by snowwrestler 2343 days ago
The suggested Google Analytics implementation today is a collection of three separate Google technologies: the original GA, Doubleclick cookies to track demographics and interest, and Tag Manager to manage them.

The original GA does not give Google useful cross-site user data because it uses only first-party cookies and anonymizes data as it collected it. To my knowledge you can still implement GA this way if you want to. Such an implementation would be GDPR compliant in not tracking any personal data, although your counsel might still say you need to list them as “analytics” cookies in a cookie banner (mine did).

3 comments

> anonymizes data as it collected it

No, they don't anonymize the collected data (for any reasonable definition of "anonymous"). The IP address alone gives GA a very close approximation of a unique key, and their own documentation[1] explains the "anonymization" process:

    "... the last octet of the user IP address
     is set to zero ..."
(if the logged event doesn't opt-in to this behavior by adding &aip=1 then GA presumably saves the entire IP. How many GA users bother setting that option?)

The 8 least significant bits of an IPv4 address are the least interesting. The remaining 24 bits give GA the ASN and are a lot of entropy for fingerprinting. It would be trivial to recover a unique key from the "anonymized" address by combining it with other analytics data, other cookies, timestamps.

[1] https://support.google.com/analytics/answer/2763052?hl=en
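The masking rule quoted above, worked through as an added example (not code from the thread or from Google): it reads the `aip` opt-in from a hit's query string, applies the documented IPv4 last-octet rule, and counts how much address identity survives. The sample hits, the `UA-PLACEHOLDER` property id and the IPv6 refusal are constructed assumptions; only the IPv4 rule is quoted in the thread.

```python
from collections import Counter
from ipaddress import IPv4Address, ip_address
from urllib.parse import parse_qs


def hit_opts_in(query: str) -> bool:
    """True when the hit's query string carries &aip=1 (the opt-in the thread mentions)."""
    params = parse_qs(query, keep_blank_values=True)
    return params.get("aip", [""])[-1] == "1"


def mask_ipv4(ip: str) -> str:
    """Set the last octet to zero, as the quoted documentation describes for IPv4."""
    addr = ip_address(ip)
    if not isinstance(addr, IPv4Address):
        # Assumption: the thread only quotes the IPv4 rule, so refuse anything else.
        raise ValueError("only the IPv4 masking rule is covered here")
    return str(IPv4Address(int(addr) & 0xFFFFFF00))


def stored_ip(client_ip: str, query: str) -> str:
    """What a collector following the quoted rule keeps for one hit: masked only with aip=1."""
    return mask_ipv4(client_ip) if hit_opts_in(query) else client_ip


def identifier_bits(query: str) -> int:
    """IPv4 address bits that survive for a hit: 24 with aip=1, the full 32 without."""
    return 24 if hit_opts_in(query) else 32


# Constructed sample hits: (client IP, Measurement-Protocol-style query string).
# Three clients share one /24; one client sends both an opted-in and a plain hit.
SAMPLE_HITS = [
    ("203.0.113.77",  "v=1&tid=UA-PLACEHOLDER&aip=1"),
    ("203.0.113.200", "v=1&tid=UA-PLACEHOLDER&aip=1"),
    ("203.0.113.201", "v=1&tid=UA-PLACEHOLDER&aip=1"),
    ("198.51.100.9",  "v=1&tid=UA-PLACEHOLDER&aip=1"),
    ("198.51.100.9",  "v=1&tid=UA-PLACEHOLDER"),
]


def stored_ip_counts(hits) -> Counter:
    """How many hits collapse onto each stored address; a count of 1 is still one visitor."""
    return Counter(stored_ip(ip, query) for ip, query in hits)


if __name__ == "__main__":
    for ip, query in SAMPLE_HITS:
        print(f"{ip:15} -> {stored_ip(ip, query):15} ({identifier_bits(query)} bits kept)")
    print(stored_ip_counts(SAMPLE_HITS))
```

Only the three hits from the same /24 become indistinguishable; every other stored address still points at exactly one visitor, which is the point the comment makes about the remaining 24 bits.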

Yes, you can configure Google Analytics so that no data is shared with other Google services, at least no data about single visitors. I also came to the conclusion that using GA this way complies with the GDPR and I don't really understand what all the fuss is about.
As someone going through this right now, the main difficulty in being GDPR compliant with GA is the cookie problem.

You can either disable cookies to run GA in cookieless mode [1], which presumably will affect how GA performs, since they can't determine repeat visits (but this might be fine, depending on the type of site you have), or you need to gain active consent to enable analytics cookies [2], which isn't much good if you want metrics for all users, not just those that opted in.

If someone has solved this reasonably, I'd love to hear how! For now it seems like cookieless is my only option.

[1] https://developers.google.com/analytics/devguides/collection... [2] https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...

> Such an implementation would be GDPR compliant in not tracking any personal data, although your counsel might still say you need to list them as “analytics” cookies in a cookie banner (mine did).

Your counsel should also have advised you that you need active consent in your cookie banner, since GDPR raised the standard for consent, which is the stumbling block I'm facing. [1]

[1] See "In brief": https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...