David Vallejo - Web Analyst

#Discussion :: GDPR Compliance - Google Analytics Setup Proposal

Web Analytics

NOTE: I want to start this post with a big disclaimer over it I'm not publishing it in order to tell anyone how they should be doing the Google Analytics tracking to comply with the GDPR / CCPA .


The goal of this post being able to start an open discussion about the reliability of this exposed method and any final decision should be taken the site owners under their own responsability.

One of biggest issues I ( my clients ) are hitting when implementing a hard "cookies-consent wall" is that they would likely lost all the attribution info for at least all the people that bounces. Which can be a disaster if you use Google Analytics for reporting about how your investments in marketing are working. ( not to mention that losing the info about pageviews, sessions, for all that many amount of traffic ).

Let me show you my proposal for setting up Google Analytics for when the users didn't yet selected an option for their cookies preferences:

Then, what are we doing here:

  • If the current user didn't yet selected his preference, we'll be launching a pageview hit to Google Analytics
  • This is not an standard hit/tracker initialization. It's a stateless tracker with all the cookies writing disabled, the IP Anonymization enabled and with the AdsFeatures forcely set to false.

if (!userConsent) {
  
ga('create''UA-123123123-123''auto', {
    
'storage''none',
    
'storeGac'false,
    
'anonymizeIp'true,
    
'allowAdFeatures'false
  
});
  
// We'll save the current clientId into a variable,
  // if later on, the user gives it's consent, we'll be using 
  // to write the cookie
  
ga('set''customTask', function(tracker) {
    
window._gacid tracker.get('clientId');
  });
  
ga('send''pageview');

At this point when the user lands we'll be launching a pageview in order to track that session start, but no cookie will be used ( if the users reloads a new clientId will be genarated ). If at some point the user accepts the cookies, we'll write down the uses random-generated-clientId into the cookie and we'll be able to properly track the user journey.

All the tracking happens ( imo ) in a first-party content, and we're respecting the user privacy while we takes a decision. It's just an extra "anonymized" session starting hit, that will allow to keep a vision from where our traffic is coming.

Of course after the user has choosen not to be tracked, so this should only be used while our "consent-cookie" is not present, from that point on, we should obey to what our cookies states.

I really feel this respects the GDPR since there won't be any cookies if the users doesnt' explicitly allow it, and we' re taking extra steps to protects the user privacy in all other ways we can when sending the hit.

In any case, I'm not a lawer nor an expert on user-privacy, so I'd love to have feedback from other people on this.

DISCLAIMER: This post in NOT mean to show a law-approved way to use Google Analytics. Please get a proper advise from an user-privacy expert or from your lawer before implementing your tracking the way is showed on this post.