If you use Google Analytics on your website and are in scope of the GDPR, make sure to use the
An IP address is in fact considered personal data and with analytics you’re collecting it without consent.
The GDPR defines ‘personal data’ as any information relating to an identified or identifiable natural person (CHAPTER I, General provisions, Article 4. Definitions).
Since natural persons may be associated with online identifiers […] to create profiles of the natural persons and identify them (Recital #30), IP addresses are a form of personal data.
This is confirmed by the European Commission as you can read on this page.
If your website stores or let a provider, like Google, store personal data (IP address) associated with analytics data, you’re violating the GDPR because you’re doing so without consent or other legal basis.
Moreover, you’re violating the Google Analytics terms of service, that states Analytics customers are not allowed sending personal information to Google.
Since 2010 Google provides a way to anonimize the IP of the visitors, and while the feature is not connected to the GDPR, it’s important for being compliant.
It’s not active by default though and the user must explicitly enable it. More information can be found directly at this Google page.
If you’re running a CMS, you’re probably using a plugin for Google Analytics, and you should make sure the configuration options of the plugin respect the new requirement.
The target date for the new regulation is in few days.
Is your website compliant with it?