Google Analytics vs. GDPR – is that even possible?

We are currently receiving many inquiries from uncertain clients regarding the new General Data Protection Regulation (GDPR). During an initial analysis of the homepage, it immediately becomes apparent that most clients use an analysis tool – mostly Google Analytics or Matomo (formerly Piwik). Such tools are useful and indispensable for good online marketing.

But now the question arises: to what extent can these tools still be used in compliance with the GDPR?

Admittedly, we believe that the GDPR, and in particular its German implementation, has overshot the mark. This creates enormous uncertainty in most companies, and regular business operations are hardly possible without fear of violating some GDPR provision. But back to the actual topic: is tracking the user data of a website still permissible under the General Data Protection Regulation?

Basically no! At least not without a few special adjustments. This is also confirmed by the position of the Conference of Independent Data Protection Authorities of the Federal Government. The statement of the German authorities can be found here:

https://www.ldi.nrw.de/mainmenu_Datenschutz/submenu_Technik/Inhalt/TechnikundOrganisation/Inhalt/Zur-Anwendbarkeit-des-TMG-fuer-nicht-oeffentliche-Stellen-ab-dem-25_-Mai-2018/Positionsbestimmung-TMG.pdf

But now to the real thing: How did I implement Google Analytics in compliance with the law? This requires a look at the provisions in accordance with Art. 6 para. 1 lit. f GDPR. You should therefore follow these steps:

  1. sign a Data Processing Agreement (DPA) with Google. You can find this contract here: 

     http://static.googleusercontent.com/media/www.google.de/de/de/analytics/terms/de.pdf

  2. accept the addendum for data processing with Google. You may have wondered what the “Data Processing Supplement” option in your Google Analytics account settings is for. This is appropriate here for GDPR. Once you enable this feature, your site visitors’ interests will be protected. It is also important that you enter the following information manually:
    1. The person responsible (i.e. the legal person responsible for data processing),
    2. A contact (i.e. a person/contact to whom the communications relating to the data processing conditions can be sent),
    3. a data protection officer (if to be appointed),
    4. an EEA Representative (but this is only important for companies that are not in the European Union).

  3. install an easy way for your website users to opt out.

You can use the following two JavaScript snippets:

First, implement the link with the JavaScript alert:

    <a onclick="alert('Google Analytics has been disabled');" href="javascript:gaOptout()">deactivate Google Analytics</a>

For the link above to work, the following code must be installed globally on the website:

    <script type="text/javascript">
    // Set to the same value as the web property used on the site
    var gaProperty = 'UA-XXXX-Y';

    // Disable tracking if the opt-out cookie exists.
    var disableStr = 'ga-disable-' + gaProperty;
    if (document.cookie.indexOf(disableStr + '=true') > -1) {
      window[disableStr] = true;
    }

    // Opt-out function
    function gaOptout() {
      document.cookie = disableStr + '=true; expires=Thu, 31 Dec 2099 23:59:59 UTC; path=/';
      window[disableStr] = true;
    }
    </script>

  4. implement IP anonymization – this will nullify the last two blocks of the IP (e.g. 108.138.0.0) so that it is no longer possible to identify the respective website visitor;
  5. integrate a data protection declaration in accordance with the law within the meaning of Art. 12, 13 GDPR;
  6. don’t activate the user ID.
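
One way to check the opt-out, IP anonymization and user ID steps on a live site is to audit the hits the browser actually sends. The following is an added example, not code from the original post or from Google. It assumes Universal Analytics hits captured as GET URLs from the browser's network tab (hits sent by POST carry the same parameters in the request body) and uses the Measurement Protocol parameters `tid` (property), `aip` (anonymize IP) and `uid` (User ID); the function names and sample hits are constructed for illustration.

```javascript
// Added example: audit captured Universal Analytics hits against the
// opt-out, IP anonymization and user ID steps. Names and data are constructed.

// True if the opt-out cookie written by gaOptout() exists for this property.
function hasOptOutCookie(cookieHeader, property) {
  return cookieHeader
    .split(';')
    .map((c) => c.trim())
    .includes('ga-disable-' + property + '=true');
}

// Returns a list of findings for the captured hit URLs; empty means no issue.
function auditHits(hitUrls, cookieHeader, property) {
  const findings = [];
  const optedOut = hasOptOutCookie(cookieHeader, property);
  for (const raw of hitUrls) {
    const url = new URL(raw);
    if (url.hostname !== 'www.google-analytics.com') continue; // not a GA hit
    const p = url.searchParams;
    if (p.get('tid') !== property) continue; // hit for a different property
    if (optedOut) findings.push('hit sent despite opt-out cookie: ' + raw);
    if (p.get('aip') !== '1') findings.push('IP anonymization not set (aip): ' + raw);
    if (p.has('uid')) findings.push('User ID present (uid): ' + raw);
  }
  return findings;
}

// Constructed sample data: one compliant hit, one without aip, one with uid.
const PROPERTY = 'UA-XXXX-Y';
const BASE = 'https://www.google-analytics.com/collect?v=1&tid=UA-XXXX-Y&cid=555';
const sampleHits = [
  BASE + '&t=pageview&aip=1',
  BASE + '&t=pageview',
  BASE + '&t=event&aip=1&uid=u42',
];

console.log(auditHits(sampleHits, '', PROPERTY));
console.log(auditHits(sampleHits.slice(0, 1), 'lang=de; ga-disable-UA-XXXX-Y=true', PROPERTY));
```

An empty result for a page load with the opt-out cookie set, and no `aip` or `uid` findings without it, is what the configuration described above should produce.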

We hope that with this short explanation we could take away the horror of the GDPR in relation to Google Analytics (as well as further analysis tools).

If you have any questions about GDPR, do not hesitate to contact German lawyer Stephan Hendel who specialises in data protection and IT law. Having a Canadian family background, Stephan is fluent in English and is well aware of the different business mentalities of Anglo-American as well as German entrepreneurs. Our German and international clients appreciate Stephan’s pragmatic hands on approach.

Within the Cross-Channel-Lawyer network, Stephan is the expert for all legal matters surrounding IT, cyber law, data protection issues and compliance with German law.
