Webbanalyswebbanalys

GDPR compliant anonymize IP

Since IP addresses are considered PII, anonymization is required in order to be GDPR compliant. Also manage your data retention!

Check IP anonymization in Google Analytics

Google Analytics anonymized IP indicatorOnce IP anonymization is active in Google Analytics tracking in order to eliminate IP data being stored, a simple check will ensure that it is indeed active. By hitting F12, surfing to an appropriate page and then selecting "Network" in the menu bar of the developer console the requests become visible. Applying the search phrase "aip=" to the search box should bring up the anonymization parameter with the value 1 which means things are in working order.

If this parameter does not appear, and checks have been done to ensure the Google Analytics is indeed running on the page, then the anonymization settings for the tracking needs to be validated. Do notice that if the user input for consent blocks any tracking on the site (which it should up to approval is given) then that needs to be done first.

The data retention issue

Data retention setting in Google AnalyticsIt is extremely crucial to be aware of the simple fact that anonymization of IPs in digital analytics tracking solutions does not solve the issue with IPs stored in web server logs.

The data retention settings in Google Analytics provide a partial solution to the storing of IP data, unfortunately the data retention settings are flawed as the minimum retention rate is more than a year. Instead of settings in months it should have had selections of X days/weeks/months.

This means that if IPs are not anonymized by the owner of the tracking account them IP data might exist for a very long time on a server. The same applies to any server log, and with no access to log files of sites on shared web servers as well as dedicated servers, without access IP data will not be managed properly.

Anonymization of IPs doesn't happen magically in server logs, for these either automated processes need to be activated or log retention managed.

---