Google Analytics Settings for GDPR

If your business operates in areas that are governed by the General Data Protection Regulation, some of the default settings of Google Universal Analytics and Google Tag Manager must be modified to comply with the regulation. Follow these steps to ensure that your use of customer data remains in compliance with the GDPR.

[Image: Google Data Sharing Settings]

Step 1: Update Google Settings

  1. Sign in to your company’s Google Analytics account.

  2. At the bottom of the left sidebar, choose Admin. Then, navigate to the account that you want to edit, if applicable.

  3. In the Account column, click Account Settings.

  4. Turn off data sharing in order to meet GDPR requirements.

    The default Google Analytics settings share your company data with Google and other parties. To turn off data sharing, clear the checkbox for each of the following settings:

    • Google products & services
    • Benchmarking
    • Technical support
    • Account specialists
  5. Accept the Data Processing Amendment.

    The Google Ads Data Processing Terms describe how Google processes data, and the measures it takes to ensure data security for businesses that are subject to the GDPR. A record of your legal entities and contact information is also maintained with the amendment. To learn more, click the link in the message at the top of the page.

    • Scroll down the page to Data Processing Amendment.

    • Click Review Amendment to read the Google Ads Data Processing Terms.

    • Click Accept.

    • Click Save.

  6. Complete the DPA Administration details.

    • Click Manage DPA Details to open a DPA administration page where you can edit contacts and your organization’s legal entities.

    • In the Legal Entities section, click the Edit icon and add one or more registered name(s) for your organization. When complete, click Save.

    • In the Contacts section, click the Add icon and enter the information for the first contact. Then, select the checkbox of each applicable role and click Add.

      • Primary Contact: (Notification Email Address) The contact to whom notices are sent.
      • Data Protection Officer: (If applicable) The person who is designated to facilitate GDPR compliance.
      • EEA Representative: (If applicable) The person who represents customers outside of the EU regarding their GDPR obligations.

      Repeat to add another contact, if applicable.

Step 2: Modify Your Google JS Libraries

Google supports three JavaScript libraries to measure website usage, depending on the Google product: gtag.js, analytics.js, and ga.js. To meet GDPR requirements, the standard code must be modified for the following requirements:

Anonymize IP Addresses

  1. To anonymize the IP addresses used by Google Universal Analytics, add the following snippet to the analytics.js library on your web server:

    analytics.js
    ga('set', 'anonymizeIp', true);

    To learn more, see the Analytics.js Field Reference.

    If you use the legacy ga.js library, add the following snippet:

    ga.js
    // ga.js has no ga() command queue; it uses the _gaq array instead.
    _gaq.push(['_gat._anonymizeIp']);
  2. To anonymize the IP addresses used by Google Tag Manager, set the anonymize_ip parameter to true in the gtag.js library on your web server.

    gtag.js
    gtag('event', 'your_event', { 'anonymize_ip': true });

    To learn more, see IP Anonymization in Analytics in Google Help.

Force SSL

To force all Google data to be transmitted over Secure Sockets Layer (SSL), add the following snippet to the analytics.js library on your web server.

analytics.js
ga('set', 'forceSSL', true);
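
To confirm that both settings took effect, you can inspect the hits your pages actually send. The following is an added example, not part of the original page or of Google's libraries: it audits hit URLs copied from the browser's Network panel, checking that each Universal Analytics hit uses HTTPS and carries the Measurement Protocol aip parameter that analytics.js sends when anonymizeIp is set. The function names, the sample hits, and the UA-XXXXX-Y and cid values are constructed placeholders.

```javascript
// Audit captured Google Analytics hits (for example, copied from the
// browser's Network panel) for IP anonymization and HTTPS transport.
function auditHit(hitUrl, postBody = '') {
  let url;
  try {
    url = new URL(hitUrl);
  } catch (err) {
    return { hit: hitUrl, findings: ['unparseable URL'] };
  }
  // Only Universal Analytics collection endpoints are in scope.
  const isGaHost = /(^|\.)google-analytics\.com$/.test(url.hostname);
  if (!isGaHost || !url.pathname.endsWith('/collect')) return null;

  // Hits carry their parameters in the query string (GET) or the body (POST).
  const params = new URLSearchParams(url.search);
  for (const [k, v] of new URLSearchParams(postBody)) params.append(k, v);

  const findings = [];
  if (url.protocol !== 'https:') findings.push('hit sent without TLS');
  // analytics.js adds aip=1 to the hit when anonymizeIp is set.
  if (!params.has('aip')) findings.push('aip parameter missing (IP not anonymized)');
  return { hit: params.get('t') || 'unknown', findings };
}

// Returns only the GA hits that have at least one finding.
function auditHits(hits) {
  return hits
    .map(h => auditHit(h.url, h.body))
    .filter(r => r !== null && r.findings.length > 0);
}

// Constructed sample hits; UA-XXXXX-Y and the cid values are placeholders.
const sampleHits = [
  { url: 'https://www.google-analytics.com/collect?v=1&tid=UA-XXXXX-Y&cid=555&t=pageview&aip=1' },
  { url: 'http://www.google-analytics.com/collect?v=1&tid=UA-XXXXX-Y&cid=555&t=event&aip=1' },
  { url: 'https://www.google-analytics.com/j/collect?v=1&tid=UA-XXXXX-Y&cid=555&t=timing' },
  { url: 'https://www.google-analytics.com/collect', body: 'v=1&tid=UA-XXXXX-Y&cid=555&t=pageview&aip=1' },
  { url: 'https://example.com/app.js' },
];

console.log(auditHits(sampleHits));
```

An empty result means every captured Google Analytics hit was sent over HTTPS with the aip parameter present.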

Step 3: Update Your Privacy Policy

Update your privacy policy to state that your company:

  • Uses Google Analytics
  • Masks IP addresses to hide personal information
  • Has turned off Google Data Sharing
  • Does not use other Google services in conjunction with Google Analytics cookies.