Setting up a cookie law compliant Google Analytics tracker

Published by

Erik Driessen

on

The European Union has set up a cookie law that forces websites to inform their users about the cookies they set. The Dutch cookie law is even stricter, not allowing websites to set tracking cookies (e.g. for retargeting) without a cookie consent from the user. Google Analytics also has some features that should only be activated after a cookie consent, and features to protect the users that don’t give one.

This post shows you how to modify the standard Google Analytics tracking code in a way that is compliant with the Dutch law. With this setup, your tracking code should be ready for upcoming cookie law changes in Europe.

The changes

Google Analytics (GA) tracks a lot of information by default. And that’s great for web analysts and online marketeers. But GA has some features that allow you to set up this code with the user in mind, changing the data it collects if a user doesn’t give a cookie consent. The following two features are optional and protect the data that is collected about the user:

  • Anonymize IP: this changes the last number of the IP address to 0, anonymizing it;
  • Force SSL: ensures all data is sent to Google via a secured connection;

Other features require a cookie consent. In this post, we’ll use these two features as an example:

  • DoubleClick display features: for collecting extra demographics data based on the user’s DoubleClick data (only after cookie consent);
  • Set user id: using a user specific identifier for cross device reporting.

The code

To implement the changes correctly, you’ll need access to the user’s cookie opt-in choice in the code. In this example, we’ll use a sample function getUserConsentState() that returns true (for consent given) or false (for no consent given).

Default code

<script>
    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
    (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
    m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
    })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

    ga('create', 'UA-123456-1', 'auto');
    ga('send', 'pageview');
  </script>

The starting point is the standard tracking code snippet that you’ll get from GA, as shown in the example above.

The updated default code

<script>
    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
    (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
    m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
    })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

    ga('create', 'UA-123456-1', 'auto');
    ga('set', 'forceSSL', true);
    if(getUserConsentState() === true){
      ga('require', 'displayfeatures');
      ga('set', 'anonymizeIp', undefined);
      ga('set', '&uid', '1234567');
    } else {
      ga('set', 'displayFeaturesTask', null);
      ga('set', 'anonymizeIp', true);
    }
    ga('send', 'pageview');
  </script>

The updated example above shows the standard tracking code snippet, modified to comply with the cookie law. Keep in mind that both display features and setting the ‘&uid’ parameter are optional, but if you use them they do require a cookie consent. Note that you can enable display features in the interface as well, but the line ga('set', 'displayFeaturesTask', null); explicitly turns off the display features when the there’s no consent.

Use a customTask in GTM

You can also use a customTask to handle the privacy settings for your Google Analytics measurements:

function(){
    return function(model) {
      if({{cookie - consent accepted}} === true){
        model.set('&uid', {{js - example user id}});
        model.set('anonymizeIp', undefined);
       }else{
        model.set('displayFeaturesTask', null);
        model.set('anonymizeIp', true);
      }
    }
  }

Example of a customTask variable you can use in Google Tag Manager. Change the variables to correctly capture a user’s consent and a user ID.

In this example, we enable user ID tracking and disable anonymizeIp when there is a consent. We block display features (asuming that it’s enabled through the interface) and enable anonymizeIp when there is no consent.

Other actions

This post only shows you how to set up the tracking code correctly. Besides this, you’ll need to make sure the settings in GA’s admin area are also compliant:

Other actions

This post only shows you how to set up the tracking code correctly. Besides this, you’ll need to make sure the settings in GA’s admin area are also compliant:

  • Agree with Data Processing Amendment;
  • Disable data sharing settings.

With the code ready, and these settings checked, your GA implementation will be compliant.

Update – 16 November 2016: it turns out you can only disable anonymize ip by setting it to undefined. Setting it to false or not sending it when it was active before won’t work . The code snippet is updated accordingly.

Update – 11 May 2018: Added customTask example.

Leave a Reply

Recent posts