Protect Your Users' Rights within Google Analytics with These 5 GDPR Setup Steps
You may be wondering - if my website is not collecting PII (Personally Identifiable Information) within Google Analytics, and I am not using other adtech cookies that fall under GDPR regulations, why should I burden my users?
The truth of the matter is, you do not need to burden anyone. Instead, go make the following tweaks to Google Analytics. For some clients we implement this across their entire site; for others, only certain key landing pages. This allows the best of both worlds: tracking your important or engaged users with cookies, but perhaps leaving others alone.
Step 1 – Accept and Sign Policies
First, let’s get rid of that big yellow bar at the top of Google Analytics! To do that, navigate to Account Settings within the Google Analytics Admin Area.
- Uncheck all the various ways Google wants your data
- Review and accept the Data Processing Amendment
- Fill out your company details within the DPA Details
- Press Save and relax a bit, but don’t stop yet
Overall account settings and DPA
Data Processing Amendment details
Step 2 – Set User Retention Policy
If you have not done this already, you are now getting a notification when logging into Google Analytics. Or you see a bright yellow bar. In Admin, go into Property Settings > Tracking Info > Data Retention. We highly suggest you go beyond the default 26 months, per image below. While Google tries to make light of the data you will be missing, it is quite significant!
The best explanations of this are from Jeffalytics and Raven Tools. Whatever you choose, make sure you designate that in your Privacy Policy.
GA – User Retention Settings for GDPR
Furthermore, make sure you leave Reset on new activity set to ON. One exception would be to leave it OFF if you state this explicitly in your privacy policy.
GA – User retention settings for GDPR
Step 3 – Anonymize IPs within Google Analytics
An IP address can most likely not be tied to a Mary Joe NewUser. That said, it is always better to be safe than sorry. We recommend you anonymize your IPs. That takes out the last octet, making the IP look like 123.456.789.???. While you might see a slight shift in your geographic reporting, it should be very insignificant. It has never been like GPS. For Google Tag Manager, add the following to the Fields to Set:
Fields to Set in GTM to anonymize IP’s
Or, add the ga('set', 'anonymizeIp', true); line to your analytics.js script. The field name is case-sensitive, and the line must come before the pageview is sent:
<!-- Google Analytics -->
<script async src='https://www.google-analytics.com/analytics.js'></script>
<script>
window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
ga('create', 'UA-XXXX-Y', 'auto');
// Anonymize the visitor IP before any hit is sent
ga('set', 'anonymizeIp', true);
ga('send', 'pageview');
</script>
<!-- End Google Analytics -->
Or, add the 'anonymize_ip': true setting to the config call in the new gtag script:
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=GA_TRACKING_ID"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
// Anonymize the visitor IP for every hit sent with this config
gtag('config', 'GA_TRACKING_ID', { 'anonymize_ip': true });
</script>
Step 4 – Turning off Remarketing or Demographic Reporting
OK, now let’s take a break from that complicated code and get back to the easy Google Analytics interface (slight sarcasm). Remarketing and Demographics use persistent cookies that track a user’s behavior across websites, i.e. they share people’s stuff. You now need to ask them before doing so. Since this is an article about avoiding the pop-up, here is how:
Within your Admin > Tracking Info > Data Collection settings you will need to turn these completely off. Done! Now, wasn’t that a lot easier!!
Step 5 – Assuring No PII Was Collected within Your URLs
OK, now we are nearing the end. Rarely, but sometimes, you may be passing PII such as email, phone number, etc. into Google Analytics without even knowing it. Furthermore, this is greatly impacting your reporting – it is creating separate pages for each form submission! Below is how to fix this one.
Note, you will need to duplicate this filter for each parameter such as email, phone number, first name.
PII in a URL string
Or even worse, PII may be hidden within Custom Dimensions, Events, and more!
Personally Identifiable Information in custom dimensions
The Great Fix:
GA filter for email, phone, etc
- Go to Admin > View Settings > Filters
- Add a new “Custom” \ Advanced \ Filter
- Enter the following in Field A -> Extract A:
(.*?)email=[^&]+(.*?)$
Replace email with phone, name, etc. as it may apply.
- Enter the following in Output To -> Constructor:
$A1email=email$A2
- Rinse and repeat for every instance of PII you are collecting
- Assure the filters are added to ALL profiles. Test in your Test view first.
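To see what the Step 5 filter does and does not catch before relying on it, the following added example (not code from this article or from Google) models one filter pass per parameter on constructed request URIs, then shows a client-side scrub and a leak check you could run against Test view data. The function names, the 'redacted' placeholder and the assumption that a non-matching hit passes through unchanged are illustrative.

```javascript
// Added example, not the article's code. Request URIs are constructed samples.
const PII_PARAMS = ['email', 'phone', 'name']; // one GA filter per parameter

// One pass of the Step 5 filter for a single parameter:
// Extract A = (.*?)PARAM=[^&]+(.*?)$   Constructor = $A1PARAM=PARAM$A2
// Assumption: a hit that does not match Field A is left unchanged.
function applyGaFilter(uri, param) {
  const m = new RegExp(`(.*?)${param}=[^&]+(.*?)$`).exec(uri);
  return m ? `${m[1]}${param}=${param}${m[2]}` : uri;
}

// Run every per-parameter filter in order, as a view's filter list would.
function applyAllFilters(uri) {
  return PII_PARAMS.reduce(applyGaFilter, uri);
}

// Client-side alternative: redact every occurrence of each parameter before
// the page path is sent, so a repeated parameter cannot slip through.
function scrubBeforeSend(uri) {
  const q = uri.indexOf('?');
  if (q === -1) return uri;
  const pairs = uri.slice(q + 1).split('&').map((pair) => {
    const key = pair.split('=')[0];
    return PII_PARAMS.includes(key.toLowerCase()) ? `${key}=redacted` : pair;
  });
  return `${uri.slice(0, q)}?${pairs.join('&')}`;
}

// Detection check for the Test view: does an email address survive in a URI?
function leaksEmail(uri) {
  let decoded = uri;
  try { decoded = decodeURIComponent(uri); } catch (e) { /* keep raw value */ }
  return /[^\s@=&?\/]+@[^\s@=&?\/]+\.[a-z]{2,}/i.test(decoded);
}

// Constructed sample: the same parameter appears twice in one request URI.
const sample = '/signup?email=a@example.com&email=b@example.com';
console.log(applyAllFilters(sample), leaksEmail(applyAllFilters(sample)));
console.log(scrubBeforeSend(sample), leaksEmail(scrubBeforeSend(sample)));
```

The single-pass filter rewrites only the first match, so the second address in the sample survives it, and neither approach catches an address carried in an unlisted parameter such as a search query; the leak check flags both cases.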
Congrats, breathe well. You may not have won the lottery, but you also can sleep tight knowing you won’t go bankrupt. Better yet, you are protecting your users’ privacy to the utmost degree.