How to add Google Analytics to your privacy policy?

Published on Nov 8, 2022 by Image of Carlo CilentoCarlo Cilento

A privacy policy1 is a statement that informs a data subject on how their data will be processed. In the case of the website, a privacy policy will notify the visitor of the processing of their data and the purposes of the processing (website optimization, market analytics, etc.).

When building a business or operating a website, this is not the most exciting part to be working on, but it is important to check this box. To make your life easier, we compiled a list of things you should take into account.

Spy Kids: Get over with (static)
Spy Kids: Get over with (animated)

Loading GIF...

  1. What is the purpose of a privacy policy?
  2. Do I need a privacy policy for Google Analytics?
  3. How do you write a privacy policy?
  4. An example of a layered privacy policy
  5. Google Analytics privacy policy template
  6. When should my privacy policy be displayed?
  7. What information should my privacy policy contain?

Let’s dive in! 

1. What is the purpose of a privacy policy?

The primary purpose of a privacy policy is to provide information to a data subject (in this case, the visitor of your website) about the processing of their data, according to the transparency principle2.

You should inform the user about the processing of their data- what data you are processing, on what basis, for what purpose, and so on. You should also inform the user about their rights under the GDPR (such as requesting the erasure of the data and filing a complaint). Also, you should facilitate the exercise of these rights by providing a point of contact for any requests or questions they might have.

Keep in mind that a privacy policy addresses the user directly. The information should be as clear and accessible as possible3. Use plain language and leave the jargon to the lawyers!

2. Do I need a privacy policy for Google Analytics?

Yes, you do. Google Analytics collects cookies and IP addresses which are personal data under the GDPR. You also need consent to process cookies because they fall under the ePrivacy Directive4. This is the case for both first-party and third-party cookies (the latter are associated with a domain different from the one the user is visiting and tend to be more privacy-invasive).

3. How do you write a privacy policy?

It’s not rocket science, but it’s not simple, either. Your privacy policy needs to include many specific pieces of information to comply with Art. 13 GDPR. At the same time, it must be concise, accessible, and clear to comply with Art. 12(1) GDPR.

It can be hard to include all the information required while keeping your policy simple and accessible, but a layered approach5 can help you strike a balance. A layered privacy policy provides the most crucial information upfront. It refers the reader to other resources for more detailed information (for example, by linking to different pages or maybe to the relevant headers of a single, more extended notice).

how to add google analytics to your privacy policy

4. An example of a layered privacy policy

First, a necessary disclaimer: this is not legal advice and should not be taken as such. Every notice needs to be tailored to a specific website. Please don’t copy-paste your notice from us or from anywhere else on the Internet! If you have some knowledge of privacy law, write one yourself, or have an expert draft one for you.

That being said, here’s an example template for a layered privacy policy:

We at awesomewebsite.com use Google Analytics to collect data. We need this data to understand how you use our website so we can improve its design and functionality. We also need the data to get the most out of our marketing campaigns.

With your consent, Google Analytics will process and collect your personal data (cookies and IP address) to give us valuable information. Google Analytics will transfer your data to the United States and store it for x months. To learn more about Google’s data transfer policies, click here.

You have certain rights over your data: for example, you can require us to delete them or to provide you with a copy. We take responsibility for the processing of your data. We are available to answer any question and handle any request from you. Click here to read more about your rights and to find how you can get in touch with us.

Please express your cookie preference:

  1. I consent to the processing of non-essential cookies
  2. I refuse the processing of non-essential cookies We will not read or write cookies without your consent.

5. Google Analytics privacy policy template

We at awesomewebsite.com use Google Analytics to collect data. We need this data to understand how you use our website so we can improve its design and functionality. We also need the data to get the most out of our marketing campaigns.

You must include all the purposes for which you process the data and clearly distinguish between them. This is just an example: if you collect personal data for other purposes as well, you should mention that.

With your consent, Google Analytics will process and collect your personal data (cookies and IP address) to give us valuable information. Google Analytics will transfer your data to the United States and store it for x months. To learn more about Google’s data transfer policies, click here.

The link is where you can explain that Google Ireland Ltd. transfers data to Google LLC and that they are using standard contractual clauses to safeguard the data. You should clarify what that means in plain language. For example:

Standard contractual clauses are legal clauses written by the European Commission. They are part of a contract between Google Ireland Ltd. and Google LLC, and Google LLC must follow them. Standard contractual clauses tell Google LLC what it can and cannot do with your data.

There is no need to reproduce the content of the clauses, but you could provide a link to Google’s own documentation.

Please note that providing this information does not make the data transfer lawful. Google Analytics is practically banned in four EU countries (Austria, France, Italy and Denmark) because the data transfers between Google Ireland and Google LLC were found to violate Chapter V of the GDPR, and more countries may follow. There is nothing you can realistically do about this: if you use Google Analytics, you are accepting a compliance risk. We wrote more about the topic here

You have certain rights over your data: for example, you can require us to delete them or to provide you with a copy. We take responsibility for the processing of your data. We are available to answer any question and handle any request from you. Click here to read more about your rights and to find out how you can get in touch with us.

This is where you can include information on the right of access6, the right to withdraw consent7, the right to erasure8, the right to lodge a complaint in the Member State where the data subject lives or works9, and possibly the right to object10. If you are processing personal data without consent11, be careful to specify which categories of data the user can request you to erase. And clarify that you are responsible for handling requests, not Google.

You always need to provide contact information for your organization, and if you have a DPO and an EU representative, you must also provide a contact for them. Contact information is really important in practice. Don’t just fill in an email and forget about it: make sure requests are forwarded to someone who will actually handle them! Companies are often fined for failing to respond to requests promptly.

If you have a DPO, direct the user to them for any requests- handling them is part of the DPO’s job. If you don’t have a DPO, then it is good practice to make someone in your organization responsible for responding to requests. Provide a direct contact for them in your privacy policy12 so that requests don’t get overlooked among the organization’s mail.

Please express your cookie preference:

  • I consent to the processing of non-essential cookies
  • I refuse the processing of non-essential cookies We will not read or write cookies without your consent.

This choice must be presented in clear, non-deceiving terms: yes or no. If the user says “no,” respect their decision and don’t show them the cookie banner again.

A user might want to agree to cookies for specific purposes; for example, they may accept first-party cookies for website optimization and refuse third-party marketing cookies. Including a “customize” option is acceptable if the option to refuse all cookies is visible, easily accessible, and clearly worded. Don’t force users to run through five different cookie settings to say “no,” and don’t force confusing choices like “accept” versus “customize.”

Many companies don’t design the cookie banners themselves and rely on a consent-management platform instead. The same suggestions apply: in a nutshell, make sure your cookie banners are clear and allow users to refuse consent easily.

Finally, if you collect some personal data without consent, you should also include that information. For example, you could add a last bit such as:

We will still collect some data if you do not consent. Click here to learn more.

In the link, you can specify what data you collect and on what legal basis13.

6. When should my privacy policy be displayed?

If you are using Google Analytics, your privacy policy should be displayed as soon as the user lands on your website14. You should also include it on your website so that returning users can access the information easily.

From a practical standpoint, it makes sense to merge your policy with your cookie banner, as we did in our template. You need a cookie banner anyway, and one annoying pop-up is better than two.

On a side note, under the GDPR, withdrawing consent should be as easy as it is to give it15. So your website should allow users to withdraw consent easily in some way. It doesn’t really matter how, as long as the option is hassle-free and easily accessible. So it might be convenient to include an opt-out button or a similar option in the policy displayed on your website. But please remember that this opt-out mechanism cannot itself collect consent: you still need to do that in your cookie banner!

7. What information should my privacy policy contain?

Your privacy policy should contain all the information required by Art. 13 GDPR. In Google Analytics’ case, that would be:

  • the purpose and legal basis for the processing
  • contact details for the controller, the DPO, and the EU representative (if applicable)
  • the user’s rights as a data subject (including the right to lodge a complaint)
  • whether the data will be disclosed to third parties
  • whether the data will be transferred outside the US, and with what safeguards
  • how long the data will be stored

You can think of Art. 13 as a checklist you can go through to ensure your policy is compliant. In fact, we wrote our template with this article in mind. But covering all of the information is not enough: as we said, this information needs to be provided in a clear and accessible form.

Final Thoughts

Our template provides the information as part of a cookie banner because it’s convenient. But to be clear, a privacy policy is not just about cookies: if you are collecting any other personal data, you must also inform the user about that.

One last word: when it comes to privacy, there is a big gap between theory and practice. Many websites provide less comprehensive information than required, and very few websites allow consent to be withdrawn easily. So you might get away with it, but you would still not be GDPR compliant.

Bottom line: Omit the required information at your own peril (and feel bad about yourself).

… what if (most of) this isn’t necessary in the first place?
…what if there is an analytics tool that provides web analytics without the need for an extensive privacy policy?
…what if you can gather insights into your website traffic without needing a cookiebanner?

Yep, that’s possible… we created Simple Analytics with this in mind. We wanted to create a web analytics tool that provided insights into website traffic without needing cookies to collect personal data. We believe in creating an independent web that is friendly to website visitors. If this resonates with you, feel free to give us a try.

  1. To be pedantic, this is actually a privacy notice. A.privacy policy is an internal document that lays out rules and guidelines on the processing of personal data within an organization. The two terms are often used interchangeably, even by privacy professionals. 

  2. Art. 5(1) GDPR. 

  3. Art. 12(1) GDPR. 

  4. Art. 5(3) ePrivacy Directive. 

  5. WP29 Guidelines on transparency under Regulation 2016/679, par. 35 and 36. 

  6. Art. 15 GDPR. 

  7. Art. 7(3) GDPR. 

  8. Art. 17 GDPR. 

  9. Art. 77 GDPR. Also see WP29, Guidelines on transparency under Regulation 2016/679, Annex, p. 39. 

  10. This only applies if you process data based on legitimate interest: see Art. 21 GDPR. 

  11. Yup, this can be lawful- but not for cookies. See Art. 6(1) GDPR and our blog on consent

  12. To be clear, you still need to include general contact information for your organization. 

  13. Legal bases are a complicated topic. Our blog on consent briefly touches upon the principle of lawfulness and a couple legal bases other than consent. We might come back to the topic at some point. 

  14. Art. 13 GDPR 

  15. Art. 7(3) GDPR.