Web analytics tools such as Google Analytics (also known as GA4) are nowadays often considered indispensable for understanding and analysing the behaviour of website visitors. Google Analytics is undoubtedly one of the most well-known tools in this category – and free, at least for most website owners. In this article, we will explain in detail how you can integrate Google Analytics into your WordPress website with the most privacy-friendly settings possible and thus set it up in compliance with the GDPR. There are many settings to adjust that you have probably never seen before in order to use the tool in a privacy-compliant way!
What is Google Analytics and what is its main purpose?
Google Analytics 4 is a free web analytics service from Google that provides you as a website operator with detailed insights into the behaviour of your website visitors. One of the main goals of using Google Analytics is to help you as a website operator to effectively optimise your website by providing you with comprehensive data on visitor traffic, visitor sources, user behaviour, conversion rates and much more.
With Google Analytics, you as a website operator can, for example, find out exactly how many visitors your website has, where they come from, how long they stay on your website and which pages they visit. It also provides information about the success of marketing campaigns and the ranking of the website in search engines. You can use this data to make informed decisions to improve the website and achieve your goals. In addition, the data collected can be used in other (Google) products, e.g. to optimise advertising campaigns in Google Ads or to target individual website visitors with personalised advertising.
Put simply, you can use Google Analytics to improve your website in order to attract more visitors to your website and earn more money. All in all, it sounds very tempting, doesn’t it?
When can it pay off to work with Google Analytics?
Using Google Analytics can be very worthwhile because it allows you to understand the way your website is used, optimise your website for a better user experience, identify the most effective marketing measures and make data-based decisions. In theory, the Google Analytics tool sounds like a dream, but the reality is that very few website operators even begin to utilise its possibilities. By integrating it on their website, they mainly end up diligently collecting data for Google.
Google Analytics is a very extensive and complex program. Before using Google Analytics, we therefore recommend that you thoroughly check in advance whether this service offers you any real added value compared to other data protection-friendly analysis tools and whether no other service for processing the data of your website visitors is suitable for you. Simpler and more data protection-friendly services as alternatives to Google Analytics are, for example, Matomo or Statify.
To summarise, Google Analytics can be a very useful tool for improving website performance and online marketing if you know how to use it and how to interpret the analysis results.
Data protection with Google Analytics and criticism
Google states in various places that it has taken many steps to ensure that the data collected by Google Analytics is processed securely, anonymously and in accordance with the GDPR. However, it is easy to lose track of all the documents on data protection at Google, as Google offers a general privacy policy, data processing conditions, a special privacy policy for Google Analytics and many other documents. The confidence of many experts and competent courts, particularly with regard to compliance with European regulations, is also limited.
One of the main criticisms levelled at Google’s extensive data processing is the lack of an actual opportunity to check how Google itself handles the data, how long the data is stored and for what purposes it is used.
Measures for the GDPR-compliant use of Google Analytics in WordPress
Google Analytics is not very data protection-friendly in its default settings. You could assume that Google wants to collect as much data as possible for you and, above all, for itself, regardless of whether this is necessary. But what steps do you need to take and what options do you need to adjust in Google Analytics in order to ensure that you work in a privacy-friendly way and meet the data protection requirements as comprehensively as possible? We will go through all the steps with you in detail so that you can use Google Analytics in your WordPress website in compliance with data protection regulations!
In the following, we assume that your Google account is already set up, that you are in your Google Analytics account and that you have already set up a property for your website there.
Obtaining consent for Google Analytics in WordPress
Before using Google Analytics on your website, you need the consent of your website visitors. We have described what exactly you need consent for on your website in another article. You can use Real Cookie Banner for the privacy-compliant integration of Google Analytics.
Embed Google Analytics directly via Real Cookie Banner (recommended):
If you have installed Real Cookie Banner in your WordPress, you can integrate Google Analytics easily with the help of our ready-to-use service template (available in the PRO version).
1. Navigate in your WordPress backend to Cookies > Services (Cookies) and click on “Add service” to create the service.
2. Search for “Google Analytics – Analytics 4” and choose the template.
3. Enter your “Google Analytics Measurement ID” in the service and click on “Save” to create the service. You can find your Measurement ID in the Analytics Dashboard under Admin (gear icon) > Property settings > Data collection and modification > Data streams > [select your stream] > Select “Copy”-icon at Measurement ID.
From now on, Google Analytics will be embedded directly after the consent of your website visitor!
Obtain consent for Google Analytics embed via script or third-party plugin:
If you have installed Real Cookie Banner and you have already integrated Google Analytics on your website, our scanner will automatically find the service and show you the appropriate service template.
1. Navigate in your WordPress backend to Cookies > Scanner. In the search results, click on the Google Analytics tile (or the plugin that you use for this, such as MonsterInsights) on “Create now” to create the service.
2. Enter your “Google Analytics Measurement ID” in the service. You can find your Measurement ID in the Analytics Dashboard under Admin (gear icon) > Property settings > Data collection and modification > Data streams > [select your stream] > Select “Copy”-icon at Measurement ID.
3. Click on “Save” to create the service and go automatically to the content blocker configuration for this service. With the content blocker, we ensure that the service is not embedded before your users have given their consent.
Explain Google Analytics in the privacy policy
In addition to obtaining consent, there should of course also be a reference to the use of Google Analytics in your website’s privacy policy. It should explain in detail that Google Analytics is used and how the data is used.
Please ensure that the data protection generator or lawyer who creates your privacy policy adds a corresponding passage. We have described in an article what you need to bear in mind when creating your privacy policy with a generator.
Conclude a data processing agreement for Google Analytics
You also need to conclude a so-called data processing agreement (DPA) with Google. The agreement is automatically concluded with Google when the Google Analytics account is created.
You can find the data processing agreement in your Google Analytics account with a reference to the date on which you accepted the agreement under Admin (gearwheel) > Account settings > Account > Account details > Data Processing Terms.
Comply with the principles of data processing
As the website operator and therefore the data controller, you must also always comply with the principles for the processing of personal data in accordance with Art. 5 GDPR. So what do you need to pay particular attention to when using Google Analytics on your WordPress website?
- Legality: You always need a legal basis for the processing of personal data. As described in more detail above, the legal basis required to use Google Analytics is consent.
- Purpose limitation: Personal data may only be collected for specified, clear and legitimate purposes. Before using Google Analytics, you should therefore think carefully about the reasons why you are processing the data of your website visitors through Google Analytics and communicate this transparently to your website visitors in your cookie banner and privacy policy.
- Data minimisation: The processing of data must be appropriate for the purpose and limited to what is necessary for the purposes of processing. This means that you may not process more data from your website visitors than you actually use.
- Storage limitation: The data may only be stored in a form that allows the identification of data subjects for as long as is necessary for the purposes for which it is processed. This means that you must not store data for too long and must delete it when you no longer need it.
You should take all these principles from the GDPR into account with the correct settings in Google Analytics. Don’t worry, we’ll explain step by step how to proceed!
If you are still convinced that you want to use Google Analytics on your WordPress website, then you should make the most data protection-friendly settings possible in order to comply with all of the aforementioned points as well as possible. However, the criticism remains that it is unclear how Google itself actually handles the data of your website visitors in the long term.
Privacy-friendly settings in Google Analytics
As described above, you should load Google Analytics on your website with consent of your website visitors. However, this is not yet sufficient to use Google Analytics in compliance with data protection regulations. You also need to reconfigure settings in Google Analytics that collect too much data or share it with third parties. We will go through all the relevant settings!
At the beginning of each explanation, we show you the click path (marked with 📍) so that you can find the settings as easily as possible in your Google Analytics account.
Data sharing settings
Let’s start with the settings for sharing data with Google. These determine which data collected on your website is passed on directly to Google and for what reasons. Many settings are preset when you set up Google Analytics.
Google products and services
📍Admin (gearwheel) > Account settings > Account > Account details > Data sharing settings > Google products and services
We recommend that you do not tick this box. If you were to agree to the release of “Google products and services”, the relationship between Google and you as a website operator would change from processing on behalf of a controller in accordance with Art. 28 GDPR to joint controllership in accordance with Art. 26 GDPR. In this case, you would be jointly responsible with Google for the data processing, and you would have to “jointly” determine the purposes and means for which the data processing may take place. As it is generally not possible to check exactly which data is processed by Google and how, it would not be advisable to officially authorise Google to process the data of your website visitors for its own purposes.
Modeling contributions & business insights
📍Admin (gearwheel) > Account settings > Account > Account details > Data sharing settings > Modeling contributions & business insights
We recommend that you remove this default tick unless you actually use the “Predictions, modelled data and benchmarking” activated by Google and they provide you with more comprehensive and meaningful business statistics. If you do not know what benefit this setting really brings, this strongly suggests that it does not fulfil a purpose that justifies data processing.
Technical support
📍Admin (gearwheel) > Account settings > Account > Account details > Data sharing settings > Technical support
Google describes the following in its documentation: “Customer support is only available to sales partners and customers who purchase Google Marketing Platform advertising products or Analytics 360 products directly from Google.”
So if you do not belong to one of the groups mentioned above, we recommend that you uncheck this box, as this data sharing is of no use to you.
Account Manager
📍Admin (gearwheel) > Account settings > Account > Account details > Data sharing settings > Account Manager
This setting is only relevant if you spend a significant amount of money on Google Ads or other Google advertising platforms and an account manager (personal contact) is provided to you by Google. So if you are not actively working with Google and spending a lot of money on their services, we recommend that you uncheck the first box.
Below this, you will find the option to give Google sales experts access to your account. However, these are not Google employees directly, but other companies or agencies that are commissioned by Google and that you have to pay for their support. If you do not want to use this service, we recommend that you do not tick the second box.
Settings for data collection and changes
Next, we will look together at the settings for how Google Analytics collects and subsequently analyses the data of your website visitors.
Optimised analyses
📍Admin (gearwheel) > Property Settings > Data collections and modifications > Data streams > Web stream details [name of stream] > Events > Enhanced measurement > [all options]
You can select which visitor events on your website should be tracked. These include page views, scrolling, clicks on external links, website searches, form interactions, video engagement and file downloads. We recommend that you check which events actually help you on your website. If, for example, it is irrelevant to you that an interaction with a form has taken place or how far visitors scroll on the website, then you should uncheck these boxes. However, if this information for analysis fulfills your defined purpose of data processing, then you can, of course, leave the checkmarks as they are.
Redact data
📍Admin (gearwheel) > Property Settings > Data collections and modifications > Data streams > Web stream details [name of stream] > Events > Redact data
You can set whether email addresses and other URL search parameters should be removed if they are saved in Google Analytics. This relates to GET parameters that are saved directly in the URL, such as https://beispiel.de/?firstname=alex&[email protected]. If you transfer data from a contact form in this way, for example, you should leave the default tick for “Email” as it is and, if necessary, define your own search parameters to prevent Google from storing (personal) data unnecessarily.
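To decide which search parameters to add to the redaction list, it helps to check which of your own URLs carry personal data in GET parameters. The following is an added example, not code from this article's authors or from Google, and it does not reproduce Google's redaction logic: the function names, the `REDACTED` marker and the sample URLs are constructed for illustration.

```javascript
// Added example: audits URLs for personal data in GET parameters.
// Not Google's implementation; names and marker are assumptions of this example.
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const PLACEHOLDER = "REDACTED"; // marker chosen for this example

// Returns the URL with personal query values replaced, plus the keys that were hit.
function redactUrl(rawUrl, sensitiveParams = []) {
  const url = new URL(rawUrl);
  const sensitive = new Set(sensitiveParams.map((p) => p.toLowerCase()));
  const cleaned = new URLSearchParams();
  const redactedKeys = [];

  // URLSearchParams decodes values, so "alex%40example.com" is caught as well.
  for (const [key, value] of url.searchParams) {
    const hit = sensitive.has(key.toLowerCase()) || EMAIL_RE.test(value);
    cleaned.append(key, hit ? PLACEHOLDER : value);
    if (hit && !redactedKeys.includes(key)) redactedKeys.push(key);
  }
  url.search = cleaned.toString();
  return { url: url.toString(), redactedKeys };
}

// Audit helper: which of these URLs would have carried personal data?
function findLeakyUrls(urls, sensitiveParams = []) {
  return urls
    .map((u) => ({ original: u, ...redactUrl(u, sensitiveParams) }))
    .filter((r) => r.redactedKeys.length > 0);
}

// Constructed sample URLs (example.com / example.org are reserved test domains).
const SAMPLE_URLS = [
  "https://example.com/contact/?firstname=alex&email=alex%40example.com",
  "https://example.com/blog/?page=2",
  "https://example.com/search/?q=hello&ref=bob@example.org",
  "https://example.com/thanks/?FirstName=Alex&page=1",
];

// "firstname" stands in for a custom search parameter you would define yourself.
const report = findLeakyUrls(SAMPLE_URLS, ["firstname"]);
for (const r of report) console.log(r.redactedKeys.join(","), "->", r.url);
```

Every key that appears in the report is a candidate for the custom search parameters in the “Redact data” setting, or better, for removal from the URL altogether (for example by submitting the form via POST).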
Cross-domain Linking Configuration
📍Admin (gearwheel) > Property Settings > Data collections and modifications > Data streams > Web stream details [name of stream] > Google tag > Configure tag settings > Configure your domains > Cross-domain Linking Configuration
The data of your website visitors can be saved and assigned across domains. This setting is only relevant if you operate different websites with different domains/subdomains and want to merge the analysis data from these different websites. When using cross-domain analyses, you should always check whether the merging of the data fulfills an actual purpose, and you should inform your website visitors transparently about this, e.g. in your cookie banner.
Allow user-provided data capabilities
📍Admin (gearwheel) > Property Settings > Data collections and modifications > Data streams > Web stream details [name of stream] > Google tag > Configure tag settings > [Show more] > Allow user-provided data capabilities
You can configure how you handle data from users who are logged into the browser with their Google account. This is only relevant for you if you use Google Ads or other Google advertising platforms, i.e. if you place adverts via Google. Google states in the settings that the associated data is hashed in order to protect it and is only sent to Google accounts that have consented to such use. We therefore recommend that you remove the pre-set tick from “Allow user-provided data capabilities” if you do not book any advertising and the setting therefore serves no purpose for you.
Override cookie settings
📍Admin (gearwheel) > Property Settings > Data collections and modifications > Data streams > Web stream details [name of stream] > Google tag > Configure tag settings > [Show more] > Override cookie settings
Here you can set how long the cookies used by Google should be stored. Cookies should generally be stored for as short a time as possible and only for as long as they fulfil their purpose. So ask yourself the following questions to determine the correct cookie lifespan for your case:
- How relevant is it to (re)recognise a user?
- How important is it to recognise a user after a certain period of time? And how long should such a period ideally be?
By answering these questions, you can clarify for yourself, for example, whether you really need to recognise a website visitor who visited your website 8 months ago. We also generally recommend that you store cookies on your website visitors’ end devices for a maximum of 13 months, as most browsers today are limited to a maximum storage period of 13 months anyway.
Keep in mind that if you make changes here, you should also make these changes in your cookie banner!
Google Signals data collection
📍Admin (gearwheel) > Property Settings > Data collections and modifications > Data collection > Google Signals data collection
A link to so-called Google signals is also possible. Google signals are session data from websites that Google can link to the Google account of website visitors in which personalised advertising has been activated. By linking data with these logged-in users, cross-device reports, cross-device remarketing and the export of cross-device conversions to Google Ads are possible. If Google signals are activated, data from your website visitors and information from Google accounts of logged-in users is linked in Google Analytics. This is only relevant if you use Google Ads or other Google advertising platforms, i.e. if you place adverts via Google. We therefore recommend that you only use Google Signals if you actually need the extended advertising functions and otherwise leave them deactivated.
Granular location and device data collection
📍Admin (gearwheel) > Property Settings > Data collections and modifications > Data collection > Granular location and device data collection
You can customise settings for the processed location and device data of your website visitors. We recommend that you deactivate the detailed collection of location and device data, which is activated by default, if you do not need this information and it does not fulfil any purpose, e.g. if it does not bring you any added value to know where the website visitors come from in detail and which devices they use.
Advanced Settings to Allow for Ads Personalization
📍Admin (gearwheel) > Property Settings > Data collections and modifications > Data collection > Advanced Settings to Allow for Ads Personalization
This setting is only relevant if you use Google Ads and if you actually use it for the following reasons: for the personalisation of ads, in addition to measurement, in connection with the use of functions such as Google Signals, User ID, ad integrations and/or if you activate the transfer of data to Google.
We therefore recommend that you select “do not allow” for the geographic settings so that Google does not have the opportunity to process more data that is not relevant to you anyway.
User Data Collection Acknowledgement
📍Admin (gearwheel) > Property Settings > Data collections and modifications > Data collection > User Data Collection Acknowledgement
At this point, Google offers you the opportunity to confirm that you have all the necessary authorisations/rights to disclose information about your website visitors. Please consider very carefully whether you really want to and can confirm this. We recommend that you do not confirm the collection of user data, especially because this does not put you at a disadvantage. Once you confirm that you have the necessary data protection declarations and rights of your website visitors for the collection and processing of their data, you can no longer undo this.
Data retention
📍Admin (gearwheel) > Property Settings > Data collections and modifications > Data retention
You can choose whether the event data collected by Google Analytics should be stored for 2 or 14 months. This only applies to the storage of event data associated with cookies, user IDs or advertising IDs. Aggregated statistics (without personal data) are retained even after deletion. We recommend that you store the data in Google Analytics for as short a time as possible and no longer than is necessary for your purposes.
However, if you use Google Ads intensively or work with a sophisticated tracking concept to create specific target groups, processing this data for 14 months may be perfectly legitimate to safeguard your commercial objectives.
Data display
Finally, let’s have a look at the data display settings in Google Analytics, where you can define target groups and link Google Analytics with other Google products, for example.
Audiences
📍Admin (gearwheel) > Property settings > Data display > Audiences
Here you can define audiences. You can use audiences to categorise your website visitors into different user groups according to dimensions, measured values and events, for example. This allows you to reach the right people when running campaigns, for example. On the one hand, there are predefined target group suggestions (e.g. demographic data, (non-)buyers, technology used, gender, age) and on the other hand, you can create your own customised audiences. You should only create audiences if this classification fulfills a purpose for you.
Reporting Identity
📍Admin (gearwheel) > Property settings > Data display > Reporting Identity
This setting is used to analyse the behaviour of your website visitors across devices and platforms in Google Analytics. This is only possible when using Google Signals and is switched off by default. If you use Google Signals at all, you should only allow the data to be merged with this setting if there is a legitimate purpose for doing so. Otherwise, you can also select the “Observed” variant, in which only the user ID, Google signals and device ID are merged.
Product links
📍Admin (gearwheel) > Property settings > Product links > [linked product]
This setting is only relevant if you use other Google products and want to link them to your Google Analytics account. In order to minimise data, you should think carefully about which other Google products you really need and with which of them you share your data from Google Analytics. Please note that if you use product links, you should make this transparent to your website visitors in your privacy policy and in the cookie banner.