Did you know that Google Analytics is not GDPR compliant by default?
The General Data Protection Regulation (GDPR) took effect on May 25th, 2018. It came with hefty penalties of up to 4% of annual revenue or 20 million euros (whichever is greater), so it caused quite a panic among businesses around the world.
We received countless emails from MonsterInsights users asking us what changes we were making with regard to GDPR at the time, and we continue to hear from concerned users today.
In this post, we’ll explain how MonsterInsights privacy features, along with Google Analytics, help automate some of the GDPR compliance processes for website owners.
Legal Disclaimer: Due to the dynamic nature of websites, no single plugin can offer 100% legal compliance. Please consult an Internet law attorney specialist to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases. Nothing on this website should be considered legal advice.
What is GDPR?
General Data Protection Regulation (GDPR) is a privacy regulation passed by the European Union (EU) that significantly impacts businesses around the world.
The law is over 200 pages long and consists of data subject rights such as the right to be forgotten, breach notification, consent, and more.
It’s nearly impossible for any blog post to accurately describe all that’s involved, which is why we recommend consulting an attorney to discuss full compliance. However, we’ll do our best to summarize GDPR and Google Analytics, its impacts, and how MonsterInsights can help you.
Is Google Analytics GDPR Compliant?
Google Analytics is not GDPR compliant by default.
According to GDPR, you must obtain explicit consent before collecting or processing any personal information of an EU resident or citizen.
Since Google Analytics can be used to collect user ID or hashed personal data, cookies, and other behavioral profiling event data, you have two options:
- Anonymize potentially personal identifying data
- Obtain explicit consent before loading the Google Analytics script
If you don’t have consent, then you also cannot share the Demographics and Interest reports with your Remarketing / Advertising (Google Ads) account.
In addition, you’ll need to review the data retention controls in Google Analytics. Adjusting them determines how long historical user and event data is kept and whether you can still build custom reports on it.
Now that we’ve answered how GDPR consent applies to Google Analytics, let’s go over how you can start making your site compliant.
MonsterInsights Helps Make Google Analytics GDPR Compliant
We have a great solution to help make Google Analytics GDPR compliant.
Since MonsterInsights is the best WordPress GDPR plugin and offers third-party Google Analytics integration for WordPress, we’ve made it easy for you to automate some of the GDPR compliance processes.
In 2018, we released our EU Compliance Addon for MonsterInsights, which is available on all premium licenses.
To help you better understand the features, we’re going to break down every detail one by one.
Google Analytics GDPR Compliance Features
1. Automatically Anonymize or Disable Personal Data Tracking
When you enable the MonsterInsights EU compliance addon, it automatically:
- Disables UserID tracking on Google Analytics hits, eCommerce hits, form tracking hits, and the UserID dimension in the Custom Dimensions addon
- Disables author tracking in the Custom Dimensions addon
- Enables the ga() compatibility mode
- Disables the Demographics and Interests Reports for Remarketing and Advertising tracking on Google Analytics hits
- Integrates with four cookie compliance plugins (CookieBot, Cookie Notice, CookieYes, and Complianz) without any code changes required to MonsterInsights
It’s important to note that it ONLY disables the demographics and interests reports for remarketing and advertising tracking (i.e., Google Ads). You’ll continue to get demographics and interest reports from aggregated data in Google.
2. Enable Consent Box Integrations
If you want to continue tracking personalized data, you’ll need user consent. Instead of building a consent box solution inside MonsterInsights, we decided to integrate it with existing popular solutions so you can have a site-wide consent box that encompasses everything.
The MonsterInsights EU compliance addon integrates seamlessly with four cookie compliance plugins: Cookie Notice, CookieBot, Complianz, and CookieYes.
When you have one of the above plugins enabled, MonsterInsights will wait to load the analytics script until the user gives explicit consent. We’ve also enabled the ga() compatibility mode so the cookie plugins can properly pass the data.
The downside of this cookie plugin solution is that, unless users opt in, they won’t be tracked, which will potentially lead to missing Google Analytics data. This is why we always recommend option #1 (anonymizing or disabling personal data tracking) as the preferred solution.
To learn how to customize your EU compliance settings further, please see our documentation on getting started with the EU compliance addon.
3. Easy Opt-out of Data Tracking
Depending on your needs, you may wish to provide an option for users to opt out of tracking.
MonsterInsights has 3 ways to offer opt-out options for tracking:
- If you are using one of the four cookie compliance plugins we integrate with, then you should use their respective built-in options.
- If you are not using any of those plugins, then you can use one of MonsterInsights’ Opt-Out link integrations or easily create an opt-out link by following our guide.
- We have also made MonsterInsights compatible with both Google Analytics’ Chrome browser opt-out extension and Google Analytics’ built-in cookie opt-out system.
GDPR and Google Analytics User and Event Data Retention Policy
For Google Analytics data retention, you can choose either 2 months or 14 months.
You can configure this by logging into your Google Analytics account and clicking on the Gear icon at the bottom left of the page.
Look in the Property column under Data settings » Data Retention.
According to Google, this setting will not affect most standard reporting based on aggregated data. But what does that really mean?
This means that you’ll have access to your default reports like Acquisition, Engagement, and Monetization because they use aggregated data.
You can select a date range for these reports, and they’ll be generated in seconds because they’re readily available.
That sounds all great, but there’s a big problem unless you take action.
Google Analytics GDPR: The Impact on Online Marketing
What Google isn’t telling you is that purging this data will eliminate your ability to run ad-hoc (custom) reports on historical data.
Ad-hoc reports are based on sample data that includes applying a segment, filter, or secondary dimension – or creating a custom report with a combination of dimensions and metrics that don’t exist in a default report. This means you’ll also lose access to historical data on your Explore reports in Google Analytics.
While you may not use these reports every day, they can be pretty significant once you start diving deeper into your website analytics.
To learn more about this, this article by Jeff Sauer provides detailed insights and perspectives on the data-retention policy.
Keep PII Out of Google Analytics
We’ve added another MonsterInsights tool to help you maintain your compliance: Privacy Guard.
It’s possible for Google Analytics to record the personal data of your users without your knowledge. Sometimes, personal information ends up in URLs because of how your website works. For example, submitting a contact form might produce a URL like this: yourwebsite.com/contact-us/thanks?email=personal@email.com
With Privacy Guard switched on, that email address is stripped from the URL before the page view is sent, so it doesn’t end up in Google Analytics in violation of privacy laws.
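The following is an added illustration of the kind of URL scrubbing described above; it is not MonsterInsights’ Privacy Guard code. It redacts query parameters whose name is on an assumed PII list or whose value looks like an email address, also checks path segments, and hands the cleaned URL to a `send` callback (in a browser you would pass `window.gtag`).

```javascript
// Added example: scrub PII-looking values from a URL before analytics sees it.
// EMAIL_RE and PII_PARAM_NAMES are assumptions for this illustration.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const PII_PARAM_NAMES = new Set(['email', 'e-mail', 'phone', 'firstname', 'lastname']);

// Returns the redacted URL and whether anything was changed.
function redactPiiFromUrl(rawUrl) {
  const u = new URL(rawUrl);
  let redacted = false;

  // Query string: redact by parameter name or by email-shaped value.
  for (const [key, value] of [...u.searchParams.entries()]) {
    if (PII_PARAM_NAMES.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      u.searchParams.set(key, 'REDACTED');
      redacted = true;
    }
  }

  // Path: an email address can also appear as a path segment.
  const segments = u.pathname.split('/').map((seg) => {
    let decoded = seg;
    try { decoded = decodeURIComponent(seg); } catch (_) { /* leave malformed segment as-is */ }
    if (EMAIL_RE.test(decoded)) { redacted = true; return 'REDACTED'; }
    return seg;
  });
  u.pathname = segments.join('/');

  return { url: u.toString(), redacted };
}

// Send a page_view with the sanitized location; `send` stands in for gtag().
// Returns true when the original URL contained something that was redacted.
function sendSanitizedPageView(rawUrl, send) {
  const { url, redacted } = redactPiiFromUrl(rawUrl);
  send('event', 'page_view', { page_location: url });
  return redacted;
}

// Constructed sample URL from the article's scenario.
const SAMPLE = 'https://yourwebsite.com/contact-us/thanks?email=personal@email.com';
console.log(redactPiiFromUrl(SAMPLE).url);
```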
In Conclusion
We hope this article and MonsterInsights’ features help you automate some of the Google Analytics GDPR compliance issues on your website.
Due to the dynamic nature of websites, no single plugin can offer 100% GDPR compliance. This is why different services and plugins have their own GDPR enhancements to help your business comply with the law.
For example, WPForms released its own set of GDPR enhancements for WordPress forms.
At the end of the day, it is your responsibility as a business owner to comply with GDPR.
As always, thanks for your continued support of MonsterInsights and we look forward to bringing more new features to you.
Syed and the MonsterInsights Team
Not using MonsterInsights Plus or above? Upgrade your license to access the EU Compliance addon, plus many other features!
And don’t forget to follow us on YouTube for more helpful Google Analytics tips and tutorials.