Skip to main content

Blog Post

Google Analytics Data Retention Controls and the GDPR

The countdown to the GDPR is entering its last stretch (May 25, 2018 is just around the corner!) and Google recently released some very important product updates to Google Analytics. These updates will need your attention and action, even if your users are not in the European Economic Area (EEA). 

Google sent out an email to Google Analytics admins recently, but you also may have seen the blue announcement banners in your account. The team here at Mediacurrent spends a lot of time each week in analytics account, so we wanted to give you the scoop on what these changes mean because they’re really important. This post will cover the essential elements, but as you’ll see, getting your legal team involved with these discussions is going to be critical.

At this time, there are four primary items you’ll want to keep on your radar:

  1. Data Retention Controls 
  2. EU User Consent Policy
  3. Data Processing Amendment (DPA)
  4. User Deletion Tool 

Part 1: Understanding the new Data Retention Controls

This new control type will determine how long Google will retain user and event data before automatically deleting it. This is indeed just as important as it sounds. We’ll unpack those details below, but the options available for this setting are:

  • 14 months
  • 26 months
  • 38 months
  • 50 months
  • Do not automatically expire

A subset of the retention controls is the Reset On New Activity option. When enabled, it will “reset the clock” for that user's data retention period. 

Both of these configurations are set at the property level in Google Analytics, which means the settings will need to be updated for each unique Universal Analytics (UA) instance. This is especially important for any of you that might have archives or old site data lurking in an old Google Analytics property! Further documentation can be found here: https://support.google.com/analytics/answer/7667196 

What is Affected by the Data Retention Controls?

According to Google, aggregate data will not be affected by these retention controls. This means that reports created from the aggregated data tables in Google Analytics (like the Audience Overview report, for example) will be preserved even if the more granular data has been deleted. However, only the raw data will be available, which means segments and table filters cannot be applied to those reports if they are outside of the retention period.

This very high-level view of data is useful for basic period over period trend reporting, but it will not provide more granular data like events or user flow data. Those more granular data points are important for analysis, which puts us squarely on the big question: what should we choose? 

Which Data Retention Options Should You Choose?

There is no one-size-fits-all answer here, but aligning the retention period with the typical length of a full sales cycle (how long it takes a user to move completely through the funnel) should cover the majority of typical use cases we see for more granular data. However, if you or your team use Google Analytics features like custom segments, table filters, secondary dimensions, or multi-channel reports (all of which are awesome) you’ll want to be particularly considerate about which retention period you select because those require non-aggregated data to function. 

You’ll want to work with your legal team to review how these configurations fit into your wider approach to GDPR, but we recommend enabling the “Reset On New Activity” setting and retaining as much data as your legal team is comfortable with. 

When it comes time to update these, navigate to Admin, then under the Property column > Tracking Info > Data Retention. 

Part 2: EU User Consent Policy

Your legal team will need to review the updated EU User Consent Policy and determine if there are any updates needed to the privacy policy on the site. That updated policy is available to review here until May 25, 2018: https://www.google.com/about/company/consentstaging.html 

Even if you are not based in the EEA, please consider consulting with your legal counsel if your business falls under the GDPR while using Google Analytics, review/accept the updated data processing terms, and define your path for compliance with the EU User Consent Policy.

Part 3: Data Processing Amendment (DPA)

Similar to the EU User Consent Policy, Google updated the Data Processing Amendment in Google Analytics. The Data Processing Amendment is available under Admin > Account Settings (under the account column). Your legal team should review this document as well. Once your legal team completes their review of the updated DPA, it can be accepted. 

Related to the DPA, you can also add contact information (name, email, address) for the following roles in Google Analytics: Primary Contact, Data Protection Officer (DPO), and EEA Representative. These items are optional, but they’re worth being aware. 

Part 4: User Deletion Tool

Google will have a tool available by May 25, 2018 to help manage users that request to have their data deleted. Specific details about this tool are still sparse, but Google has committed to having this in place by May 25. At this time, Google has not published any documentation yet, but it has been described as an automated tool that will include an API. Details should be available shortly on their APIs for reporting and configuration page (https://developers.google.com/analytics/#apis-for-reporting-and-configu…

Additional Resources
Why Web Analytics Are Important For Your Business | Blog
4 Analytics Metrics That Indicates It's Time For a Redesign | Blog
Google Webmaster Tools 101 | Blog

Davin Post

Meet team member, Davin Post

Davin brings an insatiable curiosity for data, words, creativity, and technology to his role as Senior Digital Strategist. He leverages a background in data and analytics and experience in shaping...

Learn more about Davin >