Google Updates Ahead of GDPR (also known as GDP-Argh)

by George Collins on Friday 13 April 2018

At this point, it’s probably pretty obvious that most businesses need to make changes ahead of 25th May when the GDPR comes into force. Google has really emphasised this with the announcement of two new features to Google Analytics to aid marketers and businesses.


With GDPR, businesses will need to allow users to opt out of being recorded or marketed when they hand over personal details. The majority of the coverage of this topic so far centers on the submitting of data and how this is impacting email and advertising campaigns. Google Analytics (and other Web Analytics Platforms) will also need to be scrutinised in order to make sure there are no breaches of GDPR occuring.


Data Retention Controls

Currently, Google Analytics cookies persist for up to 2 years from the first date they are set (not taking into account if a user clears their cookies) but crucially, get reset each time a user visits a website. This data is kept indefinitely on the Google Analytics servers and is able to be accessed to analyse in reports.


In simple terms, if you visit a website once - Google Analytics keeps that data for the business forever. If you visit that website a second time, the 2 year expiration of that cookie (but not the data collected) resets. This means it will expire 2 years after the date of your most recent visit.


Now, businesses will be able to make decisions both cookie lifetime and data retention periods within Google Analytics.




Users can now select to not expire data (the current Analytics setting) or to choose periods of 14, 26, 38 or 50 months to hold onto this data. Whilst this gives businesses the option to expire that data, from a marketing perspective this could be detrimental. If this setting is changed to 14 months then businesses won’t be able to analyse data that happened more than 14 months in the past - historical analysis and forecasting will become much more difficult.


Businesses and Analytics users are also given the option to decide whether this retention period resets when users revisit the website. Remember, currently the period resets every time a user visits the site. If this option is switched off, data associated with the user identifier will be deleted automatically after the retention period.


User Deletion Tool


This tool is a bit easier to understand. The User Deletion tool will allow businesses to manage the removal of all data associated with an individual user from your Google Analytics account. This ties in more with the GDPR coverage that has concentrated on users being able to opt out of being recorded. This new automated tool will work based on any of the common identifiers sent to Analytics Client ID, User ID or App IDs.


However, the difficulty will be identifying which users to remove from Google Analytics. Unless the business is already linking Personally Identifiable Information (PII) to identifiers available within Google Analytics (as mentioned above) then how do you go from someone opting out on an email list to associating that specific user on Google Analytics?!


If you already record user IDs alongside email addresses in your database then you can use this userID to find that person inside Google Analytics and delete them. If you can’t make that link, you won’t be able to delete the specific user very easily at all!


What to do next?

Don’t panic. GDPR doesn’t come into effect until May 25th and these settings in Google Analytics will not become applicable until then.

A few questions to ask about your business:

Are you currently breaking any guidelines around how you’re collecting data for Google Analytics?
Do you currently store PII inside Google Analytics?

If the answer to either of these is yes then you need to move quickly to stop this as these are already putting your business data at risk, even before GDPR.

Then ask yourself:

  • Can you link Google Analytics users to real-life people? (Using CRM data etc.)
  • Are you offering historic users the chance to opt out of new communications/marketing?
  • Do we want or need to change how long we hold this data? (Considering implications for looking at the historic data at some point in the future)

Once you’ve followed these questions, you should have a better idea of whether you want to leave the analytics settings to the old default of resets with each visit and data lasts indefinitely, or make a change with GDPR in mind.