Disclaimer: I am not a lawyer so do not take this as official legal advice. This is my best-effort interpretation of the resources below.
This is an unofficial set of guidelines for using Google Analytics with cookie banners / notices, synthesized from the following resources:
- https://blog.oriel.io/2019/01/24/how-to-make-google-analytics-gdpr-compliant/
- https://webdevlaw.uk/wp-content/uploads/2018/05/WordCamp-Belfast-GDPR-Google-Analytics.pdf
- https://brianclifton.com/blog/2018/04/16/google-analytics-gdpr-and-consent/
- https://brianclifton.com/blog/2018/05/21/gdpr-request-consent-before-tracking/
- https://www.blastam.com/blog/gdpr-need-consent-for-google-analytics-tracking
Twitter discussion: https://twitter.com/karlhorky/status/1126025690443329536
Google Analytics can be used without users giving consent (consent example: clicking on an accept button), if configured correctly:
If you use [the] Advertising features in GA, you must request explicit consent. If you do not, then you don’t.
These settings assume that you will not need the advertising features.
- If you haven't yet, read and accept the Data Processing Amendment under Admin -> Account Settings (Ref)
- Uncheck all Data Sharing Settings checkboxes under Admin -> Account Settings (Ref)
- For each property, disable the advertising features you don't need. If you do need them, leave them on and make sure to implement Step 1b Option 2 and Step 2:
- Make sure that you never track URLs with personal information in them (query parameters, for example) (Ref)
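One way to enforce the last point is to clean the URL before analytics.js records it, by overriding the tracker's `location` and `page` fields. This is an added example, not code from the original guide; `SAFE_PARAMS`, `sanitizeUrl` and `applyToTracker` are hypothetical names, and the parameter allowlist is an assumption to adapt to your own reports.

```javascript
// Added example. Assumption: only these query parameters are needed in reports.
const SAFE_PARAMS = new Set([
  'utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content',
]);

// Loose match for e-mail addresses, including a URL-encoded "@" (%40).
const EMAIL_RE = /[^\/\s?&=]+(?:@|%40)[^\/\s?&=]+\.[a-z]{2,}/gi;

// Returns a URL object that is safe to hand to the tracker.
function sanitizeUrl(rawUrl) {
  const url = new URL(rawUrl);

  // Credentials and fragments can carry tokens; never forward them.
  url.username = '';
  url.password = '';
  url.hash = '';

  // Keep allowlisted parameters only, and redact addresses in their values.
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (SAFE_PARAMS.has(key.toLowerCase())) {
      kept.append(key, value.replace(EMAIL_RE, 'REDACTED'));
    }
  }
  url.search = kept.toString();

  // Path segments such as /reset/jane%40example.org are redacted too.
  url.pathname = url.pathname.replace(EMAIL_RE, 'REDACTED');
  return url;
}

// Overrides the URL fields that analytics.js would otherwise fill in itself.
// `ga` is passed in so the function can be exercised without the real library.
function applyToTracker(ga, rawUrl) {
  const clean = sanitizeUrl(rawUrl);
  ga('set', 'location', clean.href);
  ga('set', 'page', clean.pathname + clean.search);
  return clean;
}
```

In the browser, call `applyToTracker(ga, window.location.href)` after `ga('create', ...)` and before `ga('send', 'pageview')`.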
If you do not need any advertising features, on creation of the tracker, set `anonymizeIp` to `true` (Ref):

```javascript
ga('create', 'UA-XXXXX-Y', {
  // Make IP addresses anonymous, reducing accuracy
  anonymizeIp: true,
});
```
Alternatively, if you need advertising features, you can disable them until you get consent by setting `allowAdFeatures` to `false` (Ref):

```javascript
ga('create', 'UA-XXXXX-Y', {
  // Make IP addresses anonymous, reducing accuracy
  anonymizeIp: true,
  // Disable any default-enabled Advertising features (turn them on later when we get consent)
  allowAdFeatures: false,
});
```
Mention Google Analytics in your privacy policy, with instructions on how to remove cookies (opt-out).
If your strategy requires advertising features such as Demographics and Interest Reports, Remarketing with Google Analytics and DCM Integration, you need to enable them programmatically by calling the `set` method after consent. Any necessary features will need to be enabled again in the property (Step 1a point 3).
- Design a prominent cookie notice that users will notice, to improve engagement with it
- Once the user accepts the cookies, you may enable the following features again (Ref):

```javascript
if (userAccepted) {
  ga('set', {
    allowAdFeatures: true,
    anonymizeIp: false,
  });
}
```