You probably received an email from Google the other day.
Google emailed their Google Analytics customers with a long email about GDPR and data retention controls.
They advised that you need to “review these data retention settings and modify as needed” before May 25th when GDPR becomes enforced.
If you’re like me you probably ignored it…but I had the day off today and thought it might be worth reading again.
The email subject line was:
“[Action Required] Important updates on Google Analytics Data Retention and the General Data Protection Regulation (GDPR)”
To prevent you having to try and interprete their long email I thought I would put together a short guide as to what it means, does it affect you and what you need to do.
Basically, it’s all to do with GDPR (I’m sure you’ve heard loads about this), which is the EU’s General Data Protection Regulation and comes into force on May 25th.
We have another, much longer post, in progress for all the ins and outs of GDPR but for the purposes of explaining the Google email we won’t touch on this too much.
To summarise the legal requirements, Article 5 (e) of the GDPR states that personal data shall be kept for no longer than is necessary for the purposes for which it is being processed.
There are some circumstances where personal data may be stored for longer periods (e.g. archiving purposes in the public interest, scientific or historical research purposes).
Recital 39 of the GDPR states that the period for which the personal data is stored should be limited to a strict minimum and that time limits should be established by the data controller for deletion of the records (referred to as erasure in the GDPR) or for a periodic review.
Organisations must therefore ensure personal data is securely disposed of when no longer needed. This will reduce the risk that it will become inaccurate, out of date or irrelevant.
The key paragraph in Google’s email relating to data retention is:
“Today we introduced granular data retention controls that allow you to manage how long your user and event data is held on our servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select.
Note that these settings will not affect reports based on aggregated data.”
Roughly translated this means you need to go in and set your data retention policy manually before May 25th otherwise historic User and Event data will be deleted monthly once it reaches the retention period.
That last sentence is also very important.
“...these settings will not affect reports based on aggregated data…”
This means aggregate website analytics such as:
Will NOT be affected.
So what is ‘User and Event‘ Data?
“Implementing User Data Import requires that you be able to generate unique identifiers for your users and send them to Analytics by appending these IDs to your tracking code.”
This is why GDPR impacts the retention of this kind of data – it can be used to identify individual users.
“An event is a user interaction with your site or app that you specify and collect data about by modifying your tracking code as described in the body of this article.”
Again, see the emphasis on tracking ‘user interactions‘.
You may not even be sure if you use User and/or Event data.
Do you setup Custom Segments or Remarketing Audiences?
If the answer is yes, then you use this data.
If you just use Google Analytics to track aggregated data such as:
Then User and Event data is probably not a priority for you.
Thankfully, updating these settings are really easy to do!
You may be immediately presented with a warning like this which indicates that you need to review these settings:
Which brings you to the detail you are looking for:
There are options to retain ‘User and Event Data’ for the following periods:
User and Event data will then be deleted monthly when it reaches the specified retention period.
You’ll notice the ‘Reset on new activity’ switch…
This means that the retention period will be reset every time that the specific user re-visits your website.
If they are a frequent visitor the applied retention period will never be reached, to give an example:
If your retention period is set to 14 Months (as ours is), and your user visits your website on Month 13, Day 25, the counter is reset back to zero.
So there is a further 14 months retention period applied before their User and Event data is deleted.
To me this goes a little against the spirit of GDPR but cleverly Google have put you in control and in charge of your specific website settings.
There is no ‘one size fits all’ answer to this.
If you only use Google Analytics for the basic aggregated reports and statistics then I’ll be bold and state that you should err on caution and just apply the minimum retention period as you don’t use the data.
If you use custom segments and remarketing then you need to align these Google Analytics settings with your own internal GDPR policy on user data.
If you want to know more about GDPR this is the official website to ‘educate the public’:
Good luck and we will be back with simplified version guidance on how to interpret and implement GDPR compliance for all website and small business owners this weekend –
Hi, I’m Nigel, Founder of Devon Media a Devon based digital media agency.
With over 20 years consultancy experience working with blue chip companies I’m a natural problem solver – a perfect character trait for the ever changing landscape of SEO.
Feel free to ask me anything, always happy to help out firstname.lastname@example.org
And if you’re on Facebook why not swing by our group and say Hi…