The General Data Protection Regulation (GDPR) and Google Analytics Data Retention Update

  • Written by Robert Padgett Cooper

We gathered helpful information to help you understand what the GDPR is and how it affects you. Also with this new regulation, Google Analytics has been preparing to meet with these requirements that will take place May 25, 2018.

Ian Lurie stated that “if you don’t want block traffic coming from Europe, the GDPR law will apply to you”. We highly recommend seeking legal help to make sure you comply with this new law.

The General Data Protection Regulation – What Does it Mean?(GDPR)

The GDPR is a European law that has the objective of protecting EU citizens’ personal information, and regulates how the data is collected, stored, and used. Even though this is a European law, if your site gets traffic from any country belonging to the EU, then it is important for you to understand this law and comply with it.

Companies that do not comply with this law can face large fines ranging from lower level of up to 10 million Euros and upper level of up to 20 million Euros.

What are the rights of a EU citizen under the GDPR?

They have the right to:

  • information about the processing of their personal data;
  • obtain access to the personal data held about them;
  • ask for incorrect, inaccurate or incomplete personal data to be corrected;
  • request that personal data be erased when it’s no longer needed or if processing it is unlawful;
  • object to the processing of their personal data for marketing purposes or on grounds relating to their particular situation;
  • request the restriction of the processing of their personal data in specific cases;
  • receive their personal data in a machine-readable format and send it to another controller (‘data portability’);
  • request that decisions based on automated processing concerning them or significantly affecting them and based on their personal data are made by natural persons, not only by computers. They also have the right in this case to express their point of view and to contest the decision.

What is Considered to be Personal Data?

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

  • a name and surname;
  • a home address;
  • an email address such as;
  • an identification card number;
  • location data (for example the location data function on a mobile phone);
  • an Internet Protocol (IP) address;
  • a cookie ID;
  • the advertising identifier of your phone;
  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

For How Long Can Data be Stored?

You must store data for the shortest time possible. That period should take into account the reasons why your company/organization needs to process the data, as well as any legal obligations to keep the data for a fixed period of time.

Your company/organization should establish time limits to erase or review the data stored and must also ensure that the data held is accurate and kept up-to-date.

How Does the GDPR Impact US Companies?

Like we mentioned above, even though this law is European, it doesn’t apply only to companies that are located in the EU since it is meant to protect the data of EU citizens or people located in Europe. If an American is travelling through Europe, he or she will be protected by the GDPR too. In conclusion, any American site that gets European traffic must comply with this regulation if:

  1. They collect or process personal data of any EU user
  2. The company’s activities relate to offering goods or services to EU users

Important: It’s not necessary for a financial transaction to take place for this regulation to be enforced.

Even if you don’t have forms on your site where you ask for name, last name, email, etc. your site can still be collecting user personal data if you are using:

  • Analytics software like Google Analytics
  • Social media pixels, like the ones provided by Facebook and Linkedin when you do paid campaigns.
  • Click and heatmap software
  • Adwords and other paid software pixels for tracking conversions and doing remarketing campaigns.

Steps to Take to Prepare Your Site for the GDPR

Since this law will apply to your business, it is important to get your site ready by implementing features that will ask users for consent of tracking their data as well as allowing them to update, export or erase their data:

  • Asking users to opt-in to anything you want to do with their personal data.
  • Advocate for transparency and manage cookie preferences that users can control or opt-out of when visiting your website.
  • Allow users to erase or anonymize user data from your WordPress website and plugins when a request is made.
  • Allow users to access data and manage user requests for visualization or provide an export of the data.
  • Provide the tools for users to request their data through double opt-in confirmations and export the contents in a JSON or XML format for portability.
  • Track and log all user activity from consent through to notifications, including deletion requests and data recovery with encrypted and secure audit logs.
  • Notify users of any data breach.

For more comprehensive checklists please review:


We found these two articles that explain the GDPR in lay terms and can be of great help to you:

Google Analytics Data Retention Update – What to Do & What Not to Do

If you use Google Analytics, you should have received this email from them recently, introducing the new data retention controls:

email from Google Analytics

There are many blogs and articles on the internet saying to update the control to “Do not automatically expire”, however this is incorrect. This setting should be set according to your own company policies like we explained above.

Jenny Halasz, during the Raleigh SEOMeetup Conference that took place on May 15th, 2018, warned about changing settings related to data retention in Google Analytics, since changing the settings could transfer the liability from Google to you.

Google Analytics has stated that the data associated with the data retention control applies to user-level and event-level data associated with cookies, user-identifiers (e.g., User-ID) and advertising identifiers (e.g., DoubleClick cookies, Android’s Advertising ID, Apple’s Identifier for Advertisers).

Unfortunately, it is not clear which Google Analytics reports will be affected with this change. We will only know after May 25th which is when the data retention settings will start working.

However, we are expecting that the data that will be affected falls under these reports:

  • Demographics and Interest reports under the Audience category, which provide insight into characteristics of your users.

demographics menu in Google Analytics

  • Events that collect personal data, for example, tracking a click on a submit button on a form.  Downloads, video plays and other similar events will not be affected since they do not collect any personal data.

events menu in Google Analytics

Traffic reports, that include pageviews, unique pageviews, traffic sources, medium, bounce rate, time on page should not be affected and will not be deleted automatically.

The options they provide for automatically deleting this data is:

  • 14 months
  • 26 months
  • 38 months
  • 50 months
  • Do not automatically expire

When data reaches the end of the retention period, it is deleted automatically on a monthly basis.

If you change the retention period, then any affected data is deleted during the next monthly process. For example, if you change from 26 months to 14 months, then any data older than 14 months is deleted during the next monthly process.

Whenever you modify the retention period, Analytics waits 24 hours before implementing the change. During this 24-hour period, you can revert your change and your data will be unaffected.

It is important important for each company to set a policy for storing data and for how long it should be stored. It is important to demonstrate the need and reasons why that specific time has been selected.

Editing the data retention settings:

You need to have Edit permission for the property to set these options.

  1. Sign in to Google Analytics.
  2. Click Admin, and navigate to the property you want to edit.
  3. In the PROPERTY column, click Tracking Info > Data Retention.
  4. User-data retention: select the retention period you want.
  5. Reset on new activity: turn the switch on or off.

More Resources on Data Retention