How to implement GDPR-compliant IP anonymization in Google Analytics

Anonymizing IP addresses in Google Analytics is nothing new and has been standard procedure for several years, but now it’s more relevant than ever with the enforcement of the European Union’s General Data Protection Regulation (GDPR). Anonymizing a user’s IP address in the Google Analytics tracking code is one of the most important steps you need to take towards becoming GDPR-compliant.

Anonymizing IP addresses in Google Analytics

The tracking code that has been considered standard until now does not fulfill all new data protection requirements. That’s why an additional code snippet has to be added to the already implemented Standard Google Analytics Code (both for Universal Analytics Code and gtag.js).

Universal code:

   ga('create', 'UA-XXXXXXXX-X', 'auto'); 
    ga('set', 'anonymizeIp', true); 
    ga('send', 'pageview');

gtag.js code:

gtag('config', '<GA_TRACKING_ID>', { 'anonymize_ip': true });


This function, defined in Google’s internal JavaScript library, will delete the last 8 bit of an IPv4 address before Google processes it further, effectively anonymizing the address (e.g. 8.8.8.8 will turn into 8.8.8.0.)

This happens while the request is still in memory, so Google will neither store nor process complete IP addresses at any given time.

Double-checking IP anonymization

It’s always safest to double-check whether the implementation has been successful: you can check it via Chrome Console or Firebug in Firefox. The request parameter has to contain “aip=“. 

Request parameter contains “aip=”

For more input on the topic, head over to Google’s Measurement Protocol: https://developers.google.com/analytics/devguides/collection/protocol/v1/parameters  

In order to fully prepare your Google Analytics for GDPR compliance, there are many other points that have to be implemented or checked. If you have more questions, please contact us anytime.

Learn about our Analytics check