Current European data protection laws (the GDPR) mean that Google Analytics can no longer collect data without first getting consent from site visitors. You must therefore take a few precautions to ensure that Google Analytics is using data collected from your site in a way that complies with this data protection law.
1. Sign a valid data processing agreement with Google
You can sign a data processing agreement directly through your Google Analytics account. For more information about this agreement, go to this Google support page.
2. Activate IP anonymization
By adding the “_anonymizeIp” function to your tracking code for the JavaScript library “ga.js”, you can ensure that the IP addresses of your visitors are never saved in full. The final digits, which allow identification of the computer itself, will be replaced with a series of zeros. For more information about IP anonymization, go to this Google support page.
3. Avoid the “User ID” function
In the latest version of Google's “Universal Analytics”, even more data are processed than with the standard version. You should make sure that the User ID function is deactivated. This function allows tracking across devices by letting site owners follow User IDs even more effectively, which does not comply with German data protection laws.
4. Deactivate the target group (or “remarketing”) function
You can change this setting in the Google Analytics options. For more information, go to this Google support page.
5. Let users deactivate add-ons
Visitors can opt out of having their user data saved. This works with all common browsers, but not on mobile devices.
6. Let users opt out of cookies
With a simple click, users can block analytics tracking, including on mobile devices. A guide on implementing this using JavaScript (Disabling tracking) can be found in this Google article.
7. Limit data retention periods
Limit data retention periods in the settings (to 14 months maximum) and deactivate the “Reset on new activity” function.
8. Explain your data protection
In your data protection policy, make sure you clearly explain to your users whether you use Google Analytics and, if so, what you do with it. Make sure to also detail the above-mentioned points, i.e., the data processing agreement, IP anonymization and opt-out options (for browser plug-ins and cookies).
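Steps 2 and 6 on a ga.js page, as an added example (not code from this page or from Google): it sets Google's documented `ga-disable-<property ID>` flag from an opt-out cookie before any hit is queued, and pushes `_gat._anonymizeIp` ahead of `_trackPageview`. The property ID `UA-XXXXX-Y` is a placeholder, and the helper names (`hasOptOut`, `optOutCookie`, `gaOptOut`, `initTracking`) and the cookie lifetime are assumptions.

```javascript
// Added example. GA_PROPERTY is a placeholder; replace it with your own ID.
var GA_PROPERTY = 'UA-XXXXX-Y';
// Name of the opt-out flag that ga.js checks on the window object.
var DISABLE_KEY = 'ga-disable-' + GA_PROPERTY;

// True when the opt-out cookie is present in a document.cookie-style string.
// Exact match per cookie pair, so "x-ga-disable-...=true" does not count.
function hasOptOut(cookieString) {
  return cookieString.split(';').some(function (part) {
    return part.trim() === DISABLE_KEY + '=true';
  });
}

// Cookie that remembers the visitor's choice (lifetime is an assumption).
function optOutCookie() {
  return DISABLE_KEY + '=true; expires=Thu, 31 Dec 2099 23:59:59 UTC; path=/; SameSite=Lax';
}

// Handler for the opt-out link: persist the choice and stop tracking
// on the current page as well.
function gaOptOut(win, doc) {
  doc.cookie = optOutCookie();
  win[DISABLE_KEY] = true;
}

// Must run before the ga.js loader snippet. Returns the command queue.
function initTracking(win, doc) {
  if (hasOptOut(doc.cookie)) {
    win[DISABLE_KEY] = true; // set before any tracking call is made
  }
  win._gaq = win._gaq || [];
  win._gaq.push(['_setAccount', GA_PROPERTY]);
  win._gaq.push(['_gat._anonymizeIp']); // has to precede _trackPageview
  win._gaq.push(['_trackPageview']);
  return win._gaq;
}

// In a browser, initialise immediately; elsewhere the functions are only defined.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  initTracking(window, document);
}
```

Wire the opt-out link to `gaOptOut(window, document)`; because the choice lives in a cookie, it is lost when the visitor clears cookies and has to be made again.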