If you are an administrator on a Google Analytics account, you received an email from Google on April 11th about an update required to meet the requirements of the GDPR, a new data protection law that takes effect on May 25, 2018.
A number of our customers have been calling with questions about this update. The email from Google states:
Product Updates
Today we introduced granular data retention controls that allow you to manage how long your user and event data is held on our servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select. Note that these settings will not affect reports based on aggregated data.
Action: Please review these data retention settings and modify as needed.
General Data Protection Regulation
This update follows stronger regulation for protecting personal data in the European Union. In a nutshell, the General Data Protection Regulation (GDPR) is a regulation requiring businesses to protect the privacy and personal data of EU citizens. The GDPR also regulates how data can be exported out of the European Union. Failure to comply with this regulation could lead to lawsuits, and could be detrimental to businesses.
Companies like Constant Contact and MailChimp are informing customers of this regulation, and are preparing themselves to handle the new EU privacy protection rules.
My Business is in The United States. Why Does This EU Policy Apply to Me?
If you have a public website, or manage an email newsletter, chances are that you are not only receiving website traffic and email signups from people in the United States. The GDPR protects all EU citizens, and if there is a chance that your business is reaching them, you need to comply with these policy updates.
Google Analytics is a platform that collects a myriad of information about website visitors: location, age, gender, occupation, and more (depending on each individual’s Google Privacy settings). Even though your business targets customers in the United States, you likely have a visitor or two coming to your website from other countries. These users may opt in to your newsletter, or they may register to view content on your website, or they may submit a contact form. You need to make sure that your business is handling this information appropriately.
One thing is for sure: Google tracks those visitors, and passes their information on to you in Google Analytics.
So, What Changed, And What Do I Need to Do?
In your Google Analytics Administration, you now have the option to control how long you keep data about your website visitors. You can access this setting in your Google Analytics Property Administration section. Here is a screenshot of what your Admin view should look like, and where to click to edit your data retention length:
Here, you will have the option to choose how long you would like Google Analytics to retain information about your website visitors:
It appears that the default setting is to save user data for 26 months. If you do nothing, Analytics data about your users will likely be removed after 26 months.
Do I Need to Do Anything Else?
In general, we strongly recommend that your website includes a Privacy Policy, so that your website visitors know exactly how much information you collect about them, how you obtain that data, and what you do with it. You can view our Privacy Policy for an example of what this may look like.
If your website includes e-commerce, online forums, or memberships, we strongly recommend that you consult with your business attorney to ensure that the privacy policy on your website is adequate, and that you are doing everything in your power to ensure that information your business collects about website visitors remains secure.
