Cardinal Path’s response to COVID-19 Cardinal Path is sharing all we know to help marketers during COVID-19.  Learn more.

Managing GDPR compliance requires learning a new set of tasks. Not only is it an opportunity to grow your skill set, it helps evolve the way users control and access their data. To make sure you cover all the bases in complying with GDPR, we’ve come up a list of tools that we’re sharing with our clients to help them manage the process. Note that use of these tools does not indicate full GDPR compliance; these are just potentially helpful resources for you to consider.

Google Analytics

  • User Deletion API
    • This can be used for user data deletion requests.
    • Must provide a user ID or client ID for use in the API request, as well as the date that the user’s data should be deleted up to.
    • If a user may have their data recorded again after this date if they are not prevented from sending future hits via some other tool or method.
  • Google Analytics Opt-Out
    • Use this tool to prevent further hits from being sent to GA from your site for the current user once they indicate they wish to opt out of GA tracking.
    • Alternatively, you can:
      • Remove the Google Analytics script from pages when users have indicated they wish to opt out.
      • Set the tracker ID to something invalid like UA-BLOCKED.
      • Configure their TMS to block GA tags for users who have indicated they wish to opt out.
  • Google Analytics Methods – getAll and getByName
    • This isn’t quite a standalone tool; it’s an aspect of the analytics.js API that is worth mentioning because of its usefulness.
    • This can be useful for GDPR compliance if you want to pass a user’s GA client ID into a data access/deletion request form.
    • Example: ga.getAll()[0].get(‘clientId’); // returns client ID for the user from the first tracker object created on the page.
    • Example: ga.getByName(‘myTracker’).get(‘clientId’); // returns client ID for the user from the tracker object named “myTracker”.
  • Google Analytics Core Reporting API
    • This is one of many possible tools that can aid in automating data retrieval from Google Analytics. In relation to GDPR, this may be useful if users request to view their own data. Today, this is only possible if clients are pushing their client ID to a custom dimension. However, Google has stated that they will release an update “soon” that will allow developers to access Client IDs via this API.
  • Google Analytics Opt-Out Chrome Add-On
    • For users who wish to not send data to Google Analytics on any site they visit.
    • Compatible with Chrome, Internet Explorer 11, Safari, Firefox and Opera
    • You may choose to mention this option in your privacy content.
  • GA Data Retention Settings
    • Helpful if you would like to state how long user data is retained.
    • Might also be helpful if you get data access or deletion requests from users.


Tag Management

  • Tealium Consent Manager
    • Allows Tealium users to use Tealium to manage consent and make tracking decisions based on given or denied consent.
    • Read more on our blog here.
  • CookieBot for Google Tag Manager
    • Similar to the Tealium Consent Manager, CookieBot has created a script that manages consent logic for use with GTM. The company also offers a WordPress plugin.
    • While E-Nor has not tested CookieBot, it’s an example of a concept that can be adapted to your own needs.

Google Optimize

  • For Google Analytics customers who use Google Optimize, the same tools available in GA can also be used to assist in compliance for testing programs run through Optimize. Here are three examples of how the tools work together:
    • To delete user data from Optimize reports, use the User Deletion API (Optimize reports are built from Google Analytics data)
    • To retrieve data for a specific user, utilize the Core Reporting API (to be Optimize specific you may want to include the experiment ID, variation ID, and client ID as part of your request)
    • If the user wishes to not be included in Optimize experiments or future Optimize data, they can opt out of Google Analytics either via the client’s implementation or the browser add-on. (Confirmed here for Optimize 360; should apply to free Optimize as well but not confirmed.)


  • As part of Google Cloud Platform, there are many ways that data can be managed for access and deletion requests; there isn’t really a list of “tools” other than GCP products themselves.
  • Each approach will be depend on your data capabilities, defined data engineering process, and so forth.
  • This GCP whitepaper contains high-level information regarding GDPR compliance. It states the following on data export and deletion:

“Administrators can export customer data, via the functionality of the G Suite or Google Cloud Platform services, at any time during the term of the agreement. We have included data export commitments in our data processing terms for several years, and we will continue offering those after the GDPR comes into force, and working to enhance the robustness of the data export capabilities of the G Suite services and each of the Google Cloud Platform services (consult the Google Cloud Platform documentation for further information).”

“You can also delete customer data, via the functionality of the G Suite or Google Cloud Platform services, at any time. When Google receives a complete deletion instruction from you (such as when an email you have deleted can no longer be recovered from your “trash”), Google will delete the relevant customer data from all of its systems within a maximum period of 180 days unless retention obligations apply.”

Other Resources


State of Digital Marketing Analytics

The 2020 State of Digital Marketing Analytics examines the marketing technology that supports the world's most successful enterprises and highlights the challenges and strategies for navigating the new normal..