acquisition, Engagement, and Monetization after the data retention period.
However, what Google leaves unsaid is that discarding this data means you can’t create ad-hoc reports using historical data. These reports use sample data with a segment, filter, or secondary dimension, or a custom report with a combination of metrics and dimensions not standardly available.
As a result, you won’t have historical data in your Explore reports within Google Analytics. Even if you don’t regularly use these reports, they’re pretty very important when you start to look more closely at your website analytics.
You’ll want to keep this in mind when changing your settings. At the very least, most users opt for the 14-month retention. You can learn more about this topic and other options in this article by Jeff Sauer.
Step 4: Offer a Consent Checkbox and Opt-Out Option
The previous settings anonymize and disable personal data tracking, which provides an ideal solution for meeting GDPR requirements. But, if you do still want to track personalized information, you’ll need to get users’ consent and offer an opt-out option.
Thanks to ExactMetrics’ integrations with Cookie Notice, CookieBot, Complianze, and CookieYes, you can easily set up a sitewide consent checkbox and opt-out option for visitors. If any of these plugins are active on your site, ExactMetrics will wait to load the Google Analytics tracking script until the user gives permission.
Just remember, the downside of this option is that unless a user provides consent, they won’t be tracked, which may lead to a lot of missing Google Analytics data. To learn more about this, check out our documentation on getting started with the EU Compliance addon.
If you would like to provide visitors with an opt-out option and aren’t using one of the plugins above, you can use one of ExactMetrics’ Opt-Out link integrations or follow our guide to create an opt-out link. ExactMetrics is also compatible with both Google Analytics’ Chrome browser opt-out extension and Google Analytics’ built-in cookie opt-out system.
Step 5: Update Your Privacy Policy
The last step is to update your privacy policy to reflect Google Analytics and GDPR compliance. This provides transparency to visitors and helps you to comply with GDPR requirements.
If you’re wondering which type of cookies Google Analytics uses and what their purposes are, check out our full guide on updating your privacy policy.
And that’s it!
You’ve made it to the end of the article and you now know how to make Google Analytics GDPR compliant.
We hope you found this article on GDPR and Google Analytics helpful in learning how to make your WordPress site compliant. Be sure to also check out our post on How to Ensure Google Analytics CCPA/CPRA Compliance.
Not using ExactMetrics yet? What are you waiting for?
If you have any queries, drop a comment below. Don’t forget to follow us on Twitter and Facebook to see all the latest reviews, tips, and Google Analytics tutorials.
Legal Disclaimer: This addon is designed to automate some of the settings changes required to be in compliance with various EU laws. However, due to the dynamic nature of websites, no plugin can offer 100 percent legal compliance. Please consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases.
As a website operator, it is solely your responsibility to ensure that you are in compliance with all applicable laws and regulations governing your use of our plugin. ExactMetrics, its employees/contractors, and other affiliated parties are not lawyers. Any advice given in our support, documentation, website, other mediums, or through our services/products should not be considered legal advice and is for informational and/or educational purposes only and is not guaranteed to be correct, complete, or up-to-date, and does not constitute creating/entering an Attorney-Client relationship.