There is a growing awareness around privacy. Several years back, we saw the first examples of cookie laws in Europe. Two years ago, the GDPR was introduced. Technology vendors are getting involved (ITP anyone?). And stories like the one about Cambridge Analytica show that data can impact our everyday lives.

Even though Google Analytics is just a small dot in the vast landscape of privacy, it is a tool that runs on millions of websites. And it is also a tool that offers quite a few privacy-related settings. This post helps you use those settings to set up Google Analytics and the new Google Analytics App + Web in a privacy friendly way.

Setting guidelines

Now before we start discussing the technical aspect of privacy-friendly tracking, we should discuss guidelines. In this post, I’ll give a summary of the guidelines defined by the Dutch Data Protection Authority (Dutch). These guidelines allow you to use Google Analytics without consent in The Netherlands. It’s really nice to have these guidelines, but keep in mind they may be different (or be non-existent) for the place you live in. You can still use this post as an example of how to set guidelines for Google Analytics and how to set up your tracking accordingly.

Dutch Data Protection Authority guidelines

The guidelines of the DDPA discuss 6 key elements to make Google Analytics privacy friendly. The elements include:

  1. Data processing amendment
  2. IP anonymisation
  3. Sharing data with Google
  4. Data sharing with Google for advertising purposes
  5. User ID tracking
  6. Inform the user

Let’s briefly discuss all of them. I will mention if an element impacts the tracking code and will discuss the details of those changes later in my post.

1 Data Processing Amendment

This one is plain and simple: review Google Analytics’ Data Processing Amendment in the account section and sign it.

Tracking code changes: none.

2 Anonymise IP

This is a well known option in Google Analytics. You can anonymise the IP address of the users visiting the website. The feature will change the last octet of the IPv4 address or the last 80 bits of IPv6 to zero. The DDPA still considers the remaining part personal data. But it says removing the last part of the IP address is an important measure nonetheless. They require companies to save a screenshot of this change, so you can easily show when you’ve implemented this change (a tag manager with versioning should also do the trick).

Tracking code changes: enable anonymise IP.
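
To see why the remaining part of the address can still count as personal data, the following added example (not Google's implementation; the function names are hypothetical) applies the masking rule described above to constructed addresses from documentation ranges and groups visitors by the result:

```javascript
// Added illustration of the masking rule; not Google's implementation.
// Function names are hypothetical.
function expandIPv6(ip) {
  const parts = ip.split('::');
  if (parts.length > 2) throw new Error('invalid IPv6 address: ' + ip);
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts[1] ? parts[1].split(':') : [];
  // "::" stands for however many zero groups are needed to reach 8.
  const gap = parts.length === 2 ? Math.max(0, 8 - head.length - tail.length) : 0;
  const groups = [...head, ...Array(gap).fill('0'), ...tail];
  if (groups.length !== 8 || groups.some(g => !/^[0-9a-f]{1,4}$/i.test(g))) {
    throw new Error('invalid IPv6 address: ' + ip);
  }
  return groups.map(g => parseInt(g, 16));
}

function anonymizeIp(ip) {
  if (ip.includes(':')) {
    // 128 - 80 = 48 bits survive: the first three 16-bit groups.
    const kept = expandIPv6(ip).slice(0, 3).map(g => g.toString(16));
    return kept.join(':') + '::';
  }
  const octets = ip.split('.');
  if (octets.length !== 4 || octets.some(o => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new Error('invalid IPv4 address: ' + ip);
  }
  // The last octet is set to zero; the /24 network stays visible.
  return octets.slice(0, 3).join('.') + '.0';
}

// Constructed sample addresses (documentation ranges).
const visitors = [
  '203.0.113.7', '203.0.113.200',
  '2001:db8:85a3:8d3:1319:8a2e:370:7348', '2001:db8:85a3::1',
];

// Visitors in the same /24 (IPv4) or /48 (IPv6) collapse to one value,
// but that value still identifies the network they came from.
function groupByMasked(ips) {
  const out = {};
  for (const ip of ips) {
    const key = anonymizeIp(ip);
    (out[key] = out[key] || []).push(ip);
  }
  return out;
}

console.log(groupByMasked(visitors));
```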

3 Sharing data with Google

In the account section of Google Analytics, you will find 5 ways you can share data with Google:

You should uncheck all these boxes. This does not impact any advertising features.

Tracking code changes: none.

4 Sharing data with Google for advertising purposes

In the property section of your Google Analytics setup, you will find an option to enable data sharing for marketing purposes:

Do not enable these. You can update your tracking code to make sure that you don’t collect this data when someone turns it on by accident.

Tracking code changes: none, but you should disable ad features just to be safe.

5 User ID tracking

Collecting user IDs in Google Analytics is optional. According to the guidelines, you should not enable this feature. Luckily, it is quite hard to start collecting user IDs by accident. Besides enabling it in the admin section of Google Analytics, you also need to modify your tracking code for it.

Tracking code changes: none, but you should not implement user ID tracking.

6 Inform the user

In the last section, they discuss how you should inform the user about your setup. So even when you have Google Analytics set up in a privacy friendly way, you should still inform the user that you use it, and tell them how you’ve set up Google Analytics to make it privacy friendly. It also advises companies to refer to Google’s own opt-out possibilities.

Tracking code changes: none.

All in all it is quite a nice overview of what you can and cannot do with Google Analytics if you don’t want to ask a user’s consent. Although I would have liked to also see some mention of the data retention settings. And as far as I know, both ‘Sharing data with Google’ and ‘Sharing data with Google for advertising purposes’ do not impact the Google Ads connection for conversion tracking. Which is good for marketing, but privacy-wise I think it is a grey area.

The document also does not mention more recent features like Google Signals. I suggest using a common sense approach for unmentioned features. For example: Google Signals allows you to track and target users across devices based on their Google account. This behaviour is similar to enabling the user ID feature. So approach it in a similar way: do not enable it when there is no consent.

And don’t forget to inform the user about the (new) ways you use Google Analytics data!

Tracking code changes summary

Let’s quickly summarise the way this impacts the tracking code:

  • First of all, you have to enable IP anonymisation.
  • The second one is optional: advertising features. Besides not enabling these features in the admin section of Google Analytics, you can disable them in the tracking code. This prevents you from collecting the data when someone turns them on in the admin section by accident.
  • Next is user ID tracking. Now you can enable this in the admin section, but when you do, you won’t magically start collecting user IDs. You have to update your tracking code for that. So make sure that neither you nor your agency does so. And the same goes for Google Signals.
  • The last one is force SSL. It is not mentioned in the guidelines, but this setting makes sure Google Analytics data is sent over a secure connection. Though Google Analytics defaults to this on https pages, it’s good to enable it to be sure it does so always.

With the summary ready, we can look at the changes you have to make to your tracking code.

Tracking code changes for Google Analytics

Let’s go through the four points for the Google Analytics (analytics.js) tracking code:

  • Anonymise IP: set anonymizeIp to true.
  • Advertising Features: set allowAdFeatures to false.
  • User ID tracking: do not set the field userId in any of your tags.
  • Force SSL: set forceSSL to true.

Here’s a screenshot of a privacy friendly Google Analytics settings variable in Google Tag Manager:

Here’s an example of the modified tracking code when using analytics.js:

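  <script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');

  ga('create', 'UA-XXXXX-Y', 'auto');

  /* start of privacy settings */
  ga('set', 'anonymizeIp', true);
  ga('set', 'allowAdFeatures', false);
  ga('set', 'forceSSL', true);
  /* end of privacy settings */

  ga('send', 'pageview');
  </script>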

Tracking code changes for Google Analytics App + Web

The guidelines I based this post on were not made with Google Analytics App + Web in mind. In this section I’ll only discuss how you can implement the same technical changes to the tracking code for App + Web. The new Google Analytics may also impact how you ask for consent.

Let’s go through the four points for the Google Analytics App + Web (gtag.js) tracking code:

  • Anonymise IP: enabled by default.
  • Advertising Features: set allow_google_signals to false.
  • User ID tracking: do not set user_id as a user property.
  • Force SSL: no details. Should be secure by default if your website runs on a secure server.

Here’s an example of a privacy friendly Google Analytics App + Web configuration in Google Tag Manager:

Here’s an example of a modified tracking code when using gtag.js:

<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>
<script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('js', new Date());

    gtag('set', 'allow_google_signals', false );
    gtag('config', 'G-XXXXXXXXXX');
</script>
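
A check like the following can run in a build step to catch a snippet that drifts from the settings listed for analytics.js and gtag.js above. It is an added example, not code from Google or from this post; `auditSnippet` and the two sample snippets are constructed for illustration, and because it matches patterns in the source it only sees literal `ga(...)` and `gtag(...)` calls.

```javascript
// Added example: static check of a tracking snippet's privacy settings.
// auditSnippet and the sample snippets are constructed for illustration.
const REQUIRED = {
  ga:   { anonymizeIp: 'true', allowAdFeatures: 'false', forceSSL: 'true' },
  gtag: { allow_google_signals: 'false' },
};
const FORBIDDEN = { ga: 'userId', gtag: 'user_id' };

function auditSnippet(source) {
  const code = source.replace(/\/\*[\s\S]*?\*\//g, ''); // ignore block comments
  const findings = [];
  for (const lib of ['ga', 'gtag']) {
    // Only audit a library that is actually initialised in this snippet.
    if (!new RegExp(`\\b${lib}\\(\\s*['"](create|config)['"]`).test(code)) continue;
    const seen = {};
    const setCall = new RegExp(
      `\\b${lib}\\(\\s*['"]set['"]\\s*,\\s*['"](\\w+)['"]\\s*,\\s*([^)]*?)\\s*\\)`, 'g');
    for (const m of code.matchAll(setCall)) seen[m[1]] = m[2]; // last call wins
    for (const [field, want] of Object.entries(REQUIRED[lib])) {
      if (seen[field] !== want) {
        findings.push(`${lib}: ${field} should be ${want}, found ${seen[field] || 'nothing'}`);
      }
    }
    // The user ID field must not appear as a set call or as an object key.
    if (new RegExp(`\\b${FORBIDDEN[lib]}\\b['"]?\\s*[:,]`).test(code)) {
      findings.push(`${lib}: ${FORBIDDEN[lib]} is being set`);
    }
  }
  return findings;
}

// Constructed sample: both libraries configured as this post recommends.
const COMPLIANT = `
  ga('create', 'UA-XXXXX-Y', 'auto');
  /* start of privacy settings */
  ga('set', 'anonymizeIp', true);
  ga('set', 'allowAdFeatures', false);
  ga('set', 'forceSSL', true);
  ga('send', 'pageview');
  gtag('set', 'allow_google_signals', false );
  gtag('config', 'G-XXXXXXXXXX');`;

// Constructed sample: ad features on, forceSSL commented out, user ID added.
const DRIFTED = `
  ga('create', 'UA-XXXXX-Y', 'auto', {userId: uid});
  ga('set', 'anonymizeIp', true);
  ga('set', 'allowAdFeatures', true);
  /* ga('set', 'forceSSL', true); */
  ga('send', 'pageview');`;

console.log(auditSnippet(COMPLIANT), auditSnippet(DRIFTED));
```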

Now this is where data processing in Google Analytics hits a grey area. You can set up Google Analytics in a privacy friendly way and enable some of the features when there is consent. The way you can use Google Analytics data for remarketing causes an issue here.

When advertising features are enabled, the user’s data can be included for remarketing purposes. This flag (advertising features = true) is connected to a user, not to every single measurement. So any data of the user collected before the moment of consent, and that is within your remarketing window (e.g. 90 days), will be included in your audience.

You have two ways to not include any data without consent:

  • By not changing the settings when there is consent. Alternatively, you can use remarketing tags of your advertising platform (e.g. Google Ads) or a secondary property with remarketing features enabled.
  • By adding consent information to every hit with a custom dimension. When creating audiences, always exclude users that have one or multiple hits without consent. Keep in mind that any current and future employee should know how to do this and remember how to do this. In other words: this is not as robust as the first option.

This also goes for an App + Web setup, as it only allows you to configure remarketing features on property level.
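
The difference between filtering hits and excluding users, as described in the second option, is easy to get wrong. The following added example (not from the original post) models it on constructed data; the hit fields `clientId`, `day` and `consent` are assumptions standing in for an export that includes the consent custom dimension, and the window handling is a simplification.

```javascript
// Added example with constructed data. The hit fields (clientId, day,
// consent) are assumptions, not a Google Analytics export format.
const HITS = [
  { clientId: 'A', day: 1,   consent: 'denied'  },
  { clientId: 'A', day: 40,  consent: 'granted' }, // consent given later
  { clientId: 'B', day: 5,   consent: 'granted' },
  { clientId: 'B', day: 60,  consent: 'granted' },
  { clientId: 'C', day: 2,   consent: 'denied'  },
  { clientId: 'C', day: 120, consent: 'granted' },
];

// Hits that fall inside the remarketing window on a given day.
function inWindow(hits, today, windowDays) {
  return hits.filter(h => h.day <= today && today - h.day <= windowDays);
}

// Naive audience: any user with at least one consented hit in the window.
// This still carries the user's pre-consent hits along.
function naiveAudience(hits, today, windowDays) {
  const ids = inWindow(hits, today, windowDays)
    .filter(h => h.consent === 'granted')
    .map(h => h.clientId);
  return [...new Set(ids)].sort();
}

// Strict audience: exclude every user with one or more hits without
// consent inside the window, as the second option requires.
function strictAudience(hits, today, windowDays) {
  const tainted = new Set(
    inWindow(hits, today, windowDays)
      .filter(h => h.consent !== 'granted')
      .map(h => h.clientId));
  return naiveAudience(hits, today, windowDays).filter(id => !tainted.has(id));
}

// Day 60, 90-day window: A consented on day 40 but has a day-1 hit without it.
console.log(naiveAudience(HITS, 60, 90));   // A is included
console.log(strictAudience(HITS, 60, 90));  // A is excluded
// Day 125: the hits without consent have aged out of the window.
console.log(strictAudience(HITS, 125, 90));
```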

A more privacy friendly world

Google Analytics is one of the go-to tools for web analytics these days. It is easy to install through various plug-ins or Google Tag Manager. And to be honest: it is a good platform to help you get started with digital analytics. I hope this post helps you put in a little extra effort to make the data you collect with Google Analytics more privacy friendly.

Happy privacy friendly analysing!
