How To Use Google Analytics’ Data Retention Control Tool For GDPR Compliance In 2018

With the impending doom that has been ushered in with the EU’s General Data Protection Regulation (GDPR) act, the Google Analytics tool has finally gotten around to addressing its compliance. On May 25th, 2018 (the day GDPR takes effect), Google Analytics will activate the Data Retention Control Tool, which allows webmasters and Google Analytics site administrators to select the length of time that data should be kept in the system.

The Data Retention tool allows Google Analytics administrators to determine how long user-id data and even tracking data will stay on the server. The options are 14, 26, 38, and 50 months. Admins also can select “do not automatically expire.” Additionally, webmasters and administrators can reset the retention period on a new activity, meaning that the retention period will reset if new activity from the unique user ID is tracked on your website. 

If a user does not initiate a new session within the expiration/retention period selected, the data associated with that ID will be deleted. GDPR outlines the legal justification in the EU for data collection, use, and retention, but from a Google Analytics perspective, it does not change the way the tool works or will work overall.

These tools are a way to shift the burden of data deletion onto website administrators, webmasters, and other entities that control Google Analytics dashboards and website installations. Google is "providing website owners with a way of self-regulating.”

Essentially, this means setting a data retention tool is completely up to the website owner. For third-party agencies, it means talking to clients about how long they want their data stored in Google Analytics. Furthermore, for third parties, this also questions how long an agency should continue to have access to a website’s analytics if the relationship is strained. 

Always ask the website owner first! It’s up to the company who owns the website to determine how long the Google Analytics dashboard should hold on to their user data. If they are unaware of this new change or don’t have a strong opinion on this policy, the following questions can help determine the length of retention you should set in Google Analytics:

Question 1: How Do You Use the Data?

Surprisingly, Google Analytics is already compliant with a large portion of what is prescribed by the GDPR. Because it relies on unique user IDs, and thereby anonymizes identifying details of the user, Google Analytics ensures private data collection practices.

There is no problem with keeping Google Analytics data for this reason, but we still want to exercise caution when we keep data. GDPR is an EU policy, with future policies regarding data retention funneling down the pipeline. Additionally, North American countries may adopt similar policies.

If you constantly use data to evaluate new visitors to the website, the data retention tool can be set to delete data for people who have not been active on your website for a set period. If you have no use for older visitor data and don’t wish to remarket to those people, setting a short time frame for deletion won’t have too much of an impact on how you use Google Analytics.

If you are someone who relies on old data for decision making, you may want to set the period longer. There is also an option to keep your data indefinitely, but there is still some uncertainty if this option truly allows you to keep all data. 

Question 2: Do You Still Have Access to the Website?

A bigger component of Google Analytics is tracking access. If you are a third party, your Google Analytics account probably has several properties that you never use because you no longer work with that client or administrator. If you no longer need to access the data, it is important to contact the site owner to switch over the property permanently to them and remove administrative access to the account.

This eliminates the need to set the data retention tool, but it is important to let the website owner know about the policy and the amount of data that is stored. Remember, this is just concerning Google Analytics. If you work with customer database files or customer relationship management platforms, there are additional steps needed to follow GDPR.

If you cannot reach the site owner or administrator, or the website has been relocated or removed altogether, it may be time to set the data retention tool for the client. The minimum setting is 14 months, so that would be ideal if you have this type of Google Analytics property.

Question 3: Does the Website Owner Know You Are Still Collecting Data?

This may seem like a no-brainer, but often we set up websites, building them from the ground up, installing tracking and letting it run without close traffic monitoring. While this may have been best practices for all websites, third parties need to be in frequent communication about using Google Analytics on the site unless the website owner explicitly states they want continued tracking on the website. This is where conversations about data retention, access, and continued services can come to fruition!

Question 4: Do You Have Google Analytics Set Up Correctly?

Google Analytics does a great job of giving you all the options you need to be compliant with all forms of data privacy. However, these must be turned on! In the administrator level of any Google Analytics property you own, you can turn on the IP Anonymization tool for Marketing and Advertising, which disguised personal identifiable information as discussed above.

If you are using manual tracking, don’t pull through PII into the Google Analytics dashboard. If you use tag user and event tracking to include these forms of data, this places you in the grey area of compliance/non-compliance.  The online marketing element of GDPR is still vague, and while the policy applies to the EU, there are massive implications for how data collection will be redefined in the next coming months.

Question 5: Do You Know How to Set the Tool?

Okay, so this one isn’t a question to consider regarding your retention period, but rather a visualization of how to find it in your settings. Note, the default setting is 14 months, so unless you specify otherwise, all Google Analytics accounts will default to that setting in May.

Navigate to Google Analytics and locate the administrative settings on the property for which you wish to modify the retention settings. You will find the tool for tracking information – specifically, data retention control tool settings. See below:

Step 1

Step 2

Step 3

Impact

Google Analytics is a source for many of the applications and third-party services to integrate lead traffic data, like Marketo and Salesforce. If you use advanced UTM tracking to pull through personally identifiable information, you are already violating Google’s terms of service.

Keep your UTM tags broad. If you track Lead Source/Lead Source Detail in for traffic, this can give you the sufficient information you need to make actionable decisions in your leads dashboard. Recording every parameter possible is too time-consuming and does not comply with new laws in data regulation.

Depending on the settings in your chosen third-party lead generation software, you may or may not have access to the data once Google Analytics has released it through the data retention control tool. If you are attempting to pull historical data into your platform before the data retention tool takes effect, now would be the best time. These tools will likely become compliant with Google’s data retention tool as well, so only time will tell how long this data can truly be saved.

And there you have it, five questions every Googly Analytics manager needs to consider while moving into May 2018. As GDPR takes full effect, and Google Analytics subsequently rolls out the data retention and deletion tools in full steam, the industry will surely see the change that will prompt immediate action. Be prepared and be smart!

DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Ascedia makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to GDPR compliance.