Google Analytics is probably the best-known and most popular analysis and statistics tool for websites and apps available to companies. However, there are some stumbling blocks when using it. In this article we explain how it works, where the problems are and whether it is allowed to use Google Analytics without consent.
Google Analytics is the most popular analytics and statistics tool for websites and apps. Having a basic understanding of how the service works is important for further understanding of this article, especially to be able to compare the standard implementation with a possible alternative implementation for Google Analytics without consent.
First, the Google Analytics script is retrieved from the Google server. This could be triggered by a <script> tag in the header of the website or a tag management system such as the Google Tag Manager.
In a second step, the Google Analytics script transmits so-called tracking hits (also called “tracking requests” or “collects”) directly from the browser to Google. These hits then contain the actual tracking information, for example about the page visited, personal information about the user (screen resolution, language, etc.) or the individual user ID stored in a cookie for all users (also called “client ID”).
In summary, there are two major data protection issues that arise when using Google Analytics:
Personal data: Since the Google Analytics script is usually retrieved from a Google server, the IP address and the “user agent” of the visitor inevitably end up at Google. Even data protection-friendly settings such as “anonymised IP address” cannot change this, since the IP address must be sent along with the tracking script when it is called up or when a tracking request (also called “collect”) is sent. According to the most recent Schrems II ruling, this poses a particular problem, as the personal data is transferred to the USA, an area defined as an “unsafe third country”.
Cookies & profiling: In order for Google to recognise users and user sessions, a cookie with a client ID is stored in the browser when the Google Analytics script is retrieved. With the help of this cookie, users can then be assigned across different sessions and time periods. The Google Analytics cookies were classified by various supervisory authorities as requiring consent years ago, but at the latest after the new Telecommunications and Telemedia Data Protection Act (abbreviated in German to TTDSG), website operators are also prohibited from using other ways of storing the client ID (such as local storage or session storage).
A large part of the information actually collected with Google Analytics is not personal and could theoretically be processed without consent. But since the browser metadata (IP address & user agent) is compulsorily transmitted in the standard setup and a cookie is set, it cannot be used without consent. This also applies to the storage of information on the smartphone when using a mobile app!
In order to be able to operate Google Analytics without consent, two modifications to the standard configuration are therefore necessary. Firstly, the service must not store any cookies or similar on the user’s device. Secondly, all personal information must be removed from the tracking hit before it finds its way to Google.
The solution to this is a server tag manager. Instead of sending the data directly from the browser to Google, the data is simply sent from the browser to its own server. This server establishes its own connection with the Google Analytics servers and only transmits information that is not personally identifiable. Sensitive data such as the IP address or the user agent therefore remain hidden. The setting of cookies and a client ID is simply waived.
In Google Analytics, the basic information (e.g. “Which website was visited when and from which device”) still arrives, but Google can no longer draw conclusions about the person who originally triggered the request:
There are various options for setting up a tagging server. However, our recommendation (especially for Google products such as Analytics) is the Google Server Tag Manager. Like the well-known “Web Tag Manager” (the Google service with which various tags and other tracking tools can be integrated into the website with the help of loading rules, so-called “triggers”), the Server GTM is available free of charge for every Google user. A 360° subscription is not required.
The majority of browsers work with so-called “tracking prevention” in the default setting. This means that the browsers try to prevent tracking with the help of various techniques. This works, for example, by reducing the lifetime of cookies or interrupting the data flow to known tracker domains.
With server-side tagging, these problems are automatically circumvented because all data flows through a tagging server on the browser’s own domain. Browser tracking prevention is therefore no longer effective.
We recommend the following set-up to our customers: A Google server tag manager first accepts all data, regardless of whether the users have given their consent or not. Depending on the consent, either only the so-called “basic data” (not personally identifiable) or the complete data set (personally identifiable) is transmitted to Google. Since the data is parameterised in both cases, either the total amount of data or only that of the users with or without consent can be viewed later in Google Analytics.
In all cases, we were able to increase our clients’ data base by at least 30%. In individual cases, there was even an increase of up to 80%.
The reason for this is not only the collection of basic data without consent, but also the circumvention of browser tracking prevention with the help of our own server.