Google Analytics’ New Data Retention Settings

All users of Google Analytics are being prompted to edit some new Data Retention settings. You may have received an email about it from Google, or you may have seen a notification about it in your account.


The context behind this new setting is, of course, GDPR.

Under GDPR, we all have new responsibilities to protect personal data. And the definition of personal data now includes IP addresses and cookies. Google Analytics uses cookies to provide data on website usage, and stores IP addresses by default.

Because some of the data in Analytics is classed as personal data, Google have put in place these new data retention settings to give businesses control of how long they keep this personal data. You can choose to keep this data for 14, 26, 38 or 50 months. The default setting is 26 months. Alternatively, you can choose ‘do not automatically expire’, which means ‘keep my data indefinitely’.

Why these particular date periods? As far as we can tell, from our research, the periods are arbitrary – Google are just giving us a selection of time periods to pick from, so that if we wish, we can put in our own privacy statements that we’ll be storing the data for x number of months. Remember, under GDPR, we should be keeping personal data for only as long as we need it.

So what happens, if I pick, say, 14 months as the period I want to keep my data? What will happen is that on the 25th May, any “user and event data” in the account that’s older than 14 months will be permanently deleted. Thereafter, once a month, Google will delete the oldest month’s worth of data, so that you only have 14 months of this data at any time.

What is user and event data? Well, we had a little sneak preview of what Analytics will look like with the missing data, and what you’ll see is that some reports will have no data in them any more beyond 14 months while others remain the same as they always have done. So, you won’t be able to see a graph showing the number of Users on the site going back beyond 14 months, but you will be able to see a graph of the Sessions going back through time. So it’s not the case that you’re losing all your data altogether – just the data in certain reports. As Google say, “The user and event data managed by this setting is needed only when you use certain advanced features like applying custom segments to reports or creating unusual custom reports.” Now, we do regularly use advanced features of Analytics such as these, but most users don’t, so you may find you don’t mind losing this data.

So – which setting should I pick? That’s a choice made by each individual business owner, so we don’t want to sway you either way. If you want to be comfortable that you’re doing everything you should to comply with GDPR, and you’re not bothered about keeping a bit of historic data you may never use anyway, you might pick any one of the date periods and put that date period in your privacy statement as being the period of time you will retain Analytics data on users and events for. If you feel strongly that you need – or may potentially need in the future – that data to run your business effectively, then you might pick ‘do not automatically expire’ and use legitimate interest as your legal basis for keeping all the data for an indefinite period.

What’s the ‘Reset on new activity’ setting about? Imagine this scenario – you have a repeat visitor to the site who keeps coming back every month. Do you want to delete the user data that relates to them that goes back beyond the last 14 months (if so, pick ‘off’)? Or do you want to keep all the historic information about them for the time being because they’re still regularly using the site (if so, pick ‘on’)?

I don’t know how to change / where to find these settings. If you don’t know how to go about changing your own settings, and you’re an Ascendancy client, give us a shout and we’ll talk you through it.

What happens if I do nothing? If you do nothing, Google will automatically select the 26-month retention period, and on May 25th all your user and event data from before March 25th 2016 will be deleted.

One final thing to note re IP addresses – you can, in fact, add an extra line to your Google Analytics code that stops it storing the last octet of visitors’ IP addresses. This stops the IP address from being classed as personal data. It does slightly affect the accuracy of, for example, the reports on users’ geographical locations in Analytics. But we are offering this setting as part of our data security package for web development clients, and have applied it to our own site, to reduce the amount of personal data that goes into our Analytics account in the first place.
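To make that concrete, here is an added example (written for illustration, not taken from Google or from the original post) showing the extra line in an analytics.js snippet and what dropping the last octet does to an address. The property ID is a placeholder, the helper names are hypothetical, and the IPv6 rule (zeroing the last 80 bits) comes from Google's documentation rather than this post, so the example goes a little beyond the IPv4 case described above.

```javascript
// Added illustration, not Google's code. In an analytics.js snippet the
// "extra line" is the anonymizeIp setting (UA-XXXXX-Y is a placeholder ID):
//   ga('create', 'UA-XXXXX-Y', 'auto');
//   ga('set', 'anonymizeIp', true);   // the extra line
//   ga('send', 'pageview');
// The hypothetical helpers below show the effect on a stored address.

function maskIPv4(ip) {
  const parts = ip.split('.');
  const valid = parts.length === 4 &&
    parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error('not an IPv4 address: ' + ip);
  parts[3] = '0'; // drop the last octet
  return parts.join('.');
}

// IPv6: the last 80 bits are zeroed, so only the first 48 bits
// (three 16-bit groups) survive.
function maskIPv6(ip) {
  const halves = ip.split('::');
  const compressed = halves.length === 2;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = compressed && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length; // groups hidden by '::'
  if (halves.length > 2 || (compressed ? missing < 1 : missing !== 0)) {
    throw new Error('not an IPv6 address: ' + ip);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (!groups.every(g => /^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error('not an IPv6 address: ' + ip);
  }
  return groups.slice(0, 3)
    .map(g => parseInt(g, 16).toString(16)) // strip leading zeros
    .join(':') + '::';
}

function maskIp(ip) {
  return ip.includes(':') ? maskIPv6(ip) : maskIPv4(ip);
}

// Constructed sample addresses (documentation ranges). The first two are
// different visitors on one network and become indistinguishable, which is
// why location reports lose a little accuracy.
for (const ip of ['203.0.113.7', '203.0.113.200', '2001:db8:abcd:12::1']) {
  console.log(ip.padEnd(22), '->', maskIp(ip));
}
```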

You said that Analytics uses cookies – does this mean I need a cookie widget on my site too? Opinion is split on this, according to our research. For the last few years, implied consent for cookies such as Google Analytics – which normally translates as ‘have a clear, transparent cookie policy on your website footer’ – has been OK. And within the next year or so the forthcoming EU ePrivacy directive will be changing best practice again in relation to cookies. It looks likely that a user’s cookie choices will be made in future via their web browser rather than via pop-ups on individual websites. So for the moment a lot of people are choosing to stay as they are with regard to cookie policies and widgets, and then review again later when we find out what the implications of ePrivacy will be. Other people are going the whole hog and are beefing up their pop-ups so that they request consent for each individual non-essential cookie.

Lastly – just to say that we’re not, of course, lawyers – this information is the result of a lot of research on our part, but we can’t offer you any legal advice on the subject or steer you towards making any particular choices. But we hope we’ve explained things a bit more clearly and helped you along the way to understanding better what the new settings mean.

To read Google’s documentation on the new settings visit:
