Germany is well known for its fierce stance on privacy and its data protection authorities had accomplished one thing: to get Google to adapt some of their practices regarding the implementation of Google Analytics into German websites.

Update February 2020: all of the earlier guidance on the site of the Hamburg data protection authority has been deleted. Newer guidance hasn’t been issued, but there are some breadcrumbs one can find that we’ll link to in the article below.

Update mid-2017: The authority of Hamburg has provided new docs about a compliant use of GA, in German only.

Update December 2016: The authority of Hamburg has disabled their guides, to reassess the situation.

Update September 2016: Google has published their Privacy Shield certification, and updated the terms for using Google Analytics in Germany, including the contract for data processing

On datenschutz-hamburg you can find a document called Guidelines for Hamburg-based website operators using Google Analytics, that outlines in detail what you have to do in order to use Google Analytics in a compliant way in Germany.

Note: read this post in German instead: Aufsetzen der Datenschutzerklärung bei Nutzung von Google Analytics.

Get started quickly with iubenda + Google Analytics

Take these two actions to get started with iubenda to generate a privacy policy with Google Analytics clauses:

  • Sign up/Sign in;
    1. Choose the “Google Analytics with anonymized IP” clause;
    2. Optional: Choose the “Direct text embedding” option to display the privacy policy on your site;

Read the rest of the post for more details.


Since we’ve first published this guide a lot has changed and the guides we originally linked to, don’t exist any longer.

However, the Tätigkeistbericht, of the authority of Hamburg of 2019 (published in 2020) gives some pointers about what’s changed:

  • Google Analytics has changed and in addition to helping the website owner to analyse their traffic, it helps Google extract information
  • There’s a new court decision by the CJEU dated the 1.10.2019, C-673/17 „Planet49“ which requires explicit consent for the setting of cookies

In order to use Google Analytics and iubenda the way it is intended by the German data protection authorities you have to follow the two processes outlined below:

1) Things you are required to do regarding Google Analytics

To quote the data protection authority of Hamburg: To use Google Analytics in a compliant way, you as the website operator must implement the following measures as a minimum

  1. Sign agreement: you must conclude (in writing) the data processing agreement prepared by Google. This agreement can be found here.
  2. Privacy policy & opt-out: inform about your use of Google Analytics in your privacy policy. Inform about their opportunity to object, and link to this opt-out extension made by Google: http://tools.google.com/dlpage/gaoptout?hl=de. This part, the privacy policy generation, is what iubenda helps you with.
  3. Opt-out II: you should implement your own opt-out link for the privacy policy. The reason for this is that Google’s extension works mainly for non-mobile browsers. Therefore, the more mobile visitors you have, the more important this opt-out option will be. When you use iubenda, we will add such an opt-out link to the privacy policy automatically, but you have to additionally follow the instructions below for it to work perfectly.
  4. IP-Anonymization: You need to use the anonymization function provided by Google in your Google Analytics snippet called “_anonymizeIp()”. Read more about the anonymization part here.
  5. Delete old data: if you haven’t used Google Analytics with the anonymizeIp() function so far, you are required to delete prior data because it is considered to have been collected unlawfully.

Read about these requirements in more detail here.

Update 2017: The English pdfs on the Hamburg DPA were suspended, therefore we’re linking to the updated German version here instead.

In the newest Taetigkeitsbericht [German], the authority concludes that its earlier guides aren’t to be followed any longer and that at the very least the following is needed to run Google Analytics in a compliant fashion:

1. a contract for the data processing pursuant to Art. 28 DSGVO should first be concluded between Google LLC and the website operator.

2. in addition, if the “standard setting” is selected, the website operator is also required to conclude a “Controller-Controller-Agreement”, from which it follows that both Google and the website operator act under their own responsibility and reserve the possibility of their own further processing of the data.

3. taking into account European case law (ECJ, ruling dated 29 July 2019, Ref. C-40/17), the standard setting recommended by Google can therefore be assumed to be a joint responsibility pursuant to Art. 26 DSGVO. Therefore, the HmbBfDI is also of the opinion that consent pursuant to Art. 6 para. 1 lit. a DSGVO is required for the use of Google Analytics or similar services. (this, according to the authority follows from the ECJ ruling dated 1.10.2019, Ref: C-673/17 “Planet49” and Google itself that obliges the website operator to take reasonable steps to give the user transparent, comprehensive information.

In other words, compared to the good old days, in addition to a privacy policy, you are expected to show a cookie banner and only place those cookies after you’re received consent from users [which iubenda helps you do].

Of the same opinion, by the way, is the Bavarian authority, that requires prior explicit consent for Google Analytics.

2) How iubenda can help you regarding Google Analytics

  1. Sign up/Sign in and add the Google Analytics clause called “Google Analytics with anonymized IP” to the privacy policy.
  2. No longer necessary: Use the “direct text embedding” option for our privacy policy on your site. There is no way around it if you want to closely follow German practice. The way the Javascript is set up by Google, it will only work and effectively opt-out your users like this from your site.
  3. Before you place a Google Analytics cookie, make sure you show a cookie notice and get the user’s consent [for that you can use the Cookie Solution].

Other posts to read regarding Google Analytics

The process looks more complicated than it is. Basically you have to

  • make sure you follow the requirements as outlined by the data protection authorities – details
  • iubenda will help you with crafting a privacy policy – details

If you want to do additional reading, you will find other relevant posts here in this list below:

Let us help you to do this.

Generate privacy policy for Google Analytics


This used to be part of the guide, we’ll keep it here for archiving purposes:

  1. Integrate the Javascript code* for the opt-out provided by Google, it needs to be placed on every page BEFORE the Google Analytics snippet. Here are Google’s instructions.

*the Javascript snippet provided by Google that must be placed before Google Analytics (basically, what iubenda will do for you: if you have integrated Google’s code above correctly into your site, we will show an opt-out success message, if not, we will send people to Google’s opt-out mechanism that opts-out only part of your audience – if you want this to work, you need to embed the privacy policy on your own site):

// Set to the same value as the web property used on the site
var gaProperty = 'UA-XXXX-Y';

// Disable tracking if the opt-out cookie exists.
var disableStr = 'ga-disable-' + gaProperty;
if (document.cookie.indexOf(disableStr + '=true') > -1) {
  window[disableStr] = true;
}

// Opt-out function
function gaOptout() {
  document.cookie = disableStr + '=true; expires=Thu, 31 Dec 2099 23:59:59 UTC; path=/';
  window[disableStr] = true;
}

Privacy Policy for Google Analytics RemarketingHow to find the Google Analytics Data Processing AgreementHow to find the Google Analytics Data Processing Agreement

About Us

iubenda is the easiest and most professional way to generate a privacy policy for your website, mobile app and facebook app
www.iubenda.com

Generate a privacy policy now

Ready in a few steps and built to meet the needs of both website and mobile app owners

Generate your privacy policy now

Sometimes the best choice is to "just give it a try"

iubenda is the easiest and most professional way to generate a privacy policy for your website, mobile app and facebook app

Generate your privacy policy now