1. Home
  2. Forums Index
  3. WebmasterWorld / Website Analytics - Tracking and Logging 4:37 am May 21, 2026

Forum Moderators: DixonJones

Message Too Old, No Replies

Analytics and GDPR

3 Approaches to complying with the GDPR regulations with Google Analytics.

         

DixonJones

11:27 am on May 14, 2019 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I have always been wary of putting GA code on websites... mostly because I was involved in a product that was arguably competing in some areas with Google. Now I am a little freer to broaden my horizons and find myself looking at GA through the eyes of an enquiring child.

My main interest is in seeing how I can avoid falling foul of the EU's GDPR regulations. To be ABSOLUTELY CLEAR... in my mind, if you just take Google analytics out of the box and put it on your website, YOU (not Google) are breaking the law as soon as an EU citizen comes to see your site unless you take at least SOME steps to protect or at the very least inform the visitor. This is why so many sites now show GDPR stick-up pop-ups to EU IP addresses.

The EU considers IP addresses as Personally Identifiable information... so right there, analytics systems have a problem. GA is no exception. But there are ways to mitigate the problem.

In putting this post together, I have to give credit to Brian Clifton (Author of Advanced Web Metrics with Google Analytics) who has a couple of really good blog posts with tips on the subject if you want to get into the nitty-gritty.

Option 1 (low tech): Most people just put up a banner to people visiting from EU IP addresses saying that you collect personally identifiable information. Google has plenty of help on how you can do this. But it is starting to affect the way we use the web. Everyone just feels obliged to "click accept" which goes against the policy of "informed consent". users are not informed if they do not understand what they just clicked. so in the long term, this approach sucks.

Option 2: Most people do not realize that you can anonymize IP addresses [support.google.com] in GA. in theory, if you do that, I do not think that you need to have any message on your website about collecting personal data (due to GA at least)! Someone tell me otherwise? Surely this is a BETTER way to go than pop-ups?

Option 3: This is where I really need to give Brian kudos. The BEST way deal with GDPR and Data Privacy in general is to use Regex to block sending personal data to GA in the first place. Advanced set up of GA and Analytics means that you can be collecting personal data on your own site, but using Regex you can strip that data before Google sees it. This has to be a bit of a gold standard approach because you don't pass information to the third party at all.

I'd love to know what percentage of GA users go beyond option 1! My guess would be pretty well none, but I think we should all take up option 2. It is an easy setting in GA and frankly, they could switch it on by default.

[edited by: DixonJones at 10:32 am (utc) on May 15, 2019]

TheRealSaxman

1:15 pm on May 14, 2019 (gmt 0)

10+ Year Member



I'm in the US and for the most part don't really have to deal with GDPR. However, I do have a number of clients that are global and therefore do have to deal with it. My biggest "problem" with it, in the sense of it actually creating a problem for me and not so much it being a personal issue for me, is that it hinders my conversion tracking. I could care less "who" converted over the fact that somebody actually did and that I can see that along with the keyword data (Paid Search here...). The company uses something called "Cookiebot" to place this annoying floating banner at the bottom of the screen that follows you everywhere until you choose from three selections of tracking settings (Marketing, Statistics and Preferences). Until you click "Okay" the site collects nothing and I get nothing of value which makes it hard for me to track leads attributed back to Paid Search. This company tells me that their "Law Team" says that they HAVE to take this level of precaution in order to be compliant, but it seems that you (@DixonJones) are saying that all we need to do is shut off our ability to track IP Addresses. Am I understanding this correctly? Do you have any documentation backing this up? I would appreciate any insight into my issue if you don't mind... Thanks in advance!

- Ed

Webwork

2:24 pm on May 14, 2019 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Dixon - I found this post "Remove PII from Google Analytics – The Smart Way" [brianclifton.com ]

Is there another post on the topic that you are referencing or that you found helpful?

DixonJones

7:03 am on May 15, 2019 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



@WebWork yes that is post that I thought was very interesting. Not new, but a different and more mature approach than popups.

@TheRealSaxman - yes, most people in the EU seem to be using that Cookiebot or a similar narrative to try and comply with the legislation. However, Brian’s solution gets around the need for Personal Data (especially IP addresses but also emails etc from ever reaching Google or any third party in the first place from what I can see. (My coding skills suck... I am making a business case here).

If you do not care WHO converted, only that they did (and what marketing channel sent them), then the cookiebot thing is only necessary because you are storing data you don’t need. That, ironically, creates a second legal issue... if you don’t need it, you shouldn’t be keeping it anyway! Mind you, I find the same dataloss when using third party payment providers that you are finding with your cookiebot, so make sure that is the root cause before fighting a battle to change legal opinion. :)

TheRealSaxman

12:43 pm on May 15, 2019 (gmt 0)

10+ Year Member



@DixonJones thanks for the feedback. I think I was a little loosey-goosey with my "I could care less "who"" comment, as I could care less "who" but my client most definitely cares. They use the data to follow up with the potential customer to sell their software. For my purposes I could care less... I just need to report that a conversion occurred, where it came from, and what search phrase they used to convert from. I also care about attribution funnels as well so I need to know all sources that were used to get to the eventual conversion. We find with SaaS clients there are often multiple sources used, more-so than other verticals, that lead to the eventual conversion and therefore we like to use that data to shape our messaging across those different sources... sorta/kinda like using Click Funnels in Facebook Ads, but only across multiple sources. I think I was hoping, after reading your post, that ditching the IP from G would be the simple answer without me really loosing any of the other data... but I'm guessing not. Am I understanding correctly? Do you have any other advice knowing now that I really do need to be able to use the data? Thanks!

DixonJones

2:11 pm on May 15, 2019 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



(**I am not a lawyer Disclaimer**)
Thx @TheRealSaxman - I don't want to pretend I know how that business works, but here's another way of looking at how the data flows...
Surely - until the user puts something into a web form, you probably don't have enough data in GA anyway for the salespeople to follow up abandoned carts and whot-not? Perhaps you do through cookies already laid in the past... in which case consent should have already been sought, so a pop-up only serves to potentially revoke that consent. My guess is that the sales guys do the follow-ups via Salesforce or some other CRM system and the Personally Identifiable Information (PII) that THEY rely on is not the IP address. In that case, they don't start following up until an email address or phone number has been volunteered? Maybe you can use the IP anonymizing in GA and the Sales guys and gals wouldn't even know?

Avoiding the use of the popup takes a bit of finesse and legal consideration, however you look at it. The pop-up on its own is not really addressing GDPR... but will probably help to avoid the first waves of enforcement notices. Mind you, being a non-eu company will probably also provide a temporary shield.

If you are doing cross-site tracking with GA cookies to retarget or track attributions to a unique person, then I think that the EU would still think that the data subject (the user) will need to give informed consent... but if you can ask for that when they are filling in a form anyway, then that would be better and could open the door to removing the popup.

ergophobe

12:20 am on May 17, 2019 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Great post. I've implemented Option 3 - regex - on a site that was in gross violation.

In addition to IP addresses, search for a year's worth of pageviews for the "@" character. If you get a lot of those because of some GET parameter, try searching for gmail.com. People were sort of blasé about it... then I took screenshots of the *their* personal addresses in their analytics.

Even before GDPR, some of the violated the GA terms of service. It's critical when you do this, that the regex hit before sending any data to Google. In other words, it is not okay to do this with a filter on a view in GA. You must do it prior to that.

The easiest way to implement (IMO) is via Google Tag Manager.

Nutterum

12:27 pm on May 29, 2019 (gmt 0)

10+ Year Member Top Contributors Of The Month



I am sorry to ruin your thought process but GDPR was never created with the intent to scare small businesses (sub 1 million in revenue per month) into being squeaky clean about their data. GDPR was invented so that when a fat lawsuit comes to pass, like the EU going to the courts against Google, the EU has a legitimacy right and benchmark on what they consider as data privacy. Do you know how many GDPR commissars are there in total in the EU? Less than a thousand (that is 1000). They have no logistic, technical or human resource capability to control the all the data. They do have the capacity to take a look at big cases and have levarage against or for certain big EU businesses.

The huge fines are the main controlling mechanism. No one would date make a big privacy breach because they will be easy target for a lawsuit. But every and I do mean EVERY company has big flaws when it comes to data privacy, with the biggest offender being all financial institutions, that are obligated to hold on to persona and identifiable data at all costs because there are other local laws that allow them to do just that.

Long story short, don't bother your brain about GDPR - go with the low key solution, grab as many identification points as you can, while walking the grey line of "what data is truly unidentifiable" and rest assured no one will care.

On to your specific question - you can randomize the IP addresses in GA but you will still in breach of GDPR, because in actuality your hosting server still has the logs of the exact IPs and thus you are still legaly obligated to pop up the GDPR message. Take it from someone who has big enough experience with the matter first hand. (can't say more without revealing too much)

TheRealSaxman

1:31 pm on May 29, 2019 (gmt 0)

10+ Year Member



@Nutterum ...Thanks for your reply. That's about what I thought the real story was with GDPR, and your answer in regards to the IP addresses and GA confirms my suspicions about that as well... Thanks!
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. WebmasterWorld / Website Analytics - Tracking and Logging 4:37 am May 21, 2026