The use of Google Analytics is subject to certain requirements under the GDPR (General Data Protection Regulation). Data protection and Google Analytics have long been in conflict. At the latest since the ECJ judgment on tracking, an opt-in has been provided for Google Analytics. In this context, the question of the processing of Google Analytics cookies is of importance. You will find support from consent management providers (CMPs) for the legally secure integration of Google Analytics. With cookie consent solutions you contribute to data protection in Google Analytics.
Google Analytics at a glance: importance of data protection
The majority of larger websites rely on analysis tools to draw conclusions about visitor behavior. By far the most popular user analysis tool is Google Analytics. As can be seen from various statistics, this tool is used on around half of all websites, depending on the survey. On the one hand, this popularity is due to the fact that Google has access to a particularly large amount of user data . On the other hand, the popularity stems from the fact that a large range of Google Analytics functions is free for all users .
Google Analytics uses cookies to evaluate user data. These small files are stored in the visitor’s browser. Users have numerous options to collect different data according to customized settings. Google Analytics then enables website operators to process and evaluate the data according to various parameters. On this basis, valuable key figures such as page views, user behavior or length of stay on the site can be tracked. Google Analytics also enables individual actions to be precisely tracked , including subscribing to a newsletter or downloading certain files. Conversion tracking options can be used to determine the points at which visitors become customers. This reveals optimization potential and contributes to a continuous improvement in page performance.
From the perspective of data protection , the vast amounts of data that Google Analytics collects and evaluates must be viewed critically. In particular, data protection officials complain about the storage and transmission of complete IP addresses of visitors to Google (directly to the USA). Furthermore, data protectionists criticize that Google’s data protection regulations do not provide sufficient information about which data of the site visitor is actually collected, stored and transmitted .
Due to the access to a lot of user data, data protection in Google Analytics has long been controversial. With the entry into force of the GDPR (also GDPR: General Data Protection Regulation) and even more so since the ECJ ruling on cookies in 2019, the legally secure use of Google Analytics is subject to certain requirements. If Google Analytics is not coordinated with the GDPR, site operators may face severe warnings or fines .
Google Analytics: Legal background (GDPR and ECJ ruling)
Coordination of Google Analytics with the GDPR has become indispensable at the latest since the latter came into force. Data protection authorities have threatened website operators with fines for using this tool in the past. Before the GDPR, Google Analytics could also be used without consent, provided only a few requirements were met (e.g. IP anonymization and AV contract). The GDPR was linked to the hope that the question of consent would only be regulated with the ePrivacy Regulation . Until then, website operators wanted to rely on the “legitimate interest” in accordance with Art. 6 Para. 1 lit. f GDPR appointed.
An important change came with the 2019 ECJ ruling in the Planet49 case (Ref.: C-673/17). The judgment is accompanied by clear information regarding consent to the use of Google Analytics cookies and other cookies. The design of the consent should be such that visitors must first expressly agree to the use of Google Analytics cookies. Therefore, Google Analytics relies on opt-in : Users must first voluntarily agree before an operator is even allowed to collect and process Google Analytics cookies. An exception exists with regard to cookies, which are absolutely necessary for the technical functioning of the site.
In its judgment, the ECJ pointed out that the ePrivacy Regulation (Art. 5, Para. 3) already provided for consent even for cookies that are not absolutely necessary. Similar statements by the ECJ are already known from earlier case law.
The legal requirements for the use of Google Analytics cookies were reassessed by the coordination committee of the German data protection supervisory authorities (DSK) on May 12, 2020. With this resolution, there is also an addition to the orientation guide for telemedia providers . This orientation guide explains various settings when using Google Analytics in terms of legally compliant use.
Legally compliant use of Google Analytics: Measures for website operators
Anyone who continues to rely on Google Analytics as a website operator, for example in the media sector or in e-commerce , is well advised to implement certain measures that ensure legal certainty for the tracking tool.
Ensuring transparency in data protection regulations
Website operators should provide comprehensive information about the use and processing of personal data in the data protection regulations. This transparency must be guaranteed in accordance with Art. 13 GDPR so that Google Analytics can be coordinated with the GDPR.
With regard to the specific requirements of the information obligation, data protection experts refer to the guidelines on transparency of the European Data Protection Board. When adapting the data protection declaration, at least the following information content must be specified, taking into account the DSK requirements according to Art. 12 and 13 DSGVO: The scope of the data collection must be communicated clearly. Furthermore, the data protection declaration must provide information on the legal basis on which the data is collected. Likewise, the privacy policy must be explained in order
how long the data is stored. In this context, the
Criteria for determining the storage period are disclosed. The data protection declaration should also provide a reference to the right of withdrawal and its implementation.
Shorten IP address
As a further measure to coordinate Google Analytics with the GDPR, operators of a website with this tracking tool should arrange for the IP address to be shortened . This can be implemented by adding the “_anonymizeIp()” command to the tracking code. This refers to any website that has a Google Analytics integration. Technical details on this type of IP address truncation can be found directly in the instructions on Google’s Developers page.
Shortening the IP address is an important measure to protect users in accordance with Art. 25 Para. 1 GDPR. However , simply shortening the IP address is not enough to ensure anonymous data processing. In addition to the pure IP address, the use of Google Analytics involves the collection of numerous other usage data. This includes personal data, such as those used to identify users (e.g. in the sense of linking to an existing Google account).
Therefore, even after the IP address has been shortened, further requirements for the coordination of Google Analytics with the DSGVO must be observed. Likewise, in the aforementioned data protection declaration, a note must be given as to whether the IP address was shortened.
Determination of the retention period of the data
In order to coordinate Google Analytics with the GDPR, it is also necessary to specify exactly what retention period is provided for the data. Google Analytics includes certain data retention controls . The default setting is designed to automatically store user data and event data for 26 months. Often the “Reset on new activity” button is disabled in the default settings. This button should be deactivated to coordinate Google Analytics with the GDPR (compare Art. 25: Data protection by design). The retention period of the data should be limited to 14 months .
To change the retention period of the data, the property to be edited should be selected under the “Management” tab. In the corresponding “Property” column, settings for the duration of storage can be made under “Tracking information – data storage”. After a different setting has been selected here, you should remember to adapt the data protection declaration to these modifications.
Express consent to the use of cookies
One of the most important prerequisites for the legally compliant design of the use of Google Analytics is the guarantee of a well thought-out cookie consent . A visitor’s consent to the use of Google Analytics and cookies must contain certain information: first of all, the headline must be clear and unambiguous. It must show that the user agrees to the data processing by Google after giving their consent. Furthermore, users must be informed that as part of data processing, personal data and data on usage behavior on the website are transmitted to Google . The request for consent should also contain precise information about the types of data involved.
It is also relevant to know that the data collected is mainly processed by Google . It should be emphasized that the operator of the website has no influence on data processing in this regard. Google processes the data for its own purposes (e.g. profiling).
It is also important to know whether the data collected can also be linked to information from other sources. Information must also be added as to whether the data is being stored in the USA and whether state authorities may have access to this data.
Technical requirements for consent and withdrawal
Furthermore, the consent option must not represent an all-encompassing consent to the use of cookies. An important technical prerequisite for consent is the active involvement of the user. The user must have the opportunity to actively agree to the use of data. This excludes pre-ticked boxes or checkboxes !
This is associated with the requirement that the tracking tool and corresponding Google Analytics cookies can only become active after users have given their active consent. Google Analytics cookies must not be set beforehand.
The data may only be collected after users have actively ticked the box. Furthermore, this consent must be voluntary. This is also linked to the possibility for users to refuse consent at any time.
Furthermore, it must be technically ensured that users do not suffer any disadvantages in the event of non-consent. Users must be provided with clear and user-friendly technical solutions to ensure and implement consent. Consent tools offer one possibility for this. These should offer the possibility to revoke this consent at any time, even after consent has already been given. In all apps or cookie consent solutions, there must also be an easily accessible option for an effective revocation in the settings.
In principle, Google offers a browser add-on which deactivates Google Analytics. It should be noted that it is not sufficient to refer users to this add-on. This does not offer users a sufficient possibility of revocation. According to Art. 7 para. 3 p.4 GDPR, the revocation of consent must be just as simple as the consent. The Google add-on does not meet these requirements because it first requires the user to download a program in the form of the add-on.
Importance of the opt-in procedure
Active and express consent to the use of Google Analytics cookies is also known as an opt-in procedure. The design of the consent to use must be designed as a real Google Analytics opt-in at the latest since the ECJ judgment on cookies. In principle, since the data protection guidelines of the EU from 2009, it has been provided that website users are asked for their consent. So far, however, many operators have interpreted this consent as an opt-out. In practice, this means that cookies are collected without the user having to do anything. Visitors only have the option of preventing the collection of cookies. According to the ECJ ruling on cookies, a website may no longer set cookies before the visitor has given their express and active consent . This means that Google Analytics cookies can only be set at all after the visitor has opted for them (opt-in).
CMP: Consent Management Solutions for Websites and Their Benefits
It is important for website operators and companies to take precautions in good time for effective consent to the use of Google Analytics. On the one hand, consent management banners provide users with comprehensive information about the use of the data and at the same time ask them to give their consent.
The technical realization of a legally compliant cookie management benefits from so-called consent
Solutions. A good consent manager takes into account the requirements of the GDPR and the ECJ judgment as well as a positive user experience. The most important aspects of a positive user experience include a high dwell time and a high acceptance rate . Accordingly, the bounce rate should be kept as low as possible. Good consent management solutions help to increase the acceptance rate and at the same time minimize the bounce rate. In this way, they ensure that the website performs well and make their contribution to customer acquisition and customer loyalty.
A well thought-out consent management solution gives a real-time overview of acceptance and bounce rates. This allows valuable conclusions to be drawn about the current website performance and the corresponding potential for improvement.
Consent solutions are internationally oriented. The displayed banner appears automatically in the respective language of the country in the GDPR area from which the website is accessed. Overall, the consent management provider displays the information in 29 languages. Likewise, a responsive design and adaptation goes without saying in a modern consent solution. The consent solution takes into account the end device, operating system and screen size and displays the consent banner in an optimized manner.
