Google Analytics & GDPR | Compliance Checklist

If you use Google Analytics or any other analytics platform, you might have heard of GDPR compliance – regulation aimed to control data collection for the EU citizens.

European Union adopted a new regulation on data protection called GDPR (General Protection Data Regulation) in 2018.

Since May 25, 2018, this legal act governs any data activity of all European citizens. In case you collect, store, process data from citizens in the EU, even if your business operates outside the EU, you’re subject to these legal requirements. Therefore, you have to learn as more as possible about what does GDPR compliance mean.

The purpose

The GDPR’s primary aim is to establish consistent forceable rules to protect any EU citizen to the privacy and security of personal data. 


We all want privacy. I seriously doubt that any of you would be happy to learn that someone knows your name, last name, email address (that oftentimes consists of the name or last name), geo-location, etc. Whatever the purpose of this collection is. 

Even if your personal data is not observed by a human eye, knowing that your sensitive info can become a part of some virtual operations is a bit icky. Besides, how can you be sure someone won’t use this data for ill intentions? 

personal data privacy

So, a regulatory for protecting your data privacy seems like a fair move. There are some requirements you should follow, small adjustments to be made in your Google Analytics account, and you’re totally up-to-date, fearless of fines or any other inconveniences. 

If you’re a marketer, though, one little thought may be sneaking into your mind at this point: how many nice insights into my customers will I Iose after switching to this data-wrapping account?

  1. Well, there is no choice (unless you love walking on the roof edge). This regulation is a legal act enforceable in all EU member states and applies to everyone outside the EU who collects data of the EU citizens. If your digital business fails to comply with it, be prepared to pay penalties for breach. And that is, according to the last update, “£17.5 million under the UK GDPR, and €20 million under the EU GDPR.

So, even if you’re in Uruguay, selling rag bags that are hugely popular in London, and tracking your customers’ emails, you may seriously consider weighting your profits against possible penalties that will be imposed.

  1. Will it be truly catastrophic for you to lose out on personal data of your customers or prospects? Or are you just under the influence of general panic, pushing away more thorough fact inspection?

How to make Google Analytics account GDPR-Compliant

But first things first: since we’ve come concrete on inevitability of becoming GDPR compliant, let’s go through the steps needed to score for it. There are numerous guides and videos on the Internet that explains how to make necessary adjustments to do a sweep in your account.

We’ve put all the needed steps into one simple frame so you can seamlessly implement them one-by-one, without missing out on a thing.

GDPR compliance measures: make sure you don’t track PII

What is Personal Identifiable Information? According to Google, it’s email addresses, phone numbers, precise locations, full names or usernames.

In your Google Analytics, you want to check whether you inadvertently track someone’s sensitive information. This can happen if, let’s say, your marketing tools send you user URLs that may contain personal data.

To spot check this, go to your GA account, choose “Behaviour” > “Site Content” > “All Pages.”

GDPR Google Analytics

Go to the search bar and type @ to see if any emails appear on the list. You may also want to type in “firstname” to retrieve possible mentions of user names.” 

make GA account GDPR compliant

GDPR compliance measures: install IP masking 

IP anonymizing feature came in force to prevent the storage of full ip address information. If you request a user’s identifying information, it will be masked at last digits to prevent your access to it. The full IP number will never be written in the database.

To implement ip anonymization within GA, you will need to edit the code in your Analytics.js, updating the configurations for your property. Or, if you’re already using gTag, you’ll need to add to your universal analytics code the anonymization ip object to apply to all events. 

anonymizer in Google Analytics

It is not that hard, moreover, Google has provided a full guide on how to edit the code here. 

Or, if you use Google Tag Manager, go to “Google Analytics Page View Tag” > More Settings > “Fields to set.”

GDPR requirements
Anonymize ip in Google Tag Manager

Among all the dropped options, choose “anonymizeip” and set its value to “true.” This will anonymize all IP addresses in future. To prepare your GA account for GDPR compliance, the IP anonymization feature must be enabled, so, if you have no idea how to edit the code by yourself, you may need some help . Just don’t skip this step under any circumstance, otherwise you might come to the list for breaking GDPR policies. 

GDPR compliance measures: turn off advertising features

Analytics Advertising Features is a set of features that let you receive more detailed information about your target audience. It consists of Ad Reporting Features and Remarketing. Both collect data with the help of Google advertising cookies and Integrated services.

ad features in Google Analytics

In Google’s Policy Requirements for Analytics Ad Features it is stated that without user prior affirmative, you have no right to disaggregate user data that Analytics Ad collects.

If you’re willing to use these features, according to the Policy, you’re required to notify users in privacy policy information. This info might reveal how you use first-party cookies and how users can opt-out of the features that you use.

GDPR compliance measures: install cookies consent form on your website

GDPR obliges you, as a data controller, to clearly outline how you use cookie data through accessible policies on your website. Not only should you disclose this in your privacy policy, there must be cookie policy generate. They must declare to your users what cookies are active on your website, how you use them, and where they might be sent.” 

Of course, no sane marketer would wish to meet a cookieless future, particularly as they don’t collect any personal data, but web trends and preferences. Ethical cookie usage allows content teams to track who engages with their content, how people interact with it, so they can tailor materials to their audience’s interests.

The opt-in requirement, though, which means you should create a pop-up asking users for approval to gather cookies, is applicable only for non-essential cookies. Non-essential cookies are any cookies deployed to analyze user behavior on a particular site.

These cookies are used to tag remarketing campaigns or advertisements toward your preferences. 

Unnecessary cookies are responsible for all those “best massage and wellness centers in houston tx” next-day chasers after you googled what to do with your aching back, just overnight.

unnecessary cookies

Essential cookies, on the other hand, are mandatory for smooth web experience. They don’t require prior consent from users to be deployed.  Things like log-in data, authentication would not be possible without them in place. 

So, in order to stay GDPR-compliant, all you need to do is 1) create a cookie policy on your website that discloses all needed information on how you’re going to use gathered cookies; 2) develop a pop-up with the message to visitors asking to give consent to collect cookies from their sessions. 

How to do marketing and stay GDPR compliant

Collecting user’s preferences is essential for defining audience’s preferences, tailoring content strategies to readers’ needs, ensuring smooth ecommerce shopping experience. In other words, it’s your hints to rely on while building content marketing. 

Content is a tool. And being in the right hands, it has an enormous capability of propelling your forward to achieve your business goals. 

Google Analytics cookies and advertising features are a very helpful tool in these terms. To proceed reaping benefits without violating GDPR policies, you only have to adhere to the guide we provided above. If you manage to set up settings in your GA account, as we pointed out, integrate cookie policy along with updated data policy, you minimize private data collection without narrowing your marketing activities in any way. Use enclosed detailed guides that we linked to seamlessly navigate through your GDPR compliance preparation.

The main thing you have to understand here is that GDPR doesn’t intend to take the pleasure of exploring your audience away from you. It would be highly illogical. The main purpose of this regulation is to give everyone the right to decide whether you agree to disclose your personal information or not. 

Have troubles setting up GA Account for GDPR compliance?

The whole described above process is not that hard; however, for people with limited technical knowledge, there may be more hoops to jump through. 

That’s why editor & content teams around the globe utilize more advanced, robust analytics platforms with built-in data security features

The main advantage of enhanced analytics tools like io.technologies is that it caters primarily to the needs of content teams, understanding their pain points that hold them back from growing their audiences. 

content tracking tools

That being said, if you don’t know how to measure your content performance and engagement (that are two different things), you may need a more focused tool. A one that will provide only necessary insights, leaving complex data behind. 

With advanced content analytics, you don’t need to worry about GDPR-compliance: to supply you with actionable insights on your reader’s behavior, it won’t track any user personal data. So, you won’t need to go through: 

  • real-time content analytics streaming
  • powerful insights in scale
  • digestible data visualization 
  • suitable for teams with limited technical knowledge
  • excellent speed and scalability
  • evaluations and scoring models for precise assessments of your marketing efforts

If you want to know more about how this solution can help you increase content revenue, bump up engagement scores, and grow readership – leave us your email and we will get in touch.


  • Do listed steps guarantee GDPR compliance?

Yes, these are the essential steps needed for you to go through if you want to become GDPR compliant. Of course, every situation is individual, but to stay on the safe side it’s re commended to have all these measures implemented.

  • How about US citizens? Do we need to become GDPR compliant?

If your website visitors include those from the EU, you have to get align with GDPR compliance. Failing to do so leads to your website getting on the blacklist for breaking the law. In practice, the law is more loyal towards foreign companies, but it doesn’t mean you won’t get just desserts for ignoring GPDR requirements.

  • What should go in the cookie policy?

This section of website must clearly explain to users what type of cookies you use, and how you’ll use them. There should be a list with all cookies included, along with the purpose for each. A separate paragraph must mention the step users can take to opt-out. You should also explain how you update cookie policy, and how long does it take to roll out new information.