What are the GDPR Google Analytics Data Retention Settings?
In preparation for the General Data Protection Regulation laws coming into effect on 25th May 2018, Google has been making changes to its policies and tools.
Please be aware that the information contained within this overview does not constitute legal advice, and you should consult your own legal professional for guidance on implementing GDPR in your own organisation.
GDPR classifies cookies, IP addresses and other online identifiers as personal data which falls under its remit. If you have logged in to your Google Analytics account recently, you are likely to have seen a blue banner at the top of your window which says:
“We've recently launched new Data Retention controls that may affect your data from 25 May 2018. To dismiss this message, please visit your property’s Data Retention settings under Admin > Property > Tracking Info and click 'Save'. Learn more”
What Are The New Settings?
The Data Retention settings allow website owners to specify how long personal data can be stored in Google Analytics (from 14 to 50 months, or “Don’t automatically expire”) and whether or not this retention period should reset when there is a new “event” from a user.
You can see the Google Analytics help page here: https://support.google.com/analytics/answer/7667196
What Will This Affect?
This does not affect all data in Google Analytics, only the data which relies on cookies, user-identifiers or advertising-identifiers.
Google has been extremely vague about exactly how this will impact usage of Google Analytics reports, simply saying “These controls do not affect most standard reporting” and “The user and event data managed by this setting is needed only when you use certain advanced features like applying custom segments to reports or creating unusual custom reports.”
This suggests that the extent to which this will impact you depends on how much you use custom segments or custom reports on data that is more than 14 months old (the shortest data retention duration).
We believe that this will impact your ability to segment data outside of your retention window by demographics, location, device, browser and, ultimately, anything which has been tracked about an individual user.
However, Google has been extremely unclear and we will have to wait and see on 26th May.
- GDPR stipulates that all personal data stored and processed by data controllers and processors should have one of 6 legal bases for storage. Read these on the ICO website
- The processing of this personal data should be necessary for the stated purpose; if there is a means of achieving the same thing without processing personal data, then that route should be taken
- Article 5 of GDPR "Principles relating to processing of personal data" (e) states:
Personal data shall be: “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');”
- Article 5 (e) is somewhat unclear for Google Analytics purposes. The data is being stored for statistical purposes and it is in the Legitimate Interest of your business to store and analyse the data. However, at what point does that historical data become redundant and therefore no longer necessary? This is an important point to consider and should inform your decision on how to configure the settings.
- Whatever duration you decide on should be clearly stated in your website’s Privacy Statement along with the reason you are storing personal information for that duration
- If your organisation was audited by the ICO and they deemed that you were illegally storing or processing personal data, then you would be subject to severe fines
- Google will set the data retention setting to 26 months by default, which suggests that the Google legal eagles believe there is a sound argument for this duration of personal data storage