[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"blog-slug_blog_3_1":3,"blog-slug_blog_how-to-add-google-analytics-to-your-privacy-policy_1000_1":40},{"article":4,"articles":15,"meta":33,"languages":39},{"id":5,"title":6,"excerpt":7,"locale":8,"slug":9,"authorSlug":10,"automaticTranslated":11,"publishedAt":12,"updatedAt":13,"doFollowLinks":11,"showIndex":11,"showCallToActions":11,"articleType":14},3060,"The EU wants to kill cookie banners","The EU wants to end annoying cookie pop-ups by letting users set their consent once in their browser. If passed, websites will have to respect those choices.","en","the-eu-wants-to-kill-cookie-banners-by-moving-consent-to-your-browser","iron-brands",false,"2025-11-20T05:40:14.356Z","2025-11-20T06:13:15.812Z","blog",[4,16,26],{"id":17,"title":18,"excerpt":19,"locale":8,"slug":20,"authorSlug":10,"automaticTranslated":11,"publishedAt":21,"updatedAt":22,"ctaTitle":23,"ctaDescription":24,"doFollowLinks":11,"showIndex":25,"showCallToActions":11,"articleType":14},3019,"Google is tracking you (even when you use DuckDuckGo)","Google tracks users even on DuckDuckGo via Analytics and embeds. A new study shows how deep Google’s web tracking really goes.","google-is-tracking-you-even-when-you-use-duck-duck-go","2025-07-14T08:56:41.709Z","2025-07-14T11:26:01.386Z","If you care about privacy, you don't use Google Analytics","Ditch the tracking, keep the insights. Try Simple Analytics.",true,{"id":27,"title":28,"excerpt":29,"locale":8,"slug":30,"authorSlug":10,"automaticTranslated":11,"publishedAt":31,"updatedAt":32,"doFollowLinks":11,"showIndex":11,"showCallToActions":11,"articleType":14},3018," German court rules Meta’s tracking tech violates GDPR","German court rules Meta’s tracking tech violates GDPR, allowing lawsuits without proof of harm. 
Big risks ahead for sites using Meta pixels.","german-court-rules-meta-s-tracking-tech-violates-gdpr","2025-07-10T08:20:51.111Z","2025-07-10T12:16:26.327Z",{"pagination":34},{"page":35,"pageSize":36,"pageCount":37,"total":38},1,3,362,1084,{},{"article":41},{"contentHtml":42,"question":43,"content":44,"coverImageWithText":45,"coverImageWithoutText":52,"inlineMedia":57,"id":58,"title":43,"excerpt":59,"locale":8,"slug":60,"authorSlug":10,"automaticTranslated":11,"publishedAt":61,"updatedAt":62,"doFollowLinks":11,"showIndex":25,"showCallToActions":25,"articleType":14,"cover":52,"languages":63},"\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">Many companies and website owners have questions about privacy policies. When building a business or operating a website, this is not the most exciting part to be working on, but it is important to check this box. To make your life easier, we compiled a list of things you should take into account.\u003C/ContentEditable>\n\u003Cp>\u003Cimg class=\"mx-auto rounded-lg\" src=\"https://assets.simpleanalytics.com/gifs/get-over-with.gif\" />\u003C/p>\n\u003Col class=\"counters\">\u003Cli>\u003CNuxtLink to=\"#a-note-on-terminology\">A note on terminology\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#what-is-the-purpose-of-a-privacy-policy\">What is the purpose of a privacy policy?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#do-i-need-a-privacy-policy-for-google-analytics\">Do I need a privacy policy for Google Analytics?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#how-do-you-write-a-privacy-policy\">How do you write a privacy policy?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#an-example-of-a-layered-privacy-policy\">An example of a layered privacy policy\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#google-analytics-privacy-policy-template\">Google Analytics privacy policy template\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink 
to=\"#when-should-my-privacy-policy-be-displayed\">When should my privacy policy be displayed?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#what-information-should-my-privacy-policy-contain\">What information should my privacy policy contain?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#update-new-guidance-on-cookie-banners\">Update: new guidance on cookie banners\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#final-thoughts\">Final Thoughts\u003C/NuxtLink>\u003C/li>\u003C/ol>\u003CCtaOne />\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">Let&#39;s dive in!\u003C/ContentEditable>\n\u003CContentEditable  id=\"a-note-on-terminology\" parent=\"\" tag=\"h2\" :articleId=\"275\">A note on terminology\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">In everyday language, a privacy policy or privacy notice is a document that includes a bunch of legalese about the use of personal data. The two terms are often used interchangeably, but they are not exactly the same in legalese: a privacy \u003Cem>policy\u003C/em> is an internal document, while a privacy \u003Cem>notice\u003C/em> is written for users/customers/visitors etc.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">When people talk about a company&#39;s privacy policy, they are more often than not referring to a privacy notice. 
Even companies sometimes refer to their notices as policies: for instance, \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://policies.google.com/privacy?hl=en-US&utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">the privacy section of Google&#39;s terms\u003C/a> is referred to as a privacy policy.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">In this blog we will say &quot;privacy policy&quot; because we are not fans of strict legalese- but it is still good to know that policies and notices are not exactly the same.\u003C/ContentEditable>\n\u003CContentEditable  id=\"what-is-the-purpose-of-a-privacy-policy\" parent=\"\" tag=\"h2\" :articleId=\"275\">What is the purpose of a privacy policy?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">The primary purpose of a privacy policy is to inform the reader of \u003Cstrong>what you do with their data, how, and why\u003C/strong>. In the case of the website, a privacy policy will notify the visitor of the processing of their data and the purposes of the processing (website optimization, market analytics, etc.).\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">You should tell the reader what data you are processing, on what \u003CNuxtLink to=\"/blog/gdpr-consent-101#do-i-always-need-consent-under-the-gdpr\"  >legal basis\u003C/NuxtLink>, for what purpose, and so on. You should also inform the reader about \u003Cstrong>their rights\u003C/strong> under the GDPR (such as requesting the erasure of the data and filing a complaint). 
And you must facilitate the exercise of these rights by \u003Cstrong>providing a point of contact\u003C/strong> for any requests or questions they might have.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">Keep in mind that a privacy policy directly addresses the user of your service, or the visitor of your website. The information should be as clear and accessible as possible, so \u003Cstrong>use plain language and leave the jargon to the lawyers!\u003C/strong>\u003C/ContentEditable>\n\u003CContentEditable  id=\"do-i-need-a-privacy-policy-for-google-analytics\" parent=\"\" tag=\"h2\" :articleId=\"275\">Do I need a privacy policy for Google Analytics?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">\u003Cstrong>Yes, you do\u003C/strong>. Google Analytics collects cookies and IP addresses which are personal data under the GDPR. You also need consent to process cookies because they fall under the \u003CNuxtLink to=\"https://www.simpleanalytics.com/blog/cookies-101#how-are-cookies-regulated\">\u003Cstrong>ePrivacy Directive\u003C/strong>\u003C/NuxtLink>. This is the case for both first-party and third-party cookies (the latter are associated with a domain different from the one the user is visiting and tend to be more privacy-invasive).\u003C/ContentEditable>\n\u003CContentEditable  id=\"how-do-you-write-a-privacy-policy\" parent=\"\" tag=\"h2\" :articleId=\"275\">How do you write a privacy policy?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">It&#39;s not rocket science, but it is not simple, either. Your privacy policy needs to include many specific pieces of information to comply with Art. 13 GDPR. At the same time, it must be \u003Cstrong>concise, accessible, and clear\u003C/strong> to comply with Art. 
12(1) GDPR.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">It can be hard to include all the information required while keeping your policy simple and accessible, but a \u003Cstrong>layered approach\u003C/strong> can help you strike a balance. A layered privacy policy provides the most crucial information upfront. It refers the reader to other resources for more detailed information (for example, by linking to different pages or maybe to the relevant headers of a single, more extended notice).\u003C/ContentEditable>\n\u003Cp>\u003Cimg src=\"https://assets.simpleanalytics.com/blog/2022-how-to-add-google-analytics-to-your-privacy-policy/social-image-no-text-privacy-policy-for-web-analytics-no-text.png\" alt=\"how to add google analytics to your privacy policy\">\u003C/p>\n\u003CContentEditable  id=\"an-example-of-a-layered-privacy-policy\" parent=\"\" tag=\"h2\" :articleId=\"275\">An example of a layered privacy policy\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">First, a necessary disclaimer: \u003Cem>this is not legal advice and should not be taken as such. Every notice needs to be tailored to a specific website. Please don&#39;t copy-paste your notice from us or from anywhere else on the Internet! If you have some knowledge of privacy law, write one yourself. Otherwise, have an expert draft one for you.\u003C/em>\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">That being said, here&#39;s an example template for a layered privacy policy:\u003C/ContentEditable>\n\u003Cblockquote>\n\u003Cp>We at awesomewebsite.com use Google Analytics to collect data. We need this data to understand how you use our website so we can improve its design and functionality. 
We also need the data to get the most out of our marketing campaigns.\u003C/p>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">With your consent, Google Analytics will process and collect your personal data (cookies and IP address) to give us valuable information. Google Analytics will transfer your data to the United States and store it for 6 months. To learn more about Google&#39;s data transfer policies, click \u003Cstrong>here\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">You have certain rights over your data: for example, you can require us to delete them or to provide you with a copy. We take responsibility for the processing of your data. We are available to answer any question and handle any request from you. Click \u003Cstrong>here\u003C/strong> to read more about your rights and to find how you can get in touch with us.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">Please express your cookie preference:\u003C/ContentEditable>\n\u003Col>\n\u003Cli>I consent to the processing of non-essential cookies\u003C/li>\n\u003Cli>I refuse the processing of non-essential cookies\nWe will not read or write cookies without your consent.\u003C/li>\n\u003C/ol>\n\u003C/blockquote>\n\u003CContentEditable  id=\"google-analytics-privacy-policy-template\" parent=\"\" tag=\"h2\" :articleId=\"275\">Google Analytics privacy policy template\u003C/ContentEditable>\n\u003Cblockquote>\u003CContentEditable  parent=\"blockquote\" tag=\"p\" :articleId=\"275\">We at awesomewebsite.com use Google Analytics to collect data. We need this data to understand how you use our website so we can improve its design and functionality. 
We also need the data to get the most out of our marketing campaigns.\u003C/ContentEditable>\u003C/blockquote>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">You must include \u003Cstrong>all\u003C/strong> the purposes for which you process the data and clearly distinguish between them. This is just an example: if you collect personal data for other purposes as well, you should mention that.\u003C/ContentEditable>\n\u003Cblockquote>\u003CContentEditable  parent=\"blockquote\" tag=\"p\" :articleId=\"275\">With your consent, Google Analytics will process and collect your personal data (cookies and IP address) to give us valuable information. Google Analytics will transfer your data to the United States and store it for x months. To learn more about Google&#39;s data transfer policies, click \u003Cstrong>here\u003C/strong>.\u003C/ContentEditable>\u003C/blockquote>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">The link is where you can explain that Google Ireland Ltd. transfers data to Google LLC and that they are using standard contractual clauses to safeguard the data. You should clarify what that means in plain language. For example:\u003C/ContentEditable>\n\u003Cblockquote>\u003CContentEditable  parent=\"blockquote\" tag=\"p\" :articleId=\"275\">Standard contractual clauses are legal clauses written by the European Commission. They are part of a contract between Google Ireland Ltd. and Google LLC, and Google LLC must follow them. 
Standard contractual clauses tell Google LLC what it can and cannot do with your data.\u003C/ContentEditable>\u003C/blockquote>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">There is no need to reproduce the content of the clauses, but you could provide a link to Google&#39;s own documentation.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">Please note that \u003Cstrong>providing this information does not make the data transfer lawful\u003C/strong>. Google Analytics is practically banned in four EU countries (Austria, France, Italy and Denmark) because the data transfers between Google Ireland and Google LLC were found to violate Chapter V of the GDPR, and more countries may follow. \u003Cstrong>There is nothing you can realistically do about this\u003C/strong>: if you use Google Analytics, you are accepting a compliance risk. We wrote more about the topic \u003CNuxtLink to=\"/\"  >here\u003C/NuxtLink>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">As a result of this, a debate has sparked on whether all versions of Google Analytics are found to be unlawful or only the current version (universal analytics). The short answer is that the violations apply to both versions of Google Analytics. We&#39;ve written about this more extensively in \u003CNuxtLink to=\"/\"  >this blog\u003C/NuxtLink>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">\u003Cem>(Update: the situation is a little more unclear now due to a new EU-US data transfer framework implemented in 2023. The long legal saga of data transfers is not quite over yet, as the new framework has already been challenged before the EU Court of Justice. 
In all likelihood, the framework will not survive the Court&#39;s scrutiny, and we will all be back to square one- with data transfers being a major problem for EU companies)\u003C/em>\u003C/ContentEditable>\n\u003Cblockquote>\u003CContentEditable  parent=\"blockquote\" tag=\"p\" :articleId=\"275\">You have certain rights over your data: for example, you can require us to delete them or to provide you with a copy. We take responsibility for the processing of your data. We are available to answer any question and handle any request from you. Click \u003Cstrong>here\u003C/strong> to read more about your rights and to find out how you can get in touch with us.\u003C/ContentEditable>\u003C/blockquote>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">This is where you can include information on the right of access, the right to withdraw consent, the right to erasure, the right to lodge a complaint in the Member State where the reader lives or works, and possibly the right to object. If you are processing personal data without consent, be careful to specify which categories of data the user can request you to erase. And clarify that you are responsible for handling requests, not Google.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">You always need to provide contact information for your organization, and if you have a DPO and an EU representative, you must also provide a contact for them. Contact information is really important in practice. Don&#39;t just fill in an email and forget about it: \u003Cstrong>make sure requests are forwarded to someone who will actually handle them!\u003C/strong> Companies are often fined for failing to respond to requests promptly.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">If you have a DPO, direct the user to them for any requests- handling them is part of the DPO&#39;s job. 
If you don&#39;t have a DPO, then it is good practice to make someone in your organization responsible for responding to requests. Provide a direct contact for them in your privacy policy so that requests don&#39;t get overlooked among the organization&#39;s mail.\u003C/ContentEditable>\n\u003Cblockquote>\n\u003Cp>Please express your cookie preference:\u003C/p>\n\u003Cul>\n\u003Cli>I consent to the processing of non-essential cookies\u003C/li>\n\u003Cli>I refuse the processing of non-essential cookies\nWe will not read or write cookies without your consent.\u003C/li>\n\u003C/ul>\n\u003C/blockquote>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">This choice must be presented in clear, non-deceiving terms: \u003Cstrong>yes or no\u003C/strong>. If the user says &quot;no,&quot; \u003Cstrong>respect their decision\u003C/strong> and don&#39;t show them the cookie banner again.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">A user might want to agree to cookies for specific purposes; for example, they may accept first-party cookies for website optimization and refuse third-party marketing cookies. Including a &quot;customize&quot; option is acceptable if the option to refuse all cookies is \u003Cstrong>visible, easily accessible, and clearly worded\u003C/strong>. Don&#39;t force users to run through five different cookie settings to say &quot;no,&quot; and don&#39;t force confusing choices like &quot;accept&quot; versus &quot;customize.&quot;\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">Many companies don&#39;t design the cookie banners themselves and rely on a \u003Cstrong>consent-management platform\u003C/strong> instead. 
The same suggestions apply: in a nutshell, make sure your cookie banners are clear and allow users to refuse consent easily.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">Finally, if you collect some personal data without consent, you should also include that information. For example, you could add a last bit such as:\u003C/ContentEditable>\n\u003Cblockquote>\u003CContentEditable  parent=\"blockquote\" tag=\"p\" :articleId=\"275\">We will still collect some data if you do not consent. Click \u003Cstrong>here\u003C/strong> to learn more.\u003C/ContentEditable>\u003C/blockquote>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">In the link, you can specify what data you collect and on what legal basis.\u003C/ContentEditable>\n\u003CContentEditable  id=\"when-should-my-privacy-policy-be-displayed\" parent=\"\" tag=\"h2\" :articleId=\"275\">When should my privacy policy be displayed?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">If you are using Google Analytics, your privacy policy should be displayed as soon as the user lands on your website. You should also include it on your website so that returning users can access the information easily.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">From a practical standpoint, it makes sense to merge your policy with your cookie banner, as we did in our template. You need a cookie banner anyway, and one annoying pop-up is better than two.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">On a side note, under the GDPR, withdrawing consent should be as easy as it is to give it. So your website should allow users to \u003Cstrong>withdraw consent easily\u003C/strong> in some way. It doesn&#39;t really matter how, as long as the option is hassle-free and easily accessible. 
So it might be convenient to include an \u003Cstrong>opt-out button\u003C/strong> or a similar option in the policy displayed on your website. But please remember that this opt-out mechanism \u003Cstrong>cannot itself collect consent\u003C/strong>: you still need to do that in your cookie banner!\u003C/ContentEditable>\n\u003CContentEditable  id=\"what-information-should-my-privacy-policy-contain\" parent=\"\" tag=\"h2\" :articleId=\"275\">What information should my privacy policy contain?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">\u003Cstrong>Your privacy policy should contain all the information required by Art. 13 GDPR\u003C/strong>. In Google Analytics&#39; case, that would be:\u003C/ContentEditable>\n\u003Cul>\n\u003Cli>the purpose and legal basis for the processing\u003C/li>\n\u003Cli>contact details for the controller, the DPO, and the EU representative (if applicable)\u003C/li>\n\u003Cli>the reader&#39;s data rights (including the right to file a complaint with a privacy authority)\u003C/li>\n\u003Cli>whether the data will be disclosed to third parties\u003C/li>\n\u003Cli>whether the data will be transferred outside the US, and with what safeguards\u003C/li>\n\u003Cli>how long the data will be stored\u003C/li>\n\u003C/ul>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">You can think of Art. 13 as a \u003Cstrong>checklist\u003C/strong> you can go through to ensure your policy is compliant. In fact, we wrote our template with this article in mind. 
But covering all of the information is not enough: as we said, this information needs to be provided in a clear and accessible form.\u003C/ContentEditable>\n\u003CContentEditable  id=\"update-new-guidance-on-cookie-banners\" parent=\"\" tag=\"h2\" :articleId=\"275\">Update: new guidance on cookie banners\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">In 2023 the European Data Protection Board (that is, the body that brings European privacy watchdogs together) issued some \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://edpb.europa.eu/our-work-tools/our-documents/other/report-work-undertaken-cookie-banner-taskforce_en?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">recommendations\u003C/a> on cookie banners. If you want to use Google Analytics on your website, these recommendations (and \u003CNuxtLink to=\"/blog/eu-task-force-cracks-down-on-cookie-banners\"  >our blog\u003C/NuxtLink> about them) are a worthwhile read.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">Bottom line: the Board (more exactly, its task force) did not reach complete consensus, but the majority agreed that cookie banners need \u003Cstrong>an easily visible and clearly worded &quot;reject button&quot; in the first layer\u003C/strong>. In other words, you need to give users \u003Cstrong>a fair and transparent choice\u003C/strong> rather than nudging them to accept everything through convoluted and deceiving interface design.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">This aligns nicely with what we wrote beforehand about not forcing confusing choices on your users. We don&#39;t have a crystal ball: all of this is really common sense. 
And it&#39;s nice to see that the EDPB is finally taking a stance against \u003CNuxtLink to=\"/blog/content-jujutsu\"  >consent Jujutsu\u003C/NuxtLink> practices that have been commonplace for years.\u003C/ContentEditable>\n\u003CContentEditable  id=\"final-thoughts\" parent=\"\" tag=\"h2\" :articleId=\"275\">Final Thoughts\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">Our template provides the information as part of a cookie banner because it&#39;s convenient. But to be clear, \u003Cstrong>a privacy policy is not just about cookies\u003C/strong>: if you are collecting any other personal data, you must also inform the user about that.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">One last word: when it comes to privacy, there is a \u003Cstrong>big gap between theory and practice\u003C/strong>. Many websites provide less comprehensive information than required, and very few websites allow consent to be withdrawn easily. So you might get away with it, but you would still not be GDPR compliant.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">Bottom line: Omit the required information at your own peril (and feel bad about yourself).\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">... what if (most of) this isn&#39;t necessary in the first place?\u003Cbr>...what if there is an analytics tool that provides web analytics without the need for an extensive privacy policy?\u003Cbr>...what if you can gather insights into your website traffic without needing a cookie banner?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"275\">Yep, that&#39;s possible... we created \u003CNuxtLink to=\"/\"  >Simple Analytics\u003C/NuxtLink> with this in mind. We wanted to create a web analytics tool that provided insights into website traffic without needing cookies to collect personal data. 
We believe in creating an independent web that is friendly to website visitors. If this resonates with you, feel free to \u003CNuxtLink to=\"/signup\"  >give us a try\u003C/NuxtLink>.\u003C/ContentEditable>\n","How to add Google Analytics to your privacy policy?","Many companies and website owners have questions about privacy policies. When building a business or operating a website, this is not the most exciting part to be working on, but it is important to check this box. To make your life easier, we compiled a list of things you should take into account.\n\n{% include gif.html slug=\"get-over-with\" alt=\"Spy Kids: Get over with\" width=\"480\" height=\"270\" color=\"#291d21\" %}\n\n{{tableofcontents}}\n\nLet's dive in!\n\n## A note on terminology\n\nIn everyday language, a privacy policy or privacy notice is a document that includes a bunch of legalese about the use of personal data. The two terms are often used interchangeably, but they are not exactly the same in legalese: a privacy _policy_ is an internal document, while a privacy _notice_ is written for users/customers/visitors etc.\n\nWhen people talk about a company's privacy policy, they are more often than not referring to a privacy notice. Even companies sometimes refer to their notices as policies: for instance, [the privacy section of Google's terms](https://policies.google.com/privacy?hl=en-US) is referred to as a privacy policy.\n\nIn this blog we will say \"privacy policy\" because we are not fans of strict legalese- but it is still good to know that policies and notices are not exactly the same.\n\n## What is the purpose of a privacy policy?\n\nThe primary purpose of a privacy policy is to inform the reader of **what you do with their data, how, and why**. 
In the case of the website, a privacy policy will notify the visitor of the processing of their data and the purposes of the processing (website optimization, market analytics, etc.).\n\nYou should tell the reader what data you are processing, on what [legal basis](https://www.simpleanalytics.com/blog/gdpr-consent-101#do-i-always-need-consent-under-the-gdpr), for what purpose, and so on. You should also inform the reader about **their rights** under the GDPR (such as requesting the erasure of the data and filing a complaint). And you must facilitate the exercise of these rights by **providing a point of contact** for any requests or questions they might have.\n\nKeep in mind that a privacy policy directly addresses the user of your service, or the visitor of your website. The information should be as clear and accessible as possible, so **use plain language and leave the jargon to the lawyers!**\n\n## Do I need a privacy policy for Google Analytics?\n\n**Yes, you do**. Google Analytics collects cookies and IP addresses which are personal data under the GDPR. You also need consent to process cookies because they fall under the [**ePrivacy Directive**](https://www.simpleanalytics.com/blog/cookies-101#how-are-cookies-regulated). This is the case for both first-party and third-party cookies (the latter are associated with a domain different from the one the user is visiting and tend to be more privacy-invasive).\n\n## How do you write a privacy policy?\n\nIt's not rocket science, but it is not simple, either. Your privacy policy needs to include many specific pieces of information to comply with Art. 13 GDPR. At the same time, it must be **concise, accessible, and clear** to comply with Art. 12(1) GDPR.\n\nIt can be hard to include all the information required while keeping your policy simple and accessible, but a **layered approach** can help you strike a balance. A layered privacy policy provides the most crucial information upfront. 
It refers the reader to other resources for more detailed information (for example, by linking to different pages or maybe to the relevant headers of a single, more extended notice).\n\n![how to add google analytics to your privacy policy](https://assets.simpleanalytics.com/blog/2022-how-to-add-google-analytics-to-your-privacy-policy/social-image-no-text-privacy-policy-for-web-analytics-no-text.png)\n\n## An example of a layered privacy policy\n\nFirst, a necessary disclaimer: _this is not legal advice and should not be taken as such. Every notice needs to be tailored to a specific website. Please don't copy-paste your notice from us or from anywhere else on the Internet! If you have some knowledge of privacy law, write one yourself. Otherwise, have an expert draft one for you._\n\nThat being said, here's an example template for a layered privacy policy:\n\n> We at awesomewebsite.com use Google Analytics to collect data. We need this data to understand how you use our website so we can improve its design and functionality. We also need the data to get the most out of our marketing campaigns.\n>\n> With your consent, Google Analytics will process and collect your personal data (cookies and IP address) to give us valuable information. Google Analytics will transfer your data to the United States and store it for 6 months. To learn more about Google's data transfer policies, click **here**.\n>\n> You have certain rights over your data: for example, you can require us to delete them or to provide you with a copy. We take responsibility for the processing of your data. We are available to answer any question and handle any request from you. Click **here** to read more about your rights and to find how you can get in touch with us.\n>\n> Please express your cookie preference:\n>\n> 1.  I consent to the processing of non-essential cookies\n> 2.  
I refuse the processing of non-essential cookies\n>     We will not read or write cookies without your consent.\n\n## Google Analytics privacy policy template\n\n> We at awesomewebsite.com use Google Analytics to collect data. We need this data to understand how you use our website so we can improve its design and functionality. We also need the data to get the most out of our marketing campaigns.\n\nYou must include **all** the purposes for which you process the data and clearly distinguish between them. This is just an example: if you collect personal data for other purposes as well, you should mention that.\n\n> With your consent, Google Analytics will process and collect your personal data (cookies and IP address) to give us valuable information. Google Analytics will transfer your data to the United States and store it for x months. To learn more about Google's data transfer policies, click **here**.\n\nThe link is where you can explain that Google Ireland Ltd. transfers data to Google LLC and that they are using standard contractual clauses to safeguard the data. You should clarify what that means in plain language. For example:\n\n> Standard contractual clauses are legal clauses written by the European Commission. They are part of a contract between Google Ireland Ltd. and Google LLC, and Google LLC must follow them. Standard contractual clauses tell Google LLC what it can and cannot do with your data.\n\nThere is no need to reproduce the content of the clauses, but you could provide a link to Google's own documentation.\n\nPlease note that **providing this information does not make the data transfer lawful**. Google Analytics is practically banned in four EU countries (Austria, France, Italy and Denmark) because the data transfers between Google Ireland and Google LLC were found to violate Chapter V of the GDPR, and more countries may follow. 
**There is nothing you can realistically do about this**: if you use Google Analytics, you are accepting a compliance risk. We wrote more about the topic [here](/blog/is-google-analytics-illegal-in-europe).\n\nAs a result, a debate has been sparked over whether all versions of Google Analytics are unlawful or only the current version (Universal Analytics). The short answer is that the violations apply to both versions of Google Analytics. We've written about this more extensively in [this blog](/blog/is-google-analytics-4-gdpr-compliant).\n\n_(Update: the situation is a little less clear now due to a new EU-US data transfer framework implemented in 2023. The long legal saga of data transfers is not quite over yet, as the new framework has already been challenged before the EU Court of Justice. In all likelihood, the framework will not survive the Court's scrutiny, and we will all be back to square one, with data transfers being a major problem for EU companies.)_\n\n> You have certain rights over your data: for example, you can require us to delete them or to provide you with a copy. We take responsibility for the processing of your data. We are available to answer any question and handle any request from you. Click **here** to read more about your rights and to find out how you can get in touch with us.\n\nThis is where you can include information on the right of access, the right to withdraw consent, the right to erasure, the right to lodge a complaint in the Member State where the reader lives or works, and possibly the right to object. If you are processing personal data without consent, be careful to specify which categories of data the user can request you to erase. And clarify that you are responsible for handling requests, not Google.\n\nYou always need to provide contact information for your organization, and if you have a DPO and an EU representative, you must also provide a contact for them. 
Contact information is really important in practice. Don't just fill in an email and forget about it: **make sure requests are forwarded to someone who will actually handle them!** Companies are often fined for failing to respond to requests promptly.\n\nIf you have a DPO, direct the user to them for any requests: handling them is part of the DPO's job. If you don't have a DPO, then it is good practice to make someone in your organization responsible for responding to requests. Provide a direct contact for them in your privacy policy so that requests don't get overlooked among the organization's mail.\n\n> Please express your cookie preference:\n>\n> - I consent to the processing of non-essential cookies\n> - I refuse the processing of non-essential cookies\n>   We will not read or write cookies without your consent.\n\nThis choice must be presented in clear, non-deceptive terms: **yes or no**. If the user says \"no,\" **respect their decision** and don't show them the cookie banner again.\n\nA user might want to agree to cookies for specific purposes; for example, they may accept first-party cookies for website optimization and refuse third-party marketing cookies. Including a \"customize\" option is acceptable if the option to refuse all cookies is **visible, easily accessible, and clearly worded**. Don't force users to run through five different cookie settings to say \"no,\" and don't force confusing choices like \"accept\" versus \"customize.\"\n\nMany companies don't design the cookie banners themselves and rely on a **consent-management platform** instead. The same suggestions apply: in a nutshell, make sure your cookie banners are clear and allow users to refuse consent easily.\n\nFinally, if you collect some personal data without consent, you should also include that information. For example, you could add a last bit such as:\n\n> We will still collect some data if you do not consent. 
Click **here** to learn more.\n\nIn the link, you can specify what data you collect and on what legal basis.\n\n## When should my privacy policy be displayed?\n\nIf you are using Google Analytics, your privacy policy should be displayed as soon as the user lands on your website. You should also include it on your website so that returning users can access the information easily.\n\nFrom a practical standpoint, it makes sense to merge your policy with your cookie banner, as we did in our template. You need a cookie banner anyway, and one annoying pop-up is better than two.\n\nOn a side note, under the GDPR, withdrawing consent should be as easy as it is to give it. So your website should allow users to **withdraw consent easily** in some way. It doesn't really matter how, as long as the option is hassle-free and easily accessible. So it might be convenient to include an **opt-out button** or a similar option in the policy displayed on your website. But please remember that this opt-out mechanism **cannot itself collect consent**: you still need to do that in your cookie banner!\n\n## What information should my privacy policy contain?\n\n**Your privacy policy should contain all the information required by Art. 13 GDPR**. In Google Analytics' case, that would be:\n\n- the purpose and legal basis for the processing\n- contact details for the controller, the DPO, and the EU representative (if applicable)\n- the reader's data rights (including the right to file a complaint with a privacy authority)\n- whether the data will be disclosed to third parties\n- whether the data will be transferred outside the US, and with what safeguards\n- how long the data will be stored\n\nYou can think of Art. 13 as a **checklist** you can go through to ensure your policy is compliant. In fact, we wrote our template with this article in mind. 
But covering all of the information is not enough: as we said, this information needs to be provided in a clear and accessible form.\n\n## Update: new guidance on cookie banners\n\nIn 2023 the European Data Protection Board (that is, the body that brings European privacy watchdogs together) issued some [recommendations](https://edpb.europa.eu/our-work-tools/our-documents/other/report-work-undertaken-cookie-banner-taskforce_en) on cookie banners. If you want to use Google Analytics on your website, these recommendations (and [our blog](https://www.simpleanalytics.com/blog/eu-task-force-cracks-down-on-cookie-banners) about them) are a worthwhile read.\n\nBottom line: the Board (more exactly, its task force) did not reach complete consensus, but the majority agreed that cookie banners need **an easily visible and clearly worded \"reject button\" in the first layer**. In other words, you need to give users **a fair and transparent choice** rather than nudging them to accept everything through convoluted and deceiving interface design.\n\nThis aligns nicely with what we wrote beforehand about not forcing confusing choices on your users. We don't have a crystal ball: all of this is really common sense. And it's nice to see that the EDPB is finally taking a stance against [consent Jujutsu](https://www.simpleanalytics.com/blog/content-jujutsu) practices that have been commonplace for years.\n\n## Final Thoughts\n\nOur template provides the information as part of a cookie banner because it's convenient. But to be clear, **a privacy policy is not just about cookies**: if you are collecting any other personal data, you must also inform the user about that.\n\nOne last word: when it comes to privacy, there is a **big gap between theory and practice**. Many websites provide less comprehensive information than required, and very few websites allow consent to be withdrawn easily. 
So you might get away with it, but you would still not be GDPR compliant.\n\nBottom line: Omit the required information at your own peril (and feel bad about yourself).\n\n...what if (most of) this isn't necessary in the first place?\\\n...what if there is an analytics tool that provides web analytics without the need for an extensive privacy policy?\\\n...what if you can gather insights into your website traffic without needing a cookie banner?\n\nYep, that's possible... we created [Simple Analytics](https://www.simpleanalytics.com/) with this in mind. We wanted to create a web analytics tool that provided insights into website traffic without needing cookies to collect personal data. We believe in creating an independent web that is friendly to website visitors. If this resonates with you, feel free to [give us a try](https://www.simpleanalytics.com/signup).",{"alt":46,"caption":47,"small":48,"medium":49,"large":50,"original":51,"averageColorHex":-1,"isDark":11},"Privacy Policy For Google Analytics.png",null,"https://cms-assets.simpleanalytics.com/small_privacy_policy_for_google_analytics_text_d9a4f6e096.png","https://cms-assets.simpleanalytics.com/medium_privacy_policy_for_google_analytics_text_d9a4f6e096.png","https://cms-assets.simpleanalytics.com/large_privacy_policy_for_google_analytics_text_d9a4f6e096.png","https://cms-assets.simpleanalytics.com/privacy_policy_for_google_analytics_text_d9a4f6e096.png",{"alt":46,"caption":47,"small":53,"medium":54,"large":55,"original":56,"averageColorHex":-1,"isDark":11},"https://cms-assets.simpleanalytics.com/small_privacy_policy_for_google_analytics_no_text_94a33175c6.png","https://cms-assets.simpleanalytics.com/medium_privacy_policy_for_google_analytics_no_text_94a33175c6.png","https://cms-assets.simpleanalytics.com/large_privacy_policy_for_google_analytics_no_text_94a33175c6.png","https://cms-assets.simpleanalytics.com/privacy_policy_for_google_analytics_no_text_94a33175c6.png",{"data":47},275,"Adding a privacy policy 
is not the most exciting part of operating your website. However, it is an essential one. This article outlines what to include to make your life easier","how-to-add-google-analytics-to-your-privacy-policy","2022-11-08T00:00:00.000Z","2024-04-16T12:14:31.129Z",{"en":64,"de":65,"fr":67,"it":69,"es":71,"nl":73},{"slug":60},{"slug":66},"wie-kann-ich-google-analytics-in-meine-datenschutzrichtlinie-aufnehmen",{"slug":68},"comment-ajouter-google-analytics-a-votre-politique-de-confidentialite",{"slug":70},"come-aggiungere-google-analytics-alla-vostra-informativa-sulla-privacy",{"slug":72},"como-anadir-google-analytics-a-su-politica-de-privacidad",{"slug":74},"hoe-voegt-u-google-analytics-toe-aan-uw-privacybeleid"]