New laws around data and privacy are right around the corner, and yet there remains much confusion around exactly what we’re supposed to do about it. For most American marketers, the new European law is the most serious privacy legislation ever encountered, and the first time there’s been a legal requirement to react to, rather than the vague and ever-present threat of individual litigation. We first wrote about the law last year after it was passed, and that piece remains an important (and perhaps increasingly relevant) primer on the subject.

There are many ways in which your organization should respond to these new consumer protections, but today we’ll focus on what it means for you if your organization uses Google Analytics.

If you have only recently become concerned about (or even just aware of) the European Union’s General Data Protection Regulation (GDPR) and how it affects you and your Google Analytics account, you are not alone. Interest has spiked in recent weeks:

Google Trends shows searches for “Google Analytics Data Retention” and GDPR spike in April.

Much of this interest was triggered by two alerts from Google Analytics: a blue in-app banner at the top of all Google Analytics reports warning of “recently launched new Data Retention controls that may affect your data starting May 25”, and a corresponding email to Google Analytics administrators with an alarming subject line (“[Action Required] Important updates on Google Analytics Data Retention and the General Data Protection Regulation (GDPR)”). These alerts have triggered a wave of blog posts summarizing what is known and what has been shared by Google, and a corresponding wave of comments and posts in forums begging for more clarity about what these changes actually mean.

What is the practical effect?

Much of the coverage begs the question: “What does GDPR mean for you? You will be subject to GDPR!” But what are the practical effects, and what should you do about it?! This question is hard to answer because it largely hinges on the question of enforcement. As we discussed in our post about GDPR last year, violating GDPR could result in severe fines, no matter where you conduct your business, or it could result in a simple slap on the wrist warning, or your violations could go unnoticed and un-penalized. The outcome depends on how and to what extent the EU chooses to enforce their new law, which we cannot predict.

The practical reality for most marketers, however, is that GDPR is most likely to affect you through the services you depend upon, as major service providers (like Google) are the companies this law was written for. To keep themselves out of the EU’s legal cross-hairs, they will make changes to their own documentation and practices to protect themselves, and in some cases those changes will trickle down to you. The example of this that we’re focusing on today: Google Analytics’ new Data Retention controls.

What you should know about GDPR and Google Analytics:

  • If your website can be viewed by people in the EU (and it almost certainly can be) the new law applies to your organization.
  • As of May 25, 2018, by default, Google Analytics data from more than 26 months ago may become unavailable for certain analyses.
  • You can control that, and you can change how long your data stays available to you.
  • Most high-level metrics, such as total site visitors or bounce rate, will not be affected by this.

What you should do about it:

  • If you have been planning to do deep, custom analyses on your Google Analytics data from two years ago or more, change your Data Retention settings TODAY to a time period that saves your data.
  • Document what data you collect in Google Analytics (including your new Data Retention settings), and update your site’s privacy policy to reflect this information.
  • Internally, document your governance around who has access to data collected about your audience, and how that data may be used.
  • Ensure that your website and email marketing use appropriate disclosures and gather user consent over the collection and use of their data.
  • If you are at all uncertain about any of the above, seek both technical and legal assistance in ensuring your compliance with the new law.

There are three major themes here: control your data, bolster your governance, and protect yourself legally.

On the danger to your data

Very little has been published about exactly how the new Data Retention policy will change what is possible in your Google Analytics account. What we do know is that data that is older than your own policy settings will be deleted, but that aggregated reports based on that original data will not be affected. The best documentation about aggregated vs. non-aggregated data in Google Analytics actually comes from their help page about sampling. This passage in particular explains it well:

“If you modify a default report in some way, for example, by applying a segment, filter or secondary dimension, or if you create a custom report with a combination of dimensions and metrics that don’t exist in a default report, you are generating an ad-hoc query of Analytics data.”

Think about the reports you use on a regular basis. Do you depend upon custom reports in Google Analytics? Do you use segments to understand the behaviors of specific audiences? Do you often “dig deeper” on GA’s basic reports by adding secondary dimensions? If yes to any of these, your analyses will be affected by the new Data Retention policy.

The next question is “When”. From all GA accounts we’ve reviewed so far, the default Data Retention policy settings are 26 months, with data set to renew on new activity. What this means is data from every user will last more than 2 years, and thereafter data will be lost only for users who didn’t return (or, more accurately, whose activity couldn’t be traced back to the same user). A lot of technical nuance is buried in that last point, but suffice it to say that “some” of the users you haven’t seen in 2 years will start to have data about their visits deleted, even though top-line summaries based on that data will be retained.

To give an example of the above, if you had 100 visitors on Feb 20, 2010, 20 of those people came to your site from Twitter, and just one of those people was using a Palm Pilot, you could go to your GA account today, and see:

  • 100 people visited
  • 20 people came from Twitter
  • 1 person was using a Palm Pilot
  • 1 person that came from Twitter was using a Palm Pilot (based on a custom query)

After GA’s new default Data Retention policy comes into effect, you will still be able to go back to Feb 20, 2010 and see:

  • 100 people visited
  • 20 people came from Twitter
  • 1 person was using a Palm Pilot

But you should NOT expect to be able to ask the custom query of “devices by source”:

  • 1 person that came from Twitter was using a Palm Pilot
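
The retention behaviour described above, as a simplified Python model added here for illustration (it is not Google's implementation and not code from the original article). The sample hits, the field names, and the assumption that a returning user keeps all of their earlier rows are constructed for the example.

```python
from collections import Counter
from datetime import date
import calendar

RETENTION_MONTHS = 26  # the default setting the article reports seeing

# Constructed sample hits: (user_id, visit date, source, device)
HITS = [
    ("u1", date(2010, 2, 20), "twitter", "palm pilot"),
    ("u2", date(2010, 2, 20), "twitter", "desktop"),
    ("u3", date(2010, 2, 20), "direct", "desktop"),
    ("u2", date(2018, 1, 5), "direct", "desktop"),  # u2 returned recently
]

def add_months(d, months):
    """Calendar-month addition, clamping the day to the target month."""
    y, m = divmod(d.year * 12 + d.month - 1 + months, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))

def aggregate(hits, day):
    """Single-dimension daily totals, stored at collection time."""
    rows = [h for h in hits if h[1] == day]
    return {"visitors": len({h[0] for h in rows}),
            "source": Counter(h[2] for h in rows),
            "device": Counter(h[3] for h in rows)}

def purge(hits, today, reset_on_new_activity=True):
    """Drop user-level rows whose retention window has lapsed."""
    last_seen = {}
    for user, day, _, _ in hits:
        last_seen[user] = max(last_seen.get(user, day), day)
    kept = []
    for h in hits:
        # With reset enabled the clock restarts at the user's latest visit.
        clock_start = last_seen[h[0]] if reset_on_new_activity else h[1]
        if add_months(clock_start, RETENTION_MONTHS) >= today:
            kept.append(h)
    return kept

def adhoc(hits, day, source, device):
    """Cross-dimension query; only answerable from user-level rows."""
    return len({h[0] for h in hits if h[1:] == (day, source, device)})
```

With `today` set to May 25, 2018, the stored daily summary is unchanged by `purge`, while the Twitter-by-Palm-Pilot query on the remaining rows drops from 1 to 0.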

This is the practical effect of the new policy. So what should you do about it today? If you think you are likely to be asked to perform any kind of custom analysis on data from more than 2 years ago, then you need to go into your Google Analytics property settings (or “properties” if you control multiple) and update the date range to preserve original data tables for the time period you expect you’ll need.

This is what matters to you as an analyst or a marketer who has yet to make effective use of the data you’ve been collecting for all these years.

These settings have governance and legal implications that go well beyond analysis, however, and get at the expectations of the European Union and, because of them, the expectations Google is now placing upon you.

Policies around privacy, in Google’s own words

To understand in further detail what Google wants us to know and do, let’s talk through a few highlights from their communications about the new law. There is a range of relevant messages and posts, from the relatively anemic support documentation about the GA Data Retention feature itself and a Google blog post about their response to GDPR overall, to a relatively hidden primer on GDPR compliance (scroll to the bottom and note the accordion section “CMO checklist” if you are in charge of your marketing).

From Google’s email to all Google Analytics administrators, it is worth calling out their specific call to action:

“Action: Even if you are not based in the EEA, please consider together with your legal department or advisors, whether your business will be in scope of the GDPR when using Google Analytics and Analytics 360 and review/accept the updated data processing terms as well as define your path for compliance with the EU User Consent Policy.”

This blog post does not serve as legal advice, but you would do well to assume that your business is in scope of GDPR, as even a single visit to your website from someone covered by the law exposes you to it. That leaves defining your path to compliance with Google’s EU User Consent Policy (note: that link may change, as the content may move and replace the existing policy). That document is by far the toothiest and sternest language I have seen from Google on this subject. Here it is in full:

EU user consent policy

Please note: The text on this page will replace the existing EU User Consent Policy on May 25, 2018.

If your agreement with Google incorporates this policy, or you otherwise use a Google product that incorporates this policy, you must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area. If you fail to comply with this policy, we may limit or suspend your use of the Google product and/or terminate your agreement.

Properties under your control

For Google products used on any site, app or other property that is under your control, or that of your affiliate or your client, the following duties apply for end users in the European Economic Area.

You must obtain end users’ legally valid consent to:

  • the use of cookies or other local storage where legally required; and
  • the collection, sharing, and use of personal data for personalization of ads or other services.

When seeking consent you must:

  • retain records of consent given by end users; and
  • provide end users with clear instructions for revocation of consent.

You must clearly identify each party that may collect, receive, or use end users’ personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party’s use of end users’ personal data.

Properties under a third party’s control

If personal data of end users of a third party property is shared with Google due to your use of, or integration with, a Google product, then you must use commercially reasonable efforts to ensure the operator of the third party property complies with the above duties. A third party property is a site, app or other property that is not under your, your affiliate’s or your client’s control and whose operator is not already using a Google product that incorporates this policy.

What this says is that Google expects you to secure ‘consent’ for the use of cookies and the use of data collection tools (like Google Analytics or advertising tools like Google Ads or Facebook Ads) on your users in the EU (typically this means pop-ups, affirmative clicks, and prominent links to up-to-date privacy policies.) Google expects you to keep track of people who have given consent, and to provide a way for your users to “opt out” of their participation in your use of these tools. This ties to the concept of the “right to be forgotten,” as GDPR gives your EU visitors the right to demand a summary of what data you’ve collected about them, and to demand that you remove that data from your systems (or otherwise make it so the data cannot be linked back to them). Lastly, in a move that seems less surprising in light of the recent Cambridge Analytica scandal, Google also expects you to have documentation about how your data is used by you and your own organization, as well as third parties, and to summarize this governance in your published privacy policies.

If you do not adhere to these expectations, Google reserves the right to close your Google Analytics account.

Here, as before, the severity of this threat comes down to a question of enforcement, and how aggressively Google will pursue organizations that do not adhere to these policies. One of the criticisms of EU privacy laws has been that the EU does not possess the technical capacity to enact enforcement themselves—there are hundreds of cases of European governments pursuing American companies over privacy issues, but that is nothing compared to the millions of websites that are likely to be in breach of GDPR. Google, however, as a provider of many of the data services in question, does have this technical capacity, and could very well become an enforcer of the EU’s privacy law as they strive to adhere to it themselves.

For most people, the most tangible threat of these new changes to Google Analytics is that data will be deleted if it ages past the “data retention” period set in Google Analytics settings. What many people do not realize is that Google has always had a data retention policy, and only ever promised to keep Google Analytics data for 24 months. Before now, however, we’ve never been aware of Google ever enforcing that policy. What we see now with this new Data Retention settings panel and Google’s clear communication about when and how data will be deleted is that Google is getting more serious about enforcement of privacy policies, in light of GDPR. And if Google is getting more serious about privacy, marketers should too.

What you should do, Right. Now.

  • For every Google Analytics account you are responsible for, check the Data Retention settings in Admin > [Your Property Name] > Tracking Info > Data Retention and ensure that it matches your expectations and needs
  • Ensure that your privacy policy is updated to detail your data practices (including any changes you may have just made to data retention)
  • Work with whoever is responsible in your organization to ensure that you have internally documented your data practices and can comply with the requirements of GDPR (and can protect yourself if challenged)
  • Review our blog post about the broader implications of GDPR
  • Contact us if you need any help with any of this!