Is your Google Analytics account ready for GDPR?

You’re probably getting sick and tired of hearing about GDPR these days. We’ve covered it in a number of posts before (like this one), but it is a really big deal that every business and business owner needs to pay attention to. After all, the punishment for a data breach of the GDPR law is huge – €20,000,000 Euro or 4% of global turnover (whichever is higher).

However, there has been one question looming over the Digital Marketing industry; what about Google Analytics?

After all, Google Analytics collects and compiles an incredible amount of data, most of which count as “identifiable data”. As this comes under (and is the entire point of) the GDPR law, there has been serious concern about how much data we will actually get from Google Analytics moving forward.

Google’s long silence

One of the biggest concerns that many within the Digital Marketing industry had stemmed from Google’s relative silence on the subject. There had been almost no communication regarding GDPR and Google Analytics until early March.

Then, what tiny pieces of communication we did get didn’t really help the situation. Actually, it made many people feel even more nervous. A single email newsletter was sent out from Google that effectively said the following (paraphrased);

We are currently looking into making Google Analytics compliant with GDPR.

This was a bit of a shock as, out of all businesses, you would expect a company like Google (who rely on data to make money) to have their GDPR plans in place already. Instead, we were shown the human side of Google as they revealed that they still had not sorted out their GDPR policy. They didn’t seem to have any answers about how to make Google Analytics work, following the release of GDPR on 25th May.

Guesswork and theories

Due to the lack of a definitive plan of action regarding Google Analytics and GDPR, many business owners and people working in the Digital Marketing industry started to put together their own theories. There ranged from “nothing will change” to “we won’t have any data to use for our strategies anymore”.

On top of this, there was a strange occurrence that happened across multiple different properties within Google Analytics. For the first week of April, a portion of data was attributed into Direct, no matter what channel generated that data. This also caused a number of Digital Marketers to worry that this was the future of Google Analytics.

In essence, Google’s continued silence meant that everyone was in the dark, trying to find out what was going to happen without any assistance from Google itself.

A break in the silence

The first slice of information that we received from Google came when we logged into Google Data Studio at the start of May. We were greeted by a notification telling us to update the details of our Data Protection Officer.

It finally seemed as though Google was moving forward with their GDPR compliance. However, the same information was not requested by Google Analytics. In fact, nothing was requested by Google Analytics. Ths, once again, lead to slight concern about the future of the data that Digital Marketers need for campaigns to reach to their full potential.

It wasn’t until the second week of May, just 17 days before the date that GDPR comes into force, that Google finally sent out information regarding Google Analytics’ new Data Retention Controls.

What are Google’s data retention controls?

As part of their preparation for GDPR, Google have released a new Data Retention Control section to Google Analytics, with a brief explanation on it here. However, this brief explanation can be slightly confusing as to what actually happens with the data collected. As such, we’re going to break it down and make it easier to understand.

Retention period

The new Data Retention Controls that Google have implemented revolve around how long Google Analytics holds on to specific user data. This can be set within the Google Analytics admin section’s Tracking Info area, under Data Retention. There are a total of five options;

  • 14 months
  • 26 months
  • 38 months
  • 50 months
  • Do not automatically expire

Which retention period you choose to use will affect how you need to write your GDPR-compliant Privacy Policy, as you will need to clearly state how long you will hold a user’s information for.

There is no “one size fits all” recommendation that can be made about which retention period to use, either. Every website has a different use of and need for data, so it entirely depends on what is right for your business.

Standard page view analytics

One very important thing to note about the new Data Retention Controls is that they only affect the personally identifiable information. For example, this can include user data such as location, demographics, mobile device, IP address and browser choice.

What these controls do not affect is the standard Google Analytics page view tracking. In order words, general data such as Sessions, Bounce Rate, Revenue and Session Duration will not be affected. Therefore, even after the Data Retention Period you have chosen expires, you will still have the basic level of Google Analytics data.

Detailed user analytics

For the more detailed user data collected by Google Analytics, under the new GDPR legislation, it will be deleted from all records once the Data Retention Period has expired. On top of this, you are also unable to make any backup of this data without written and/or expressed consent of the individual being tracked.

That means that this data will eventually be lost to your business unless you chose the “do not automatically expire” Data Retention Period.

Therefore, you are probably wondering what anyone would choose the other options for a Data Retention Period. The reason for this is because the data only exists in Google Analytics for a set amount of time. After that timeframe has expired, a Data Protection Officer needn’t worry about it anymore.

Data retention period reset

The final aspect of the Data Retention Controls is how the retention period resets for users. In essence, each time a user creates a new Session on the website, the retention period restarts. This means that it is entirely possible to keep a user’s data indefinitely, as long as they keep coming back to the website.

For example;

  • User visits the website, starting a 14 month Data Retention Period.
  • The same user comes back within the 30 day cookie period.
  • The 14 month Data Retention Period countdown resets, whilst keeping the previous data on the user.

For businesses with repeat customers, this can be perfect as it means that they will be able to hold onto the data for longer periods of time. However, those businesses that typically have a very low or non-existent repeat customer base will lose the personally identifiable data at the end of the Data Retention Period.

The long road ahead

Now that we are on the verge of GDPR hitting the world, it really is time to start sorting out your GDPR-compliant Privacy Policy. This will need to include the fact that you use Google Analytics, as well as what you use it for and how long you keep records of user data.

Therefore, you need to make sure you have sorted out the Data Retention Controls within your Google Analytics property – otherwise, you won’t be able to make your Privacy Policy GDPR-compliant.

If you have any questions about Google Analytics or are concerned about how to utilise the new Data Retention Controls, then don’t hesitate to get in touch with us today. We are happy to help.

Written by Gareth Torrance

Hello there. I'm Gareth, the Digital Marketing Manager at Brave. With almost a decade of experience in PPC and SEO, I've seen everything from Pandas and Penguins to the horrible time that was Mobilegeddon. As an Adwords Certified Google Specialist, I have lived through almost every major shift in the industry! And that makes me feel old.

Google Partner
Bing Ads
Brightpearl Partner
Marketing Society