How to Anonymize IP in Google Analytics?

Google Analytics is a web analytics tool from Google Marketing Platform that tracks website performance and the traffic it receives. 

When a user visits your site, the Analytics tracking code that you added in your website’s pages activates and collects user data and sends them to its server.

Google Analytics also stores a first-party cookie, _ga, on the user’s device. This cookie stores Client ID, which contains user information, such as a unique user or the frequency of visit. 

To collect information such as the visiting user is new or returning, Google Analytics must collect the IP addresses of the visitors. It does so to distinguish and store the geolocation of the website’s visitors.

Google does not consider IP addresses as personally identifiable information (PII); however, it can be used with other information to identify an individual. 

According to GDPR (read the guide to GDPR), any information that can identify a natural person with or without additional information is called personal data. That makes IP addresses personal data under the GDPR.

Therefore, Google Analytics is subject to GDPR. And until and unless the IP addresses of users are modified so that it can longer link to a person, it will most likely violate the law. You need to review your use of the Analytics to make sure you are complying.

Remember that if you are using Analytics, you – the website owner – are the Data Controller. Google acts as your Data Processor, i.e., it collects and processes the data on behalf of you. You decide ‘why’ and ‘how’ the data should be processed. 

Over the last few years, Google has made several changes to its terms and conditions and brought many settings changes to comply with the GDPR. They updated their Data Processing Terms and EU User Consent Policy and now allow data deletion and retention. 

However, these changes still do not guarantee complete GDPR compliance. There are still other things that a website owner needs to take care of at their end. 

One is data auditing, i.e., identifying and making sure your site is not sending any PII to Google. Read more about it here.

Another method and the one this article wants to focus on is “IP anonymization.” 

IP anonymization is the method of masking or anonymizing the IP addresses of users. 

It sets the last three digits or the last octet of IPV4 IP addresses and the last 80 bits of IPV6 IP addresses to zeroes.

For example, an IPV4 address 121.314.31.144 becomes 121.314.32.0 after the anonymization.

The anonymization must be done just after they are sent to the Google Analytics network before the processing begins. 

There are several ways you can anonymize the IP addresses. Let’s look at three such methods:

Using analytics.js

You can anonymize the IP address by adding a code to your Analytic tracking code. In case of analytics.js.library, add the following code:

 ga('set', 'anonymizeIp', true);

The final tracking code after adding this code looks like:

<!– Google Analytics ->
<script >
window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
ga('create', 'UA-XXXXXXXXX-Y', 'auto');
ga('set', 'anonymizeIp', true);
ga('send', 'pageview');
< /script >
< script async src='//www.google-analytics.com/analytics.js'></script>
<!– End Google Analytics –>

Using gtag.js

In case you use Google Tag Manager (GTM) code on your website, i.e., gtag.js.library, then add the following code to the Analytics tracking code:

{ 'anonymize_ip': true }

The final tracking code after adding this code looks like:

<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-XXXXXXXXX-Y"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-XXXXXXXXX-Y', { 'anonymize_ip': true });
</script>

Using GTM settings

GTM has a feature that allows you to enable IP anonymization. All you need to do is make small changes to the tag that fires Google Analytics pageview. 

1. Edit the tag.

2. Click More Settings.

3. Expand the Field to Set option.

4. Click Add Field and set Field Name as ‘anonymizeIp’ and its Value ‘true’.

5. Save and publish.

To check if you have successfully anonymized the IP addresses (in Chrome):

1. Add the chrome extension Google Analytics Debugger.
2. Turn it ON.
3. Now go to the developer tools in Chrome (Ctrl+Shift+I or f12).
4. Click the Console tab.
5. Search for ‘anonymizeIp (&aip) 1’. 

If you find it, that means you have successfully enabled IP anonymization for your site.

You cannot just rely on Google Analytics to be responsible for GDPR compliance. They have done their part with all the updates. You, as a website owner, must do yours.

These are reasonably simple methods to anonymize the IP addresses to avoid any risk of GDPR violation. If you have not done it yet, it is time now. 

Disclaimer: The purpose of this article is to share general information with the readers. It does not guarantee complete compliance with the GDPR. For any such assistance with compliance, we recommend consulting a lawyer or professional.