GDPR & Google Analytics: Data Retention Controls and Consent

By Tinuiti Team

You are almost certainly aware of the upcoming deadline for the EU’s General Data Protection Regulation (GDPR) to go into effect May 25th of this year. Perhaps you’ve even received an email recently from Google Analytics about the action they expect you to take in your use of their tools and what you need to do to comply with the law’s provisions on your website visitors’ privacy and consent.

If you haven’t received the letter, it summarizes the changes that Google is making to the product in order to be compliant with GDPR and how those changes will affect your Google Analytics data. It then relates contract changes, product updates, and the need for users to review and potentially modify their data retention settings.

GDPR Compliance: Customers Must Now Set Their Own Data Retention Policies When Using Google Analytics

Beginning on the 25th of May, Google Analytics’ granular data retention controls will automatically delete user and event data older than whatever retention period you select. You will need to set the retention duration you’d like before May 25th, or it will be set to the default setting of twenty-six months.

These settings will not affect aggregated data reports. Google is also introducing a new automated deletion tool that will allow you to delete all data associated with an individual site visitor. More information on this tool will be made available to developers prior to the May deadline.

Google will also be updating several other features that govern data collection, use, and retention to help users with GDPR compliance.

Consent and Compliance: Contract and User Agreement Updates

Google has been gradually making changes to its contractual terms for many of its products since last August, in anticipation of the enactment of GDPR. Google states that the new “GDPR terms will supplement your current contract with Google and will come into force on May 25, 2018.”

Google is strongly suggesting, even if a company is not based in the EU or conducting business in the European Economic Area, that it still undertake a legal review of its use of Google Analytics and Analytics 360 and its need to comply with the GDPR.

Regardless of the outcome of this review, all users of Google Analytics and Google 360 will have to review and accept new data processing terms, along with defining “your path for compliance with EU User Consent Policy.”

The Big Takeaway

Most of the major changes to Google Analytics and Google 360 will take effect closer to May 25th. That said, preparation will be key to a smooth transition. Again, with the default setting for data retention set at twenty-six months, many users will want to change this setting—this can (and in many cases should) be done now.

For more information specific to GDPR, check out The Marketer’s Guide to GDPR Compliance. Our Analytics team can field client questions surrounding compliance, especially as it relates to Google Analytics.
