In a previous newsletter, blog post, GRBJ article and an episode of The Redirect Podcast, we’ve discussed the upcoming date of compliance for the EU’s General Data Protection Regulation (GDPR). Well, folks, it’s here.
We know: This is a long read. But stay with us! GDPR goes into effect on May 25th (Friday), and we want you to be informed on GDPR’s implications for your business.
Disclaimer: We are not lawyers. This is not legal advice.
Also, this is probably not the only area of your business affected by GDPR. The “newness” of the legislation has certainly created some ambiguity about who should do what. We recommend you discuss compliance with your legal counsel. Creating or updating your website’s privacy policy in light of GDPR may be a good first step to take.
What is GDPR?
In short, the EU GDPR protects anyone who does business within the borders of the EU or does business with EU data subjects—and that is pretty much everyone in a digital world. It has to do with the collection of personal information online, and yes, it does affect you. [Read more in our article at GRBJ.]
GDPR Impacts Collection of User Information
GDPR goes into effect on May 25th (Friday), and we recommend that, if you use outside or third-party tools such as Google Analytics, you investigate all of the data they collect on users and ask questions like:
- Is any of the data you’re collecting personally identifiable information (PII)?
- If so, do you have a plan in place to handle it, should someone ask to have all of their information removed from your database(s)?
If you’re curious what companies like Google consider to be PII, we suggest reading their guide to PII.
Determine if you’re using PII within any of the following:
- User ID override
- All custom dimensions (this impacts your reporting)
- Campaign dimensions: Source, Medium, Keyword, Campaign, Content
- Be sure not to include PII in the custom campaign parameters utm_source, utm_medium, utm_term, utm_campaign, and utm_content.
- Site search dimensions: Site Search Term and Site Search Category
- Event dimensions: Event Category, Event Action, Event Label
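One practical way to act on the checklist above is to scan the fields it names (the utm_* campaign parameters, site search terms, and event dimensions) for values that look like PII before they are handed to Google Analytics. This is an added example, not code from the original post; the email and phone regexes are our own coarse assumptions, not an exhaustive PII detector, and the sample URL and event are constructed.

```javascript
// Added example: redact email-like and phone-like values from the fields the
// post lists before they reach the tracking call. The patterns are assumptions:
// coarse enough to catch obvious cases, so expect some false positives on
// long digit strings such as order numbers.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const PHONE_RE = /\+?\d[\d\s().-]{8,}\d/g;

// Replace anything that looks like an email address or a phone number.
function redactPii(value) {
  if (typeof value !== 'string') return value;
  return value
    .replace(EMAIL_RE, '[redacted-email]')
    .replace(PHONE_RE, '[redacted-phone]');
}

// The custom campaign parameters named in the post.
const CAMPAIGN_PARAMS = ['utm_source', 'utm_medium', 'utm_term', 'utm_campaign', 'utm_content'];

// Rewrite a landing-page URL so its campaign parameters carry no PII.
// Returns the cleaned URL and the names of the parameters that were changed.
function sanitizeCampaignUrl(urlString) {
  const url = new URL(urlString);
  const redacted = [];
  for (const name of CAMPAIGN_PARAMS) {
    const raw = url.searchParams.get(name);
    if (raw === null) continue;
    const clean = redactPii(raw);
    if (clean !== raw) {
      url.searchParams.set(name, clean);
      redacted.push(name);
    }
  }
  return { url: url.toString(), redacted };
}

// Same check for event dimensions (category/action/label) or a site search term.
function sanitizeHitFields(fields) {
  const out = {};
  const redacted = [];
  for (const [key, value] of Object.entries(fields)) {
    out[key] = redactPii(value);
    if (out[key] !== value) redacted.push(key);
  }
  return { fields: out, redacted };
}

// Constructed sample: a newsletter link whose utm_content carries a subscriber's address.
const sample = sanitizeCampaignUrl(
  'https://example.com/landing?utm_source=newsletter&utm_medium=email&utm_content=jane.doe%40example.com');
console.log(sample.url, sample.redacted);
```

Redacting hit fields does not cover the IP address discussed next; that is a separate Google Analytics setting.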
IP Addresses are PII
Jeff Sauer of Jeffalytics has done a great job of breaking down people’s questions on GDPR with thorough explanations. In a recent video and article, he elaborated on how IP addresses are considered personally identifiable information—meaning the default settings in Google Analytics are not compliant with GDPR. Check out his video to learn more, including how to anonymize IP addresses for GDPR compliance, and how that will affect your Google Analytics reports:
“…although you can’t see user IPs in Google Analytics, your account still collects this data … [which] fuels your Geo reports, service provider reports, and also allows you to filter specific users from reports by entering their IP address.”
Read the full article at Jeffalytics.
GDPR Impacts Your Google Analytics Data Retention
“How are my Google Analytics settings established for data retention, and does this matter to my company?”
- There are currently multiple options for the length of time you can retain data in Google Analytics: 14 months, 26 months, 38 months, 50 months, and “do not expire.” Google is completely placing responsibility for this data retention in your hands and walking away. It is up to you and your company to comply with the GDPR.
- The data retention does NOT affect your aggregate reporting—meaning you will still be able to view inbound traffic sources, gauge your growth from search engines, direct and referral sources, campaigns, etc. Data retention does, however, impact those who are using custom event and segmentation features inside Google Analytics.
“Keep in mind that standard aggregated Google Analytics reporting is not affected. The user and event data managed by this setting is needed only when you use certain advanced features like applying custom segments to reports or creating unusual custom reports” (Google, 2018).
Translation: If you have custom events triggering based on user interactions (regardless of the information collected), this will be impacted, and those data sets will “fall off” after whatever you set your data retention length to.
This is a rolling data set that turns over every month, so, “when data reaches the end of the retention period, it is deleted automatically on a monthly basis. If you change the retention period, then any affected data is deleted during the next monthly process. For example, if you change from 26 months to 14 months, then any data older than 14 months is deleted during the next monthly process” (Google, 2018).
Translation: Every month, you’re going to have “user data” that “trails off” your analytics reporting. Users will come on and fall off, come on and fall off. Depending on what you have your core analytics settings on, a new user could be the same individual, just refreshing every month.
How Should I Choose My Data Retention Settings?
What data retention timeline you choose should be dependent upon your own business-level data needs.
It’s different for everyone, and that’s why you should spend some time today thinking and acting, since Google is going to default your analytics account to the 26 months option, which effectively deletes that data in the rolling calendar at 27 months and further back—and this is data you cannot regain.
So chop, chop. This is a decision you probably cannot, quite literally, afford to sit on—fines will be steep for anyone found to be non-compliant with GDPR.