Using Google Analytics without consent in a legally compliant way: How it works

Google Analytics is the most popular tracking tool, but it also raises many data protection questions. In its standard form, using it in a legally secure manner is hardly possible even after a consent prompt. There is, however, a solution that needs no cookie popup at all.

Introduction

The application area of Google Analytics is diverse. Here are a few common cases:

  1. Statistics (Visitor counter)
  2. Content optimization:
    • Hard tracking: demographic evaluations, behavioral analyses, cross-page tracking of users
    • Click paths
  3. Ad Optimization (Conversion Tracking, Retargeting)
  4. Combination with Google Optimize (Split Tests)

Detailed statistical evaluations can be done very well without Google Analytics. For this, I recommend Matomo without consent or Trackboxx (commercial product of a German provider).

Analyzing click paths for content optimization can be done through Matomo.

For A/B tests analogous to Google Optimize, there are certainly more data protection-friendly solutions available, which I won't go into here.

Technically, optimizing advertisements is easiest with Google Analytics. Legally, however, the complexity can hardly be mastered. One example is Google Tag Manager, which Google all but forces you to couple with Google Analytics although that is by no means necessary. Tag Manager on its own is hardly manageable legally, as my simple investigation already shows.

But what about use cases where Google Analytics makes sense?

Legal problems with Google Analytics

As shown above, Google Tag Manager (GTM) is often used together with Google Analytics. I can only recommend not using GTM without consent. GTM itself is not needed at all, let alone for loading Google Analytics.

If you need a tag manager, use something else or find someone who can program. An alternative for common cases is my Untagmanager. That does not help you, and you cannot find a programmer or do not want to pay one? If the answer is yes, then perhaps the term data protection has not yet sunk deeply enough into your consciousness. No problem: the market and the affected persons will regulate it.

Because Google Universal Analytics sets cookies, consent is required. This follows from the BGH ruling on Planet49 (for the period prior to December 1, 2021), according to which § 15 Abs. 3 TMG must be applied in conformity with Art. 5 Abs. 3 of the ePrivacy Directive. ([1]) ([2])

The cookies are not technically necessary and therefore require consent. In short: Google Analytics can be configured in standard mode so that no cookies are used at all.

Even without cookies, Google Analytics requires consent. There are several reasons for this; see the link above in this section. Did you know that all analytics data is always processed in the USA ([1])?

According to Art. 13 GDPR, comprehensive information obligations regarding Google Analytics must be fulfilled. These information obligations are often referred to as the privacy notice (data protection information). Do you know how the numerous data collected with Google Analytics are processed by the Google corporation? If so, please share it with me, because I don't know. For each individual cookie, its name, purpose and lifetime must also be stated. Do you know the exact purposes of the Google Analytics cookies? I doubt it. ([1])

Further problems with Google Analytics

Because Google Analytics is used so widely, websites that use it are an easily recognizable and attractive target for attacks.

Attackers can use Google Analytics to exfiltrate data from an already compromised website easily, unobtrusively and, above all, in a way that is hard to detect. Setting up firewall rules that could prevent this appears completely unrealistic for many websites. ([1])

If a website uses Google Analytics, it is almost certain in my experience that the website violates data protection rules. Whoever is looking for a reason to issue a warning letter might first look for websites that use the Google tracker. By now, everyone should have noticed that Analytics carries considerable potential for danger.

The Solution: Analytics without Consent

The solution for legally secure tracking of users with Google Analytics without consent rests on a simple principle. It goes without saying that it is operated without technically unnecessary cookies. This is possible because Google Analytics can be used without cookies.

It seems sensible to me to find a solution for a few specific use cases. Linking Analytics data with Google Ads data is the case that makes the most sense to me. Google Ads is a way to display online advertising. Advertisers want to know how well an ad converts and which search terms triggered a conversion. All of this can be done without Google Analytics, but who knows that and wants to put in the extra effort?

It might also be sensible to track the website visitor's actions in more depth. Many analytics tools only record a user's click path and how long they stayed on a page. Some may also be interested in how the user scrolled and similar things.

It is clear: with the standard Google Analytics script, GDPR-compliant use is hardly possible, if at all.

There are two solution approaches, which differ in power and in complexity.

Basic principle

The solution rests on a general principle: when an event is tracked, the Google Analytics script does not call a Google server directly. Instead, it calls the server of the website currently being visited, which is thereby informed of the tracking event. That server then drops the sensitive information that could establish a personal reference and sends the remaining data to the site owner's own Google Analytics account.

The principle is called a proxy. A proxy is a stand-in. Many will surely know the term from networking. A proxy is a kind of tunnel. If the tunnel is long enough, the analogy fits quite well, because at the end of the tunnel you no longer know who drove into it. To round off the analogy, one would have to assume a change of driver in the middle of the tunnel that cannot be observed from outside.

So a proxy is created for Google Analytics. The proxy tunnels tracking events through the site's own server. During this tunneling, user-related data is anonymized or omitted. This removes the obligation to ask for consent. It is also important that no cookies are used, because these would require a so-called cookie popup. A cookie popup should really be called an opt-in request or consent popup. Incidentally, a cookie popup could even be legally compliant for a self-built solution, but not for Google Analytics in its original form.

Solution 1: Direct Call at Page View

This approach only tracks page views. It also carries the user's browser and system configuration, which gives a better data basis. This is familiar from standard Google Analytics and is nothing new.

The GA events are sent from the user's browser to a separate server. There, sensitive data such as the user's IP address is removed or replaced by entirely different values that carry no personal reference for third parties. Whoever uses their own server's IP address for the forwarded Google Analytics events is evidently in agreement with handing their own network address to Google.

const url = 'your-analytics-script.php'; // endpoint on the website's own server
var data = {dt: document.title /* ... further values to transmit */};
data = JSON.stringify(data); // serialize the event as JSON
var sender = new XMLHttpRequest();
sender.open("POST", url, true); // POST: no size limit as with GET
sender.setRequestHeader("Content-Type", "application/json");
sender.send(data);

The code shows how data can be sent from the browser to the site's own PHP script. All values to be transmitted are stored in the variable data; in the example, the document title is sent to the server. The transmission uses HTTP POST so that no problems with the data size can occur (GET is subject to a length limit).

On the server, the tracking events are then forwarded to Google. Done correctly, Google receives no data of other persons. Sending to Google can happen analogously to the original tracking, that is via POST requests to an HTTP address such as https://www.google-analytics.com/collect. For debugging, the address https://www.google-analytics.com/debug/collect can be used instead. Alternatively, the Analytics Reporting API can be used, which appears cleaner but is also somewhat more complex.

Solution 2: Use of the original script

More elegant, but also more complex and maintenance-intensive, is modifying the original Google Analytics script so that it sends data not to google-analytics.com but to your own server.

The general approach on your own server for forwarding data to Google is analogous to the first solution method.

Occasionally there are updates to the Google Analytics script. Not all of them need to be followed. Sometimes an update is necessary; then the modified script has to be replaced by a newly modified one. This is possible but means somewhat more effort, which will probably be limited and fall due every few months at most.

Conclusion

If one wants to use Google Analytics at all costs, it should be done in the manner described. The original version would only be legally compliant after effective consent has been given, and consent is almost never granted if it is asked for correctly. Furthermore, the question remains which data Google processes, and how.

For most use cases, Matomo in a local installation should be more than sufficient. Those who use WordPress can also rely on WP Statistics ([1]) ([2]).

Key messages

Using Google Analytics legally without explicit user consent is possible by configuring it to not use cookies.

Using Google Analytics often violates data protection rules; it is also an attractive channel for attackers to exfiltrate data from a compromised site, and tracking without consent is hardly achievable with the standard script. The alternative is a "proxy" setup that sends the data to your own server instead of directly to Google, which allows more privacy-compliant tracking.

To avoid needing user consent for website tracking, you can use a proxy server to anonymize data before sending it to Google Analytics.

If you need website analytics, Matomo or WP Statistics are better options than Google Analytics because getting proper consent for Google Analytics is difficult and their data processing practices are unclear.

About

About the author on dr-dsgvo.de
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.