How to maintain GDPR compliance when using Google Analytics

News coverage of the EU General Data Protection Regulation (GDPR) has eased since it took effect on 25 May 2018, but that’s no indication of organisations’ level of compliance. Many are still struggling to understand the GDPR, and looking for advice wherever they can get it. 

Webmasters are among those most in need of help. They process a lot of personal information, and often rely on third parties, such as Google Analytics, meaning there are compliance obstacles all over the place. This blog clears things up, explaining how you can ensure that your use of Google Analytics remains GDPR-compliant. 

Data retention

The GDPR mandates that personal data can only be kept for “as long as necessary”, which means that organisations need to know the purpose for collecting data and how long they will need it to meet that purpose. This needs to be decided before organisations process personal data, as the information must be outlined in their privacy policies.

To help organisations meet this requirement, Google Analytics has updated its data retention settings. Under the “tracking and info” menu, users can select whether they would like to retain account data for 14, 26, 38 or 50 months – after which time, data will automatically be deleted. There’s also a “do not automatically expire” option. 

Although automatic deletion of data is often a good idea, it’s only necessary for GDPR compliance for some processing activities. Most information provided by Google Analytics uses aggregated data, which doesn’t fall under the GDPR’s scope.

Pseudonymisation and anonymisation

Webmasters should pseudonymise or anonymise as much information as possible, because it puts the data either partially or fully out of scope of the GDPR. 

Anonymisation removes all personal data from data sets, whereas pseudonymisation only replaces part of the data set. There are only a few instances where anonymisation is useful, which is why pseudonymisation is much more popular – although it still comes with risks. Unlike anonymised data, it’s still considered personal data and therefore subject to the GDPR, but by pseudonymising data, organisations mitigate the damage and repercussions of a breach. 


The most common question surrounding almost every aspect of processing under the GDPR is ‘do I need consent?’. The answer is always the same: consent is one of six lawful grounds for processing personal data, and it’s generally the least reliable option. Consent should only be sought if no other grounds apply. 

However, data collection for advertising purposes is one of the few times where consent will almost always be necessary. Google Analytics includes several advertising features, including demographics and interest reports, remarketing and DoubleClick integration. If you use any of these features, you will need explicit consent. 

GDPR compliance guide

You can find out more about the GDPR’s lawful grounds and its other requirements by reading EU General Data Protection Regulation – A Compliance Guide.   

This free green paper provides an overview of the key changes introduced by the GDPR, the scope and impact of the Regulation, and the areas that organisations need to focus on.
