How to Become GDPR-Compliant With Google Analytics, Email Marketing, and FB Ads


There has been a lot of buzz around GDPR lately as D-day (25th May) approaches, although digital marketing companies and many businesses have been contributing to the hue and cry around it for a long time.

So, the big question is: what is GDPR (followed by many bigger questions)?

GDPR stands for General Data Protection Regulation. It is a regulation in EU law on data protection and individual privacy that would become enforceable on 25th May 2018. The law was adopted in 2016 and, once enforced, would replace the 23-year-old EU legal act, the Data Protection Directive.

There are adverse implications if you do not comply with GDPR: the penalties could run to €20 million or 4% of total revenue (the world over).

GDPR is a data regulation which concerns the control and processing of personal data. It covers the personal data of EU citizens to whom any goods or services are being sold, even if the company is not based in the European Union.

The regulation would have a widespread impact on the various marketing technologies we use as digital marketers, and one of them is web analytics. Google Analytics is a web analytics tool used extensively across the world. About 50 million websites are configured with GA, so GDPR would have a major impact on GA.

As per GDPR, if you are using GA, Google Analytics is your data processor and you are the data controller. As a data processor, GA itself has to be compliant with GDPR.

How GDPR would impact Google Analytics

Well, there are various ways to become GDPR-compliant which would save you from a lot of hassle. Here are 5 ways to get in line with the regulation.

Review PIIs-

PII, or Personally Identifiable Information, is data which could potentially identify a specific individual. Various combinations of data sets, like a Google Analytics report joined with existing data, could identify an individual, and GDPR would count that as PII. Google Analytics terms already prohibit collecting PII, and GDPR would tighten the noose. To comply with the regulation, check your page URLs and titles for PII that you might be transmitting to marketing tools.
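One way to run that check on page URLs and titles is sketched below. This is an added example, not code from the original post; the parameter names, regexes, function names and sample pages are assumptions made for illustration.

```javascript
// Added example: audit page URLs and titles for PII before they reach analytics.
// SUSPECT_PARAMS and the regexes are heuristics (assumptions); tune them to your site.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
const PHONE_RE = /\+?\d[\d\s().-]{7,}\d/;
const SUSPECT_PARAMS = new Set(['email', 'e-mail', 'mail', 'name', 'firstname',
  'lastname', 'phone', 'tel', 'address', 'dob']);

// Returns one finding per place where PII appears to leak.
function findPii(pageUrl, pageTitle) {
  const findings = [];
  const url = new URL(pageUrl);
  for (const [key, value] of url.searchParams) {
    if (SUSPECT_PARAMS.has(key.toLowerCase())) {
      findings.push({ where: 'query', key, reason: 'suspect parameter name' });
    } else if (EMAIL_RE.test(value)) {
      findings.push({ where: 'query', key, reason: 'email in value' });
    } else if (PHONE_RE.test(value)) {
      findings.push({ where: 'query', key, reason: 'phone-like value' });
    }
  }
  const path = decodeURIComponent(url.pathname);
  if (EMAIL_RE.test(path)) findings.push({ where: 'path', reason: 'email in path' });
  if (EMAIL_RE.test(pageTitle)) findings.push({ where: 'title', reason: 'email in title' });
  return findings;
}

// Returns the URL that is safe to report as the page location.
function redactUrl(pageUrl) {
  const url = new URL(pageUrl);
  for (const [key, value] of [...url.searchParams]) {
    if (SUSPECT_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value) || PHONE_RE.test(value)) {
      url.searchParams.set(key, 'REDACTED');
    }
  }
  url.pathname = decodeURIComponent(url.pathname).split('/')
    .map((seg) => (EMAIL_RE.test(seg) ? 'REDACTED' : encodeURIComponent(seg))).join('/');
  return url.toString();
}

// Constructed sample pages (not real traffic): [url, title]
const SAMPLE_PAGES = [
  ['https://shop.example/thanks?email=jane%40example.com&order=1001', 'Thank you'],
  ['https://shop.example/account/jane@example.com/orders', 'Orders'],
  ['https://shop.example/products?category=shoes', 'Shoes'],
];
```

Run `findPii` over an export of the page paths and titles already in your reports to see what has been collected, and apply `redactUrl` before the page location is handed to any marketing tag.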

Review Pseudonymous Identifiers-

As we all know, pseudonymization is a procedure that replaces PII with artificial identifiers, making the data unidentifiable. GA uses pseudonymous identifiers like User IDs, hashed data and transaction IDs, which is an acceptable practice (also under GDPR). All you need to do about this is update your ‘Privacy Policy’ so that it tells the user what data is being collected and for what purpose. You should also go for the opt-in option that asks for the consent of the user.

Hit IP Anonymization-

GDPR, in its definition of PII, considers an IP address to be PII, as Google uses the IP to provide geolocation data. GDPR compliance requires that you turn on IP anonymization, and enabling it requires a code change. This can be done either through Google Tag Manager (GTM) or by editing the tracking code directly.

Opt In/Opt Out Consent Option-

Gaining consent for tracking in GA is an important part of GDPR, and how you gain that consent matters even more. When collecting user IDs and other pseudonymous identifiers, gaining consent from the user is imperative. A ‘cookie consent’ notice would no longer be considered gaining consent; you would have to be more explicit about it. The best way, which is also the most common, is an overlay modal that pops up once the website loads and asks the user for his/her consent.
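The IP anonymization setting and the opt-in requirement can be combined in one small gate around the tracking calls. This is an added example, not code from the original post: `createConsentGate` and its methods are hypothetical names, `UA-XXXXXXX-X` is a placeholder property ID, and the commands are shaped as gtag.js arguments with its `anonymize_ip` config parameter.

```javascript
// Added example: nothing reaches analytics until the visitor explicitly opts in,
// and the config command always carries anonymize_ip.
function createConsentGate(measurementId, sendCommand) {
  let consent = 'unknown';   // never starts as granted: the pre-ticked-box equivalent
  let configured = false;

  return {
    // Called by page code for every hit; dropped unless consent was granted.
    track(eventName, params = {}) {
      if (consent !== 'granted') return false;
      sendCommand(['event', eventName, params]);
      return true;
    },
    // Wire this to the "Accept" button of the consent modal.
    optIn() {
      consent = 'granted';
      if (!configured) {
        sendCommand(['config', measurementId, { anonymize_ip: true }]);
        configured = true;
      }
    },
    // Wire this to "Reject" and to the withdraw-consent link in the privacy policy.
    optOut() {
      consent = 'denied';
    },
    state: () => consent,
  };
}

// In a browser, sendCommand would be: (cmd) => gtag(...cmd)
// Constructed demo: collect the commands in an array instead of calling gtag.
function demo(decision) {
  const sent = [];
  const gate = createConsentGate('UA-XXXXXXX-X', (cmd) => sent.push(cmd));
  gate.track('page_view', { page_path: '/pricing' }); // before any decision: dropped
  if (decision === 'accept') gate.optIn();
  if (decision === 'reject') gate.optOut();
  gate.track('sign_up');
  return sent;
}
```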

Clear Privacy Policy-

A privacy policy has always been a part of internet business, but with the new regulation you need to change the whole approach to writing one. GDPR needs a privacy policy written in a clear, precise and understandable way, as it focuses on the users. The privacy policy is not written for lawyers, which is why it should be in simple language that a layman can understand. It should also be precise and to the point, telling the user the what, how, why and who of the information collected. To create a privacy policy you can use any of the best privacy policy generators available, although you would have to tweak and modify the result to suit your business and company.

Another marketing technology that would be impacted by GDPR is email marketing. Email marketing delivers marketing campaigns personally, which makes it more effective than other broadcasts and a growing marketing technology. According to Radicati’s 2016 Email Statistics report, email would be used by 3 billion people by the year 2020.

GDPR would not only consider the contacts collected after the enforcement date, i.e. 25th May 2018; the regulation would apply to your existing contacts as well.

How GDPR would impact Email Marketing

If you are using email marketing, GDPR would like you to-

Review your contacts-

You need to check, or audit, all the contacts you have been adding to your email marketing database over the years. Check whether you know the geographies of these contacts, when you added them to the repository, whether you have been taking their consent, and how they got into your database.

Privacy Policy-

You need to check your privacy policy, and you would surely have to change it. You have to add all the details of how you collect, store, transfer, and process the data of the users, in very clear and precise language.


GDPR would require you to provide the ‘unsubscribe’ option clearly and in a simple way. For that, you should include the unsubscription link in all marketing communications, so that a user can unsubscribe from the marketing communication in question or from all of your communications. The unsubscription process should be very simple, enabling the user to unsubscribe in a single click. Asking a user to log in to your web page to unsubscribe is not recommended. GDPR would also empower the user to get his/her data erased completely by emailing you directly.

Separate Consent-

As of now, signing up may be considered as accepting terms and conditions and hence taken as consent. GDPR, however, requires separating the consent from signing up, so that users can clearly understand whether they are giving consent to receive the emails.

Active opt-in-

The data subject’s consent relies on the clear opt-in boxes being used. Pre-ticked boxes will not be sufficient to confirm consent under the new regulation.

Facebook has evolved into an indispensable marketing technology, but with the recent data scandal it would have to keep itself out of any kind of controversy.

How GDPR would impact Facebook Ads

Informing your prospects-

As an advertiser, you would have to inform your prospects about the data you are collecting: what you would be doing with their data and with whom you would share it.

Facebook Pixel-

If you are using Facebook Pixel, you would have to obtain consent from prospects in cases such as:
Retail websites that collect data about the products people view for the purposes of ad targeting.
Blogs that use cookies to collect demographic data about readers.
Facebook advertisers who install the Facebook Pixel to measure ad conversions.


Since Facebook owns Instagram, Instagram will be as GDPR compliant as Facebook is. You don’t need to do anything extra to use Instagram ads or acquire additional consent.

Custom Audiences-

When you upload a custom audience to Facebook using a data file, Facebook is a mere data processor, so you will be responsible for complying with GDPR standards (before that information is uploaded to Facebook). It is not possible as of now, as there is no tool to do this, but Facebook is in the process of developing a Custom Audiences permission tool that will require you to provide proof.

Leads Ads-

Facebook Lead ads are a great business tool, and here is what Facebook has to say about GDPR compliance with leads: “In the case of lead ads, both Facebook and the business are data controllers, thus, both parties are responsible for ensuring compliance.”
This means both you and Facebook need to let your prospects know that you’re processing their data. Luckily, Facebook makes it pretty simple to link your lead ad to your privacy policy, allowing you to collect consent in real time.

While the main focus here was Google Analytics, email marketing and Facebook ads, these steps also apply to other marketing technologies, as the core remains common, i.e. data permission, data access, and data focus.

Remember, GDPR isn’t designed to stop businesses from communicating with their customers. In fact, it will lead to an increase in data quality, which is why it’s an opportunity to delve deeper into the needs of prospects and customers.

Contact us to get your website/app evaluated for GDPR compliance.


We are not a law firm, and this blog post is based on our research and interpretation of the General Data Protection Regulation (GDPR) and e-Privacy Regulation. The sole purpose of the blog is to give information to the readers, and we advise you to seek legal counsel that specializes in the GDPR and e-Privacy Regulation to ensure that your organization conforms to these regulations. GDPR is complex and interpretations vary. If you have questions or suggestions, please comment and provide sources, as appropriate.

