Google Analytics: Capabilities, Limitations, and Legal Aspects
Written by: Max Lucas
Google Analytics without Consent
Google Analytics is probably the most well-known and popular analysis and statistics tool for websites and apps available to companies. However, there are some stumbling blocks when using it. In this article, we explain how it works, the problems, and whether it is allowed to use Google Analytics without the user's consent.
How does Google Analytics work?
Google Analytics is the most popular analysis and statistics tool for websites and apps. Understanding how the service works matters for this article, especially for comparing the standard implementation with a possible alternative implementation of Google Analytics without consent. The following diagram should clarify the process a bit:
First, the Google Analytics script is retrieved from Google's server. The trigger could be a <script> tag in the head of the website or a tag management system such as the Google Tag Manager.
In a second step, the Google Analytics script sends so-called tracking hits directly from the browser to Google (also known as "tracking requests" or "collects"). These hits contain the actual tracking information, for example, about the visited page, personal information about the users (screen resolution, language, etc.), or the user ID (also known as "client ID") stored in a cookie for all users.
Data Protection Issues with the use of Google Analytics
Roughly speaking, two major data protection issues arise when using Google Analytics:
Personal data: Since the Google Analytics script is usually retrieved from a Google server, the IP address and the "user agent" of the visitor inevitably end up at Google. Even data protection-friendly settings such as "anonymized IP address" cannot change this, as the IP address must be sent along with the retrieval of the tracking script or the sending of a tracking request (also known as "collect"). According to the most recent Schrems II ruling, this poses a particular problem, as the personal data is transferred to the USA, which is classified as an "unsafe third country".
Cookies & profiling: For Google to recognize users and user sessions, a cookie with a client ID is placed in the browser when the Google Analytics script is accessed. With the help of this cookie, users can then be assigned across different sessions and periods. The Google Analytics cookies were classified by various supervisory authorities as requiring consent years ago, but at the latest after the new Telecommunications and Telemedia Data Protection Act (TTDSG), website operators are also prohibited from using other ways to store the client ID (such as local storage or session storage).
A large part of the information collected with Google Analytics is not personal, so theoretically, it could be processed without consent. However, since the browser metadata (IP address & user agent) is inevitably transmitted and a cookie is set in the standard setup, use without consent is not possible. This also applies to the storage of information on the smartphone when using a mobile app!
A possible solution: Server-Side Tagging
To be able to use Google Analytics without consent, two modifications to the standard configuration are therefore necessary. On the one hand, the service must not store cookies or similar on the user's device. On the other hand, all personal data must be removed from the tracking hit before it finds its way to Google.
"The solution is a server tag manager. Instead of sending the data directly from the browser to Google, the data is only sent from the browser to your server."
The Tagging Server
Another Advantage: Bypassing Browser Tracking Prevention
Nowadays, a large share of browsers enable so-called "tracking prevention" by default. This means that the browsers try to prevent tracking using various techniques, for example by reducing the lifespan of cookies or interrupting the data flow to known tracker domains. Server-side tagging automatically circumvents these problems, as all data flows through a tagging server on your domain. Browser tracking preventions accordingly no longer apply.
"With server-side tagging, these problems are automatically circumvented because all data flows through a tagging server on your domain."
What does Google Analytics look like without Consent in Practice?
We recommend the following setup to our customers: A Google Server Tag Manager receives all data, regardless of whether the users have given their consent or not. Depending on the consent, either only the so-called "basic data" (non-personal) or the complete data set (personal) is transmitted to Google. Since the data is parameterized in both cases, Google Analytics can later show either the total amount of data or only the data of users with or without consent.
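The consent-dependent forwarding described here, together with the two modifications named in the server-side tagging section (no cookie, no personal data in the hit), can be sketched as a filter that runs on the tagging server. This is an added example, not code from the author or from Google Tag Manager; all field names, the allow-list and the query-string stripping are assumptions made for illustration.

```javascript
// Added example: consent-dependent filtering on a tagging server.
// All field names are hypothetical, not Google Analytics parameters.

// Allow-list of "basic data" that may leave the server without consent.
// Anything not listed is dropped, so newly added fields fail closed.
const BASIC_FIELDS = ['eventName', 'pagePath', 'timestamp'];

// Remove query string and fragment, which can carry identifiers (assumption).
function stripQuery(path) {
  return String(path).split(/[?#]/)[0];
}

// hit: object sent by the browser; meta: { ip, userAgent } seen by the server.
function buildForwardedHit(hit, meta, hasConsent) {
  if (hasConsent) {
    // Complete data set, marked so reports can be segmented later.
    return {
      payload: { ...hit, ip: meta.ip, userAgent: meta.userAgent, consent: 'granted' },
      setClientIdCookie: true,
    };
  }
  const payload = { consent: 'denied' };
  for (const field of BASIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(hit, field)) {
      payload[field] = hit[field];
    }
  }
  if ('pagePath' in payload) payload.pagePath = stripQuery(payload.pagePath);
  // No client ID, IP address or user agent is forwarded, and no cookie is set.
  return { payload, setClientIdCookie: false };
}

// Constructed sample hit and request metadata (documentation IP range).
const sampleHit = {
  eventName: 'page_view',
  pagePath: '/pricing?email=jane%40example.com',
  timestamp: 1700000000,
  clientId: '1234.5678',
  screenResolution: '1920x1080',
  language: 'de-DE',
};
const sampleMeta = { ip: '203.0.113.7', userAgent: 'ExampleBrowser/1.0' };

console.log(buildForwardedHit(sampleHit, sampleMeta, false));
console.log(buildForwardedHit(sampleHit, sampleMeta, true));
```

The allow-list matters more than the individual field names: a block-list would silently forward any new field the browser script starts sending.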
"In all cases, DWC was able to increase the customer's database by at least 30%. In individual cases, even an increase of up to 80% was recorded."
The reasons for this are not only the collection of basic data without consent but also the bypassing of browser tracking preventions using their server.
Do not hesitate to arrange a non-binding initial consultation with us. We will check your current web analysis and online marketing configuration for free and optimize your Google Analytics settings.