5 steps to compliance

At its core, Google Analytics is a free website analysis tool aimed at website managers so that they can better understand the behavior of their customers. But for this purpose, the function goes beyond protecting the personal data collected to obtain these results. Therefore compliance with the new GDPR regulations is essential to prevent the application of sanctions that have been in effect since 2018…

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) or the General Data Protection Regulation relates to the protection of the personal data of a natural person. The identification covers several items, such as his surname and first name, or other personal information (Social Security number, address, bank account, ancestry, etc.). Other factors such as her tastes, the locations she consults the most, and her region are also taken into consideration.

These elements, which are related to each other, help to obtain more or less accurate information about the visitor. It is then used to process personal data. This includes analyzing information about an Internet user and identifying their centers of interest, and possibly their purchasing behaviour.

After that, it is easier to adjust the offers better according to their expectations. Note that if it pertains to a company (name, address, email address, etc.), it will not be included in the personal data category.

Who is affected by the GDPR?

The General Data Protection Regulation (GDPR) relates primarily to the processing of personal data of persons residing in the European Economic Area. Its implementation since 2018 takes into account the development of new technologies and purchasing behavior. These developments reinforce the French Data Protection Act of 1978, allowing each individual to control which user organizations of any kind can make from the data about them.

Step 1: Data Processing Agreement

In accordance with the General Data Protection Regulation (GDPR), website administrators are obligated to request users’ permission to use cookies and to inform them of what will be used next. For CNIL, it is illegal to transfer data to the United States by sites using Google Analytics. In fact, this process has drawbacks in that it is difficult to control the use that will be used later and the security of personal data. The latter can only be guaranteed if all parties enter into a data processing agreement, which is a first step to comply with the General Data Protection Regulation (GDPR).

The Data Protection Agreement (DPA) is a legal obligation that signatories to the agreement must respect, or else severe penalties will apply to them. It is required for any company or individual to process personal data whether within or from the European Union. This agreement is valid between the site host.

It is also necessary when a company outsources email. Note that the process itself is not reprehensible, but you should get the free and explicit consent of the people on the mailing list. The same is true of wages. The only data that can be collected in this case will be limited to surnames, first name, addresses, date of birth and Social Security number, as provided in Article L444-5 of the Labor Code. The data is processed by a person who is appointed as an administrator and then uses the services of the processor.

According to Articles 28-36 of the GDPR, the latter must comply with specific provisions. This includes providing all relevant information, such as the category of personal data you will be working on, but also that of the individuals with whom you are associated. In addition, the data collected must be used for very specific purposes and can only be kept for a period that must be clearly defined. The processor is also required to return or delete personal data upon the expiration of the predetermined period.

Step 2: Determine the retention period of personal data

As mentioned above, data retention is not unlimited. It must conform to what is in keeping with the objectives set, in so far as it is not legally established. In order to allow Google Analytics users to comply with the GDPR, it is now possible to delete all profiles that have not interacted on the site within a 36-month period.

In addition, it is necessary to request their consent every 13 months for the use of cookies. According to Google Analytics, the retention of personal data will be between 14 and 50 months. Without an express agreement, it will be deleted within the next month. Meanwhile, if the owners return to the location where their data was listed, the deletion will be postponed to a later period.

Step 3: Declare the organizations or natural persons responsible for data processing

A section entitled “Managing DPA Details”, located on the Administration page, is available to Data Processing Administrators. They have the obligation to provide three main pieces of information, mentioned in the GDPR, namely the name of the main contact (an organization, company or individual), and information about the data protection officer whose job it is to implement compliance processes within the organization. The protection of personal data of users should be improved and access by third parties should be restricted.

It is also necessary to inquire about a representative of the European Economic Area. The three contacts may be the same for small data processors, while those with multiple accounts are not required to provide multiple contacts.

Step 4: Proxification

CNIL recommends that compliance requires the use of a proxy server, which is a bridge between an Internet user’s computer and the server used by websites. This solution helps maintain the security of exchanges between the two parties. Thus the links in the URLs can be tracked from the referring site. The proxy also allows anonymizing the user ID and all other potential identifiers, such as the IP address or CRM.

When leaving the proxy, the data is supplied with an alias, which reduces the possibility of user re-identification. However, this option is not accessible to small structures, since its implementation is quite expensive, while being quite restrictive. CNIL offers other alternatives to Google Analytics to deal with, including Matomo, which not only aims to measure the audience on the website, but also makes it possible to better understand the browsing behavior of Internet users in order to achieve conversion optimization.

Step Five: Update Google Analytics

For its part, Google announced the replacement of Google Universal Analytics (currently in use) with Google Analytics 4 of 1Verse July 2023. This new version aims to better preserve the personal data collected.


GDPR compliance is a complex process and it is nevertheless necessary to implement it so that you do not receive formal notice. It is therefore necessary to start by configuring Google Analytics so that data processing restricts access to users’ personal data. Among the technical tools available is IP anonymization, which is used to hide an IP address, for example. Please note that it is currently practically impossible for Google Analytics to comply with the regulation, because the collection and transfer of personal data to the United States cannot be ignored.

Leave a Comment