Did you know that Google Analytics is not GDPR compliant by default?
The General Data Protection Regulation (GDPR) took effect on May 25th, 2018. It came with hefty penalties of up to 4% of annual revenue or 20 million euros (whichever is greater), so it caused quite a panic among businesses around the world.
We received countless emails from MonsterInsights users asking us what changes we were making with regards to GDPR at the time, and we continue to hear from concerned users today.
In this post, we’ll explain how MonsterInsights privacy features, along with Google Analytics, help automate some of the GDPR compliance processes for website owners.
Legal Disclaimer: Due to the dynamic nature of websites, no single plugin can offer 100% legal compliance. Please consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases. Nothing on this website should be considered legal advice.
What is GDPR?
General Data Protection Regulation (GDPR) is a privacy regulation passed by the European Union (EU) that significantly impacts businesses around the world.
The law is over 200 pages long and consists of data subject rights such as the right to be forgotten, breach notification, consent, and more.
It’s nearly impossible for any blog post to accurately describe all that’s involved, which is why we recommend consulting an attorney to discuss full compliance.
But we’ll do our best to summarize GDPR and Google Analytics, its impacts, and how MonsterInsights can help you.
Can I use Google Analytics and be GDPR compliant?
Google Analytics is not GDPR compliant by default.
According to GDPR, you must obtain explicit consent before collecting or processing any personal information of an EU resident or citizen.
Since Google Analytics can be used to collect user ID / hashed personal data, IP addresses, cookies, and other behavioral profiling event data, you have one of two options:
- Anonymize potentially personal identifying data like IP addresses
- Obtain explicit consent before loading the Google Analytics script
If you don’t have consent, then you also cannot share the Demographics and Interest reports with your Remarketing / Advertising (Google Ads) account.
Aside from that, you’ll also have to adjust the data retention controls in Google Analytics.
This will ensure that you continue to keep historical data and the ability to access ad-hoc reports like multi-channel funnel attribution reports, flow visualization reports, custom reports, etc. (more on this later in the article).
Now that we’ve answered how GDPR consent applies to Google Analytics, let’s go over how you can make your site compliant.
MonsterInsights Helps Make Google Analytics GDPR Compliant
We have a great solution to help make Google Analytics GDPR compliant.
Since MonsterInsights is the best WordPress GDPR plugin and offers third-party Google Analytics integration for WordPress, we’ve integrated the changes that Google Analytics has made to their product so you can easily automate some of the GDPR compliance processes.
In 2018, we released our EU Compliance Addon for MonsterInsights which is available on all premium licenses.
To help you better understand the new features and changes, we’re going to break down every detail one by one.
1. Automatically Anonymize or Disable Personal Data Tracking
When you enable the MonsterInsights EU compliance addon, it automatically:
- Anonymizes IP addresses on all Google Analytics hits, eCommerce hits, and form tracking hits
- Disables UserID tracking on Google Analytics hits, eCommerce hits, form tracking hits, and the UserID dimension in the Custom Dimensions addon
- Disables author tracking in the Custom Dimensions addon
- Enables the ga() compatibility mode
- Disables the Demographics and Interests Reports for Remarketing and Advertising tracking on Google Analytics hits
- Integrates with four cookie compliance plugins (CookieBot, Cookie Notice, CookieYes, and Complianz) without any code changes required to MonsterInsights
- Allows AMP users to agree on the Google AMP Consent Box before being tracked
It’s important to note that it ONLY disables the demographics and interests reports for remarketing and advertising tracking (i.e. Google Ads). You’ll continue to get demographics and interests reports from aggregated data in Google.
2. Enable Consent Box Integrations
If you want to continue to track personalized data, then you’ll need to get user consent. Instead of building a consent box solution inside MonsterInsights, we decided to integrate with existing popular solutions, so you can have a site-wide consent box that encompasses everything.
When you have one of the above plugins enabled, then MonsterInsights will wait to load the analytics script until the user gives their explicit consent. We’ve also enabled the ga() compatibility mode so the cookie plugins can properly pass the data.
The downside of this cookie plugin solution is that, unless the users opt-in, they won’t be tracked, which will lead to a lot of missing Google Analytics sessions data. This is why we always recommend option #1 as an ideal solution.
However, enough users asked for this solution, so we made it available. To learn how to further customize this, please see our documentation on getting started with the EU compliance addon.
3. Easy Opt-out of Data Tracking
Depending on your needs, you may wish to provide an option for users to opt-out of tracking.
MonsterInsights has 3 ways to offer opt-out options for tracking:
- If you are using one of the four cookie compliance plugins we integrate with, then you should use their respective built-in options.
- If you are not using any of those plugins, then you can use one of MonsterInsights’ Opt-Out link integrations or easily create an opt-out link by following our guide.
- We have also made MonsterInsights compatible with both Google Analytics’ Chrome browser opt-out extension and Google Analytics’ built-in cookie opt-out system.
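As an added example that is not MonsterInsights’ own code, here is the pattern behind sections 1 to 3 for a plain gtag.js setup: hits are configured with anonymized IPs and advertising signals off, the tracking script is only injected once the visitor has consented, and opt-out uses Google Analytics’ own ga-disable flag. The measurement ID, the shape of the consent object, and the window/document parameters are assumptions for illustration.

```javascript
// Added example, not MonsterInsights code. The property id below is a placeholder.
const GA_MEASUREMENT_ID = 'UA-XXXXXXX-1';

// Option 1 from the post: anonymize the IP and keep advertising features off.
// Personalised fields (user_id, ad signals) are only set when consent says so.
function buildGaConfig(consent) {
  const ads = consent.advertising === true;
  const cfg = {
    anonymize_ip: true,                  // gtag.js field: IP truncated before storage
    allow_google_signals: ads,           // Demographics/Interests for remarketing
    allow_ad_personalization_signals: ads,
  };
  if (consent.analytics === true && consent.userId) {
    cfg.user_id = consent.userId;        // UserID tracking only with analytics consent
  }
  return cfg;
}

// Option 2 from the post: do not load the script (and so set no cookies) until
// the visitor opts in. `win` and `doc` stand in for window and document.
function loadAnalytics(consent, win, doc) {
  if (consent.analytics !== true) return false;   // no consent, nothing loaded
  win.dataLayer = win.dataLayer || [];
  win.gtag = win.gtag || function () { win.dataLayer.push(arguments); };
  win.gtag('js', new Date());
  win.gtag('config', GA_MEASUREMENT_ID, buildGaConfig(consent));
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + GA_MEASUREMENT_ID;
  doc.head.appendChild(script);
  return true;
}

// Section 3: the built-in opt-out. Setting this window property makes the
// library drop every later hit for this property, even if the script is loaded.
function optOut(win) {
  win['ga-disable-' + GA_MEASUREMENT_ID] = true;
  return win['ga-disable-' + GA_MEASUREMENT_ID];
}
```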
GDPR and Google Analytics User and Event Data Retention Policy
Starting May 25, 2018, Google automatically set data retention to 26 months by default.
You have an option to choose from: 14 months, 26 months, 38 months, 50 months, or never expire user and event data.
You can configure this by logging into your Google Analytics account and clicking on the Gear icon at the bottom left of the page.
If you’re using Google Analytics 4, find this option in the Property column under Data settings » Data Retention.
In Universal Analytics, in the Property column click on Tracking Info » Data Retention.
According to Google, this setting will not affect most standard reporting based on aggregated data. But what does that really mean?
This means that you’ll have access to your default reports like Audience, Acquisition, Behavior, and Conversions because they use aggregated data.
You can select a date range for these reports, and they’ll generate in seconds because they’re readily available.
That sounds all great, but there’s a big problem unless you take action.
Google Analytics GDPR: The Impact on Online Marketing
What Google isn’t telling you is that purging this data will eliminate your ability to run ad-hoc reports on historical data.
Ad-hoc reports are built on demand from (possibly sampled) session-level data, for example when you apply a segment, filter, or secondary dimension, or build a custom report. Purging that data means losing historical access to your Multi-Channel Funnel and Attribution reports, Flow Visualization reports, and the like.
While you may not use these reports every day, they can be pretty significant once you start diving deeper into your website analytics.
The decision to set the data-retention policy to “Never Expire” or to expire in 50 months should be made in consultation with an attorney.
To learn more about this, this article by Jeff Sauer provides detailed insights and perspectives on the data-retention policy.
We hope this article and our new features help you automate some of the Google Analytics GDPR compliance issues on your website.
Due to the dynamic nature of websites, no single plugin can offer 100% GDPR compliance. This is why different services and plugins are announcing their own GDPR enhancements to help your business comply with the law.
At the end of the day, it is your responsibility as a business owner to comply with GDPR. You can go ahead and also check out our guide on how to make sure your Google Analytics complies with CCPA.
As always, thanks for your continued support of MonsterInsights and we look forward to bringing more new features to you.
Syed and the MonsterInsights Team
Not using MonsterInsights Pro? Upgrade your license to access the EU Compliance Addon among many other features!