GDPR compliant analytics

More and more Google Analytics users are looking for Google Analytics alternatives after the recent crack downs on how Google Analytics work with data processing and in particular, data transfers. The use of the popular analytics tool has been questioned in organizations due to fear of non compliance with the GDPR.

But with the new agreement between the US and EU on data transfers, it seems that Google Analytics is once again possible to use and still maintain GDPR compliance. So, should you use another analytics tool or stick to Google Analytics?

GDPR compliant analytics does not mean less analytics

There are quite a few GDPR compliant Google Analytics alternatives out there, but most are trading compliance for features. And as a result, they sport basic analytics without the ability to expand to more advanced features and deeper insights. A lot can be said about Google Analytics, and it can be confusing, annoying and sometimes complicated to use. But it does have a bunch of useful features that a serious alternative should either compete with, or complement.

We think that a good Google Analytics alternative bring something new to the table, and if it does, it does not have to replace Google Analytics, but might as well complement it. For example by providing a deep integration with GA4 to enable users to have the best of both, with better data.

Why is GDPR compliance important?

While there are implications if you're not following the General data protection regulation (GDPR) when you are located in the European Union or have EU citizens visiting your website, it is not important per se to be GDPR compliant. Nowadays, respecting user privacy is important to show your visitors and users that they can trust that you manage their data securely and responsible. If not, they may avoid your business.

Data privacy is no longer just a regulatory requirement but a user expectation. Visitors expect their user privacy to be respected and often visits websites in good faith, providing explicit user consent without ever really reading the privacy policy och cookie consent policies stated in the common consent popup. Hence, it is important to take precautions to properly manage personal data (personally identifiable information) such as name, email, user ids, ip addresses and other online identifiers, and to secure the data with proper data encryption and data retention policies.

Is Google Analytics GDPR compliant?

As you probably already know, Google Analytics is a website analytics tool that track users and collect website data. Google Analytics collects personal data, or personally identifiable information (PII), such as IP addresses and client identifiers as part of its data collection. It is possible to restrict Google from collecting IP addresses in Google Analytics 4, but the GDPR also restricts the use of cookies unless consent is given. Hence, most companies includes information about the data Google Analytics will collect in its privacy policy. Which in general is how most implement consent nowadays.

However, GDPR stipulates that consent must be given before any data is collected and the visitor should have options to opt in or out. And this is often not technically implemented as it is easier to just paste the Google Analytics code in the <head> tag according to the installation instructions provided.

Google Analytics have added the Google consent mode (can be turned on in the (Google Analytics settings) to better cater for user privacy. User requests on privacy can now be shared with Google to have Google Analytics adhere to the consent given. When consent is not given, Google Analytics still track users but will not send back any personal data or set any cookies. This way Google Analytics can still report on website traffic to website owners.

But the real problem with Google Analytics has never been the data collection, but rather that Google, as a data processor has sent the collected data outside of the European union for data processing. And this is an issue because it has not been possible for the user to control this, and the data protection laws in the US (where the data was sent) is not as strict as the General data protection regulation in the EU. Up until now that is.

The EU-US Data Privacy Framework

Since July 10th, the European commission and the US has entered an agreement on data sharing and data transfers between the two. In effect, this means that a company can make data transfers between the EU and US as long as the company is certified by the Department of Commerce under the new framework.

US companies will be able to join the framework by committing to comply with a detailed set of privacy obligations. This means that Google Analytics, once it is certified, will be able to send data from the European Union to the US without breaching GDPR compliance.

So, to answer the question if Google Analytics is in GDPR compliance, one need to determine if Google has been certified, which would make Google Analytics GDPR compliant. As of now, Google seem to be among these businesses and thereby, if proper consent has been obtained, should be compliant with the GDPR. Hence, Google Analytics 4 (GA4) can be part of your GDPR compliant analytics setup.

How to make Google Analytics GDPR compliant

As described above, Google Analytics as a tool can be used in a GDPR compliant way by making sure to obtain consent to collecting and processing data, as well as to set cookies. Google Analytics data transfer issues are currently resolved with the ned EU - US agreement and beyond that it really comes down to obtaining the correct consent to use the visitor data for analytics.

Restricting Google Analytics from collecting IP addresses

It is recommended to restrict Google Analytics from collecting IP addresses (you can do it in settings from your Google Analytics account) if you don't need the features coupled with the information. But disabling it will not make much of a difference from a GDPR compliance point of view since it is not the only thing that might be considered PII in Google Analytics.

You should implement the Google consent mode to make Google listen to the user privacy settings of your website and turn off tracking and advertising features when the user does not consent to it. Alternatively you can use a consent management tool that completely removes the Google Analytics tracking from your site when proper consent isn't provided.

Want more than website analytics?

Engage is a smart analytics data platform that features everything from basic web analytics to advanced personalization and data integrations. As such, data privacy, and more specifically user privacy is of outmost importance to us.

Privacy by design

Engage comes setup as strictly GDPR compliant by default. This means Engage does not store or collect any personally identifiable information by default. Furthermore, it does not write cookies (other than the ones required for the service to run) and it includes a consent management solution to get you started on the right path. All this gives you full control of the data collected and you may ask for explicit user consent prior to collecting any visitor data.

The Engage consent management solution is built to seamlessly collect and adhere to user consent. Use it to ask for cookie consent as most tools provide, and personal data processing consent for analytics and marketing purpose. You may use it standalone with a popup asking the user for the consent required, or you can integrate any of the most common consent solutions with it. So, if you already use a consent management tool or solution, there is no need to add a new one, just select the integration and we seamlessly adhere to that solution instead. You may also, if needed, turn off the Engage consent management tool altogether.

Engage stores consent provided with every data point collected so you can make informed decisions at every point of data processing throughout your data landscape. This means that a users consent for the particular data provided can be granularly identified in your data collection. Furthermore you can set a consent expiration time to reacquire consent from your visitors after some time has passed. All in accordance with recommendations from the European Union on how to comply with the GDPR.

Data protection and security

Engage protects personal data first and foremost by not collecting anymore data than necessary for the features within Engage. Beyond that, Engage use data encryption in rest as well as in data transfer. From the moment Engage is collecting data to when we dispose of it, we work to keep the personal data encrypted and safe.

Storing personal data

Data storage is turned off by default to avoid having any data processed until proper consent management is in place. Data storage is however required for most features in Engage so it is recommended to activate data storage as soon as you've selected privacy mode (more on that below).

As described above, Engage runs with the privacy mode on by default. But there are a few options to consider when running Engage depending on your use case and how you are obtaining consent. In short, there are three privacy modes: On, Off and Strict.

  • Off - Does not require any consent to store PII and set cookies.
  • Strict - Does not collect any personal data or set any cookies.
  • On - Requires consent to collect data and set cookies

Run in privacy mode Off

Already managing consent with another tool? Great! Then you can set the privacy mode to "Off". In Off mode, Engage does not require consent to collect user data or set any cookies.

Run in Strict mode

If you want to use Engage only as a website analytics tool you may either leave the privacy mode as-is (on), without activating any integration. Or set the privacy mode to "strict". In strict mode, Engage does not collect ip addresses, user id or any other personal data, nor will it set any cookies. But this also means that we can't report on returning visitors and visitor activities over time without user identifiers. To get more in-dept analytics of user behavior we recommend not using the Strict mode.

In Strict mode, Engage does not collect the data required for running most integrations. Hence, no data sharing to third parties can run in Strict mode. For example, the Google Analytics 4 integration can't run in Strict mode since the Google Analytics code that is deployed writes Google Analytics cookies in the users web browser (client identifiers). Which is not allowed in Strict mode.

Run in privacy mode On (default)

When privacy mode is On, Engage collects personal data and sets cookies only when consent is obtained. The consent can be obtained via any of the integrations available for consent, or via the Engage consent management tool.

Enjoy a powerful, GDPR compliant analytics platform

With the data privacy setup in place, a powerful analytics platform springs to life. Depending on your setup, you get anything from website analytics and user insights to advanced analytics such as sales attribution and customer life time value.

Website analytics and realtime reporting

Simple website traffic provides a lot of insights that are valuable to any business. It may not seem as much at a first glance. But website data derived from the traffic is the foundation of all web analytics and a lot of the more complex reports available. Out of the box, Engage serves a few simple, but noticeable insights such as visitor count, unique users and sessions. While simple, they are the foundation on which Google Analytics is built and essentially what most users of analytics tools consumes.

In addition you get reports on the location of your visitors, the pages they visit and from what source they arrived from to help you better understand your visitors and what brought them to your website. Most of these metrics are also available in the realtime report that instantly gives you a view of your visitors on the website.

Custom audiences and segmentation

Create audiences based on your website visitors and use them to filter your analytics data to view deeper insights on granular visitor or customer groups. The same audiences can also be sent to your marketing tools for better ads targeting.

Sales analytics

Are you running an e-commerce store? Engage provides sales analytics out-of-the-box for any e-commerce platform. And specifically for Shopify and Woocommerce merchants we offer a prebuilt solution deployable as an app or plugin to get you started without any setup.

Using one of our apps, E-commerce tracking is automatically added to your store to let you analyze your data in Engage or third party tools like Google Analytics.

Sales analytics includes standard metrics such as sales overview, average order value and order statuses. Use it to get a quick overview of your store performance over time.

Customer analytics

Customer analytics expands upon the sales analytics and provide further insights to your customers. Learn about the lifetime value of your customers, or just how long they tend to stay with your business. Or gain insights in how many new customers the store attract on a daily basis and the repurchase rate of your existing customers. All crucial metrics when determining an optimal cost per conversion in marketing and to better understand the customer journey. The customer analytics report simply aim to provide insights about your customers that help you understand the value of them over time.

Abandoned carts

Gain insights into your abandoned carts and learn about when, where and how often carts are abandoned in your store. Engage also reports on what items was left in the cart and by whom. Most abandoned carts cannot be tied to an identified user, but all can be tied to a visitor for reporting. When identified, you may use cart abandoners as a filter criteria when creating audiences and segments, that can then be sent to your marketing tools.

Collect data once and use it everywhere

Having a robust way of collecting personal data opens a world of opportunities. Create a first party data collection where you have the data ownership, not Google Analytics or Facebook. Owning your data gives you control over it and the power to distribute it only for your use, and not for others to gain from.

Collect better and more complete data

Engage is built to collect data both client and server side. This means Engage can send complete data to third party integrations even when the client side tracking fails. Which, for example, might happen when ad blockers are in play. Platforms like Shopify dispatch server side notifications for certain events like refunds, or order cancellation that can be hard to track using for example the standard Google Analytics javascript snippet for client side tracking.

Use integrations to send consistent data

Engage can send consistent data to third party applications such as Google Analytics 4, Google Ads, The Facebook Pixel, The Meta Conversion API (formerly the Facebook conversion API, CAPI) and many more. Simply activate the integration in Engage to start serving data to a third party application.

Create personalized customer experiences

May it be in marketing, in emails or on your website, personalized experiences are always better than general, one size fits all, solutions. Users have come to expect a certain level of personalization and while they may not like to give up too much personal data, they tend to dislike irrelevant content and messages even more.

Personalized marketing

Send the right message to the right audience, at the right time with custom audiences and customer segments. Build the segments in Engage based on any of the tracked variables, then share them to your marketing tools like Google Ads and Facebook. Or send emails using your email service provider with custom messages.

Product recommendations

Put the right product in front of your customers with AI powered product recommendations that utilize prior user behavior, website traffic and sales patterns to recommend the products the user is most likely to buy. Or automate product alternatives for your user so you don't miss a conversion due to the wrong color or make of a product.

Website owners use product recommendations to boost revenue and order value, while reducing bounce rates and customer acquisition cost.

Conclusion on GDPR compliant analytics tools

While Google Analytics can be GDPR compliant, there are other aspects to consider regarding selecting analytics tools. One such is that Google Analytics probably wont be the only tool you need in order to run proper and good web analytics. Even if you are satisfied with the reporting capabilities of GA4, and don't mind that Google use your data for its own purposes, it is hard to setup data capture that collects all data points every time.

Using a second tool, either for more advanced analytics capabilities or to capture better data is required to get trustworthy insights that will improve your business and marketing. And, if the alternative GDPR compliant analytics tools make Google Analytics obsolete, it might be an idea to consider if GA 4 should be in the mix at all.

Regardless if you decide to use Google Analytics or not, we recommend that you use another tool to feed the data to GA4, that also stores your data for you so you can use it in other integrations, analytics and for personalization purposes. Don't just throw your data at Google and be done with it. Use it as the valuable asset it is.

Get started today.

Access all essential features on a free quota.