Google Analytics is used by millions of websites worldwide — but its relationship with GDPR has been controversial since the regulation came into force. If your website uses Google Analytics, here's what you need to know to stay compliant.
Why Google Analytics and GDPR Are Complicated
Google Analytics collects data about your website visitors, including IP addresses, browser information, device type and browsing behaviour, and sends it to Google, where it may be processed on servers located in the United States.
Under GDPR, transferring personal data outside the UK and EEA requires specific safeguards. IP addresses are personal data because they can be used to single out an individual, and the fact that they are sent to the US led several European data protection authorities (Austria, France and Italy among them, in 2022) to rule that the Google Analytics setups they examined breached GDPR's transfer rules.
In the UK, the ICO has not issued a blanket ruling against Google Analytics, but has made clear that businesses must ensure appropriate safeguards are in place for any international data transfers.
What You Need to Do
If you use Google Analytics on your website, you should:
1. Enable IP Anonymisation
GA4 does not log or store full IP addresses, which reduces (but does not eliminate) the risk of transferring personal data; the IP is still sent to Google to be processed before it is discarded. If you are still running Universal Analytics (now deprecated and no longer processing data), IP anonymisation was an opt-in setting that had to be enabled manually.
2. Obtain Proper Consent
Google Analytics sets cookies (and reads device storage) to recognise returning visitors. Under UK PECR, which implements the ePrivacy cookie rules, and GDPR, you must obtain prior, informed consent before placing analytics cookies. This means:
- Your cookie consent banner must offer a genuine choice to reject analytics cookies, as easy to use as the option to accept
- The Google Analytics script must not load (and no GA cookie may be set) until consent is given
- Pre-ticked boxes, implied consent from continued browsing, or an "accept" button with no "reject" equivalent are not valid consent
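One way to implement the "do not load until consent is given" rule in the browser. This is an added example, not code from the original article or from Google: it assumes a consent banner that writes a first-party cookie named cookie_consent holding JSON such as {"analytics":true}, and uses the placeholder measurement ID G-XXXXXXXXXX. The gtag loader URL and the dataLayer/gtag bootstrap are Google's documented pattern; everything else here is an assumption for illustration. Absence of the cookie, a malformed value, or anything other than an explicit true is treated as "no consent", so nothing is pre-ticked.

```javascript
// Gate the GA4 loader behind explicit analytics consent.
// Assumptions (not from the article): consent lives in a cookie named
// "cookie_consent" whose value is JSON like {"analytics":true};
// G-XXXXXXXXXX is a placeholder measurement ID.
const GA_MEASUREMENT_ID = 'G-XXXXXXXXXX';
const CONSENT_COOKIE = 'cookie_consent';
const GTAG_LOADER = 'https://www.googletagmanager.com/gtag/js?id=';

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(value);
    } catch (e) {
      out[name] = value; // keep a badly encoded value rather than throwing
    }
  }
  return out;
}

// True only if the visitor has affirmatively opted in to analytics.
// Missing cookie, unparsable JSON, false, or the string "true" all mean no.
function hasAnalyticsConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return false;
  try {
    const consent = JSON.parse(raw);
    return consent !== null && typeof consent === 'object' && consent.analytics === true;
  } catch (e) {
    return false;
  }
}

// Decide, without touching the DOM, whether GA should load and from where.
function analyticsLoadPlan(cookieString) {
  if (!hasAnalyticsConsent(cookieString)) {
    return { load: false, scriptSrc: null };
  }
  return { load: true, scriptSrc: GTAG_LOADER + encodeURIComponent(GA_MEASUREMENT_ID) };
}

// Browser entry point: inject gtag.js only when the plan allows it.
// Returns true if the loader was injected, false if nothing happened.
function loadAnalyticsIfConsented(doc, win) {
  const plan = analyticsLoadPlan(doc.cookie || '');
  if (!plan.load) return false;
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); }
  gtag('js', new Date());
  gtag('config', GA_MEASUREMENT_ID);
  const script = doc.createElement('script');
  script.async = true;
  script.src = plan.scriptSrc;
  doc.head.appendChild(script);
  return true;
}

// Called by the banner's Accept / Reject buttons. A rejection is recorded
// explicitly so the banner is not shown again, but no script is loaded.
function recordConsent(doc, win, analyticsAllowed) {
  const value = encodeURIComponent(JSON.stringify({ analytics: analyticsAllowed === true }));
  doc.cookie = CONSENT_COOKIE + '=' + value + '; Path=/; Max-Age=15552000; SameSite=Lax; Secure';
  return loadAnalyticsIfConsented(doc, win);
}

// On a real page, run once at load: returning visitors who already opted in
// get analytics immediately; everyone else gets nothing until they accept.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  loadAnalyticsIfConsented(document, window);
}
```

Wire recordConsent(document, window, true) to the banner's accept button and recordConsent(document, window, false) to reject. Google also offers Consent Mode, where gtag.js loads immediately with analytics_storage set to "denied" until consent is granted; the stricter approach shown here, which keeps the script off the page entirely until opt-in, is the easier one to defend under PECR.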
3. Update Your Privacy Policy
Your privacy policy must explicitly mention Google Analytics. It should explain:
- That you use Google Analytics
- What data it collects
- That data is transferred to Google in the US
- The transfer mechanism (Google relies on Standard Contractual Clauses in its Analytics data processing terms; check Google's current terms, as the mechanism it relies on can change)
- How users can opt out (including the Google Analytics opt-out browser add-on)
A generic reference to "analytics tools" or "usage data" is not sufficient — you must name Google Analytics specifically.
4. Configure Data Retention Settings
In your Google Analytics account, set event data retention to the shortest period that still meets your reporting needs. GA4 standard properties offer a choice of 2 months or 14 months; choosing the shorter period where you can is consistent with GDPR's data minimisation and storage limitation principles.
5. Sign Google's Data Processing Agreement
Google provides Data Processing Terms for Analytics customers that act as the processor agreement GDPR requires between you (the controller) and Google (the processor). You should ensure these have been accepted for your account. In GA4 you can find them in the Admin area under Account Settings, where the Data Processing Terms are shown alongside the acceptance status.
Consider Privacy-Friendly Alternatives
Some businesses are switching to privacy-focused analytics tools such as Plausible, Fathom or Matomo, which can be run without cookies and can be hosted in the UK or EU (or self-hosted), so no personal data leaves your jurisdiction. These tools are easier to make GDPR compliant and, where they genuinely store nothing on the visitor's device and collect no identifiers, may remove the need for cookie consent for analytics entirely.
Is Your Site Compliant?
ClearlyCompliant automatically detects Google Analytics and other tracking scripts on your site, checks whether your privacy policy covers them, and flags any compliance gaps — for £29.99.