Over 30 million sites use Google Analytics, so many marketers no doubt have the same question: is Google Analytics LGPD compliant?
The answer is "yes", but you should ask for consent first.
To make your GA usage LGPD-compliant, then, there are a couple steps you need to take, which are detailed below. The information pertains specifically to Google Analytics browser/website tracking - not to Google’s Firebase SDK, a tool for in-app analysis.
Please note, we are not a law firm. Please view this as informational, not legal advice, and speak to a lawyer before coming to a conclusion.
Table of Contents:
The LGPD is a Brazilian privacy law going into effect August 1, 2021. The LGPD regulates, amongst other things, how organizations may obtain, use, and store the personal data of Brazilian residents. For a detailed overview, read our LGPD summary. Its key highlights are:
Google Analytics is a free website tool that collects anonymized data on site visitors, aggregates it, and offers reports on where the traffic is coming from, what pages they browsed, for how long, etc.
As such, since you are sharing your visitors’ PII with a third-party, this is information you must disclose to users.
The answer is likely "yes" - since it involves the collection/sharing of PII - but do know there's no 100% clear answer to this, as Google Analytics is not mentioned in the text.
Regardless of whether you choose to ask for consent or not, there are still steps you need to take to be fully compliant. Those actions are listed below.
It must also detail - for every data use case - what information is being collected, why, how, and to whom it’s sent.
"We use Google Analytics for aggregated, anonymized website traffic analysis. In order to track your session usage, Google drops a cookie (ga) with a randomly-generated ClientID in your browser. This ID is anonymized and contains no identifiable information like email, phone number, name, etc. We also send Google your IP Address. We use GA to track aggregated website behavior, such as what pages you looked at, for how long, and so on. This information is important to us for improving the user experience and determining site effectiveness. If you would like to access what browsing information we have - or ask us to delete any GA data - please delete your ga cookies, reach out to us via this form, and/or install the Google Analytics Opt-Out Browser Add-On."
Understanding the LGPD’s data rights isn’t difficult: if they ask to delete or see their data, you must do it. This includes any Google Analytics data you or Google has on them.
What’s more complicated is figuring out how to honor that request from a technical standpoint. Even this is doable, though, and below lists multiple ways to delete or access their GA data.
First, ask the user to provide their Google Analytics ClientID. To find this, they’ll need to go to their browser’s settings and manually look at what cookies are stored. They should find one named
_ga, which is the Google Analytics cookie, and within it is a string like
The user’s ClientID are the numbers before and after the final period (in this case,
318596131.1556642125). If they have multiple
_ga cookies on their browser, they should send all of the ClientIDs.
If you are relying on UserIDs instead of ClientIDs (the differences are here), then you must grab the ID yourself (for instance, if you know their email and have their UserID tied to it).
Next, use Google's User Explorer Report to pull any data associated with this ClientID or UserID, and then send that user this information.
Alternatively, you could use Google's User Activity API to pull the data. The API Response will look like:
_gacookies on their browser. This would delete their cookie’s ClientID
Alternatively you could use Google's User Deletion API and their ClientID/UserID to delete any data Google has on them.
Without doing this step, Google would store that user's data for 26 months, violating the LGPD deletion request. So you must manually delete their data via one of these steps should they request it.
This would be applicable if you are asking for consent before sending the user's anonymized data to Google. In this case, you would need to block the GA tag for non-consenting users.
What happens if Google Analytics somehow gets breached? Google would send an email to you first, but it’s on you to then contact your affected users. If you don't already have a plan in place, the UK’s Information Commission Office has a great guide on what you need to do. It was created for the GDPR but is just as applicable to the LGPD.
Fortunately, Google has been very proactive in regards to these laws, as noted in their security compliance page. Their actions include:
Nonetheless, there are still actions to take to limit what data you send Google.
https://email@example.com a form fill-out, as they would be sent to GA
_gacookie lasts on the user’s browser for 24 months. Fortunately, you can set this expiration period to whatever you want via the
cookieExpiresparameter in the GA tag. For instance, hardcoding it to
0turns it into a session-based cookie, and the ClientID will expire when they exit the site
To use Google Analytics and stay LGPD compliant, you'll need to:
Of course, further rulings may make this information obsolete, so we’ll track and report on any obvious changes.
Chris has worked in ad tech for over fourteen years in a variety of roles - giving him customer support, PM, and marketing perspectives from both the advertiser and publisher sides. He's the VP of Marketing at Kevel.