Google Analytics and GDPR – how will your business be affected?

Google Analytics recently emailed users about the latest development in its data retention policy, and has asked all businesses that use the platform to review this policy and abide by it with effect from 25th May 2018 to comply with the General Data Protection Regulation (GDPR).

This move will ensure that people’s information is protected and used accordingly and also protects Google Analytics from legal issues regarding data storage and handling. Just recently, Facebook received a lot of bad press for its negligence in protecting customer data in the Cambridge Analytica incident that had inappropriately acquired about 50 million Facebook profiles.


What does this mean for businesses using Google Analytics on their website?

It is important to note that the essence of Google Analytics is to help track how users access and navigate your website. It provides a detailed analysis for your website through relevant statistics such as:

  • how visitors found your website
  • how long visitors stay on your site
  • which pages they visited
  • visitors’ demographics, country location, browser and device type used

 These details help you to understand your website visitors and improve their user experience by supplying them with relevant content based on their search terms, interests, location and by displaying it properly to suit their browser and device types.

 It also helps businesses using AdWords advertising and targeting to show only relevant ads to the right people. Google Analytics helps you to determine and share content that the website visitor or online searcher is interested in.

These details are stored on analytics servers and are accessible via your dashboard. You can refer to them whenever you need them. Up to now Google’s data storage was quoted to be around 25 months (two years), but we’ve now seen the data of several accounts retained for longer than two years. That is going to change, as Google Analytics itself announced: “The Google Analytics data retention controls give you the ability to set the amount of time before user-level and event-level data stored by Google Analytics is automatically deleted from analytics servers.”

The updated data storage duration periods will now be:

  • 14 months
  • 26 months
  • 38 months
  • 50 months
  • Do not automatically expire

 It’s important to note that even though GDPR is to take effect within the EU from 25th May 2018, Google seems to be enforcing this new policy for all Google Analytics users. A comment in their email reads: “Even if you are not based in the EEA [European Economic Area], please consider together with your legal department or advisors whether your business will be in scope of the GDPR when using Google Analytics and Analytics 360 and review/accept the updated data processing terms as well as defining your path for compliance with the EU User Consent Policy.”

How to stay GDPR compliant using Google Analytics

Every business that has a website should use Google Analytics. But now you have a compliance dilemma: how do I stay compliant with GDPR regarding Google Analytics data?

Since no two businesses are the same, data usage and storage will also vary. The ideal approach will be to review your website and business objectives and decide which of the data storage duration option suits your objectives. If your website is purely informative and doesn’t offer commercial services or doesn’t require ads to drive traffic to the website for example, you might not need to have historical data that spans beyond the last 14 months period.

If however you offer commercial activities on your website such as e-commerce, and think it’s important that your business retain data for a period longer than 50 months for future reference, then it’s advisable to choose the “Do not automatically expire” option for the time being. Google has highlighted how to select storage duration settings in five easy steps.

There will be clearer information to help you further streamline your data collection with your business objectives, in line with GDPR, when this policy takes effect on 25th May 2018. Then you can adjust accordingly.

It is also important to include a “use of cookies” element in your website privacy policy and possibly as a pop-up that appears when people visit your website, so visitors know that their visit is being tracked to improve their experience. Make sure you give visitors the opportunity to accept or reject these cookies.

Finally, check out these posts to learn how you can stay GDPR compliant in other aspects of your business and to understand the benefits the GDPR provides for targeted communications and business growth.