GDPR and Cookie regulation impact on your website and Google Analytics

Written by Sherlock Holmes

I recently posted a post on LinkedIn regarding how to handle cookie setting to comply with the new GDPR regulations going into effect May 25, 2018.

Here is more information about GDPR and websites using Google Analytics.

You've probably already heard about the GDPR and cookie regulation from the European Commission that goes into effect on May 25, 2018. If not, you can find more information at the following sites:

  • https://www.smartbiz.be/achtergrond/167961/de-gdpr-wetgeving-uitgelegd-vijf-vragen/
  • https://www.net-it.be/gdpr-in-een-notendop/
  • https://www.techne.be/blog/gdpr-welke-impact-heeft-het-op-kmo%E2%80%99s-en-vzws/
  • http://ec.europa.eu/justice/smedataprotect/index_en.htm

So GDPR applies not only to large companies but to all companies and organizations, regardless of their size, that meet its criteria:

  • Based in the EU
  • Collects personal data and/or monitors the behavior of EU citizens

However, what does this mean for you and your website now? After all, you are required to inform visitors on your website about:

  • How you collect data
  • How personal data is stored

Here, many companies establish an approach with a roadmap (10 to 13 steps) for collecting, storing and using personal data. For this, clear permission must be given by the visitor or user of the website on their first visit to the website. Personal data are divided into three categories:

  • Personal data such as NAW data (name, address, place of residence), IP address and device IDs (smartphones and tablets)
  • Pseudo-anonymous data: personal data that is processed in such a way that it can no longer be traced to a person without additional information, but that still singles out an individual, such as an encrypted e-mail address or user ID.
  • Anonymous data.

Your website uses tracking scripts for Google Analytics. The data collected via these tracking IDs falls under the GDPR because, combined with additional information, it can be traced to a person and singles out an individual (this applies especially to personal data and pseudo-anonymous data). So officially, you are not allowed to use tracking scripts by default. But if you state on the website what data is collected and for what purposes it is used, it is allowed. In the past, you could mostly accommodate this with a cookie wall or an implicit opt-in, where you told the visitor that he automatically agrees to the use of these tracking scripts by continuing to use the site. As of May 25, however, this will no longer be the case.

So action must be taken. And this is where the story actually begins. In addition to GDPR, there will be additional legislation. In fact, the cookie law is also being completely replaced by an ePrivacy law. But the GDPR already affects what you are allowed to collect and in what ways. It is therefore important to review tracking scripts and cookies, check them against the new guidelines, and incorporate them into the cookie notification where appropriate. Several forms apply here. An explanation follows:

Level 1: data collection

What?

To make using a website as easy as possible, technical and functional cookies are used to keep track of certain choices and/or selections made during a previous visit to the website. These ensure that certain choices and/or selections do not have to be set over and over again.

In addition, analytical cookies are also used that track how visitors use the website, which pages they visit, … These help to improve the website, create new content, … These analytical cookies do not store any personal information.

Approach !

The collection of data and the storage of these cookies cannot be refused, since otherwise one cannot visit the website. And since Google Analytics is installed on your website, action must be taken here. Google Tag Manager is also installed on your site, which makes this even easier. The following should be provided:

  • Changes in the use of Google Analytics:
    • Adjust the Google Analytics configuration and re-enter into the processor agreement with Google.
  • Process IP addresses anonymously:
    • Use Google Tag Manager to remove the last part of the IP address of website visitors so that they become anonymous.
  • Inform about the use of Google Analytics:
    • Inform the visitor that:
      • Google Analytics cookies are used
      • A processor agreement is in place
      • The data is processed anonymously
      • ‘Data sharing’ is disabled
      • No other Google services are used in conjunction with Google Analytics cookies.

Level 2: personalization of data

What?

Some sites are set up to track past site visits and visitor behavior in a “customer profile.” This way, one can personalize the site by visitor or type of visitor to show more relevant information. Here I am thinking, among other things, of specific banners on the homepage, promotions that may be of interest to the visitor, custom site structure, …

Approach !
Since this is more specific and does not apply to most sites we will not go into detail here. More info? Contact us.

Level 3: data sharing with third parties

What?

Some websites use functionalities such as plug-ins offered by third parties or third-party tracking scripts. Some examples include:

  • Social share and like buttons
  • Social commenting functionalities
  • Video players
  • Display of relevant ads on the Internet

Approach !

So here it gets a little more difficult. If one or more pages of the site have a video player (YouTube, Vimeo, …) or social share buttons, then your website also falls into the category of level 3. If the website visitor refuses this option, these elements should either no longer be shown or be discontinued.

Another possibility is that your website uses functional tools or marketing tools such as: Facebook pixel, Hotjar, Google Remarketing, … In this case, if this option is refused by the website visitor, they must be stopped.
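
The decision logic behind the three levels, as an added example that is not part of the original article: level 1 always runs, levels 2 and 3 run only after an explicit opt-in, and a tag that is already running is stopped when its level is refused. The cookie format `l2=…&l3=…`, the function names and the personalization tag name are assumptions; the other tag names are the tools mentioned above.

```javascript
// Added example (not from the original article). Tag list and cookie format
// are constructed for illustration.
const TAGS = [
  { name: 'Google Analytics (IP anonymized)', level: 1 },
  { name: 'Homepage personalization', level: 2 },
  { name: 'YouTube player', level: 3 },
  { name: 'Facebook pixel', level: 3 },
  { name: 'Hotjar', level: 3 },
  { name: 'Google Remarketing', level: 3 },
];

// Parse a stored choice such as "l2=0&l3=1". A missing or malformed value
// means no consent for levels 2 and 3: there is no implicit opt-in.
function parseConsent(raw) {
  const denied = { 2: false, 3: false };
  if (typeof raw !== 'string' || raw === '') return denied;
  const consent = { ...denied };
  for (const pair of raw.split('&')) {
    const m = /^l([23])=([01])$/.exec(pair);
    if (!m) return denied; // tampered or outdated cookie: ask again
    consent[Number(m[1])] = m[2] === '1';
  }
  return consent;
}

// Compare what is running with what the visitor allows, and return the tags
// to start and the tags to stop (for example after consent is withdrawn).
function reconcile(running, consent) {
  const allowed = TAGS
    .filter(t => t.level === 1 || consent[t.level] === true)
    .map(t => t.name);
  return {
    start: allowed.filter(name => !running.includes(name)),
    stop: running.filter(name => !allowed.includes(name)),
  };
}

// First visit, no stored choice: only level 1 may start.
console.log(reconcile([], parseConsent(undefined)));
// Visitor later refuses level 3 while a video player and Hotjar are active.
console.log(reconcile(
  ['Google Analytics (IP anonymized)', 'Hotjar', 'YouTube player'],
  parseConsent('l2=0&l3=0')));
```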

Conclusion

As you can see, the intent is not always general and compliance is not always obviously possible. With Google Tag Manager, however, we can configure this so that this requirement can also be met.

Specifically, this means that actions are needed to get your website in order, because there are also penalties involved. For level 1 consent, an adjustment should be made anyway. For level 3 consent, the functionalities used should be reviewed in order to determine an approach from there.

More info? Contact us or book an appointment at www.calendly.com/jefvangool


