How data protection affects analytics

The world seems to have gone crazy with data protection and privacy policy updates. The reason is the General Data Privacy regulation (GDPR) that came into effect at the end of May 2018. The GDPR was the result of Facebook’s grilling by US senators and other online businesses taking their users’ privacy for granted.

Online businesses and services have had to toe the line and comply with the GDPR, including Google. This has impacted Google services such as Google Analytics, meaning that some marketers need to ensure that their analytics use is allowable under the GDPR.

So, how exactly will the GDPR affect marketers and website owners, as well as their websites and careers? Here are a few things you should know about the GDPR.

What is the GDPR?

The GDPR is a broad reform that protects the private data of European citizens. It gives them more control over how their personal data is used by online businesses and websites. Although it is a European regulation, for now, the chances of other global regions taking similar steps in the future is likely.

Some of the main GDPR regulations are outlined below:

  • Online organisations need to be more transparent and clearly state what information they are collecting from users, why they are collecting it and how it will be used. Information can only be collected if it is directly relevant to its use.
  • This information can no longer be hidden in long privacy policies filled with legal jargon. It needs to be written in plain, unambiguous language and users need to easily agree or disagree with each of the terms. Companies are not allowed to assume the user’s consent via pre-checked boxes or inaction.
  • If a user does not agree to have their information collected, the website cannot block them from accessing content.
  • Users are allowed to see what information a company has about them, and can ask for incorrect information to be amended or deleted. If the user wants their data deleted, the website has to do it instantly and remove all information they may have stored or shared elsewhere. Websites must provide proof of these steps.
  • If a data breach occurs and users’ information is compromised, they must be notified within 72 hours. If a data breach is the result of non-compliance with the GDPR, websites and businesses can be fined up to €20 million or 4% of the company’s annual global revenue, whichever amount is greater.

Do South African websites need to worry about the GDPR?

The GDPR will affect everyone in some way. If a South African business operates in Europe, collects data from European users or employs any Europeans, then the GDPR applies to them too.

If your website gets any visitors from Europe and you collect data from them, then you need to comply with the GDPR. If you offer European languages on your site, such as German and French versions, or if you accept payment in Euros via your website, then the GDPR applies.

However, if your website only supplies services to users outside of Europe (and you don’t collect personal information) then the GDPR does not apply to you, regardless of whether some of your traffic comes from Europe.

GDPR affects Google Analytics

Most website owners have a Google Analytics account to track their traffic and measure various metrics regarding the performance of their site. Since Google is a data processor and Analytics tracks data from your (European) visitors, they have had to comply with the GDPR.

However, your business or website is considered to be the data controller, and therefore you need to ensure that your Google Analytics account meets the GDPR requirements as well.

Google has made some changes to make this easy for account holders. You now have the ability to delete individual users’ information from Google Analytics if the user requests such a step. You can also control data retention settings that dictate how long user data is stored before being automatically deleted (the default is 26 months).

How to comply with the GDPR

To ensure that your Google Analytics account is in compliance with the GDPR, you need to start by accepting the updated Google Analytics terms of processing. Next, check that the data you collect is relevant to its intended purpose.

Check that you aren’t sending any personally identifiable information (PII) to Google Analytics. Sending PII to Analytics is against its Terms of Service, but sometimes it happens by accident when information is sent through a page URL.

PII includes data that can be used to identify an individual when combined with other information, such as an email address, birthdate or an IP address. Speak to your web development team or web host about how to stop sending PII to Analytics. Filters and blockers aren’t always enough; you need to ensure this information isn’t sent in the first place.

Certain information and aggregate data, such as geographical insights and traffic, won’t be affected by the GDPR regulations. You can also enable IP anonymization in Analytics or Google Tag Manager, which replaces the last portion of an IP address with a number to conceal its precise street location.

To anonymize IP addresses, open your Google Analytics tag and go to ‘More Settings’ in the ‘Setting’ menu. Select ‘Fields to Set’ and choose ‘anonymizeip’ in the ‘Field Name’ box. Enter “true” in the ‘Value’ box and save your changes. If you can’t do this yourself, your web development team will be able to edit the Analytics code directly.

Note that pseudonymous information such as user IDs are still fine under GDPR, but you still need to protect it by storing it as alphanumeric identifiers in your database, not written as plain text. This way, if your database is breached, your user IDs will be concealed.

Lastly, if GDPR applies to your website, make sure that your business contact details are included in your Analytics account and clearly on your website.

Update your own privacy policies and cookie notices

To further comply with the GDPR, you need to update your website’s privacy policy, forms and cookie notices. Your privacy policy needs to be written in plain language and inform the user what information you will be collecting and why. This information needs to be written so that even a child can understand it.

Generic cookie consent forms are no longer allowed, you need to be explicit with what information you will collect, how you intend to collect it and what you will use it for. Popups such as “We use cookies to give you a better experience” are not GDPR-compliant.

Other marketing practices that need to be GDPR-compliant

If your business solicits any business from European users, then you need to ensure that all of your marketing methods are GDPR-compliant as well. If you use ‘refer a friend’ promotions to access discounts and specials, the email addresses or usernames of customers’ friends cannot be stored or used for marketing purposes.

Similarly, email marketing will be affected if the receiver hasn’t knowingly signed up for your service. If your business buys contacts lists from other companies or subscribes website visitors without their knowledge, then you risk being fined. Review all of your contacts, especially the European ones, and ensure that they have willingly subscribed to your emails.

If your website offers gated content (such as research papers and webinars that require personal information to access it) then you will need to prove that the information you are collecting is necessary for you to provide the gated content. The information needs to be linked to the deliverable, otherwise, your website is not GDPR-compliant.

To summarise, GDPR will affect most websites and online businesses around the world. More specifically, in South Africa, website owners only need to be concerned about GDPR if they are collecting user information from European visitors or if they conduct any business in Europe or with European users.

It is vital to check that your Google Analytics accounts don’t store any personally identifiable information that can be used to single out an individual from Europe. Likewise, your marketing methods need to line-up with the GDPR requirements. The fines for not complying with the GDPR are very significant.


Sorted Design Agency is a creative company that constantly looks for solutions to other people’s problems. These problems come mostly in the visual format, such as graphic design, logo and illustration, but we’re experts in brand development, website design, and digital SEO campaigns as well.


Based in Pretoria and Cape Town, Sorted has been in the content marketing industry since 2006. We assist your company with its corporate identity by communicating core values through content and articles written for your website, blog and news area. This content is supported by AdWords and social advertising, which facilitates wider reach and audience growth. Turn your website into a business tool.


Sorted also owns two other businesses; InkFish Print Studio – a printing company that handles a range of promotional materials for businesses and other services for individual customers, and Pampiri + Kie – a gifts and stationery store selling online and in-store. Both of these companies operate from Cape Town and Pretoria.


Follow us on Facebook, Instagram and LinkedIn for the best tips on design, marketing and web development. We also share the latest industry news and fresh content to inspire fellow designers, creatives and marketers.



More Posts


This website uses cookies to ensure you get the best experience on our website.