How to Prepare Your Google Analytics Account for GDPR

You probably know by now that GDPR (The General Data Protection Act) goes into effect on May 25th, 2018.

That means you only have one month left to get prepared for GDPR compliance.

While the EU mandates this initiative, all online businesses will be affected by GDPR in some way or another. So even if you don’t operate in the EU, it’s still important to understand how this regulation will change the way analytics, remarketing, and data collection work within your organization.

In today’s video and post, we’ll talk about the impact of GDPR on your Google Analytics data. I’ll do my best to break down Google’s recent email about preparing your analytics account for GDPR compliance. And we’ll look at the new tools Google has added into our analytics accounts to help us with this process.

To learn more about how GDPR affects your Google Analytics data, you can download our GDPR compliance resources.

Disclaimer

Before we get into the details, I want to offer a disclaimer. I don’t have all the answers about how GDPR will affect your use of Google Analytics. The stakes are high, though, so I am producing this video to expand my knowledge of how everything will work. Because of these high stakes, I recommend working with legal counsel to help you understand any GDPR questions specific to your organization.

With that out of the way, I will do my best to interpret Google’s latest communications in this post.

Google’s recent email about GDPR

Google recently sent out an email to all Google Analytics admins about GDPR.

Google Analytics email about GDPR compliance

The purpose of this email was to introduce product updates that will help us get ready for data privacy compliance.

Google Analytics update – Data retention control

One of the product updates Google is introducing is data retention control. This feature will allow you to manage how long Google stores your user data on Google’s servers.

data retention control

Data retention control will go into effect in your account the same day GDPR launches, May 25th.

data retention control

However, you can adjust your data retention settings now. The setting you select will then activate on May 25th, 2018.

Google Analytics data retention settings

Source: Google

Data Retention control settings

The current default for data retention is 26 months. But you can select to retain your user data for a shorter or longer period.

google analytics data retention control settings

 

***Important update: The default data retention setting will cause you to lose data that’s critical to many advanced reporting features. Unless you adjust your setting, Google will purge user data from your account that was collected more than 26 months ago. This setting will take effect on May 25th, 2018.

Your historical user data is essential to your ad-hoc reports. Ad-hoc reporting includes features like advanced segments and table filters. To keep your user data intact you can adjust your data retention setting to “Do not automatically expire.”

 

To learn more about how data retention will affect your Google Analytics account, you can read our detailed post about this setting: Change Your Google Analytics Data Retention Setting, Or Lose Your Advanced Segments.

 

And, to learn about how GDPR impacts data retention and tracking consent, you can refer to this post: GDPR Compliance with Google Analytics – Do You Need Cookie Consent?

User deletion tool

Google has also introduced a user deletion tool. This tool will allow you to remove users’ Client IDs, User IDs, or App Instance IDs from your analytics data.  When a user opts out of tracking, you’ll use this tool to remove their data.

Google analytics user deletion tool

We’ve talked about merging Client IDs, and User IDs for cross-device tracking in one of our past tutorials. We’ve also discussed synchronizing Client IDs for cross-domain tracking. The user deletion will help you undo this type of tracking.

Google has done some back-end work for you

My biggest concern with GDPR compliance has been the difficulty involved with implementation. The regulations will be burdensome for small online businesses and blogs, especially those who don’t have access to the raw data collected by analytics tools (i.e., everyone who uses Google Analytics).

To remind you of the existing data protection tools available in GA, Google also used their recent email to remind us of all the settings that are already available in our accounts.

Tools like:

  • Customizable cookie settings
  • Data sharing settings
  • Privacy controls
  • Data deletion on account termination
  • IP anonymization

google analytics user tracking tools

Not everyone needs to use these tools, but they are available to help you with GDPR compliance.

You have opted-in automatically to these changes in Google Analytics

The next part of Google’s email lets you know that you have opted into their data processing changes. Essentially, Google is making you aware of these compliance related changes. If you want to use their tools, your account is subject to those changes.

google analytics GDPR contract changes

You are responsible for data privacy compliance

Google is taking on the majority of the compliance burden since our analytics data is stored on their servers.

But they are also letting you know that you are responsible for the data you track in Google Analytics.

Google Analytics EU user policy updates for GDPR

Google gives you the tools to track data online. But it’s on you to use these tools appropriately.

That means you need to understand how GDPR affects your measurement techniques. Your tracking and data retention policies and compliance will be up to your organization. And ignorance of GDPR won’t be an excuse for non-compliance.

Stuff you ignored before that you might care about now

The last part of Google’s email reminds us that they have a bunch of other products you probably haven’t been using. Stuff you ignored in the past, but might care about now.

Google data privacy policies

For instance – privacy.google.com/business. I’ve been using Google Analytics since it was in Beta, but I didn’t know that this existed. I’ll have to do some research on this one and provide an update on my findings.

https://privacy.google.com/businesses/

Let’s summarize what we know about Google Analytics and GDPR compliance

1. Google is giving you tools to become GDPR compliant with your Google Analytics data

Google is going beyond the bare minimum. Through new and existing tools, Google is attempting to make GDPR compliance even easier for users.

2. New Google Analytics tools coming on May 25, 2018

Google’s new tools will be active just in time for the May 25th deadline. Not everything is live yet, but Google’s telling us these tools will be in place in time for GDPR.

3. It’s your responsibility to become GDPR compliant

Even though Google’s processes your analytics data, you’re still responsible for how you use that data.

4. Google has lots of resources for you to learn more

Google has put out a lot of information on how to observe GDPR. It’s important to self-educate, just like you’re doing right now by reading this post :).

Ignorance won’t be an excuse for noncompliance.

5. For the most part, it appears collecting analytics data is business as usual

Although GDPR feels like a big deal, it’s not going to change how we operate all that much. If someone opts out of tracking, we need to follow the new requirements. But, for the 99% of users that don’t opt out, we don’t have to change how we use Google Analytics.

6. If someone opts-out from being tracked, you need to understand how to process this request

If you are doing business from the EU, and someone opts-out of tracking, you need to know how to remove their data.

Removing users isn’t something that’s been talked about much to date. Before GDPR, analytics was mostly focused on how to obtain user information, not how to delete it.

I am considering putting out a follow-up video on how to remove users from Google Analytics once this tool is released. If you’d like to see a tutorial on deleting users, then leave a comment below. If we get enough comments, I’ll make sure we include this technique in a follow-up video.

Finally, I have two big questions for you.

How many of you will opt out of tracking?

Are you interested in opting out of tracking as part of GDPR? I plan to continue to allow myself to be tracked. I think that cookies and analytics can improve the user experience in many ways. But, I also understand why users might want more anonymity.

So, leave a comment about why you will or won’t opt out of tracking. I am curious to see how the community feels about this issue.

What are your questions about GDPR?

Do you have questions about data privacy? Leave a comment with your questions, and I’ll do my best to address them in a follow-up video and post.

About the Author

Jeff Sauer is an independent Digital Marketing Consultant, Speaker and Teacher based out of a suitcase somewhere in the world. Formerly of Minneapolis, MN and San Francisco, CA.