“Review your data retention settings before they take effect on May 25, 2018”
People are receiving Google’s email with the above subject line, and some are asking our feedback. The post below is from notes we’ve shared with our clients on our “Hands-Off Pro” web hosting plans or in the web development process with us.
The email from Google Analytics is related to the GDPR, but taking care of those data-retention settings for your properties doesn’t address GDPR issues specific to your websites. The deadlines are the same, so if you haven’t communicated with your web developer recently about it, we suggest you do so soon.
Google Analytics and data retention
The Google Analytics email is related to data it collects about traffic to a website. That data is a valuable asset when it comes to marketing and evaluating a website’s performance. It provides very useful information not only how many people came to your site, but how they got there, what they did while there, what browser and computer or device they’re using, and more. It doesn’t collect their names, but lots of data can be used, in skillful hands, to identify individuals anyway.
That’s more than enough to cause GDPR concerns. So Google Analytics’ message is asking everyone to review the settings related to how long you want Google to keep the specific pieces of Analytics data that are sensitive. These settings do not affect the broad strokes, only some of the finer detail.
[As used here, “user-identifying info” means not necessarily down to real names and physical addresses, but may include users’ IP addresses, cookies, and more. —xd]
Specific recommendations for the data-retention settings of your online properties may vary, depending on the website and business, but these thoughts may help determine good settings for your circumstances:
- Privacy advocates and GDPR would like us to keep user-identifying data the least amount of time we’re likely to find it useful.
- Even if your business isn’t using Analytics much now, that could change in a heartbeat. We would think carefully before making the retention period fewer than the 26-month option. (Our own reports to clients often compare their website traffic year over year, but rarely much farther back — and when we do, Google still will display all the aggregate data we need. Aggregate data cannot be used to identify individual visitors.)
- We like the option to “reset on new activity.” For any individual visitor to the website, this means the scheduled data-removal date is extended each time they visit. For example, if the expiry period is 26 months, any data that could identify them (or their computers) is removed 26 months after their last visit. With this setting, the log of trackable activity for long-term users grows over time, regardless of the retention period — until 26 months passes without them visiting the site even once, that data remains available. This might not be popular among the most privacy-concerned but, considered only for useful analysis, it can be revealing about the habits of a site’s long-term users and what keeps them returning, purchasing, contributing, etc.
Please note: There potentially are significant penalties for running afoul of GDPR issues, regardless of where in the world your website or business is based. As mentioned above, we cannot dispense advice here that is right for every website and every business. Be mindfully cautious and, if in doubt, contact your developer or other authority.