The most important thing that I always see in the wild is consent messages that have the trackers enabled by default, so pressing ok or consent will track you. This is explicitly not allowed. As this post says, you do not need consent for cookies necessary to function, but all tracking has to be opt-in. And the law explicitly says that having all checkboxes filled in by default does not count as consent!
So wait, does this mean that having Google Analytics on your page is against the GDPR if they didn't agree to it?
The question is if your analytics collect personally identifiable information, such as IP addresses.
If you have anonymizeIP enabled, then no, they don't have to agree. GA took precautions, they trim the IP on EU servers. Also they assure you (I think in their ToS) that they don't store the original IP address.
This means they don't have any personally identifiable information, and it doesn't fall under the GDPR.
What they can't ensure though, is that users store personally identifiable information in their events. So if you do that, you have to take your own precautions. Basically you should just stop doing that. Since afaik, GA doesn't allow selective deleting of data, so as soon as a GDPR delete request comes in, you'd have to delete all of your GA data.
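The points raised in this thread (nothing pre-checked, IP anonymization switched on, no personal data in events) can be combined into one consent gate. This is an added example, not code from the commenters or from Google; the function names, consent categories, e-mail pattern and the `UA-XXXXXXX-Y` placeholder are assumptions, while `anonymizeIp` is the analytics.js field name.

```javascript
// Added example: opt-in consent gate for analytics (all names are hypothetical).

// Every non-essential category starts unchecked; only "essential" is pre-set.
function defaultConsent() {
  return { essential: true, analytics: false, marketing: false };
}

// Record only what the user explicitly ticked; "essential" cannot be changed.
function applyChoices(consent, ticked) {
  const next = { ...consent };
  for (const key of Object.keys(next)) {
    if (key !== 'essential') next[key] = ticked.includes(key);
  }
  return next;
}

// Constructed pattern: redact e-mail addresses from event fields before sending.
const EMAIL = /[^\s@\/?&=]+@[^\s@\/?&=]+\.[^\s@\/?&=]+/g;

function scrub(fields) {
  const out = {};
  for (const [k, v] of Object.entries(fields)) {
    out[k] = typeof v === 'string' ? v.replace(EMAIL, '[redacted]') : v;
  }
  return out;
}

// Build the analytics.js command list. It is empty unless analytics was
// opted in, so pressing "OK" on an untouched dialog sends nothing.
function analyticsCommands(consent, trackingId, events) {
  if (!consent.analytics) return [];
  const cmds = [
    ['create', trackingId, 'auto'],
    ['set', 'anonymizeIp', true], // ask GA to truncate the IP address
  ];
  for (const e of events) {
    cmds.push(['send', scrub({ hitType: 'event', ...e })]);
  }
  return cmds;
}

// In a browser, after loading analytics.js:
//   analyticsCommands(consent, 'UA-XXXXXXX-Y', events).forEach(c => ga(...c));
```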