May 17, 2018 By BJ,

The General Data Protection Regulation (GDPR) goes into effect May 25th, 2018, and is all about protecting the personal data and behavioral information of consumers. It is specific to the European Union (EU), and only applies if the data subjects (aka, consumers), are in the EU when the data is collected. In addition, it is important to note that a financial transaction does not have to take place in order for this law to kick in; it applies any time personal data or personally identifiable information (PII) is exchanged.

That being said, we aren’t writing this blog post to tell you the ins and outs of the new law. There are plenty of resources that have already been released that do a great job summarizing the regulations, including this article specific to ecommerce marketing by our friends at Klaviyo. Instead, we wanted to make sure you are ready for the related, impending changes in regards to Google Analytics data retention policies. These changes are a result of GDPR, and also go into effect May 25th, 2018.

Even if you are a U.S. company that doesn’t do business in the EU, these changes could affect your Google Analytics account. In short, Google has provided the ability to manually adjust the amount of time that Analytics will store user and event level data, and has currently set the default time period to 26 months. If the retention setting is not adjusted, any data older than 26 months will be deleted beginning May 25th.

The deletion of this data will not affect aggregate reporting, such as main acquisition, behavior, and conversion reports within Google Analytics. It will however, affect the ability to create custom segments, ad hoc reports, and to use custom dimensions with data that has been removed.

Digital Operative has recommended that our clients change their data retention settings from the default 26 months to “Do No Automatically Expire,” which will ensure that historical data remains intact. We do not intend to provide professional advice outside of our existing client-base, and are definitely not recommending this across the board, but here’s what our Web Analyst, Patrick McCarthy, has to say about it:

If I change the setting to “Do Not Automatically Expire,” am I still compliant with the GDPR?

Yes, GDPR regulations do not specify the length of time that data can be retained.

Is there any way to get my data back if Google deletes it?

Nope - Google will remove the data from their servers for good.

How do I get to the section of Google Analytics where I can change this setting?

In Google Analytics admin, navigate to Property Settings, and then Tracking Info. Here you should see a “Data Retention” link - here you will be able to make changes to this setting, and don’t forget to save your changes once updated.

Is Google making any additional changes that will affect my Analytics account?

Google is working on providing Analytics users with the ability to delete specific user data, but we are unsure as to exactly when this feature will roll out.

Why did they make the default time period 26 months?

To put it simply, it sounds like Google would like to free up space for more data and ensure that users are able to compare year-over-year metrics, but is leaving it up to individuals to decide whether they would like to keep historical data.

Here are a couple of other compliance related items that are being recommended in Google Analytics:
  • If currently active, disable the demographics and advertising reporting feature. This reporting does provide deeper insights into audience demographics, but might not be useful enough to justify a risk of GDPR penalties.
  • Take advantage of the “Anonymize IP” feature for your Analytics tracking snippet. Depending on how you are serving your tracking snippet, via Google tag manager or hard coded, there are a couple of steps that you will need to take. Check out this awesome video from Julian at Measureschool for more information.

Conclusion

We hope you found this information helpful in your quest to GDPR compliance! Again, please remember that none of this advice should be taken as legal counsel, and we absolutely recommend that you consult with your legal team to create a GDPR compliance plan as soon as possible.

Please reach out if you have any questions! We are a full-service digital agency that specializes in digital marketing and ecommerce strategy. Check out some of our recent work or contact us to set up a time to chat.

More from the
DO Blog