The General Data Protection Regulation (GDPR) and Google Analytics Data Retention Update

  • Written by Robert Padgett Cooper

On May 25, 2018, the EU is rolling out its General Data Protection Regulation (GDPR). We’ve gathered some information to help you understand what the GDPR is, how Google Analytics is preparing to meet its requirements, and how these changes are likely to affect you.

Why does the GDPR matter? Well, as Ian Lurie put it, “Would you be OK blocking all traffic from the EU? No? Then you had better comply with the GDPR.” In other words, if you rely on website traffic from any country in the European Union, the GDPR applies to you. We highly recommend seeking legal help to make sure you comply with this new law.

The General Data Protection Regulation (GDPR) — What Does it Mean?

The GDPR is a European law that aims to protect EU citizens’ personal information by regulating how the data is collected, stored, and used. Even though this is a European law, if your site gets traffic from any country that belongs to the EU, then it’s important for you to understand this law and comply with it.

Companies that do not comply with this law can face large fines that can go as high as 10 million to 20 million Euros.

What are the rights of an EU citizen under the GDPR?

Under the GDPR, EU citizens have the right to:

  • information about the processing of their personal data;
  • obtain access to the personal data held about them;
  • ask that incorrect, inaccurate, or incomplete personal data be corrected;
  • request that personal data be erased when it’s no longer needed or if processing it is unlawful;
  • object to the processing of their personal data for marketing purposes or on grounds relating to their particular situation;
  • request the restriction of the processing of their personal data in specific cases;
  • receive their personal data in a machine-readable format so they can send it to another controller (a.k.a. “data portability”);
  • request that decisions based on automated processing concerning them or significantly affecting them and based on their personal data are made by natural persons, not only by computers. They also have the right in this case to express their point of view and to contest the decision.

What is Considered “Personal Data”?

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information that, when collected together, can lead to the identification of a particular person also constitute personal data. Here are some examples:

  • a name and surname;
  • a home address;
  • an email address such as name.surname@company.com;
  • an identification card number;
  • location data (for example the location data function on a mobile phone);
  • an Internet Protocol (IP) address;
  • a cookie ID;
  • the advertising identifier of your phone;
  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

For How Long Can Data be Stored?

To be in compliance with GDPR, data must be stored for the shortest time possible. That period should take into account the reasons why your company/organization needs to process the data, as well as any legal obligations to keep the data for a fixed period of time.

Your company/organization should establish time limits to erase or review the data stored and must also ensure that the data held is accurate and kept up-to-date.

How Does the GDPR Impact US Companies?

Like we mentioned above, even though this law is European, it doesn’t only apply to companies located in the EU since it is meant to protect the data of EU citizens, residents, and anyone inside the EU. For example, if an American is traveling through Europe, their data will be protected by the GDPR, too. So any American site that gets any European traffic must comply with this regulation if:

  1. that site collects or processes the personal data of any EU user
  2. the company’s activities relate to offering goods or services to EU users

Important: It’s not necessary for a financial transaction to take place for this regulation to be enforced.

Even if you don’t have forms on your site where you ask for name, last name, email, etc., your site can still be collecting users' personal data if you are using:

  • analytics software like Google Analytics
  • social media pixels, like the ones provided by Facebook and LinkedIn when you do paid campaigns
  • click and heatmap software
  • AdWords and other paid software pixels for tracking conversions and doing remarketing campaigns

Steps to Take to Prepare Your Site for the GDPR

Since this law will apply to your business or organization, it’s important to get your site ready by implementing features that will ask users to consent to tracking their data as well as allowing them to update, export, or erase their data. Here are some ways you can do that:

  • ask users to opt-in to anything you want to do with their personal data;
  • advocate for transparency and manage cookie preferences that users can control or opt-out of when visiting your website;
  • allow users to erase or anonymize user data from your WordPress website and plugins when a request is made;
  • allow users to access data and manage user requests for visualization or provide an export of the data;
  • provide the tools for users to request their data through double opt-in confirmations and export the contents in a JSON or XML format for portability;
  • track and log all user activity from consent to notifications, including deletion requests and data recovery with encrypted and secure audit logs;
  • notify users of any data breach.

Google Analytics Data Retention Update — What to Do & What Not to Do

If you use Google Analytics, you should have received this email from them recently, introducing the new data retention controls:

[Image: email from Google Analytics]

Many blogs and articles on the internet say to update the control to “Do not automatically expire”; however, this is incorrect. This setting should be set according to your own company policies, as we explained above.

Jenny Halasz, during the Raleigh SEOMeetup Conference that took place on May 15th, 2018, warned about changing settings related to data retention in Google Analytics, since changing the settings could transfer the liability from Google to you.

Google Analytics has stated that the data retention control applies to user-level and event-level data associated with cookies, user-identifiers (e.g., User-ID) and advertising identifiers (e.g., DoubleClick cookies, Android’s Advertising ID, Apple’s Identifier for Advertisers).

Unfortunately, it is not clear which Google Analytics reports will be affected by this change. We will only know after May 25th, when the data retention settings start working.

However, we expect that the data affected will fall under these reports:

  • Demographics and Interest reports under the Audience category, which provide insight into characteristics of your users.

[Image: demographics menu in Google Analytics]

  • Events that collect personal data, for example, tracking a click on a submit button on a form. Downloads, video plays and other similar events will not be affected since they do not collect any personal data.

[Image: events menu in Google Analytics]

Traffic reports, which include pageviews, unique pageviews, traffic sources, medium, bounce rate, and time on page, should not be affected and will not be deleted automatically.

The options they provide for automatically deleting this data are:

  • 14 months
  • 26 months
  • 38 months
  • 50 months
  • Do not automatically expire

When data reaches the end of the retention period, it is deleted automatically on a monthly basis.

If you change the retention period, then any affected data is deleted during the next monthly process. For example, if you change from 26 months to 14 months, then any data older than 14 months is deleted during the next monthly process.

Whenever you modify the retention period, Google Analytics waits 24 hours before implementing the change. During this 24-hour period, you can revert your change and your data will be unaffected.

It is important for each company to set a policy for what data it stores and for how long. It is equally important to be able to demonstrate the need and the reasons why that specific period has been selected.

Editing the data retention settings:

You need to have Edit permission for the property to set these options. Here is the process:

  1. Sign in to Google Analytics.
  2. Click Admin, and navigate to the property you want to edit.
  3. In the PROPERTY column, click Tracking Info > Data Retention.
  4. Under User Data Retention: select the retention period you want.
  5. Reset on new activity: turn the switch on or off.
