In light of the EU's GDPR and its recent amendments, Google Analytics (GA) has had to adapt its services to ensure continued compliance. Analytics has always been a sensitive area for data privacy, since the data collected is often unique personal information. GA is one of the web's most popular analytics tools, so it's vital for all merchants to use GA cookies properly. Below we've listed suggestions to help you reach full compliance without sacrificing the benefits the GA suite brings. The most common types of data collected by GA cookies are:
- Browser and device information
- Session statistics
- Approximate geolocation
- Unique advertising identifiers
Develop a Clear & Comprehensive Privacy Policy
The first step of any compliance effort is to develop a privacy policy that sets out everything your website does to collect, process, and share user data. Cookies are a big part of this process, and GDPR requires you to list and explain what each cookie you use does, including the GA cookies. A guide on how to develop effective eCommerce privacy policies is a good place to start. You can use sample privacy policies as well as privacy policy generators to help you start this process. If you're uncertain, ask a legal expert to help you. Taking a look at competitors' or partners' policies to check that you've covered everything will also help.
Implement a Cookie Banner
Because GA cookies are third-party and non-essential, a website must first receive a user's consent before using them. The easiest way to do that is to have a cookie consent banner that informs users of cookie use and requests consent. A cookie notification must fulfill the GDPR cookie consent banner requirements and contain the following elements:
- Present clear cookie information
- Link to privacy and cookie policies
- Offer consent options to opt in or out, with an optional cookie dashboard
Get Cookie Consent From Users
While consent is usually obtained through the cookie banner, it's important to ensure that this consent is received before any of the GA cookies requiring consent are set. A notification of their use alone is not enough: the user's data and privacy are considered sensitive, and any pre-consent data collection results in non-compliance.
Enable IP Anonymization
IP addresses are the addresses of the internet, almost as sensitive as a person's postal address. Collecting anonymized IP addresses is good practice and won't affect metrics and data collection much. IP anonymization means collecting only a portion of an IP address (162.254.xxx.xxx instead of the whole 162.254.206.227), and GA can be set to do this with its "IP masking" feature.
Develop an Opt In/Out Functionality
As part of GA cookies' consent settings, they should be disabled by default and remain off if the user opts out of their use. Websites often assume that users will blindly select "Accept" or "Opt In", but they must keep blocking all non-essential cookies if the user chooses to opt out. While this can be done at the website level using GA integration settings and other tools, individual users can also universally opt out of all GA cookies.
Set Data Deletion Parameters
Under GDPR, every person must have the option of viewing and deleting information collected about them. GA lets you export all information about a specific user. You should enable the "restricted_data_processing" parameter in your global site tag in GA settings for all users from the EU, California, and any other jurisdictions with strict data privacy regulations. GA has a default time limit for deleting data (known as the data retention time limit).
It can be updated as below:
- Sign in to Google Analytics↗
- Click Admin and navigate to the property you want to edit.
- In the Property column, click Tracking Info (for web properties) or Data Settings (for GA4) and then Data Retention.
- Under User and event data retention select the retention period you want.
- Click Save.
Audit Your Data & Pseudonymous Identifiers for PII
Finally, audit all of GA for its collection of personally identifiable information (PII). Google generally does a good job of helping websites comply with data regulations, but it's still a good idea to go through all its settings and your website to ensure everything is compliant. Pay special attention to anything that collects PII and identify ways to anonymize the information.
Conclusion
Recent updates in data privacy have led Google to focus more on aggregated data collection, with a better balance of user privacy and measurement performance. Take note of each of the above suggestions so that you can keep your users safe and avoid regulation violations.
How to Handle Data Subject Access Requests (DSARs) in GA
When someone requests their personal data under GDPR Article 15, you need to pull everything GA has collected about them. This includes session records, device IDs, approximate location, and any custom events you've tracked.
Your process should be:
- Receive the request — typically via email to a privacy contact
- Log it with a timestamp — you have 30 days to respond
- Extract GA data — use GA's user-ID feature or custom segments to isolate their activity
- Cross-reference other systems — check Shopify customer records, Klaviyo subscriber data, email lists, and CRM platforms for additional personal data
- Compile and deliver — send all collected data in a machine-readable format (CSV, JSON)
For Shopify stores, this is especially important because GA data often connects to customer profiles in your backend. Someone's GA session might link to their order history, email address, and browsing behavior across visits. You need systems in place to quickly connect these dots.
Set up a DSAR log in a simple spreadsheet or document management tool. Track who requested data, when, and what you provided. This demonstrates good-faith compliance if regulators ever audit you. Many mid-market brands overlook DSARs because they think GA is just "anonymous" analytics — but once you've connected a session to a customer email or order, that data becomes personal and must be retrievable on demand.
Testing Your Cookie Banner Before Launch
A broken or poorly configured cookie banner can actually make your GA setup non-compliant. Before you go live, test that:
- The banner appears before GA loads (not after)
- Rejecting all cookies actually prevents GA from firing
- Google Tag Manager (GTM) respects your consent settings
- The "Details" or "Preferences" button actually shows what you claim to collect
- Mobile and desktop versions both work correctly
Use your browser's Network tab (F12 Developer Tools) to verify that GA requests don't fire until consent is given. Look for requests to collect or google-analytics endpoints: if any appear before the user clicks "Accept," you have a problem.
Test across different browsers and devices. Some analytics tools delay cookie loading, which creates a gap where data gets collected without consent. Your cookie banner platform should have built-in testing tools, but manual verification catches edge cases.
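The Network-tab check above can be turned into a repeatable audit. The following is an added example, not code from the article or from Google: it takes a list of captured requests (the shape a HAR export or a Network-tab copy gives you), the timestamp of the "Accept" click, and reports every tracker hit that went out earlier. The request entries and timestamps are constructed for illustration; the GA patterns follow the article's "collect or google-analytics" hint, and the facebook.com/tr pattern is assumed to be the Meta Pixel endpoint.

```javascript
// Added example (not from the original article): audit a captured request log
// for tracking hits that fired before the user gave consent.

// Endpoint patterns for the trackers the article discusses. The GA entries
// match both the classic /collect and the GA4 /g/collect paths; facebook.com/tr
// is assumed to be the Meta Pixel endpoint.
const TRACKER_PATTERNS = [
  { name: "Google Analytics", re: /google-analytics\.com\/(g\/)?collect/ },
  { name: "Google Analytics", re: /analytics\.google\.com\/g\/collect/ },
  { name: "Meta Pixel", re: /facebook\.com\/tr\b/ },
];

// Classify a single URL; returns the tracker name or null for non-tracker traffic.
function classifyRequest(url) {
  for (const p of TRACKER_PATTERNS) {
    if (p.re.test(url)) return p.name;
  }
  return null;
}

// Return every tracker hit whose start time is earlier than the consent event.
// `requests` is an array of { url, startedDateTime }; `consentAt` is the ISO
// timestamp of the "Accept" click, or null if the user never consented, in
// which case every tracker hit counts as a violation.
function findPreConsentHits(requests, consentAt) {
  const consentMs = consentAt ? Date.parse(consentAt) : Infinity;
  const violations = [];
  for (const req of requests) {
    const tracker = classifyRequest(req.url);
    if (!tracker) continue;
    if (Date.parse(req.startedDateTime) < consentMs) {
      violations.push({ tracker, url: req.url, at: req.startedDateTime });
    }
  }
  return violations;
}

// Constructed sample: the banner was accepted at 12:00:05, but a GA hit and a
// Meta Pixel hit went out before that. First-party requests and the GTM
// container download itself are not collection hits and are not flagged.
const SAMPLE_REQUESTS = [
  { url: "https://shop.example/", startedDateTime: "2024-01-01T12:00:00.000Z" },
  { url: "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX", startedDateTime: "2024-01-01T12:00:00.400Z" },
  { url: "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX", startedDateTime: "2024-01-01T12:00:01.000Z" },
  { url: "https://www.facebook.com/tr/?id=000000000000000&ev=PageView", startedDateTime: "2024-01-01T12:00:01.200Z" },
  { url: "https://shop.example/products.json", startedDateTime: "2024-01-01T12:00:02.000Z" },
  { url: "https://www.google-analytics.com/g/collect?v=2&en=page_view", startedDateTime: "2024-01-01T12:00:06.000Z" },
];
const SAMPLE_CONSENT_AT = "2024-01-01T12:00:05.000Z";

// Run the audit over the constructed sample; two pre-consent hits are expected.
function auditSample() {
  return findPreConsentHits(SAMPLE_REQUESTS, SAMPLE_CONSENT_AT);
}

console.log(JSON.stringify(auditSample(), null, 2));
```

Feed it a real HAR export's entries (each entry already carries `request.url` and `startedDateTime`) and the consent timestamp logged by your banner, and rerun it for each browser and device you test; any non-empty result is a pre-consent collection you need to fix before launch.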
Managing GA and Meta Pixel Consent Together
If you're running Facebook ads alongside GA, you're probably using Meta Pixel on your Shopify store. Both tools have separate consent requirements and data-sharing implications.
GA and Meta Pixel handle consent differently:
- GA needs explicit consent for non-essential cookies before any tracking fires
- Meta Pixel requires consent and you must notify users that data is shared with Meta for ad targeting and retargeting
When someone rejects cookies on your banner, both tools should stop collecting immediately. But if your GTM setup isn't careful, Meta Pixel might fire even when GA doesn't — or vice versa.
Set clear rules in GTM: create a "User Consent" variable that blocks both GA and Meta Pixel until consent is given. Document this in your privacy policy so users understand their data flows to multiple platforms. If you use dynamic product ads or catalog-based retargeting, Meta is linking their pixel data to your product inventory, which adds another layer of data processing you need to disclose.
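The same gating logic written in plain JavaScript, as an added example that is not the article's, GTM's or Google's code. It serves both the opt in/out section earlier on the page (trackers off by default, staying off after an opt-out) and the "User Consent" rule just described (one decision gating GA and Meta Pixel together, per category). The storage key and the loader callbacks are assumptions; in a real page the loaders would inject the gtag.js and Meta Pixel scripts, and the storage would be `window.localStorage`.

```javascript
// Added example (not from the article, GTM or Google): a minimal consent gate.
// Trackers register with a loader and a category; nothing loads until the
// visitor decides, "deny" keeps everything off (including tags registered
// later), and the decision is persisted so an opt-out survives reloads.

function createConsentGate(storage) {
  // storage: any object with getItem/setItem (window.localStorage in a browser,
  // an in-memory stand-in in the demo below).
  const KEY = "consent_decision"; // assumed storage key
  const registry = []; // { name, category, loader, loaded }
  let decision = null; // null until the visitor chooses, then { granted: [...] }

  // Restore a previous decision so returning visitors keep their choice.
  const saved = storage.getItem(KEY);
  if (saved) decision = JSON.parse(saved);

  // Load every registered tracker whose category has been granted, once.
  function release() {
    if (!decision) return;
    for (const t of registry) {
      if (!t.loaded && decision.granted.includes(t.category)) {
        t.loaded = true;
        t.loader();
      }
    }
  }

  return {
    // Register a tracker; it loads now only if its category is already granted.
    register(name, category, loader) {
      registry.push({ name, category, loader, loaded: false });
      release();
    },
    // Called by the banner's "Accept" button or the preferences dashboard.
    grant(categories) {
      decision = { granted: [...categories] };
      storage.setItem(KEY, JSON.stringify(decision));
      release();
    },
    // Called by "Reject all": nothing registered now or later will load.
    deny() {
      decision = { granted: [] };
      storage.setItem(KEY, JSON.stringify(decision));
    },
    // Names of the trackers that actually loaded (for a dashboard or a test).
    loaded() {
      return registry.filter((t) => t.loaded).map((t) => t.name);
    },
  };
}

// In-memory storage stand-in so the demo runs outside a browser.
function memoryStorage() {
  const data = {};
  return {
    getItem: (k) => (k in data ? data[k] : null),
    setItem: (k, v) => { data[k] = String(v); },
  };
}

// Walk through the outcomes the article describes with GA (analytics) and
// Meta Pixel (marketing) registered. The loaders are no-ops standing in for
// script injection. Returns the loaded-tracker list after each step.
function demo() {
  const results = {};

  // 1. No decision yet: both stay off, no matter how long the page sits there.
  const fresh = createConsentGate(memoryStorage());
  fresh.register("GA", "analytics", () => {});
  fresh.register("Meta Pixel", "marketing", () => {});
  results.beforeDecision = fresh.loaded();

  // 2. Reject all: both stay off, and so does a tag registered afterwards.
  fresh.deny();
  fresh.register("Late tag", "analytics", () => {});
  results.afterDeny = fresh.loaded();

  // 3. Partial consent: GA loads, Meta Pixel does not, and a second gate
  //    sharing the same storage (a return visit) reaches the same state.
  const store = memoryStorage();
  const gate = createConsentGate(store);
  gate.register("GA", "analytics", () => {});
  gate.register("Meta Pixel", "marketing", () => {});
  gate.grant(["analytics"]);
  results.afterPartialGrant = gate.loaded();

  const returning = createConsentGate(store);
  returning.register("GA", "analytics", () => {});
  returning.register("Meta Pixel", "marketing", () => {});
  results.returningVisit = returning.loaded();

  return results;
}

console.log(demo());
```

The design point is that the gate is the only code path that can load a tracker: the page never calls the GA or Meta Pixel loaders directly, so a missed GTM trigger condition cannot let one of them fire while the other is blocked.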
Documenting Your Processing Activities for GA
GDPR Article 30 requires you to keep records of all data processing — called a Record of Processing Activities (RoPA) or Data Processing Inventory. GA isn't exempt.
Your RoPA entry for GA should document:
- Purpose: Analytics, user behavior tracking, conversion measurement
- Legal basis: Consent (since GA cookies need opt-in)
- Data categories: Device IDs, IP addresses, session data, approximate location, event parameters
- Recipients: Google (and any analytics agencies or consultants who access your GA account)
- Retention: Whatever you set in GA's data retention settings
- Sub-processors: Google's sub-processors (check Google's Data Processing Amendment for the list)
Keep this documentation updated. If you change your GA retention period or add new custom events, update your RoPA. This isn't just a compliance checkbox — it helps you spot where personal data is flowing and reduces risk.