How To Make Google Analytics GDPR-Compliant (No Consent Required)


Google Analytics is an incredibly powerful analytics tracking tool. It is at the heart of evaluating marketing data and making decisions, based on what’s working, to improve SEO performance over time.

However, the introduction of the GDPR in May of 2018 imposed a number of restrictions on the extent to which data can be collected and processed without consent – significantly affecting Google Analytics tracking data.

What Is The GDPR & Why It Matters?

Simply put, the GDPR – General Data Protection Regulation – is a regulation in EU law concerning data protection and privacy in the EU and the EEA (European Economic Area). However, it also addresses the transfer of personally identifiable information & data outside of the EU and EEA areas which means it affects virtually every business with a website that’s accessible to a global audience.

Cookies and Personally Identifiable Information

BEFORE: How Google Analytics Adds Tracking Cookies By Default (This Is Not GDPR-Compliant)


The GDPR has led to unusable and inescapable cookie & consent notices on almost every website that many would classify as a UX nightmare, while really failing to do anything to actually protect our privacy.

People deserve to know all of the personally identifiable information that companies are collecting about them and have access to it when they want.

A part of the data that is affected is Google Analytics tracking data. Out of the box, Google Analytics is not GDPR-compliant which means that using it on your site can only be done once consent is given. This means that in order to remain compliant with the privacy regulation, you would need to install additional plugins that let visitors give consent and only add the analytics tracking code if and when people agree.

Not only is this a hassle to set up, but it also leads to analytics data that is grossly misrepresentative of real-world data, meaning it becomes virtually impossible to rely on when making decisions as a business. And doing nothing, that is, continuing to collect information from your visitors that’s protected by the GDPR without collecting consent, can lead to penalties and significant fines.

So, in this guide, we’re going to walk you through how you can make Google Analytics GDPR-compliant (no consent required).

Note: While we stand by the method that is outlined in this post, Rank Math isn’t a law firm so the contents of this guide are not to be considered legal advice.

How To Make Google Analytics GDPR-Compliant (No Consent Required)

AFTER: Using Rank Math’s Cookieless Tracking Feature (GDPR Compliant, No Consent Required)


The first & easiest solution is one that’s available to you if you use WordPress as your content management system (which we highly recommend as it’s trusted by businesses including Bloomberg, the BBC, and TechCrunch just to name a few).

1 Install & Activate Rank Math PRO

Every WordPress website needs a WordPress SEO plugin – ideally one that lets you take complete control of your website’s technical & on-page SEO. Fortunately, that’s exactly what we do here at Rank Math.

So, as you might’ve guessed, the first step – if you haven’t already – is to go ahead and install the Rank Math WordPress SEO plugin:

  1. Download Rank Math & Rank Math PRO
  2. Follow Rank Math’s Setup Guide
  3. And that’s it! Keep reading…

Note: Rank Math’s Analytics module is available in the free version of Rank Math, but the functionality that allows you to install Cookieless Google Analytics so that no consent is required is only available in Rank Math PRO. Learn more & upgrade today.

2 Enable Rank Math’s Analytics Module

In order to use Rank Math to automatically make Google Analytics GDPR-compliant, you need to enable the Analytics Module, available by navigating to Rank Math > Dashboard > Analytics.

Once enabled, you’ll be able to connect your Google Account by clicking the Settings button. Go ahead and make sure that you connect the account that has access to the Google Analytics property for the site that you’re currently working on.

3 Enable Cookieless Tracking and Anonymize IP Address

The final step is to navigate to Rank Math’s General Settings > Analytics.

This is where you’ll be able to enable the Install analytics code option.

And once that option is enabled, you’ll see an additional four options, including Enable Cookieless Tracking (No Consent Required) which is the option that allows the Google Analytics tracking code to be added without collecting consent from your website visitors before doing so.

You will also need to ensure that the “Anonymize IP addresses” option is enabled. This option is required for GDPR Compliance as well.

Rank Math also lets you further tweak your analytics tracking implementation, including:

  • The ability to exclude logged-in users (to avoid users on your team from inflating and skewing your analytics tracking data)
  • The ability to self-host the JavaScript tracking file (host Google Analytics locally, often helpful when accelerating site speed as an external request no longer needs to be made)

Note: Once you’ve enabled this option in Rank Math – please ensure that you disable and remove all other tracking plugins and or scripts added manually.

When the above options are enabled, Rank Math PRO installs the Google Analytics tracking code using a different method to generate a unique ID for each visitor that doesn’t require a cookie (meaning that no consent is required as no sensitive, personally identifiable information is collected or sent to Google Analytics).

Behind the scenes, this implementation generates a hashed ID (dynamically on page load) by combining and hashing the client’s IP address, website domain, user agent, and browser language.

Alternative Method WordPress: GDPR-Compliant Google Analytics

If you aren’t already using Rank Math, this simple & free Google Analytics plugin also makes use of the same implementation to install the Google Analytics tracking script in a way that ensures that consent is not required.

How To Make Google Analytics GDPR-Compliant On Non-WordPress Websites

Only websites that run on WordPress are able to use the Rank Math WordPress SEO plugin and benefit from the easy implementation of all of this & much more.

However, to keep things nice and simple for those of you that don’t use WordPress – here’s how you can make Google Analytics GDPR-compliant:

Add the following JavaScript code to your page’s HTML head section (just before the closing </head> tag).

<script>
    // cyrb53: a fast, non-cryptographic 53-bit string hash.
    const cyrb53 = function(str, seed = 0) {
        let h1 = 0xdeadbeef ^ seed,
            h2 = 0x41c6ce57 ^ seed;
        for (let i = 0, ch; i < str.length; i++) {
            ch = str.charCodeAt(i);
            h1 = Math.imul(h1 ^ ch, 2654435761);
            h2 = Math.imul(h2 ^ ch, 1597334677);
        }
        h1 = Math.imul(h1 ^ h1 >>> 16, 2246822507) ^ Math.imul(h2 ^ h2 >>> 13, 3266489909);
        h2 = Math.imul(h2 ^ h2 >>> 16, 2246822507) ^ Math.imul(h1 ^ h1 >>> 13, 3266489909);
        return 4294967296 * (2097151 & h2) + (h1 >>> 0);
    };

    // PHP placeholder: it is only interpolated when this markup is emitted
    // from a PHP double-quoted string or heredoc.
    const clientIP = "{$_SERVER['REMOTE_ADDR']}";
    // Changes once every four days, so the derived ID rotates on that schedule.
    const validityInterval = Math.round(new Date() / 1000 / 3600 / 24 / 4);
    const clientIDSource = clientIP + ";" + window.location.host + ";" + navigator.userAgent + ";" + navigator.language + ";" + validityInterval;
    const clientIDHashed = cyrb53(clientIDSource).toString(16);

    // Standard analytics.js loader, requested over HTTPS.
    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
    (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
    m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
    })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');

    // 'storage': 'none' stops analytics.js from setting cookies;
    // the hashed value is supplied as the client ID instead.
    ga('create', 'YOUR-GA-TRACKING-CODE', {
        'storage': 'none',
        'clientId': clientIDHashed
    });
    ga('set', 'anonymizeIp', true);
    ga('send', 'pageview');
</script>

Well-deserved credit for this method as well as the inspiration for the implementation goes to Helge Klein.

Note: You will need to replace YOUR-GA-TRACKING-CODE with your actual Google Analytics tracking code. And if your web server isn’t able to run PHP, you’ll need to find another way of embedding the client’s IP address, in which case replace {$_SERVER['REMOTE_ADDR']} with whatever your platform requires in order to obtain the client’s IP address.
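The following is an added example, not code from the original post or from Rank Math. It wraps the snippet's ID derivation in a pure function to show the four-day rotation driven by validityInterval, and a character check on the server-supplied IP before it is embedded in the page. The names deriveClientId and isPlausibleIp and the sample visitor values are assumptions made for illustration.

```javascript
// Added example; not the post's or Rank Math's own code.
// cyrb53 is copied from the page's snippet (53-bit, non-cryptographic hash).
function cyrb53(str, seed = 0) {
  let h1 = 0xdeadbeef ^ seed, h2 = 0x41c6ce57 ^ seed;
  for (let i = 0, ch; i < str.length; i++) {
    ch = str.charCodeAt(i);
    h1 = Math.imul(h1 ^ ch, 2654435761);
    h2 = Math.imul(h2 ^ ch, 1597334677);
  }
  h1 = Math.imul(h1 ^ (h1 >>> 16), 2246822507) ^ Math.imul(h2 ^ (h2 >>> 13), 3266489909);
  h2 = Math.imul(h2 ^ (h2 >>> 16), 2246822507) ^ Math.imul(h1 ^ (h1 >>> 13), 3266489909);
  return 4294967296 * (2097151 & h2) + (h1 >>> 0);
}

// Hypothetical check: only characters valid in an IPv4/IPv6 literal, so a
// header-derived value cannot close the string it is embedded in.
function isPlausibleIp(value) {
  return typeof value === 'string' && value.length <= 45 &&
    /^[0-9a-fA-F:.]+$/.test(value) && /[.:]/.test(value);
}

// Same arithmetic as the snippet: the value changes once every four days.
function validityInterval(nowMs) {
  return Math.round(nowMs / 1000 / 3600 / 24 / 4);
}

// Hypothetical wrapper around the snippet's clientIDSource / clientIDHashed logic.
function deriveClientId({ ip, host, userAgent, language, nowMs }) {
  if (!isPlausibleIp(ip)) throw new TypeError('client IP is not an address literal');
  const source = [ip, host, userAgent, language, validityInterval(nowMs)].join(';');
  return cyrb53(source).toString(16);
}

// Constructed sample visitor (documentation address range, made-up user agent).
const DAY_MS = 24 * 3600 * 1000;
const base = 5000 * 4 * DAY_MS; // a timestamp that falls exactly on interval 5000
const visitor = { ip: '203.0.113.7', host: 'example.com',
  userAgent: 'Mozilla/5.0 (constructed sample)', language: 'en-GB', nowMs: base };

const idNow = deriveClientId(visitor);
const idNextDay = deriveClientId({ ...visitor, nowMs: base + DAY_MS });
const idAfterRotation = deriveClientId({ ...visitor, nowMs: base + 2 * DAY_MS });
console.log({ idNow, idNextDay, idAfterRotation });
```

Because Math.round is used, the interval flips at the half-way point of each four-day block. Two visitors who share an IP address, browser build and language within the same interval receive the same ID.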

Google Analytics Data Processing Settings

In order to be fully compliant with the GDPR, in addition to changing your tracking code using the methods described above – there are also a few relevant settings that need to be set/checked in your Google Analytics account:

1 Review & Accept The Data Processing Amendment

First, you have to sign Google’s processing agreement. This can be found in the Google Analytics management environment under Account Settings. Under Data Processing Agreement, click on Review Amendment.

After reading, click Done. Learn more here.

2 Disable Data Sharing

Turn off data sharing with Google. This is done by unchecking the Data Sharing Settings under Account Settings.


3 Disable the User-ID Feature For Your Analytics Property

The User-ID feature lets you associate the engagement data from different devices and multiple sessions so you can measure how users interact with your content over an extended period of time.

This is not something you can track without permission, so in order to use Google Analytics without collecting consent, disable this in your Google Analytics Property Settings > Tracking Info > User ID.

Disclaimer: If you are adding Custom Variables with sensitive data, collecting User ID or other pseudonymous identifiers, you’ll need to gain consent from the user.

To protect user privacy, Google policies mandate that no data be passed to Google that Google could use or recognize as personally identifiable information (PII). PII includes, but is not limited to, information such as email addresses, personal mobile numbers, and social security numbers. Because laws across countries and territories vary, and because Google Analytics can be used in many ways, consult an attorney if you are in doubt whether certain information might constitute PII or not.

4 Disable Data Sharing for Ads

Turn off data sharing with Google. This is done by unchecking the Data Sharing Settings under Account Settings.

Google Analytics – Frequently Asked Questions

Is Google Analytics GDPR-Compliant?

No, Google Analytics isn’t GDPR-compliant by default. However, with the help of the Rank Math WordPress SEO plugin, you can easily make it compliant thanks to features including generating unique hashed IDs using client IPs, user agents, language, and more.

What Personally Identifiable Information Does Google Analytics Collect?

By default, Google Analytics collects various personally identifiable information which would require consent from website visitors, including IP addresses, generating unique IDs and clientIDs – all of which can be used to track and identify an individual across the web (and even across devices, hence the need for consent when configured in this way).

Do I Need To Show A Consent Notice for Google Analytics?

Yes, you do need to show a consent notice prior to inserting the Google Analytics JavaScript tracking file and generating cookies as per the GDPR – unless you take advantage of Rank Math’s Cookieless Google Analytics tracking.

What Happens To My Google Analytics Code If I Disable Rank Math?

If you used Rank Math’s built-in Google Analytics integration to insert your tracking script & subsequently remove Rank Math, the tracking script will be removed meaning that data will no longer be sent to Google Analytics as a result.

Summary: Rank Math + Google Analytics = An Analytics Powerhouse

As Clive Humby famously said back in 2006, “data is the new oil” and this continues to become more true as time goes on. We all use, need, consume, and require data both personally but even more so in business. And to succeed in your SEO & marketing efforts, you need data.

At what cost though? With Rank Math and the method we’ve covered in this post, protecting your visitors’ privacy doesn’t have to be an afterthought or something you neglect doing simply because of how complex the implementation is. Instead, it’s something you can set & forget in a matter of clicks.
