On your quest for the best way to set up a GDPR compliant website for your small business, you are likely to come across complicated guides intended for more complex websites.

If your website has a simple, blog-like structure and uses only the cookies required for its normal functioning, look no further. There is no need for you to explore complicated guides or take unnecessary steps such as grouping cookies or enabling your users to select which cookies to accept.

Google Analytics is a useful tool that can help you better understand how your website works. In website privacy policies, you will often notice that administrators advise visitors to turn off the Google Analytics option in their browser, but is that enough? Unfortunately, the answer is NO. In this case, you act as the Data Controller, which means that the protection of your visitors' data lies in your hands.

The Google Ads Data Processing Terms list the categories of data collected by Google Analytics. Acting as the Data Processor in this case, Google will accumulate:

        online identifiers, including cookie identifiers;

        Internet protocol addresses and device identifiers;

        client identifiers.

If you have a simple website that collects no additional data (other than the essential information required for the optimal performance of your website), here are two basic steps you can follow to make your website GDPR compliant:

1. Filter out personal data

The first step is to check your page URLs, titles, and other dimensions to ensure that no personal data is collected. Sending personally identifiable information to Google Analytics is against its Terms of Service, but it sometimes happens accidentally if you are unaware that the information is included in a page URL. If the personal information of your users is collected this way, we advise you to contact your web development team to find an adequate way to avoid it. Unfortunately, in this case, using only filters in Analytics to block the collection of this information isn't enough.

2. Turn on IP Anonymization in your Google Analytics account

The GDPR does not list every piece of data that counts as personal. However, even information that does not identify a person on its own can do so when combined with another piece of information. Before this regulation became effective, the IP address wasn't even regarded as personal information. Today, the IP address is classified as online PII (personally identifiable information). IP addresses are very important since they can help us locate where the traffic is coming from, but under the GDPR, we are not allowed to track this personal information unless we obtain consent. If you don't have a cookie banner that allows the user to give clear and freely given consent to the collection of the full IP address, then you will need to switch off that option in Google Analytics. You will still get general information about the traffic, which may not be as precise, since the last number in the IP address will be replaced with a zero. This can be done through the Google Tag Manager, or by entering the right code.
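As an added example (not code from the original article), the sketch below covers both steps on the client side: `scrubUrl` redacts e-mail addresses and selected query parameters from the page URL before it is reported, and the `anonymize_ip` field of gtag.js requests IP anonymization, whose effect `maskIpv4` only illustrates. The parameter list, the `REDACTED` marker, the helper names and the `GA_MEASUREMENT_ID` placeholder are assumptions.

```javascript
// Added example. Assumed: these query parameters carry personal data on your site.
const SENSITIVE_PARAMS = new Set(["email", "name", "phone", "token"]);
// Matches e-mail addresses, with "@" literal or percent-encoded as %40.
const EMAIL_RE = /[^\s\/?&=#]+(?:@|%40)[^\s\/?&=#]+\.[a-z]{2,}/gi;

// Step 1: return the page URL with personal data redacted.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  url.pathname = url.pathname.replace(EMAIL_RE, "REDACTED");
  const cleaned = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    const redactAll = SENSITIVE_PARAMS.has(key.toLowerCase());
    cleaned.append(key, redactAll ? "REDACTED" : value.replace(EMAIL_RE, "REDACTED"));
  }
  url.search = cleaned.toString();
  url.hash = ""; // fragments can carry personal data too, so drop them
  return url.toString();
}

// Step 2, illustrated: what anonymization does to an IPv4 address
// (the real masking is applied by Google Analytics, not by this function).
function maskIpv4(ip) {
  const octets = ip.split(".");
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error("not an IPv4 address: " + ip);
  octets[3] = "0";
  return octets.join(".");
}

// Settings passed to gtag.js: anonymized IP plus the scrubbed page URL.
function analyticsConfig(href) {
  return { anonymize_ip: true, page_location: scrubUrl(href) };
}

// Browser only: "GA_MEASUREMENT_ID" is a placeholder for your own property ID.
if (typeof window !== "undefined" && typeof window.gtag === "function") {
  window.gtag("config", "GA_MEASUREMENT_ID", analyticsConfig(window.location.href));
}
```

A check like `scrubUrl` complements, but does not replace, fixing the pages that put personal data into URLs in the first place.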

Cookies are considered the "tricky" part of the GDPR. Before taking the steps above and adjusting your Google Analytics account settings, make sure to list and review all the data collected on your website. Even using nothing but a social media button can make things slightly different.