You guessed it! Google Analytics is getting its house in order (and helping you get yours in order) for GDPR. Spurred on by this, I thought it might be useful to go over the steps you need to take to make sure you’re complying with GDPR if you’re a heavy user of Analytics.
Google is giving you a big nudge in the right direction with its latest message – but also covering its own back. When it comes to Analytics usage, and in the terms of GDPR, you (the person who owns, operates and uses the Analytics property) are herein referred to as “the data controller”, and Google is herein referred to as “the data processor”. I did enjoy using some fancy legal terminology just then. Under GDPR, both the data controller and the data processor have responsibility for compliance, documentation and ensuring legitimate processing methods. So, in layman’s terms, you and Google are both seen as responsible should something go wrong. I don’t know about you, but I wouldn’t like to try and get Google to pay the better part of my ICO fines, so it’s in your best interests to ensure compliance within your organisation.
Of the 8 rights afforded to an individual under GDPR, one of them is the right to be informed. An individual whose personal data you process has the right to expect full transparency from your business about the nature of the processing. Specifically:
“You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.”
Did you spot the words “retention periods” in there? That’s what Google are getting at.
There are currently no restrictions on the length of time you can retain an individual’s personal data for. The key takeaway here is documentation and transparency – you must keep a record of and clearly inform the user how long you intend to retain their data for.
Google is now giving you a number of options for retaining data in Analytics. After this period of time, it will remove user-level and event-level data associated with cookies, user identifiers (User IDs) and advertising identifiers (DoubleClick cookies, Android’s Advertising ID, Apple’s Identifier for Advertisers). This is particularly significant if you do any sort of remarketing or personalisation on your site. The timescales available are as follows:
- 14 months
- 26 months
- 38 months
- 50 months
- Do not automatically expire
As mentioned above, there are currently no legislative restrictions in place as to how long you are allowed to retain data for, so this is completely up to you. Just bear in mind, if you choose “do not automatically expire”, and even if you inform your users as such, this may come across as a little woolly, which could leave you on shaky ground. It’s worth examining your processing needs and thinking seriously about whether you need to retain a user’s data indefinitely.
Once you’ve made this decision, you’ll need to select the appropriate settings in Analytics. There’s more information on the Google support site.
Informing your users
| Provider | Name | Purpose | More Info | Retention schedule |
Here we’ve given detail of the provider, the names of the cookies used, and the purpose of collecting and processing the data. We’ve also added a shiny new column for “data retention schedule”. This is a pretty common template for a cookies page – so feel free to steal it.
Getting this in place is a 5-minute job you can do this afternoon if you run out of ideas for passing the time, and it will massively help you out in the long term. If you’d like any more advice on how to navigate GDPR with your marketing and online tracking activities, get in touch.