Google analytics and GDPR: what you need to know

If you’re a regular user of Google Analytics, you may have noticed recently that a message in a little blue bar appeared on your dashboard, talking about “data retention”. You may have noticed the familiar date attached to this policy change – 25th May 2018.

You guessed it! Google Analytics is getting its house in order (and helping you get yours in order) for GDPR. Spurred on by this, I thought it might be useful to go over the steps you need to take to make sure you’re complying with GDPR if you’re a heavy user of Analytics.


The legislation

Google is giving you a big nudge in the right direction with its latest message – but also covering its own back. When it comes to Analytics usage, and in the terms of GDPR, you (the person who owns, operates and uses the Analytics property) are herein referred to as “the data controller”, and Google is herein referred to as “the data processor”. I did enjoy using some fancy legal terminology just then. Under GDPR, both the data controller and the data processor have responsibility for compliance, documentation and ensuring legitimate processing methods. So, in layman’s terms, you and Google are both seen as responsible should something go wrong. I don’t know about you, but I wouldn’t like to try and get Google to pay the better part of my ICO fines, so it’s in your best interests to ensure compliance within your organisation.

Of the 8 rights afforded to an individual under GDPR, one of them is the right to be informed. An individual whose personal data you process has the right to expect full transparency from your business about the nature of the processing. Specifically:

“You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.”

Did you spot the words “retention periods” in there? That’s what Google are getting at.


Data retention

There are currently no restrictions on the length of time you can retain an individual’s personal data for. The key takeaway here is documentation and transparency – you must keep a record of how long you intend to retain their data, and clearly inform the user of that period.

Google is now giving you a number of options for retaining data in Analytics. After the chosen period of time, it will remove user-level and event-level data associated with cookies, user identifiers (User IDs) and advertising identifiers (DoubleClick cookies, Android’s Advertising ID, Apple’s Identifier for Advertisers). This is particularly significant if you do any sort of remarketing or personalisation on your site. The timescales available are as follows:

  • 14 months
  • 26 months
  • 38 months
  • 50 months
  • Do not automatically expire

As mentioned above, there are currently no legislative restrictions in place as to how long you are allowed to retain data for, so this is completely up to you. Just bear in mind, if you choose “do not automatically expire”, and even if you inform your users as such, this may come across as a little woolly, which could leave you on shaky ground. It’s worth examining your processing needs and thinking seriously about whether you need to retain a user’s data indefinitely.

Once you’ve made this decision, you’ll need to select the appropriate settings in Analytics. There’s more information on the Google support site.


Informing your users

The second part of this task is making sure visitors to your site or app are informed of your retention schedule. The easiest and most common way to do this is through your privacy or cookies policy. It’s already best practice to include a list of cookies you use on a dedicated page on your site (here’s ours). So for Analytics specifically, you can now add a line detailing how long the user data is retained for. For any other tracking or apps you use which collect user data or use cookies, it’s worth checking in with them around data retention and how to navigate this within their environment.

If you are currently looking at your screen a bit blankly because you don’t have a cookies or privacy policy page – it’s a very good idea to, you know, get one. “The right to be informed”, as you’ll have read above, also covers the purposes of processing data. This means you’ll want to inform website users of why you collect certain data and how you use it. Let’s take an example from our cookies page:

Provider: Google Analytics
Name: _utma
Purpose: These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.
More info: Google Privacy policy
Retention schedule: Data removed after 38 months

Here we’ve given detail of the provider, the names of the cookies used, and the purpose of collecting and processing the data. We’ve also added a shiny new column for “data retention schedule”. This is a pretty common template for a cookies page – so feel free to steal it.

Getting this in place is a 5-minute job you can do this afternoon if you run out of ideas for passing the time, and it will massively help you out in the long term. If you’d like any more advice on how to navigate GDPR with your marketing and online tracking activities, get in touch.