Some facts about Google Analytics data privacy

The web has to work for users, advertisers, and publishers of all sizes — but users first. And with good reason: people are using the internet in larger numbers for more daily needs than ever. They don’t want privacy as an afterthought; they want privacy by design.

Understanding this is core to how we think about building Google Analytics, a set of everyday tools that help organizations in the commercial, public, and nonprofit sectors understand how visitors use their sites and apps — but never by identifying individuals or tracking them across sites or apps.

Because some of these organizations lately have faced questions about whether an analytics service can be compatible with user privacy and the rules for international transfers of personal data, we wanted to explain what Google Analytics does, and just as important, what it does not do.

Fact: Google Analytics is a service used by organizations to understand how their sites and apps are used, so that they can make them work better. It does not track people or profile people across the internet.

• Google Analytics cannot be used to track people across the web or apps. It does not create user profiles.
• Google Analytics helps owners of apps and websites understand how their users are engaging with their sites and apps (and only their site or app). For example, it can help them understand which sections of an online newspaper have the most readers, or how often shopping carts are abandoned for an online store. This is what helps them improve the experience for their customers by better understanding what’s working or not working.
• This kind of information also includes things like the type of device or browser used; how long, on average, visitors spend on their site or app; or roughly where in the world their visitors are coming from. These data points are never used to identify the visitor or anyone else in Google Analytics.

Google Analytics customers are prohibited from uploading information that could be used by Google to identify a person. We provide our customers with data deletion tools to help them promptly remove data from our servers if they inadvertently do so.

Fact: Organizations control the data they collect using Google Analytics.

• Organizations use Google Analytics because they choose to do so. They, not Google, control what data is collected and how it is used.
• They retain ownership of the data they collect using Google Analytics, and Google only stores and processes this data per their instructions — for example, to provide them with reports about how visitors use their sites and apps.
• These organizations can, separately, elect to share their Analytics data with Google for one of a few specific purposes, including technical support, benchmarking, and sales support.
• Organizations must take explicit action to allow Google to use their analytics data to improve or create new products and services. Such settings are entirely optional and require explicit opt-in.

Fact: Google Analytics helps customers with compliance by providing them with a range of controls and resources.

• When organizations use Google Analytics to collect data from their websites or apps, they control that data. For example, they:
  • Can enable IP Anonymization (or IP masking) on their websites, meaning that full IP addresses are never processed or logged.
  • Have the ability to partially or completely disable data collection on certain pages.
  • Can select how long user-level and event-level data is stored by Analytics before it’s scheduled for automatic deletion from the Analytics account and Google’s servers.
  • Can delete data from the Analytics servers by submitting a request for its removal — including the ability to delete a single user’s data from their Analytics account via the User Deletion API, the User Explorer report, or the User Exploration technique.

Fact: Google Analytics helps put users in control of their data.

• Google makes products and features that are secure by default, private by design, and put users in control. That’s why we have long offered a browser add-on that enables users to disable measurement by Google Analytics on any site they visit.
• Along with providing strong default protections, we aim to give people accessible, intuitive and useful controls so they can make choices that are right for them. For example, visitors can choose if and how Analytics cookies are used by websites they visit, or block all cookies on all or some websites.
• In addition, organizations are required to give visitors proper notice about the implementations and features of Google Analytics that they use, and whether this data can be connected to other data they have about them.
• These customers are also required to obtain consent from users for each visit, as required by applicable laws in their country.

Fact: Google Analytics cannot be used to show advertisements to people based on sensitive information like health, ethnicity, sexual orientation, etc.

• Google Analytics does not serve ads at all. It is a web and app analytics tool. (You can read all about it here.)
• Some organizations do use insights they’ve garnered via Google Analytics about their own sites and apps to inform their own advertising campaigns.
• If a business also uses Google’s advertising platforms, it’s strictly required to follow Google’s advertising guidelines preventing the use of sensitive information to personalize ads — like health, race, religion, or sexual orientation. We never allow sensitive information to be used for personalized advertising. It’s simply off limits.

Fact: An organization’s Google Analytics data can only be transferred when specific and rigorous privacy conditions are met.

• Google Analytics operates data centers globally, including in the United States, to maximize service speed and reliability. Before data is transferred to any servers in the United States, it is collected in local servers, where users’ IP addresses are anonymized (when the feature is enabled by customers).
• The GDPR and European Court of Justice say that data can be transferred outside of the European Union for just this sort of reason, provided conditions are met.
• In order to meet those conditions, we apply numerous measures, including:
  • Using data transfer agreements like EU Standard Contractual Clauses, which have been affirmed as a valid mechanism for transferring data to the United States, together with additional safeguards that keep data secure: industry-leading data encryption, physical security in our data centers and robust policies for handling government requests for user information.
  • Maintaining widely recognized, internationally accepted independent security standards like ISO 27001, which provides independent accreditation of our systems, applications, people, technology, processes and data centers.
  • Offering website owners a wide range of controls that they can use to keep their website visitors’ data safe and secure.
• Our infrastructure and encryption is designed to protect data, and safeguard it from any government access.

And we use robust technical measures (such as Application Layer Transport Security and HTTPS encryption) to protect against interception in transit within Google’s infrastructure, between data centers, and between users and websites, including surveillance attempts by government authorities around the world.