
I am trying to implement a GDPR-compliant site which implements Google Analytics via Google Tag Manager. GDPR status is determined via a cookie, which I do not have control over and is the only method I may use. My understanding is that I need to set the anonymizeIp value in Google Analytics to true based on the value of this GDPR cookie. I'm not quite sure how best to do this. I can make changes in GA or GTM directly or I can conditionally load different GTM snippets on the site. What I cannot do is use a different strategy to determine GDPR status. What is my likely best choice?

As far as I know I can't just drop the standard ga('set', 'anonymizeIp', true); when using GTM. (Though I'm not an expert on this.) Configuring the value via "Fields to Set" in the GA variable inside GTM is also not allowed unless I reset it when the GDPR cookie notes that un-anonymized tracking is allowed.

jshwlkr
  • You can cross this particular bridge by setting the anonymization feature always to on. Basically the only thing this affects is geolocation. In GA itself this does not make much of a difference, really, since GA only resolves at city level and for that the "anonymized" ("truncated" would be a better term) value is still good enough. However this feature covers only a very small part of GDPR requirements. – Eike Pierstorff Aug 30 '19 at 08:29
  • Have you checked the syntax gtag('config', '', { 'anonymize_ip': true });? Also, please check whether the [CookieYes GDPR](https://www.cookieyes.com) free solution satisfies your needs. – mujuonly Sep 24 '19 at 09:03



GA & GTM are extremely difficult to make GDPR compliant. You should not even load the scripts before getting consent. EU courts have already ruled that analytics does not constitute a "required" service, and thus does require consent, with all the baggage that goes with that.

GA's IP anonymization setting is a cosmetic fob - the act of loading the script has already revealed the user's full IP (and other fingerprintable data) to a corporation outside the EU, and it will also have fully identified them if they happened to have a google cookie set (which is very likely). The anonymization setting may mean that full IPs are not sent to analytics as part of analytics data capture, but by then the damage has already been done. Also, IP anonymization alone is insufficient to deidentify visitors.

GTM very often means that people without technical awareness load third-party extensions that add extra tracking without appropriate consent or control, that you (as the data controller) are liable for.

If you need proper compliance (in the spirit, not just the letter) with GDPR, I recommend self-hosted analytics and tag manager systems such as Matomo or Open Web Analytics.

Synchro
  • This is why DPOs are required to have board-level authority - someone in your org needs to be responsible for it, and be fully aware of the implications. If someone is asking you to do something that's going to break data protection regulations, it's a good time to say "no" or don some flameproof underwear. – Synchro Aug 30 '19 at 14:05
  • I have donned the underwear. – jshwlkr Aug 30 '19 at 14:31
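One way to wire up the cookie-gated decision the question asks about while following the answer's point that the container must not load before consent exists. This is an added example in JavaScript, not code from the question, the answer or Google; the cookie name `gdpr_consent`, its three values and the container ID are assumptions, and the "Fields to Set" wiring in the GTM UI is assumed to read the Data Layer Variable the script pushes.

```javascript
// Added example, not from the question or answer. Assumptions: the consent
// cookie is named "gdpr_consent" (hypothetical) and carries "denied",
// "anonymized" or "full"; anything else is treated as no consent.
const CONSENT_COOKIE = 'gdpr_consent';
const GTM_CONTAINER_ID = 'GTM-XXXXXXX'; // placeholder, not a real container

// Parse a document.cookie-style string into a name -> value map.
// A malformed percent-encoded value is kept raw instead of throwing.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    try { cookies[name] = decodeURIComponent(raw); } catch (e) { cookies[name] = raw; }
  }
  return cookies;
}

// Decide whether the container may load at all and, if so, what anonymizeIp
// must be. Nothing loads without recorded consent, so there is never a point
// at which a field has to be "reset" after the fact.
function analyticsDecision(cookieString) {
  const consent = parseCookies(cookieString)[CONSENT_COOKIE];
  if (consent === 'anonymized') return { loadTagManager: true, anonymizeIp: true };
  if (consent === 'full') return { loadTagManager: true, anonymizeIp: false };
  return { loadTagManager: false, anonymizeIp: null };
}

// Browser glue: push the decision onto the dataLayer *before* injecting the
// container, so a Data Layer Variable can feed the GA tag's "Fields to Set"
// (anonymizeIp = {{DLV - anonymizeIp}}) on the very first hit.
function loadTagManagerIfConsented(win, doc) {
  const decision = analyticsDecision(doc.cookie || '');
  if (!decision.loadTagManager) return false;
  win.dataLayer = win.dataLayer || [];
  win.dataLayer.push({ event: 'consent_ready', anonymizeIp: decision.anonymizeIp });
  win.dataLayer.push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' });
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtm.js?id=' + encodeURIComponent(GTM_CONTAINER_ID);
  doc.head.appendChild(script);
  return true;
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  loadTagManagerIfConsented(window, document);
}
```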