What GDPR Means For Your Google Analytics Data
Disclaimer: This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. You may not rely on this as legal advice, or as a recommendation of any particular legal understanding.
Data Retention Controls Email from Google Analytics
If you haven’t already seen it, brace yourself for a forthcoming email notification from Google Analytics about data retention controls and a May 25, 2018 deadline.
One of them looks like this:
What You Can Do
Follow the instructions and set Google Analytics to the data retention level that is in your comfort zone.
Please note: I am neither legal counsel nor your Digital Marketer, which makes giving a sweeping recommendation challenging. I have to also re-state that talking to legal counsel is always recommended, regardless of your company’s size or location. Here are some sample scenarios.
1. You are an SMB in the US, you don’t have EU customers or any locations in the EU.
Setting it to not automatically expire or a longer time length of expiration might be ok.
2. You are a mid-market business in the US, you rely on GA and also run a pretty aggressive marketing program.
Talk to your digital marketing team about how far back they are using session-level data for your marketing programs (e.g. paid retargeting).
3. You are a major business, you’ve got locations in the EU and even if you don’t, the EU probably knows who you are.
Talk to a lawyer.
Wait…What…Why?
Why is Google Doing This?
Google is working to get in compliance with the new, upcoming GDPR regulations about data privacy, particularly because they are a global entity. The GDPR is the General Data Protection Regulation, and it comes from the EU and related countries. The purpose of the GDPR is to enforce a recent court ruling that states individuals are the owners of their data, not the business or websites that collect it. #ThanksFacebook. The ruling is specific to EU customers and most American businesses didn’t know it was happening, but it still matters — especially if you are a global company.
With the looming arrival of GDPR and the ease with which you and anyone else can unsubscribe or report spam, it’s important to treat people like people instead of leads.
Ok – *whew* I’m not in the EU, so this doesn’t matter to me, right?
Point #1
Technically a company doesn’t need to be in the EU for this to apply. If you get website traffic from the EU or have any customers who live in the EU, then this pertains to you.
Now, you might go to a legal level on this one to the tune of, wait, can the EU pass a regulation that applies to my company if I’m not based there? Moreover, could they actually fine me or penalize me if I’m not under their jurisdiction?
The answer is…geez I’ve got no clue, I’m not a lawyer and I don’t know your business or customers. I’m just laying out what the policy says and what to do if you want to be relatively squeaky clean on this one.
I did find this resource for you on an interview from Linda Priebe, who stated, “While we don’t yet have U.S.-EU negotiated civil enforcement mechanisms for the GDPR (and it is unknown whether we ever will), there is still the application of international law and potential cooperation agreements between U.S. and EU law enforcement agencies, which have been increasing in recent years.”
So, basically, if you are big enough and the US wants to do the EU a favor, US authorities can agree to come after you under the umbrella of international law. #funtimes
Side note: If you are located in the EU, disregard that paragraph – this totally applies to you, in addition to a boatload of other stuff you probably should care about in order to be in compliance.
Bigger side note: Just setting your client retention data to expire doesn’t put you in compliance with GDPR. There’s more stuff you need to do (Sorry if you thought this was going to be a set-it-and-forget-it kind of issue)… especially if you have the collection of demographic and affinity data turned on in Google Analytics.
Here’s a great post in layman’s terms for marketers on GDPR and compliance.
Here is another post on the steps you should take to get into GDPR compliance.
Point #2
If you don’t do anything, it’s going to be set to a default of 26 months. In other words, if you don’t do anything, Google is still going to dump your old data.
Therefore it doesn’t matter whether you are in the EU or not, this setting will affect everyone.
I hope you don’t have a headache and are sticking with me…
How Big of a Deal Is This?
Before you panic and log into your Analytics expecting to see flatlines on your data, please realize this isn’t affecting every report you rely on as a business. What this is deleting is session-level data that allows you to pinpoint specific individuals (like an IP address), the collection of demographic and affinity information, and the User Explorer report.
Let’s Break Down what Google is Telling Us
(bullet points extracted from the email in the picture above)
- Any user and event data that is older than your retention setting will be marked for permanent deletion, and will no longer be accessible in Google Analytics.
What this means: Each month Google will be dropping data past the retention period you set on your website. Here is their mostly vague article on this.
- Deletion will affect the use of segmentation, some custom reports and secondary dimensions when applied in date ranges older than your retention setting.
What this means: There are some cool reports that you probably won’t be able to reach back and get. This is where it’s going to get a little murky, as Google hasn’t provided a list of what reports aren’t going to be available.
Here’s what I can find:
- Source, medium and campaign information associated with conversion events.
- Raven Tools took a guess at what reporting will be affected.
  - Creating Ad-Hoc reports
  - Applying a custom segment
  - Secondary dimensions
  - Table Filters
Here’s my best guess at additional reports that might be affected:
- Anything using session-level dimensions seems like it would be up as fair game.
  - Session
  - Bounces
  - Bounce Rate
  - Session Duration
  - Average Session Duration
  - Unique Dimension Combinations
  - Hits
- Anything you’ve done with custom dimensions will probably need to be reviewed, especially if it’s a session-level scope.
- Reports based on aggregated data will not be affected.
What this means: Some of the standard reports you are used to probably won’t be affected.
We’re Going to Test It!
We are going to go ahead and set our data retention to expire and we’ll let you know what happens and what reports we can’t get any more.
Stay tuned for what we find out and what reports seemed to be affected.
That’s a Wrap
In general, I know I’m supposed to end with a pithy conclusion, structured in a block of text wishing you well and also giving a call to action that if Google Analytics confuses the crap out of you, we can help.
Instead, I’ll end with:
- This is confusing and complicated.
- I don’t think losing session-based information from 2 years ago is a big deal to most small and medium businesses. I’m probably not going to lose sleep about holding onto data we won’t ever use.
- I do think violating GDPR, especially if you have any ties to the EU, is a gigantic deal and you should be careful. Do not take this lightly.
- In all of this, I think it’s a positive outcome for Digital Marketers to take a look at how we are using and storing data and ensuring we are being squeaky clean with data privacy and security.
- We should all prepare for something similar to become the law of the land here in the United States. It may take a while but we should be ready.