Google has tightened its rules on cookie consent, a change that affects every business using Google Analytics to gather data about website users for marketing purposes.
This follows warnings in January 2024 that site owners must collect data in compliance with the General Data Protection Regulation (GDPR) or risk account suspension.
Here we discuss how Google Analytics uses cookies and what you can do to make sure your organisation is UK GDPR compliant whilst still accessing valuable data.
How does Google Analytics 4 (GA4) use cookies to track users?
GA4 uses cookies to collect valuable website information for businesses, including:
- The number of unique and new users to the website.
- The number of people who visited a particular webpage.
- How long visitors spent on a particular webpage (bounce rate).
- How many people visited the website over a given time period, such as 30 minutes (sessions).
- How long users spent on the website before leaving (session duration).
- The number of first-time visits to the website.
- How many visitors completed a valuable action on the website, such as filling in a contact form or making a purchase (event counts).
- How a visitor arrived at the website (from organic search, social media, a direct link or another website).
- The type of device a visitor is using (computer, smartphone, tablet, etc.).
Is Google Analytics 4 GDPR compliant?
While GA4 cookies collect extensive data about user behaviour, they do not collect personally identifiable information (PII) such as names, email addresses, or phone numbers by default.
However, GA4 can infer certain demographic and geographic information based on the user’s IP address. This data includes the user’s approximate location (city, country) and language preference.
Google Analytics falls under the GDPR privacy laws because the data collected can still be used to build detailed profiles of user behaviour.
To learn more about GDPR rules on data collection, please read our article, What are the 7 GDPR principles?
What are GDPR requirements for cookies?
GDPR requires that explicit consent is obtained from someone before their personal data is processed. This includes data collected through cookies and other tracking technologies.
Under GDPR, websites must:
- Inform users. Clearly explain what cookies are used, what data is collected, how it will be used, and who it will be shared with.
- Obtain explicit consent. Users must actively opt in to the use of non-essential cookies. Pre-ticked boxes and implied consent (for example, treating continued use of the website as consent) are not GDPR compliant.
- Provide options. Users must have the option to reject non-essential cookies without being denied access to the website. They must also be able to withdraw their consent at any time.
- Document consent. Websites must keep records of when and how consent was obtained, as well as the specific details of the consent given.
- Enable data access and deletion. Users have the right to access their data and request its deletion, a provision known as the ‘right to be forgotten’ under GDPR.
As well as the risk of Google suspending a business’s account, non-compliance with GDPR can result in severe penalties, including fines of up to €20 million or 4% of a company’s global turnover, whichever is higher.
How can you manage Google Analytics cookies?
Obtain explicit consent
Given the requirements of GDPR, website owners must obtain explicit consent from users before placing Google Analytics cookies on their devices.
Consent must be freely given, specific, informed and unambiguous, and is usually obtained through a pop-up or banner when a user first visits the website.
Provide information about data processing
Under GDPR, users must be informed about the types of cookies being used, their purpose, and how their data will be processed.
Allow users to opt in and out
Users must have the choice to opt in to or opt out of data tracking, and they must be able to change their preferences at any time.
How can GA4 still provide organisations with valuable data?
GA4 can use ‘conversion modelling’ to estimate and fill in data gaps when user activity is not directly observable due to GDPR restrictions, such as the user opting out of cookies.
Conversion modelling uses machine learning algorithms to provide a more complete picture of user behaviour and conversion rates. The model works by analysing patterns from the available data and using these patterns to infer what might have happened in situations where data is incomplete or missing.
Conversion modelling supports GDPR compliance in several ways:
- Data minimisation. GDPR emphasises the principle of data minimisation, which means collecting only the data that is necessary. Conversion modelling in GA4 allows businesses to still gain insights from their analytics without needing to collect every piece of user data.
- Consent management. Under GDPR, users must provide consent for their data to be collected and processed. If a user opts out or does not provide consent, GA4’s conversion modelling can still help estimate conversions without infringing on the user’s privacy. This ensures that the analytics remain useful while respecting user choices.
- Anonymisation and pseudonymisation. GA4 uses aggregated and anonymised data in its modelling processes, which is in line with GDPR’s requirements for protecting personal data. By focusing on trends and patterns rather than individual user data, GA4 reduces the risk of processing personally identifiable information (PII) without consent.
- Data retention and deletion. GDPR requires that personal data is kept only as long as necessary. GA4’s data-driven models can work even as data is deleted over time, reducing the need for long-term retention of personal data and helping businesses stay compliant with GDPR’s data retention rules.
- Privacy by design. GA4 incorporates privacy considerations into its design, ensuring that user data is handled in a way that is consistent with GDPR. Conversion modelling is part of this approach, as it helps fill gaps in data without needing to collect large volumes of data.
Conversion modelling in GA4 allows businesses to maintain robust analytics and insights while adhering to the stringent data privacy requirements set out by GDPR.
Does GA4 manage user consent for businesses?
Google Analytics 4 does not directly manage user consent, but it is designed to integrate with consent management platforms (CMPs), such as Cookiebot, to help businesses comply with GDPR.
Organisations need to do the following:
Implement a CMP
GA4 can be integrated with CMPs, which are tools designed to collect and manage user consent for data processing. When a user visits a website, the CMP can prompt them for consent to use cookies. Based on the user’s response, the CMP can instruct GA4 on whether to collect and process data.
Configure GA4’s consent mode
Google offers a feature called ‘consent mode’, which adjusts how data is collected based on user consent. Consent mode allows you to configure GA4 to behave differently depending on the user’s consent choices:
- Ad storage. Controls the behaviour of cookies used for advertising purposes.
- Analytics storage. Controls cookies and data used for analytics purposes.
When a user does not give consent for analytics or adverts, GA4 can adjust the way it tracks data, either by not collecting data at all or by using consented data in a limited way. This feature helps businesses maintain compliance with GDPR.
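The CMP-to-consent-mode wiring described in the two steps above, as an added example that is not code from the original article, from Google or from any CMP vendor. The `dataLayer` queue and `gtag()` function are the standard Google tag bootstrap; the `onCmpDecision` callback and the `{ statistics, marketing }` shape of the CMP decision are assumptions standing in for whatever your CMP actually exposes. The consent types `ad_storage` and `analytics_storage` are the two named in the article; `ad_user_data` and `ad_personalization` are the two further consent-mode types Google added later and are included so the example reflects a current deployment. Everything is denied by default, so GA4 sets no cookies until the user's choice arrives, which is the behaviour that feeds conversion modelling when consent is refused.

```javascript
// Added example (not the article's or Google's code): deny-by-default consent
// mode for GA4, updated from a hypothetical CMP callback.

// Standard Google tag bootstrap: a queue plus a gtag() that pushes onto it.
// globalThis keeps this runnable both in a browser and under Node.
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { dataLayer.push(arguments); }

// Step 1: run BEFORE the GA4 config line loads. Every storage type starts
// denied; wait_for_update (ms) holds the tags while the CMP restores a saved
// choice, so a returning user who already consented is not re-counted as
// cookieless.
function setConsentDefaults() {
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    wait_for_update: 500,
  });
}

// Step 2: map the CMP's decision onto consent-mode types. The decision object
// shape { statistics, marketing } is an assumption; adapt to your CMP.
function consentStateFromCmp(decision) {
  const v = (granted) => (granted ? 'granted' : 'denied');
  return {
    ad_storage: v(decision.marketing),
    ad_user_data: v(decision.marketing),
    ad_personalization: v(decision.marketing),
    analytics_storage: v(decision.statistics),
  };
}

// Hypothetical CMP callback: push the update and return what was sent.
function onCmpDecision(decision) {
  const state = consentStateFromCmp(decision);
  gtag('consent', 'update', state);
  return state;
}

// Step 3 (a check, not part of the tag itself): replay the queue to see the
// consent state GA4 will act on. Later entries override earlier ones, which
// mirrors how the tag resolves a default followed by an update.
function effectiveConsent() {
  const state = {};
  for (const entry of dataLayer) {
    if (entry[0] !== 'consent') continue;
    if (entry[1] !== 'default' && entry[1] !== 'update') continue;
    for (const [type, value] of Object.entries(entry[2])) {
      if (type !== 'wait_for_update') state[type] = value;
    }
  }
  return state;
}
```

Usage: call `setConsentDefaults()` in the `<head>` before the Google tag snippet, register `onCmpDecision` with your CMP's "consent given" hook, and use `effectiveConsent()` in the browser console (or a test) to confirm that a user who accepts statistics but rejects marketing ends up with `analytics_storage: 'granted'` and `ad_storage: 'denied'`. The default must be pushed before any `config` command; a default pushed afterwards is too late to stop the first cookie being set.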
Anonymise IP addresses
GA4 provides options for anonymising IP addresses and limiting data retention, which can support compliance with GDPR while still giving you valuable insights into user behaviour.
Review and manage data retention
Google Analytics allows users to set the data retention period. Websites should ensure this is set according to GDPR guidelines, which state that data should not be kept for longer than necessary for the purposes for which the data was collected.
Update privacy policies
Websites must include detailed information about their use of Google Analytics in their privacy policies. This should cover the type of data collected, the purpose of the data collection, how long the data is retained, and how users can opt out.
Document consent
Records of consent must be kept so data processing activities are auditable and GDPR compliance can be demonstrated.
UK GDPR training for your organisation
By providing comprehensive UK GDPR training across your organisation, you can ensure that employees in all departments understand their responsibilities.
Sales and marketing teams, for example, handle large volumes of personal data, including customer information and behavioural data used for targeted campaigns. GDPR training ensures that email campaigns, social media targeting and Google Analytics data processing are conducted in compliance with GDPR.
Please visit our website to find out what our UK GDPR training course covers and how your organisation can benefit or contact our friendly team on 0203 011 4242 or info@praxis42.com.
Tom Paxman
Managing Director (Digital)