Over the past year Google has shared how they are preparing to meet the requirements of the GDPR, the new data protection law coming into force on May 25, 2018. Today they are sharing more about important product changes that may impact your Google Analytics data, and other updates in preparation for the GDPR. This is important and requires action even if you are not based in the European Economic Area (EEA).
Today Google introduced granular data retention controls that allow users to manage how long their user and event data is held on googles servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select. Note that these settings will not affect reports based on aggregated data.
Action: Users of Anlaytics should review these data retention settings and modify as needed.
Before May 25, Google will also introduce a new user deletion tool that allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from Google Analytics and/or Analytics 360 properties. This new automated tool will work based on any of the common identifiers sent to Analytics Client ID (i.e. standard Google Analytics first party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase). Details will be available on our Googles Developers site shortly.
Google say they remain committed to providing ways to safeguard your data. Google Analytics and Analytics 360 will continue to offer a number of other features and policies around data collection, use, and retention to assist you in safeguarding your data. For example, features for customizable cookie settings, privacy controls, data sharing settings, data deletion on account termination, and IP anonymization may prove useful as you evaluate the impact of the GDPR for your company’s unique situation and Analytics implementation.
Contract And User Consent Related Updates
Google has been rolling out updates to their contractual terms for many products since last August, reflecting Google’s status as either data processor or data controller under the new law (see full classification of our Ads products). The new GDPR terms will supplement customers current contract with Google and will come into force on May 25, 2018.
In both Google Analytics and Analytics 360, Google operates as a processor of personal data that is handled in the service.
- For Google Analytics clients based outside the EEA and all Analytics 360 customers, updated data processing terms are available for their review/acceptance in their accounts (Admin ➝ Account Settings).
- For Google Analytics clients based in the EEA, updated data processing terms have already been included in their terms.
- If you don’t contract with Google for your use of our measurement products, you should seek advice from the parties with whom you contract.
Updated EU User Consent Policy
Per Googles advertising features policy, both Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU User Consent Policy. Google’s EU User Consent Policy is being updated to reflect new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consent from, end users of your sites and apps in the EEA.
Action: Even if you are not based in the EEA, please consider together with your legal department or advisors, whether your business will be in scope of the GDPR when using Google Analytics and Analytics 360 and review/accept the updated data processing terms as well as define your path for compliance with the EU User Consent Policy.
Find Out More
You can refer to privacy.google.com/businesses to learn more about Google’s data privacy policies and approach, as well as view their data processing terms.
Google say they will continue to share further information on their plans in the coming weeks and will update relevant developer and help center documentation where necessary.