The E.U.’s General Data Protection Regulation becomes effective on May 25. Google and other data gathering services are protecting themselves by allowing users to control the data retained from customers and website visitors. Any public website worldwide is essentially subject to the GDPR, as the site likely has visitors from the E.U.
Data Retention
Google Analytics recently enabled data retention controls for cookies and user identifiers, at Admin > Tracking Info > Data Retention.
Questions on how merchants should apply these retention settings are best answered by an attorney. (We’ve published an interview with an attorney, at “Internet Attorney on GDPR Compliance for Ecommerce.”)
I suggest 14 months for retention length. This is the shortest option. (The choices are “14 months,” “26 months,” “38 months,” “50 months,” and “Do not automatically expire.”) Fourteen months would need to elapse between sessions for a user to not be identified by their cookies. Select “Off” for “Reset on new activity” if you want to be extra careful about storing user data. This means a user’s data will be deleted 14 months (if you selected 14 months) after their initial session.
These settings do not impact how long Google Analytics stores your aggregate session data, only individual data. Google will store your aggregate session, page, and other data for up to 25 months for Standard users and 37 months for Premium — although I have yet to see any data deleted, even on accounts over 10 years old.
See Google’s “Data retention” page for explanations and suggestions.
Data Processing
Google Analytics has a GDPR-specific data processing agreement. All website owners that use Google Analytics should agree to it.
To review and accept the terms, go to Admin > Account Settings then scroll to the bottom of the page to find the amendment. Accept the terms (click on “Review Amendment”) and provide contact details for your organization (click on “Manage DPA Details”).
For more, see Google’s “Data Processing Terms” page.
Taking Responsibility
Merchants should take responsibility for their data collection methods, whether the data is stored by the merchants or on their behalf. The Wild West days of capturing anything and everything about an audience is over. Reviewing and accepting relevant settings on Google Analytics is a good place to start.