Embed MonsterInsights GDPR-compliant in a WordPress Website!

MonsterInsights GDPR compliant in WordPress websites

You want to integrate Google Analytics into your website, but don’t have the time to go through complex instructions that simply overwhelm you? Then you’ve probably already come across the cheeky purple monster with the big magnifying glass – also known as MonsterInsights. The WordPress plugin is supposedly the best and most straightforward solution for using Google Analytics.

In this article, we explain whether MonsterInsights is really worth it and which better alternative exists for the privacy-compliant integration of Google Analytics.

Attention: This article is not legal advice! We as developers of WordPress plugins and contractors of website projects have dealt intensively with this topic, as it is essential in our daily work. However, we are neither lawyers, nor can we guarantee the completeness, timeliness and accuracy of the following information. In case of doubt, always consult a lawyer.

What is MonsterInsights?

MonsterInsights = website analysis made easy? The purpose of MonsterInsights is to integrate Google Analytics easily and quickly into websites – without having to be a techie nerd. Within a few clicks, a wide range of different, complicated tracking functions can be set up, such as e-commerce tracking. Using this function, webshop operators can, for example, determine best-selling products and conversion rates. In general, the collection of such data helps to optimize one’s own website (identifying strengths and weaknesses) and to take targeted marketing measures.

If you are now wondering what tracking means, how it works and on what legal basis it is based, it is worth reading our article on web tracking.

Collected tracking data can be viewed directly in the WordPress dashboard and the website operator is spared the tedious clicking through the Google Analytics interface, which is often perceived as confusing.

Due to its beginner-friendly setup and usability, MonsterInsights is considered a popular solution in terms of Google Analytics plugins, alongside other plugins such as Analytify.

MonsterInsights features include (directly in your WordPress):

  • Real-time statistics
  • E-Commerce-Reports
  • SEO-Ranking-Reports
  • Reports on user behaviour
  • GDPR compliance

👉 We will discuss the latter in more detail in the course of the article.

What is Google Analytics?

Google Analytics is a service of the search engine giant Google. To date, Google Analytics has been the undisputed favourite in terms of analysis tools for websites. By embedding a tracking code in the code of one’s own website, it is possible to track visitor behaviour on the corresponding website and thus collect valuable information – such as dwell time and click behaviour.

Therefore, it makes perfect sense to incorporate a tracking tool like Google Analytics into a website to measure and analyse traffic.

Visitor data that Google Analytics collects, among other things:

  • Origin (Where does the visitor come from?)
  • Dwell time (How long does the visitor stay on a website?)
  • Device type (smartphone, computer, tablet)
  • Type of web browser (Mozilla Firefox, Google Chrome, Safari, etc.)
  • Operating system (Windows, macOS, Chrome OS, etc.)
  • Source (How did the visitor get to the website: via a social media network, Google search, another website, etc.?)
  • Downloaded files
  • Clicking behaviour (Which elements were clicked on?)
  • Watched videos
  • and much more

Is Google Analytics compliant with the GDPR?

The analysis tool is a thorn in the side of many data protectionists – and rightly so. The basic version of the tool is free of charge. But what is really still free these days? Unfortunately, almost nothing, and that is also true in this case. Because, as the saying goes: data is the new oil.

As a service of the gigantic data octopus Google, you agree to allow all collected data to be stored by the company when using Google Analytics. This primarily involves aggregated information about user behaviour.

What is the difference between MonsterInsights and Google Analytics?

It is often mistakenly assumed that Google Analytics and MonsterInsights are two separate analytics services – but this is not the case.

Google Analytics is a must-have for many website operators when it comes to tracking website traffic. MonsterInsights is practically the cherry on top of the cake, which makes tracking really palatable due to its universal functions.

Theoretically, you can set up Google Analytics on your WordPress website without MonsterInsights, but the manual setup can quickly overwhelm you.

Google Analytics is the service that allows you to collect and aggregate analytical data to better understand your website visitors.

MonsterInsights is a WordPress plugin that helps you implement Google Analytics into your WordPress website quickly and easily.

Is MonsterInsights compliant with the GDPR?

Data protectionists are often annoyed by the topic of tracking, because in most cases personal data is collected, collated and possibly passed on.

Since MonsterInsights is considered the optimal Google Analytics plugin solution and it advertises itself as being GDPR compliant, it is natural to assume that MonsterInsights meets the requirements for compliance with the General Data Protection Regulation.

In principle, MonsterInsights is a plugin by means of which the tracking of user data can be implemented in accordance with the GDPR. However, the conditions explained in the following section must be met for correct implementation.

Legal basis within the EU

Before we show you how you can integrate Google Analytics with MonsterInsights, let’s take a closer look at the legal background of web tracking.

According to the GDPR, tracking of visitors (if personal data is collected) is generally not permitted. In this case, “generally not allowed” means not without the active and informed consent of the visitor (opt-in procedure).

In addition, according to Article 7 of the GDPR, the following points must be fulfilled:

  • The visitor must be informed about the purpose of the data processing in an easily understandable way
  • Consent must be visible to the relevant visitor at all times
  • Consent must be revocable for the corresponding visitor at any time
  • Documentation of consent by the website operator (to fulfil the duty of disclosure)

An alternative option for tracking in line with data protection is the creation of completely pseudonymised or anonymised user profiles. In this case, only data that is not personal may be collected or such data is made unrecognisable by using pseudonyms (e.g. number sequences).

The WordPress plugin Statify does exactly that. It tracks user data, but without collecting personal data.

In our article about brilliant GDPR plugins for a legally compliant WordPress website, we listed further plugins that support you in making your website data protection compliant.

What do I need to use MonsterInsights in a privacy-compliant way?

In order to be able to use the Google Analytics plugin in a data protection compliant manner, we recommend that you fulfil the following criteria.

✅ Consent of the visitor

Why you need consent and how you can legally obtain it, we have already roughly covered in the previous section.

However, the issue of data processing in the USA plays an extremely relevant role here. Since the end of the Privacy Shield (informal agreement on data protection between the EU and the USA, which was negotiated from 2015 to 2016), the USA has been considered an insecure third country in terms of data protection.

Google Analytics is a service of the US company Google. You can probably already guess the problem. As a service of a company based in the USA, special care must be taken to obtain the consent of visitors to the processing of personal data in a legally compliant manner.

In the following instructions, we will show you exactly how to obtain the lawful consent of your visitors.

👥 Anonymize IP Tag

Behind the term is nothing less than the anonymisation of IP addresses. Since these are considered personal data in many countries, the obligation to make them unrecognisable is therefore a logical consequence. An IP address is changed or shortened in such a way that the user cannot be clearly identified. For example, 111.234.564.133 → 111.234.564.X

🤝 Data processing agreement

The point of such an agreement is that website operators who use the services of external companies – who process user data on their behalf – must conclude a contract with them. This is intended to ensure that the company commissioned by the website operator processes the data in a data protection-compliant manner.

The legal basis for this is GDPR Article 28.

The obligation to conclude exists, for example, when using Google Analytics.

How do I integrate MonsterInsights quick & easy in compliance with the GDPR?

Congratulations, you’ve now reached the eagerly awaited core of the article! (Or you skipped the previous sections and landed right here 😉).

To finally answer the question of all questions: How do I integrate MonsterInsights into my WordPress website in a privacy-compliant way?

Answer: The best and easiest way is with Real Cookie Banner. Because without it, it will be difficult, since MonsterInsights itself is not easily GDPR-compliant, as you have already noticed. Real Cookie Banner, on the other hand, takes care of everything you need to consider when it comes to data protection-compliant integration – without a lot of effort, being a developer owl or having to read novels written in legalese.

Further steps that you should follow for a correct integration of the analysis plugin are shown below.

Did you know that you need to configure Google Analytics in a privacy-friendly way? You should do this in addition to integrating Google Analytics after consent (with MonsterInsights). We explain 17 important Google Analytics settings and more in our knowledge base!

Integration of MonsterInsights with IP anonymisation

  1. Go to Plugins > Add New in the left menu bar.
  2. You will now be shown a view where you can add new plugins.
  3. Enter “MonsterInsights” in the search field Search Plugins…
Add MonsterInsights Plugin
  1. You will now be shown a selection of different plugins. We are looking for the little purple friend of MonsterInsights.
  2. Click on Install now and then on Activate. Et voilà, the plugin is ready for use.
  3. After the initial setup (don’t panic, MonsterInsights is super easy to set up thanks to a guided configuration), go to the settings of the plugin. To do so, click on Insights > Settings in the left menu bar.
MonsterInisghts Settings
  1. Click on Engagement in the menu above.
  2. Here you will find the option Anonymize IP Addresses. You need to activate this option to tell Google that IP addresses should not be saved in full when the information you track is logged. This means that it is no longer possible to assign which information belongs to which IP address. By shortening/changing the IP address, it is still possible to see which country or city the visitor comes from, but the specific user is no longer identifiable.
  3. Optional: If you wish, you can view the integration of the Anonymize IP tag in the code of your website. To do this, open your frontend in a separate window by right-clicking on the name of your website.
Open Frontend In New Window
  1. Right-click on any free space and select View Page Source.
Embedded Anonymize IP Tag In Code
  1. In the code of your website you can now see that MonsterInsights embeds Google Analytics. Furthermore, "anonymize_ip" : "true" is displayed. This means that Google should not save the IP address in full during the integration.

Integration of MonsterInsights with Real Cookie Banner

If you thought the previous integration was easy, watch out now. With the beginner-friendly cookie consent plugin Real Cookie Banner, you can easily obtain and log opt-in consent. With the help of the Cookie Banner, you can integrate MonsterInsights, but also just Google Analytics, into your WordPress website.

After installing the plugin and setting up the banner, proceed as follows:

  1. Click on Cookies in the left menu bar.
  2. You will now be shown a view in which you can configure your cookie banner. In the upper menu, you will see the tab Services (Cookies). Click on this.
MonsterInsights Cookie Set Up
  1. Here you can now create a service (cookie) for MonsterInsights. Since we have been busy, we have already created the template for MonsterInsights for you (in the PRO version). If you want, you can use it directly without making any adjustments.

Since Real Cookie Banner already takes care of setting up the service for you, we have skipped this step here.

Important: MonsterInsights must be installed and set up so that you can use the corresponding template.

It’s worth having a look: In our knowledge base you will find instructions on how to create a service (cookie) and a corresponding content blocker.

Creating Service For MonsterInsights
  1. Before you save the template, Real Cookie Banner informs you that a content blocker should be created for the use of the service. We have already preset this setting for templates for certain services. If you do not remove the tick from Create content blocker for this service, you will be forwarded directly to the corresponding template after clicking on Save.
  2. Again, we’ve covered everything we think is necessary already in the template, so all you have to do is scroll down and save the content blocker.

The content blocker ensures that Google Analytics is only integrated once the website visitor has given their consent.

Real Cookie Banner as an awesome alternative to MonsterInsights

The cookie plugin not only takes care of obtaining and documenting opt-in consent in accordance with data protection regulations. With Real Cookie Banner, you can also avoid using MonsterInsights altogether if you are only interested in an uncomplicated integration of Google Analytics.

In addition, many GDPR features that are only available in the PRO version of the MonsterInsights plugin are already included in the free version of Real Cookie Banner.

Conclude an order processing contract

According to GDPR Article 28, the integration of the Google Analytics analysis service via a commissioned processing is no longer permissible if Google Analytics is used with the default settings set by Google (as of 2020) (e.g. non-legitimate retention period of data). It is advisable to conclude a commissioned processing agreement within the meaning of the GDPR Article 26 to regulate the joint responsibility between the website operator and Google.

Such a contract is also necessary in the case of changed default settings.

Now we will show you how to create such a contract.

  1. Open Google Analytics via analytics.google.com
Google Analytics Dashboard
  1. Here we have to distinguish between two cases:
  • Case 1: You have a Universal Analytics property (e.g. UA-127382571-1)
  • Case 2: You have a Google Analytics 4 property (e.g. G-127369357)

Depending on which variant you use, the appearance of your interface varies. You now have to click on the administration button at the bottom left (case 1) or only on the cogwheel (case 2) to get to the admin area.

Google Analytics Settings
  1. Click on Account and select the correct account.
  2. Now click on Account Settings.
  3. Scroll down to Data Processing Terms. Now you have reached the order processing contract with Google. For older accounts, you must manually agree to this contract once. If you create a new account, you already accept the contract when you create the account. You can also read through the contract if you feel like it 😉
Google Analytics Admin Settings

Settings for Data Minimisation

According to Article 5 of the GDPR, default settings should be made as data protection-friendly as possible. However, this is not the case with Google Analytics, as Google wants to collect as much data as possible.

On the one hand, you can manually set at account level which data you want to share with Google that you collect via Google Analytics.

GA Account Settings Data Collection
  1. Go to Account Settings > Data Sharing Settings.
Data Collection Settings GA
  1. Many to all ticks are set by default. It is best to remove these manually so that no data is shared with Google.

In addition to data minimisation, you can also define the retention period of the collected data.

To do this, proceed as follows:

  1. In the second column, select your property and go to Tracking Info > Data Retention.
GA Data Retention Settings

Important: You will only find the data under Data Retention if you use a Universal Analytics Property (starts with UA-). If you use a Google Analytics 4 property, you will find the corresponding settings under Data Settings > Data Retention.

    1. Google has set the retention period of user and event data that can be uniquely assigned to a user to 26 months by default. Likewise, the option Reset on new activity (for Google Analytics 4: Reset user data on new activity) is activated. However, this is not within the meaning of Article 25 of the GDPR.

Accordingly, change the duration to 14 months and deactivate the option.

In the Google Analytics 4 property you can set 2 or 14 months.

Not all data collected in Google Analytics is deleted, but only data that can be clearly assigned to a user. Consequently, you have not lost the most important data even after the 14 months have expired!

Mention MonsterInsights and Google Analytics in the Privacy Policy

In order to fully comply with the data protection requirements for the use of MonsterInisghts and Google Analytics, you must also mention the analytics service in your privacy policy.

According to Article 12 and Article 13 of the General Data Protection Regulation, your privacy statement must cover, among other things, the following information:

  • Legal basis and scope of data collection
  • Duration of the storage of the collected data
  • Reference to IP anonymisation
  • Information on the right of withdrawal