#Discussion :: GDPR Compliance – Google Analytics Setup Proposal

NOTE: I want to start this post with a big disclaimer over it I’m not publishing it in order to tell anyone how they should be doing the Google Analytics tracking to comply with the GDPR / CCPA .

The goal of this post being able to start an open discussion about the reliability of this exposed method and any final decision should be taken the site owners under their own responsability.

One of biggest issues I ( my clients ) are hitting when implementing a hard “cookies-consent wall” is that they would likely lost all the attribution info for at least all the people that bounces. Which can be a disaster if you use Google Analytics for reporting about how your investments in marketing are working. ( not to mention that losing the info about pageviews, sessions, for all that many amount of traffic ).

Let me show you my proposal for setting up Google Analytics for when the users didn’t yet selected an option for their cookies preferences:

Then, what are we doing here:

  • If the current user didn’t yet selected his preference, we’ll be launching a pageview hit to Google Analytics
  • This is not an standard hit/tracker initialization. It’s a stateless tracker with all the cookies writing disabled, the IP Anonymization enabled and with the AdsFeatures forcely set to false.
if (!userConsent) {
  ga('create', 'UA-123123123-123', 'auto', {
    'storage': 'none',
    'storeGac': false,
    'anonymizeIp': true,
    'allowAdFeatures': false
  // We'll save the current clientId into a variable,
  // if later on, the user gives it's consent, we'll be using 
  // to write the cookie
  ga('set', 'customTask', function(tracker) {
    window._gacid = tracker.get('clientId');
  ga('send', 'pageview');

At this point when the user lands we’ll be launching a pageview in order to track that session start, but no cookie will be used ( if the users reloads a new clientId will be genarated ). If at some point the user accepts the cookies, we’ll write down the uses random-generated-clientId into the cookie and we’ll be able to properly track the user journey.

All the tracking happens ( imo ) in a first-party content, and we’re respecting the user privacy while we takes a decision. It’s just an extra “anonymized” session starting hit, that will allow to keep a vision from where our traffic is coming.

Of course after the user has choosen not to be tracked, so this should only be used while our “consent-cookie” is not present, from that point on, we should obey to what our cookies states.

I really feel this respects the GDPR since there won’t be any cookies if the users doesnt’ explicitly allow it, and we’ re taking extra steps to protects the user privacy in all other ways we can when sending the hit.

In any case, I’m not a lawer nor an expert on user-privacy, so I’d love to have feedback from other people on this.

DISCLAIMER: This post in NOT mean to show a law-approved way to use Google Analytics. Please get a proper advise from an user-privacy expert or from your lawer before implementing your tracking the way is showed on this post.


  • At Superweek Analytics Summit there was a big debate wether GA without IP & no remarketing could be considered “legitimate interest”.

    Or even if the simple fact of firing an event to GA telling “no consent” is considered legit.

    There’s always to aspects: the strictly legal aspect, and the “marketing engineer” take on data collection.

    I’m no lawyer, so I won’t provide any legal advice. But I have taken a strong and very simple position: #NoConsentNoTracking. Period. No Exception. Thus, not even fire a “no tracking” event to GA… in fact, no GA at all. But I know this is extreme and many of my pears have different opinions.

    One last thing: remember, GDPR is NOT about wether there is a cookie or not. It is about informed consent to collect personal data.

  • This approach opens a conversation about whether statistical data collected by GA, even in a stateless way, should be considered personal data or not.

    I’d like to think that if we made clear to the user that his navigation would be anonymous but still collected for statistical purpose this approach would be just fine.

    • yep, my point is that I don’t really need to track the “user” at the landing point, i need to “track” the session attribution in order to be able to have a vision about how my campaigns are traffic works. That’s
      why the approach removes any user-traceable data until it’s explicitily accepted by the user. Is that user bounces, the only data that we’d be collecting whould that we had a visit from source/medium, which imo can’t be considered PII or going against GDPR.

      For example on this approach I don’t see any “technical” difference, with for example loading an image with a cachebuster parameter from a CDN, we could look at CDN logs and calculate the attribution from there. And i don’t feel that’s an issue looking to the GDPR. I think that as long to take the needed steps to make that hit 100% not traceable, and I don’t think a random and stateless parameter could be considered PII at all.

  • Not commenting on the legals of this, but it is interesting, and thanks for sharing. I’ve been thinking it would be useful to have a ‘normal’ GA property with data only collected where users have opted in to that type of cookie use. But then also useful to have some indication of what I need to multiply that data by to get closer to the ‘true’ level.

    I imagine with this approach the data in GA would look very odd – users and sessions would be inflated for starters – so you’d want to do this in a separate property.

    Would you store the traffic source somewhere and attach that to each subsequent hit so you can attribute conversions back to marketing activity? I guess you’d need to expire that after some time/after a transaction.

  • Hi David,

    Thanks a lot for sharing your point of view on this problematic tracking part with GDPR.

    In France, with the recent (january 2020) positions and recommendations of the CNIL – they want a strict application of the law with no tracking until the user has accept the consent except for analytics solutions which are compliant without tracking like Matomo Analytics, I share the vision of Stéphane Hamel.

    They also wrote that Google analytics will never be compliant without consent regardless of all the parameters you can have applied (storeGAC, allowAdFeature, forceSSL, anonymiseIP, cookie duration, …) to GA.

    In UK, they have the same recommendations with a strict application like we can see in this document: https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/how-do-we-comply-with-the-cookie-rules/#comply6
    Consent required.
    You are likely to view analytics as ‘strictly necessary’ because of the information they provide about how visitors engage with your service.
    However, you cannot use the strictly necessary exemption for these. Consent is required because analytics cookies are not strictly necessary to provide the service that the user requests. For example, the user can access your online service whether analytics cookies are enabled or not.
    If you use device fingerprinting for analytics instead of or alongside cookies, you should note that doing so is not exempt from the consent requirements either.

    What about the ePrivacy ? Is it above GDPR laws ? Because in the last version, they legitimize the use of analytics cookies:
    Article 21a: “Cookies can also be a legitimate and useful tool, for example, in assessing the effectiveness of a delivered information society service, for example of website design and advertising or by helping to measure the numbers of end-users visiting a website,
    from https://data.consilium.europa.eu/doc/document/ST-13808-2019-INIT/en/pdf november 2019

    It’s a very important of our job to understand what we can implement or not and which is the best solution for our clients to understand what happen on their websites and which channels are cost efficient.

  • Hi David,

    Interesting approach & discussion. I was playing around with a similar approach in GTM but my events tags keeps setting the ga cookies even with fields set to ‘storage’: ‘none’, ‘storeGac’: false, on the event tag. Do you know what I am missing?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.