November 8, 2019

GDPR consent needed for Google Analytics?


I haven't been able to find concrete answers on the topic. I wanted to add GA to my site but I'm not sure whether I need to have the consent dialog for EU users. To be honest, from the user perspective it's super annoying.
FWIW my targeted users are in the USA.

  1. 2

    A few key misconceptions about GDPR that people need to know:

    At a high level, GDPR exists to protect the data of EU residents (EU citizens or otherwise), not to regulate businesses operating in the EU.

    Read that again.


    1. "I don't 'target' the EU so I don't need to worry."

    It doesn't matter whether you intend to store EU residents' personally identifiable data or not; if you do, you're subject to GDPR.

    2. "My business is not located in the EU so GDPR doesn't apply to me."

    GDPR can be enforced through cooperation with non-EU authorities. The penalties for GDPR infringement are horrifying; this is not a risk you want to take.

    3. "I'm using 3rd party software to store customer data so it's not my responsibility to comply, it's theirs."

    If your business is collecting data, you are the "Data Controller" in GDPR terms and subject to regulation.

    The best way to approach GDPR is to:

    1. Get educated on it. It can feel overwhelming at first, but there are some good clear resources that are just a Google search away.

    2. Understand what constitutes "personally identifiable data". Get really clear on this.

    3. Reconsider your need to collect personally identifiable data. The nice thing about GDPR is that it is forcing many of us to tidy up pretty shoddy data collection and storage practices. Many times out of 10 that IP address or email isn't really essential.

    4. If you're using 3rd party platforms, don't hesitate to contact them about their GDPR compliance. GDPR has been around for long enough that any company worth its salt should have its shit together and be able to demonstrate that clearly to you.

  2. 2

    I would say don't worry about it too much (if it's really only GA), but you could do some nice things for all your users, even if you're not forced to do it:

    1. Disclose that you track users and utilize cookies
    2. Explain what exactly you track
    3. Do not collect private data, or if you gather it, don't associate it with analytics
    4. Always anonymize user IP. This is crucial for GDPR; you must alter your GA tracking code:

    Also, I find it more comfortable to use services like iubenda to manage the privacy policy.
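As an added example that is not from the thread or from Google's own snippets: a consent-gated gtag.js loader that only injects Google Analytics after the visitor has opted in, and sets `anonymize_ip` (the "alter your GA tracking code" step above) plus `allow_google_signals: false` to limit cross-product sharing. The measurement ID, the storage key name, and passing `win`/`doc`/`storage` as parameters (instead of using the globals directly) are assumptions made so the logic can be exercised outside a browser.

```javascript
// Added example (not from the thread): consent-gated Google Analytics loading
// with IP anonymization via the gtag.js API. The measurement ID is a placeholder.
const GA_MEASUREMENT_ID = 'UA-XXXXXXXX-Y'; // placeholder: use your own property ID
const CONSENT_KEY = 'analytics_consent';   // assumed storage key name

// gtag.js config: anonymize_ip truncates the visitor IP before it is stored;
// allow_google_signals off stops cross-product (Google Signals) data sharing.
function gtagConfig() {
  return { anonymize_ip: true, allow_google_signals: false };
}

// storage is any object with getItem/setItem (window.localStorage in a browser).
function hasConsent(storage) {
  return storage.getItem(CONSENT_KEY) === 'granted';
}

function recordConsent(storage, granted) {
  storage.setItem(CONSENT_KEY, granted ? 'granted' : 'denied');
}

// Inject the gtag.js loader and queue the config. Returns true if it loaded
// the script on this call, false if analytics was already initialised.
function loadAnalytics(win, doc, measurementId) {
  if (win.__gaLoaded) return false;
  win.dataLayer = win.dataLayer || [];
  win.gtag = function () { win.dataLayer.push(arguments); };
  win.gtag('js', new Date());
  win.gtag('config', measurementId, gtagConfig());
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(measurementId);
  doc.head.appendChild(script);
  win.__gaLoaded = true;
  return true;
}

// Call on page load: GA is only loaded when consent has been recorded as granted,
// so a visitor who never accepts the dialog never contacts Google at all.
function initAnalytics(win, doc, storage, measurementId) {
  if (!hasConsent(storage)) return false;
  return loadAnalytics(win, doc, measurementId);
}

// Wire the consent dialog's accept button to it, e.g.:
// acceptButton.onclick = () => {
//   recordConsent(localStorage, true);
//   initAnalytics(window, document, localStorage, GA_MEASUREMENT_ID);
// };
```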

  3. 1

    GDPR relates to the collection of personally identifiable data.

    It is against Google Analytics terms and conditions to use it to collect personally identifiable data.

    Therefore, if you are using a standard implementation of Google Analytics then you are not in breach of GDPR.

    1. 0

      Actually, with a standard GA implementation, there are at least a few problems, in terms of GDPR:

      1. It's recording a visitor IP which might be treated as personal data
      2. Google is cross-referencing data with other products

      More info:

      It's doubtful that any US (or even EU) based SMB would have any problems with it. But anonymizing IP and unchecking a few checkboxes would still be a good idea, even if you don't really care too much.

      1. 2

        You can still collect personally identifiable data and be compliant with GDPR. It requires disclosing how the data is processed / stored / used etc.

        Google has some information here:

        My understanding is they comply because their disclosure meets GDPR requirements.

        All that said, given IP addresses aren't useful to you as an end user of Google Analytics, taking the steps outlined in those articles to anonymise them certainly isn't a bad idea.

        1. 2

          Excellent info. Thanks! I didn't know GA is almost in compliance with GDPR. While I'm not collecting user data (yet), you're right that I have no control over what Google does with that data.

  4. 1

    If you’re targeting the US, I don’t see a need to bother with GDPR. It’s an EU thing.

    I am based in the US, and I comply with US laws. I think it’s silly to have to comply with everywhere else - do we also have to comply with Chinese or Iranian law?

    That said, don’t take my legal advice! :)

    1. 1

      If you store personal details of people in EU, you need to comply.

      GDPR is not about regulating businesses, it's about protecting personal data and the rights of those people whose data it is, hence GDPR rules are a good practice to apply even if you don't store personal EU data:

      • tell your customers who you'll pass/sell their data to
      • allow them to request that their personal data be deleted
      • don't store it longer than you need it

      All of that sounds fair and square, how every business in the world should operate and treat personal data from day 1.

      1. 1

        Sure, as an optional "best practice" being transparent with user data is great. However, I don't legally have to comply, and I'm not going to sacrifice my users' experience by slapping those dumb popups all over my page.

        1. 1

          I agree with you on popups and user experience; however, you have to legally comply if you store personal details of EU people, regardless of whether you're in the United States or North Korea.

          That link above in previous comment has all the information about GDPR for US companies.

          You may be wondering how the European Union will enforce a law in territory it does not control. The fact is, foreign governments help other countries enforce their laws through mutual assistance treaties and other mechanisms all the time. GDPR Article 50 addresses this question directly. So far, the EU’s reach has not been tested, but no doubt data protection authorities are exploring their options on a case-by-case basis.

          1. 1

            We will have to agree to disagree. We don't advertise or target the EU, we're registered in the US, and our clients are US/Canadian/Australian.

            Technically I also need to comply with Chinese internet law, but I'm not worrying about that either. I guess the EU and China can sue me if they want!

            1. 1

              It's a law that can be enforced through mutual international treaties.

              However, common sense prevails in EU and especially with GDPR, so no one will go after you because of Google Analytics.

              But if you start collecting personal addresses, emails and phones disguised as a charity offering free gifts and then sell that to Chinese call centers for tax scams and upload it to 4chan, then yes, EU's reach will be tested.

              So yes, I agree with you, you don't need to show popups or anything like that when you're serving US/Canadian/Australian customers.