GDPR and Google Analytics

A guide to how companies should manage their analytics and other tracking software, to ensure that their website activity is GDPR compliant.

Google Analytics is a powerful tool that can provide valuable data for your business. But it is important to ensure that your use of this resource is compliant with the GDPR, and this applies to any business based in Australia or any other territory around the globe. Google Analytics is dependent on the use of cookies: to set up the service you will have had to install a piece of tracking code on your website. The presence of this tracking code allows Google Analytics to track the activities of visitors to your website via the web browsers that they use to do so.

The GDPR refers to cookies specifically, as follows:

(30): "Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."

Effective use of Google Analytics depends on being able to identify each visitor uniquely in order to understand what activity they have carried out on the site. If in turn the visitor can be identified personally, directly or indirectly, as a result, whether via their IP address, because they are logged into an online profile, or by some other means, this brings that use of cookies within the scope of the GDPR. It means that the record of that browsing activity is the personal data of that visitor, and you must comply with the requirements of the GDPR in relation to the collection and use of that personal data.

At the time of writing, the terms of service of Google Analytics prohibit the use of the service to identify a visitor personally. However, the mere fact that Google's terms of service currently seek to prevent you from identifying a visitor personally does not mean that the data provided to you via Google Analytics is not personal data for the purposes of the GDPR. A person can be identified indirectly via their IP address, and this brings a record of an individual's use of a website, such as that provided by Google Analytics, within the definition of personal data; personal data for which you are responsible for compliance with the GDPR.

For example, re-marketing, or re-targeting, enables a business to show display ads on the Google network to users who have previously visited a site or a particular page on a site. While you may not be aware of the personal identity of the individual concerned, if you are seeking to display an ad to that person by virtue of the fact that you know that they have previously visited a particular page on your website, you need to ensure that you are GDPR compliant in doing so.

So, how can you ensure compliance?

You have two main options. The first is to ensure that Google Analytics is set up and used by you in such a way that you are not collecting any personal data in the process, i.e. to put measures in place to ensure that any data collection is properly anonymised and no individual is capable of being identified from any of the data collected. This is likely to prevent the use of re-marketing or re-targeting services, which by their definition need to identify and record individual users in order to display re-marketing ads to them.

The second option is to understand that you are collecting personal data in your use of Google Analytics and to ensure that, as with any other personal data that you hold in your business, you collect, hold and use this in compliance with the GDPR. For more details of what is involved in doing that, please see here.

About the author

is the author of our guides to GDPR. Flor is one of Ireland’s leading lawyers and a recognised expert in marketing. He has particular expertise and hands-on practical experience in privacy, data protection and GDPR issues for marketers. He is certified by the Law Society of Ireland in Data Protection Practice and lectures lawyers on data protection practice and compliance. He is managing partner of a multi award winning niche legal practice. He has been in private practice for over 20 years and has been elected by his peers to sit on the exclusive Council of the Law Society of Ireland, the governing body for Irish lawyers.
