Note: I have written this article on my linkedIn as well.
GDPR has been the talking point for a while. Google Analytics is having enough trouble since users need to show cookie consent popup even when users don’t need the private information in question.
What if I say, you can use Google Analytics without the consent popup, i.e without tracking any personal information. On a high level we can split the compliance into two categories,
- Data Collection
- Data Storage
Data Collection
This is what kind of information you are collecting from your user. Your website is the Data Controller, since you can control what data gets sent to GA, while GA is a Data Processor. As per GDBR, PII(Personally Identifiable Information) information needs users’ consent. So we need to make sure we don’t collect any personal information in the first place. Let’s review what are the PII in question as per GDBR,
- IP Address
- Geo Location
- User identifier via Cookie
By default Google Analytics uses the IP address to identify the user's precise location (like which city), and cookies to keep track of users. Cookie is a piece of information stored on a browser with an expiry time, this can be referred again by the website/script to recollect some information. Let’s see how we can get rid of both. Before that, you need to understand, there are 3 kind of Google Analytics scripts,
- Ga.js
- Analytics.js
- Gtag.js
Ga.js
It’s the legacy script, Google Analytics script, not used or suggested anymore. It might still work.
Analytics.js
The upgraded version of Ga.js with more features.
Gtag.js
It is kind of a wrapper around Analytics.js but acts as a multi purpose tool you use when you want to use Analytics with other Google Services. Otherwise, you better use Analytics.js since Gtag.js does not use proper caching compares to Analytics.js.
In this article, I am going to focus on Analytics.js and Gtag.js. Let’s cut short, move to the actual code. To disable IP address collection, GA offers an IP Anonymization feature which replaces the last octet in the collected IP address with ‘0’ (If the IP address is an IPv6 address, the last 80 of the 128 bits are set to zero). GA does this on their server side, before writing any data to the storage, meaning the actual IP address of the user is never recorded.
Let’s see how you can activate it,
With GTag.js,
gtag('config','UA-YOURID-ID', {'anonymize_ip' : true});
With GA.js
ga('create','UA-YOURID-ID'); ga('set','anonymizeIp', true);
I have tested this feature on my local system, you can see “aip: 1” which indicates IP anonymization is enabled.
Good, let’s disable the cookie. This is the part that has not been documented properly for GTag.js. I had to go through the source code to find it.
With GTag.js,
gtag('config', 'UA-YOURID-ID', {'client_storage': 'none'});
With GA.js
ga('create', 'UA-YOURID-ID', {'storage':'none'});
Here is the final code with both options,
Gtag
gtag('config', 'UA-YOURID-ID', {'anonymize_ip' : true, 'client_storage': 'none'});
Ga
ga('create', 'UA-YOURID-ID', {'storage':'none'});
ga('set', 'anonymizeIp', true);
Here are some images, first one with cookies enabled, second one without the cookies.
You can see when I set storage to 'none', GA did not set cookies!
Impact
IP Anonymization may not have a bigger impact other than losing some precise user geolocation. But disabling cookies might have a bigger impact. When I tested, each time I reloaded the same page, the real time user count kept increasing. This is expected since GA does not have a way to identify if the access is from the same device or not, without the cookie identifier.
Solution
We need a way to uniquely identify the device/browser to make sure we get the right “Unique Users” in Google Analytics report. But to be GDPR compliant, we don’t want to store or track personal information.
The best solution to me is to use the ETag approach. Read here for more details, basically ETag is an identifier sent by the responding server when the browser sends a request, so the next time the server can determine if it should let the browser use cache or should send a new file. Basically you need to set up a small API endpoint that can generate a new ETag, be it a completely random number.
Here is a code I used,
var req = new XMLHttpRequest();
req.open('GET', 'http://yourdomain.com/myrandom.png', false);
req.send(null);
var eTag = req.getResponseHeader('ETag');
ga('create', 'UA-YOURID-ID', {'storage':'none', 'clientId':eTag });
Now, when the browser makes a fresh request, your endpoint will need to respond with an unique string if there is no “If-None-Match” in the request header, else just return the same “If-None-Match” value (the value stored in the header). This guarantees each browser (as long as cache is not cleared), will use a consistent client id, which makes GA happy.
Metrics like total users, unique users all should work fine. Ofcourse, endpoint adds a little latency, but make sure to configure it properly for lowest latency. If you have trouble setting up this endpoint, I may be able to set up one, but only if there are enough people interested. I reviewed this, as long as ETag is unique, the real time user count did not go up as it did previously.
A little plug: FlatGA is an all-in-one website management tool that brings website analytics, SEO, and uptime monitoring in one tool. It works on top of Google Analytics and Search Console to extract critical metrics, presents you a simple dashboard without any mess.
Data Storage
This is the part you need to configure GA settings. Most of the settings would already be disabled, but you need to do review everything to be sure.
Reduce data retention period
Admin → Tracking Info → Data Retention. Convert the default duration to 14 months.
Turn off 'Reset on New Activity'
Under Admin → Property Settings → Advertising Features, turn this off to prevent Google from making reports around user info.
Remarketing
Turn off “Advertising Reporting Features” under Admin → Tracking Info → Data Collection
Data sharing
Turn off from Account Settings -> Data Sharing
Disable Demographics and Interests Reports
Under Property Settings, disable this if enabled.
Conclusion
So there are ways to configure GA to adhere to GDPR criteria, and avoid showing that annoying popup to the user or switching to alternative analytics solutions. But if you are using cookies in the other parts of the application, you don't have to go to this length anyways. Let me know what you think, if you have any questions, don't hesitate to reach out to me.