Google Analytics is a widely used and popular analysis tool. There have always been data protection problems and questions to be solved when using Google Analytics. The entry into force of the GDPR does not make the challenges for an implementation that is as flawless as possible in terms of data protection law any easier.
The following steps must be taken to ensure that Google Analytics is as legally secure as possible:
With this contract Google assures you to protect the user data. You can conclude the contract by clicking in the Google Analytics interface.
To do this, go to "Administration" (Gearwheel) > Click on "Account Settings" > Click on the button "Add" > Click on the button "Done". Then enter the data on the person responsible, contact options and, if necessary, the data protection officer.
Since the IP address is a personal date, it must be shortened. Google does not offer this function offensively. Therefore, there are usually several ways to perform anonymization. Depending on the CMS, blog or shop system used, anonymisation can already be integrated by the software manufacturer. If this is not the case, it still depends on the analytics code used. This code has undergone various changes in recent years, so we cannot offer a blanket solution here.
Technical details on IP anonymization can be found directly at Google:
Example of a possible implementation of anonymization:
As already mentioned, the tracking code you use can look completely different, so there is no standard solution.
With this user ID, Google is able to track visitors to your pages across multiple devices (desktop, smartphone,...). Since your visitors cannot expect to be tracked across multiple devices and will not be informed in most cases, we recommend deactivating this function.
You will find the settings for this under the Settings of the Property > Tracking Information > User ID. There set the switch to "off".
If you serve Google AdWords ads and your AdWords account is linked to your Analytics account, you can use this feature to create audiences for advertising in AdWords. So you (or rather Google) send data to a third party tool.
You can also find the settings in the Property > Target Group Definitions.
In the course of the GDPR, Google has published a function with which you can now set the storage period in Analytics. The shortest storage period here is 14 months, if you can't explain why you store the data longer, then you should set 14 months here. See also this: (Art. 6 para. 1 lit. f. GDPR).
The settings for the storage period can also be found in the settings of the respective property under Tracking Information > Data Retention.
This measure is not new; even before the introduction of the GDPR, the use of Google Analytics had to be pointed out in the data protection declaration. You can create a sample declaration here:
If you have collected data with Google Analytics without anonymizing the IP addresses, you must delete this old data. You will find the deletion function in the settings of the properties, there you select "Move to trash", whereby the data is finally deleted after 35 days.
We would like to point out that our website is for information purposes only and does not constitute legal advice. The content of this offer cannot replace a binding legal advice. All information is without guarantee of correctness and completeness.
Send an email