GDPR Compliance for Google Tag Manager and Google Analytics
The time is upon us when we all have to comply with the EU’s regulations on privacy. Websites in the USA technically don’t have to comply, but everyone accessing your site from the EU is protected under this statute, so it is best for all of us to “get with the ball game”, so to speak.
So what are we supposed to do? Let me list the steps that need to be taken.
Step 1: Data storage in Google Analytics. Go into the Property Settings and look for the Data Retention menu.
Click on the tab and you will see choices of how many months of data to keep. I went for 50 months because that is the maximum time explicitly allowed. I wouldn’t recommend the “Do not automatically expire” option because it is quite vague.
The option “26 months” is a Google-suggested default, just so you know. Here is some more information on Retention.
Step 2: Anonymize IP. If you use Google Tag Manager as any normal human being should, this is a very simple setting change. Go into the Universal Analytics tag that fires on every page view and, under Fields to Set, add the field anonymizeIp with the value true.
Now, the last 4 digits of a user’s IP will be marked as ‘0000’ and you cannot identify them in any way. Not that you were doing anything with it but still, that is the guideline.
If you are not able to use GTM for any reason, just change the normal collection code by adding the following to every page of your site.
<!-- Global site tag (gtag.js) - Google Analytics -->
Step 3: Advertising and Re-targeting. Some of the more conservative folks are recommending that you shut down the re-targeting and advertising features in Google Analytics. If you are not using them, do turn them off, otherwise there is no harm in keeping them on.
Step 4: Set up a cookie consent form. The best recipe that I have seen is by our friends at AnalyticsMania. This is a great, quick recipe to install using Google Tag Manager. It will put you in more compliance than is absolutely necessary.
One more thing…..
Step 5: Audit your site so that there is no PII being sent to Google Analytics. That means any emails, user IDs or any unencrypted content. I know a lot of folks who have email addresses floating around in URLs or events.
You do not want to be banned from Google. Getting back in requires a lot of work. Clean all new data collection to make sure nothing personal gets recorded in Google Analytics. Read this article; memorize if necessary.
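One way to carry out the Step 5 audit, as an added example that is not part of the original post: the JavaScript below flags page URLs and event fields that contain an e-mail address and produces the redacted form that should be collected instead. The function names, the REDACTED_EMAIL placeholder and the sample URLs are assumptions made up for this illustration.

```javascript
// Added example, not from the original post. Names and the placeholder are assumptions.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const PLACEHOLDER = 'REDACTED_EMAIL';

// Percent-decode so "jane%40example.com" is caught; tolerate malformed escapes.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// True if the (decoded) text contains something shaped like an e-mail address.
function hasEmail(text) {
  return safeDecode(text).search(EMAIL_RE) !== -1;
}

// Redact e-mails in one string; strings without a match are returned untouched.
function redact(text) {
  return hasEmail(text) ? safeDecode(text).replace(EMAIL_RE, PLACEHOLDER) : text;
}

// Copy of the URL with e-mails removed from path, query string and fragment.
function scrubUrl(rawUrl) {
  const u = new URL(rawUrl);
  u.pathname = u.pathname.split('/').map(redact).join('/');
  const params = new URLSearchParams();
  for (const [k, v] of u.searchParams) params.append(redact(k), redact(v));
  u.search = params.toString();
  u.hash = u.hash ? '#' + redact(u.hash.slice(1)) : '';
  return u.toString();
}

// Same treatment for event fields (category, action, label); non-strings pass through.
function scrubEvent(fields) {
  return Object.fromEntries(Object.entries(fields)
    .map(([k, v]) => [k, typeof v === 'string' ? redact(v) : v]));
}

// Audit: which recorded page URLs carried an address, and what they should look like.
function auditUrls(urls) {
  return urls.filter(hasEmail).map((url) => ({ url, clean: scrubUrl(url) }));
}

// Constructed sample data, shaped like page URLs exported from a Pages report.
const SAMPLE_URLS = [
  'https://shop.example/thanks?email=jane%40example.com&ref=news',
  'https://shop.example/user/jane@example.com/orders',
  'https://shop.example/pricing?plan=pro',
];
console.log(auditUrls(SAMPLE_URLS));
```

Run auditUrls over exported page URLs to find the offending pages, then fix the site so the address never enters the URL; scrubUrl and scrubEvent are a safety net for the values handed to the tag, not a replacement for that fix.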
You are all done and now can rest easy that the EU will not come after you.