Google Analytics is installed on hundreds of millions of websites worldwide. If yours is one of them, you're collecting personal data — and both CCPA and GDPR require you to tell your visitors about it. Here's exactly what you need to do.
What data does Google Analytics collect?
Google Analytics collects more personal data than most website owners realise:
- IP addresses — used to determine approximate location
- Device and browser information — operating system, browser type, screen resolution
- Unique client IDs — a randomly generated identifier stored in a cookie that tracks users across sessions
- Browsing behaviour — pages visited, time on page, scroll depth, clicks
- Referral sources — where visitors came from (Google search, social media, etc.)
- Geographic data — country, region, city (derived from IP address)
Even though you don't see a name attached to this data, IP addresses and persistent user IDs are classified as personal data under both CCPA and GDPR.
What does CCPA require for Google Analytics users?
Under the CCPA, if you use Google Analytics you must:
1. Disclose it in your Privacy Policy
Your Privacy Policy must include a section on analytics that names Google Analytics specifically, explains what data it collects, and states how you use that data (website analytics and performance improvement).
2. Disclose the "sale" or "sharing" of data
Under CCPA, sharing user data with Google through analytics may constitute "sharing" personal information for cross-context behavioural advertising — particularly if you use Google Signals or Audience features. If so, you must:
- Include a "Do Not Sell or Share My Personal Information" link on your site
- Honour opt-out requests
3. Have a Cookie Policy
Google Analytics sets cookies in users' browsers. Your Cookie Policy must list the Google Analytics cookies by name, explain what they do, and explain how users can opt out.
✅ Any visitor can opt out of Google Analytics tracking by installing the Google Analytics Opt-Out Browser Add-on. Your Cookie Policy should link to it for users who wish to opt out.
What does UK GDPR require for Google Analytics users?
Under the UK GDPR and UK PECR (Privacy and Electronic Communications Regulations), using Google Analytics requires:
1. Cookie consent before tracking
UK PECR requires you to obtain explicit consent before setting any non-essential cookies — including Google Analytics cookies. This means your cookie consent banner must give users the ability to reject analytics cookies before they are set. Pre-ticked boxes are not valid consent.
2. Privacy Policy disclosure
Your Privacy Policy must name Google Analytics as a data processor, explain what data it collects, state your lawful basis (usually legitimate interests or consent), and disclose that data may be transferred to the US (where Google's servers are based).
3. DPA with Google
Under Article 28 of the UK GDPR, you must have a Data Processing Agreement in place with Google. The good news is Google automatically includes DPA terms in its Terms of Service — but you should verify this and configure your account accordingly.
Does using GA4 make things more compliant?
Google Analytics 4 (GA4) introduced some privacy improvements over Universal Analytics:
- IP anonymisation is on by default
- Data retention periods are configurable (default is 2 months)
- Consent Mode allows you to adjust how Google uses data based on user consent
⚠ GA4 is more privacy-friendly than UA, but it doesn't make you compliant by default. You still need a Privacy Policy, Cookie Policy, and cookie consent mechanism. Simply switching to GA4 doesn't resolve your compliance obligations.
Step-by-step: Making Google Analytics compliant
- Add a Privacy Policy — naming Google Analytics as a processor, what data it collects, and how users can opt out
- Add a Cookie Policy — listing the Google Analytics cookies (_ga, _ga_*, _gid) with their duration and purpose
- Install a cookie consent banner — for UK/EU sites, analytics cookies must be opt-in; for US sites, opt-out is generally sufficient
- Configure GA4 Consent Mode — so analytics respects user consent choices
- Enable IP anonymisation — ensure IP anonymisation is active in your GA4 settings
- Link to opt-out tools — in your Cookie Policy, link to the Google Analytics Opt-Out Add-On
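As an added example (not code from the original article or from Google), here is what the "Configure GA4 Consent Mode" step of this checklist looks like in page script: every Consent Mode v2 signal is set to denied before the GA4 tag is configured, and the signals are only updated once the visitor has made a banner choice. It assumes the real page also loads the standard gtag.js snippet; the local dataLayer/gtag stubs, the banner choice object shape and the measurement ID placeholder are constructed for illustration.

```javascript
// Local stand-ins for what the gtag.js snippet defines on a real page,
// so this logic can run offline in Node. Shape matches the official snippet.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Consent Mode v2 signal names (real gtag consent keys).
const CONSENT_SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Step 1: default everything to "denied" BEFORE gtag('config', ...).
// wait_for_update tells the tag to wait (ms) for a stored/banner decision.
function setDefaultConsent(waitMs = 500) {
  const defaults = Object.fromEntries(CONSENT_SIGNALS.map((s) => [s, 'denied']));
  gtag('consent', 'default', { ...defaults, wait_for_update: waitMs });
  return defaults;
}

// Step 2: translate the banner's categories into gtag signals. With analytics
// denied, GA4 does not set _ga / _gid; advertising signals are opt-in separately.
// Anything missing or non-boolean counts as a refusal (no pre-ticked defaults).
function consentFromBanner(choice) {
  const analytics = choice.analytics === true ? 'granted' : 'denied';
  const ads = choice.advertising === true ? 'granted' : 'denied';
  return { analytics_storage: analytics, ad_storage: ads, ad_user_data: ads, ad_personalization: ads };
}

function applyConsent(choice) {
  const update = consentFromBanner(choice);
  gtag('consent', 'update', update);
  return update;
}

// Self-check for the page owner: the first consent call pushed must be a
// 'default' call that denies every signal, i.e. nothing was granted before
// the visitor decided. Useful as an assertion in a front-end test suite.
function defaultsDeniedBeforeUpdate() {
  const first = dataLayer.find((args) => args[0] === 'consent');
  if (!first || first[1] !== 'default') return false;
  return CONSENT_SIGNALS.every((s) => first[2][s] === 'denied');
}

// Sample run in the order a real page would use: default, config, then the
// banner decision. 'G-XXXXXXXXXX' is a placeholder measurement ID.
setDefaultConsent();
gtag('config', 'G-XXXXXXXXXX');
applyConsent({ analytics: true, advertising: false });
```

Note that in Consent Mode the GA4 tag still sends cookieless pings while consent is denied; if your policy promises that nothing is sent before consent, load the tag itself only after the visitor opts in.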
What about other analytics tools?
The same principles apply to any analytics tool that sets cookies or processes personal data — Hotjar, Mixpanel, Heap, Segment, Amplitude. Each one must be named in your Privacy Policy and Cookie Policy, and covered by appropriate consent mechanisms.
The bottom line
If your website uses Google Analytics, you're collecting personal data and you need a Privacy Policy and Cookie Policy that disclose this clearly. DataShark generates personalised documents that specifically name your analytics tools and explain what data they collect — in under 3 minutes, from $14.