Google Analytics is probably the most well-known and popular analysis and statistics tool for websites and apps available to companies. However, there are some stumbling blocks when using it, particularly regarding limitations and legal aspects. In this article, we explain how it works, the problems, including limitations and legal aspects, and whether it is allowed to use Google Analytics without the user's consent.
Google Analytics is the most popular analysis and statistics tool for websites and apps. Understanding how the service works is important for the reader to understand in this article, especially to compare the standard implementation with a possible alternative implementation for Google Analytics without consent. The following diagram should clarify the process a bit:
First, the Google Analytics script is retrieved from Google's server. The trigger could be a <script> - Tag in the head of the website or a tag management system such as the Google Tag Manager.
In a second step, the Google Analytics script sends so-called tracking hits directly from the browser to Google (also known as "tracking requests" or "collects"). These hits contain the actual tracking information, for example, about the visited page, personal information about the users (screen resolution, language, etc.), or the user ID (also known as "client ID") stored in a cookie for all users.
Roughly speaking, two major data protection issues arise when using Google Analytics:
Personal data: Since the Google Analytics script is usually retrieved from a Google server, the IP address and the "user agent" of the visitor inevitably end up at Google. Even data protection-friendly settings such as "anonymized IP address" cannot change this, as the IP address must be sent along with the retrieval of the tracking script or the sending of a tracking request (also known as "collect"). According to the most recent Schrems II ruling, this poses a particular problem, as the personal data is transferred to the USA, a space defined as an "unsafe third country".
Cookies & profiling: For Google to recognize users and user sessions, a cookie with a client ID is placed in the browser when the Google Analytics script is accessed. With the help of this cookie, users can then be assigned across different sessions and periods. The Google Analytics cookies were classified by various supervisory authorities as requiring consent years ago, but at the latest after the new Telecommunications and Telemedia Data Protection Act (TTDSG), website operators are also prohibited from using other ways to store the client ID (such as local storage or session storage).
A large part of the information collected with Google Analytics is not personal, so theoretically, it could be processed without consent. However, since the browser metadata (IP address & user agent) is inevitably transmitted and a cookie is set in the standard setup, use without consent is not possible. This also applies to the storage of information on the smartphone when using a mobile app!
To be able to use Google Analytics without consent, two modifications to the standard configuration are therefore necessary. On the one hand, the service must not store cookies or similar on the user's device. On the other hand, all personal data must be removed from the tracking hit before it finds its way to Google.
"The solution is a server tag manager. Instead of sending the data directly from the browser to Google, the data is only sent from the browser to your server."
The solution is a server tag manager. Instead of sending the data directly from the browser to Google, the data is only sent to a proprietary server from the browser. This server in turn establishes its connection with the Google Analytics servers and only transmits the information that is not personally identifiable. Sensitive data, such as the IP address or the user agent, therefore remain hidden. There is simply no use of cookies and a client ID. In Google Analytics, the basic information (e.g. "Which page was visited when by which device") still arrives, but Google can no longer deduce the person who originally triggered the request.
There are different possibilities for the setup of a tagging server. However, our recommendation (especially for Google products such as Analytics) is the Google Server Tag Manager. Like the well-known "Web Tag Manager" (Google's service that allows various tags and other tracking tools to be integrated into the website using loading rules, so-called "triggers"), the Server GTM is free for every Google user. A 360° subscription is not required for this. So-called "clients" must then be created within the Server Tag Manager. Clients are the endpoints that receive incoming analytics data, manipulate it accordingly, and then forward it to the Google server. Google offers its client templates for Analytics and Ads, which can be used, but they are not suitable for running Google Analytics without consent. Instead, your client template has to be developed, which receives the data accordingly. The development of this template is not quite trivial; the basis for this is advanced knowledge of the technical functionality of Google Analytics and JavaScript capabilities.
Nowadays, a large part of the browsers work with so-called "tracking preventions" in the default setting. This means that the browsers try to prevent tracking using various techniques. This works, for example, by reducing the lifespan of cookies or interrupting the data flow to known tracker domains. Server-side tagging automatically circumvents these problems, as all data flows through a tagging server on your domain. Browser tracking preventions accordingly no longer apply.
"With server-side tagging, these problems are automatically circumvented because all data flows through a tagging server on your domain."
We recommend the following setup to our customers: A Google Server Tag Manager receives all data, regardless of whether the users have given their consent or not. Depending on the consent, either only the so-called "basic data" (non-personal) or the complete data set (personal) is transmitted to Google. Since the data is parameterized in both cases, either the total amount of data or only that of the users, with or without consent, can later be viewed in Google Analytics.
"In all cases, DWC was able to increase the customer's database by at least 30%. In individual cases, even an increase of up to 80% was recorded."
The reasons for this are not only the collection of basic data without consent but also the bypassing of browser tracking preventions using their server.
Do not hesitate to arrange a non-binding initial consultation with us. We will check your current web analysis and online marketing configuration for free and optimize your Google Analytics settings.