How to configure Google Analytics in Compliance with the GDPR

Awesome! If you made it this far, that means you told Google to back off and respect your visitors’ privacy. It also means that your website almost complies with the GDPR. Almost. Because in order to fully comply you have to make quite a few modifications to your site’s Google Analytics tracking-code.

Breaking News: The Austrian Data Protection Authority (“Datenschutzbehörde”, “DSB” or “DPA”) has ruled that Austrian website providers using Google Analytics are in violation of the GDPR. Since other European countries are likely to follow in this decision, this post has been updated to include measures needed to keep using Google Analytics in compliance with GDPR.

Configuring your Google Analytics tracking code to comply with the GDPR

To fully comply, a few additional measures need to be taken when using Google Analytics.

Before, implementing the aip parameter into your tracking code would suffice. However, since the ruling in Austria of January, 2022 additional measures need to be taken. Specifically:

  • The last two octets of the IP address need to be aonymized (as opposed to just the last octet)
  • The IP address needs to be anonymized before its sent over to Google Analytics
  • Data needs to be proxied through a server (within the European Union) and fully anonymized before it crosses the border and is sent to Google Analytics
  • Universally unique identifiers (UUID) currently used by Google as an additional method to identify users have to be disabled.

Where possible, I’ll add coding examples of how certain measures should be implemented into your (tracking) code. Unfortunately, for certain measures (e.g. proxying traffic) there is no one size fits all solution.

If you’re not comfortable with (or interested in) coding and/or doing the work yourself, upgrade to CAOS Pro and you’ll be all set within minutes.

5. Anonymize your visitor’s IP-address properly

Google Analytics created an option to remove the last octet (the last group of 3 numbers) from your visitor’s IP-address. This is called ‘IP Anonymization‘. This isn’t actual anonymization, because Google takes care of the anonymization for you — on their servers.

To fully comply you’ll want to make sure the IP address is masked before its sent over to Google Analytics’ API.

Lastly, only replacing the last octet of an IP address isn’t considered anonymous enough by Privacy watchdogs. Proper anonymization means replacing the last two octets of an IP address.

This procedure also comes in handy if you want to use Analytics without prior consent from your visitors. However, some countries (e.g. Germany) demand IP’s to be anonymized at all times.

Here’s an example of how to achieve this in PHP:

<?php
$octets = explode('.', $ip);
/**
* Instead of using Regex and str_replace, we're slicing the array parts
* and rebuilding the ip (implode) to make sure no duplicate values are
* replaced.
*
* E.g. using str_replace or preg_replace; 192.168.1.1 would result in 092.068.0.0.
*/
$second_to_last = array_slice($octets, -2, 1, true);
$second_to_last_key = array_key_first($second_to_last);
$second_to_last[$second_to_last_key] = '0';
$last = array_slice($octets, -1, 1, true);
$last_key = array_key_first($last);
$last[$last_key] = '0';
/**
* Replace each octet with the with the
*/
$octets = array_replace($octets, $second_to_last, $last);
return implode('.', $octets);

This script detects all the parts of the IP address and replaces the third and fourth octet with a zero.

Unfortunately, there’s no one size fits all solution for this, but if you’re a WordPress user, you’re in luck!

With CAOS Pro, masking IP addresses and proxying Google Analytics traffic is a matter of a few clicks!

CAOS Pro True IP Anonymization masks the IP address before sending it to Google Analytics
With Anonymize IP and Stealth Mode enabled in CAOS Pro, the IP addresses will be masked before sending them to Google Analytics.

Within CAOS Pro’s settings page (Settings > Optimize Analytics) do the following:

  1. Under Basic Settings click Anonymize IP
  2. Click Save Changes & Update

With Stealth Mode disabled, CAOS Pro will add the aip parameter provided by Google into your tracking code.

To use Google Analytics in compliance with the GDPR, the aip parameter doesn’t suffice and a proxy is required to truly anonymize the IP address before it’s sent to Google Analytics’ servers.

Using a proxy for your Google Analytics traffic has a huge bonus side effect! It also bypasses ad blockers so you’ll get a 100% accurate representation of your website’s traffic!

6. Proxy all traffic to Google Analytics with Stealth Mode

Modifying Google Analytics’ traffic code to intercept its traffic isn’t very hard. By creating a sendHitTask, we can reroute the traffic to our own custom proxy file:

ga('create', 'UA-XXXXXX-Y', 'auto');
// Insert this function after the property is created and before the pageview is sent.
ga(function(tracker) {
tracker.set('sendHitTask', function(model) {
payload = model.get('hitPayload');
var xhr = new XMLHttpRequest();
xhr.open('POST', 'https://yourdomain.com/your-proxy-file.php', true);
xhr.send(payload);
});
ga('send', 'pageview');

A proxy could simply be anything from a single script to an API endpoint. As long as it captures the data and modifies it according to the specified requirements before passing it to Google Analytics’s Measurement Protocol. It could also be a custom API endpoint (much like CAOS’ Stealth Mode.)

To anonymize all data before it’s sent to Google Analytics you could should use CAOS Pro. To enable its proxy, do the following:

  1. Go to Extensions
  2. Enable Stealth Mode (Pro)
  3. Check if cURL is enabled on your server by clicking the link in the description of the Request Handling option.
  4. If cURL is succesfully detected, choose the Fast (Super Stealth API) option and click Save Changes & Update. Otherwise leave it to Default (WordPress API)

At this point, CAOS Pro will use its built-in (on-premise) API to proxy all traffic to Google Analytics.

7. Lose the UUID trail created by Google

As an additional method to further identify users, Google uses a universally unique identifier. Even with the IP address masked, Google will still be able to identify users if this UUID is still stored somewhere in a browser cookie.

To achieve this, your Google Analytics instance needs to be made cookieless and should be able to generate and store its own UUIDs (unknown to Google)

Are you a CAOS Pro user? Then you’re in luck! By simply enabling Cookieless Analytics (Pro) under CAOS Pro’s Advanced Settings you’ve taken the final measure needed to keep using Google Analytics in compliance with the GDPR. Get CAOS Pro now!

While this measure is meaningless on its own, it is an important step. Disabling cookies in Google Analytics will assure you and your users that any UUID’s stored in cookies will never be used again.

In order to disable cookies, include the storage parameter into your Google Analytics tracking code:

ga('create', 'UA-XXXXX-Y', {
'storage': 'none'
});

Now we’ve made sure the UUID Google uses to identify the user is lost, we need to feed Google a random one, because the uid is a required parameter in Google Analytics requests.

To activate UUID randomization, include the following before your Google Analytics tracking code:

const cyrb53 = function(str, seed = 0) {
let h1 = 0xdeadbeef ^ seed,
h2 = 0x41c6ce57 ^ seed;
for (let i = 0, ch; i < str.length; i++) {
ch = str.charCodeAt(i);
h1 = Math.imul(h1 ^ ch, 2654435761);
h2 = Math.imul(h2 ^ ch, 1597334677);
}
h1 = Math.imul(h1 ^ h1 >>> 16, 2246822507) ^ Math.imul(h2 ^ h2 >>> 13, 3266489909);
h2 = Math.imul(h2 ^ h2 >>> 16, 2246822507) ^ Math.imul(h1 ^ h1 >>> 13, 3266489909);
return 4294967296 * (2097151 & h2) + (h1 >>> 0);
};
let creationTime = new Date().getTime();
let expiryTime = creationTime + (30 * 24 * 3600 * 1000); // Change 30 to any number of days you want the UUID to be valid.
let clientIDSource = window.location.host + ";" + navigator.userAgent + ";" + navigator.language + ";" + creationTime;
// Only store client ID and its expiry time if it doesn't already exist and isn't expired yet.
if (window.localStorage) {
clientIDhashed = localStorage.getItem('GA_CLIENT_ID_HASHED');
clientIDexpiry = localStorage.getItem('GA_CLIENT_ID_EXPIRY');
// Start a fresh session or update when expired. Otherwise, do nothing.
if ((clientIDhashed === null && clientIDexpiry === null)
|| (clientIDhashed !== null && clientIDexpiry !== null && clientIDexpiry >= expiryTime)) {
localStorage.setItem('GA_CLIENT_ID_HASHED', cyrb53(clientIDSource).toString(16));
localStorage.setItem('GA_CLIENT_ID_EXPIRY', expiryTime);
}
}

This script is a modified version of Helge Klein’s cookieless tracking script and includes a few optimizations and tweaks:

  • Instead of the IP address (as a truly unique factor in the hash) it uses a UNIX timestamp.
  • To avoid (page) caching collisions, it uses the browser’s localStorage object to guarantee proper tracking of sessions and returning visitors.
  • It includes proper logic to set an expiry time for the generated UUID.

In the previous code snippet, the UUID is stored for 30 days and is stored using the browser’s localStorage. This avoids unexpected collisions with (page) caching mechanisms and allows us to track users (and returning visitors) over an extended period of time.

Then make sure the generated UUID is set as the clientId in Google Analytics.

// Check if localStorage is present. It usually is.
if (window.localStorage) {
ga('create', 'UA-XXXXX-Y', {
'storage': 'none',
'clientId': localStorage.getItem('GA_CLIENT_ID_HASHED')
});
} else {
ga('create', 'UA-XXXXX-Y', 'auto');
}
ga('send', 'pageview');

After this, you’ve taken the necessary measures to keep using Google Analytics in compliance with the GDPR. Even after the ruling of January, 2022.

8. Inform about Analytics usage and how to opt-out

At this point you’re allowed to process your visitors’ data without their prior consent. You still need to inform them about it and (optionally) allow them to opt-out.

Informing your visitors comes down to adding a Privacy Policy to your site. I could give you a full walkthrough on this, but I think that’s beyond the scope of this article. You can generate a privacy policy for free and if you made it this far into this tutorial, I suppose you know to how to copy + paste the text to a new page in WordPress and put it in your blog’s menu. 🙂

Conclusion

Now you can keep using Google Analytics in compliance with the GDPR, and as a bonus your bypassing ad blockers to further complete your Google Analytics data.

Since you’re no longer collecting personal data, it’s not required to request prior consent, unless you’re still collecting personal data using other servers.

You’ve configured Google Analytics to respect your users’ privacy and CAOS Pro has helped you to truly anonymize user data before its sent over to Google Analytics using a proxy. Was this tutorial helpful? Do you have any suggestions for fellow readers? Did I miss anything? Please let me know in the comments!

  • The Wait is Over!

  • ❤️ it? Share it!

    14 thoughts on “How to configure Google Analytics in Compliance with the GDPR”

    1. Great job, Daan, thanks for the work! I am a treehunter myself 🙂

      Only the link to your opt-out article seems broken.

      Regards, Tez

      1. Hi Tez, Thanks! It’s always good to meet a fellow treehunter!

        Thanks for the heads up! I just realized I pulled this article back, because the information in it needed to be refreshed.

    2. You’ve written and link to the how to add a snippet for users to opt out but you’ve removed the link. Can you link me here to that article part in adding the option to opt out?

      1. Hi Randy,

        I temporarily removed that link, because I am in the middle of rewriting that article. After publishing it I figured out new, and easier ways to implement an opt-out option. Because I also updated CAOS a lot in the meantime, it’s in need of serious revision. As soon as I re-published it, I’ll let you know.

      1. Hi Lorenz,

        Yes, as far as I know it’s still up-to-date!

        But, laws might differ per country. The rule of thumb is: as long as Google Analytics doesn’t track/save any information that can identify an individual, you don’t have to show a cookie notice.

    3. Hi Daan. Can Google still access my analytics data for its own purposes if I disable the remarketing and data sharing options?

      1. If you use the disable display features option in CAOS: No, because the data isn’t sent to Google at all. If you disable it from your Google Analytics dashboard: I’m not sure, as you’re still sending the data to Google, they’re just not processing it. But you never know what they’ll do with in the background.

    4. Hello Daan,
      I just installed CAOS on client site, if all goes well I will generalize on all my clients’ sites, great job.
      I will focus on the French translation.
      cordially
      I don’t speak English and I use the Google translator, excuse the level of English 🙂

    5. Hi Daan, absolutely perfect WordPress Plugin with an easy setup and a very useful article on “How to setup Google Analytics to be GDPR Compliant”. Everything was already disabled on GA but I didn’t know th IP disabled trick. Thanks a lot!

    6. Hi, do you know how people are getting around the ‘essential cookies’ default and not being able to use Google Analytics? Is there some sort of plugin to get around this limitation?

    7. Hello,
      according to the new (april 2nd 2021) CNIL post and my understanding, users should have the choice to refuse cookies, period, cookiewall might be not forbidden.

      Links:
      French: https://www.cnil.fr/fr/nouvelles-regles-cookies-et-autres-traceurs-bilan-accompagnement-cnil-actions-a-venir
      Translated by Google: https://translate.google.com/translate?hl=en&sl=fr&tl=en&u=https%3A%2F%2Fwww.cnil.fr%2Ffr%2Fnouvelles-regles-cookies-et-autres-traceurs-bilan-accompagnement-cnil-actions-a-venir

      Any answer appreciated

    Leave a Comment

    Your email address will not be published.

    This site uses Akismet to reduce spam. Learn how your comment data is processed.