Posted by IN / 0 responses

General Data Protection Policy (GDPR): Keep Your Google Analytics Safe

16 May 2018
Google Analytics

Share on Google+Pin on PinterestShare on LinkedInShare on FacebookEmail this to someone

The countdown to the General Data Protection Policy (GDPR) is entering its final stretch (May 25, 2018 is just around the corner!). These updates affect your Google Analytics and will need your immediate attention, even if you are not in the European Economic Area (EEA).

This article focuses on how the new retention period affects only Google Analytics. Please remember to do your own research for this and other Google products as related to the GDPR.

In short, the answer requires a much more in depth explanation.

Where Did this New Retention Period Originate?

When Google changed its privacy terms in early 2012, the fine print was also reviewed by EU regulators. Google may have thought it was making it easier for consumers with a single policy covering all its web services, but others felt a bit differently.

The Article 29 Working Party is in charge of advising the EU Commission on their data security and privacy rules, which are contained in the Data Protection Directive or DPD. In late 2012, they filed a complaint against Google, and addressed a letter to Mr. Page.

In so many words, the Article 29 said the search engine company had not done enough to follow the DPD rules on consumer privacy. Hence, the “new and improved” retention policy is going into effect May 25th, 2018.

The countdown to the General Data Protection Policy (GDPR) is entering its last stretch (May 25, 2018 is just around the corner!). These updates affect your Google Analytics and will need your attention and action, even if you are not in the European Economic Area (EEA).

This article focuses only on how the new retention period affects Google Analytics. Please remember to do your own research for this and other Google products as related to the GDPR.

Where Did this New Retention Period Originate?

When Google changed its privacy terms in early 2012, the fine print was also reviewed by EU regulators. Google may have thought it was making it easier for consumers with a single policy covering all its web services, but others felt a bit differently.

The Article 29 Working Party is in charge of advising the EU Commission on their data security and privacy rules, which are contained in the Data Protection Directive or DPD. In late 2012, they filed a complaint against Google, and addressed a letter to Mr. Page.

In so many words, the Article 29 said the search engine company had not done enough to follow the DPD rules on consumer privacy. Hence, the “new and improved” retention policy is going into effect May 25th, 2018.

How Does the New Retention Periods Affect You?

This new control type will determine how long Google will retain analytics user and event data before automatically deleting it. The available retention periods are:

  • 14 months
  • 26 months (default)
  • 38 months
  • 50 months
  • Do not automatically expire

Google’s default is set at 26 months but Aqaba will change the default to retain as much information for our clients as possible (unless the majority of your traffic is EU). This will stay in effect until the policy is defined more clearly, or our client notifies Aqaba.

You will want to consult with your legal counsel to find out if your company needs to be more refined with a different retention period. Please notify Aqaba Technologies via email if you would like a different setting.

Aqaba will change the setting to “Do not automatically expire.”

A subset of the retention controls is the Reset On New Activity option. When enabled, it will “reset the clock” for that user’s data retention period. Specifically, the following explains the two options in greater detail:

Turn this option ON:  to reset the retention period of the user identifier with each new event from that user (thus setting the expiration date to current time plus retention period).

Turn this option OFF: If you do not want the retention period for a user identifier reset based on that user’s activity. Data associated with the user identifier will be deleted automatically after the retention period which you can set to Do Not Automatically Expire if you are GDPR compliant.

Example using option = ON:

User visits once = after 15 months the data is purged.

User visits. One month later the user visits a second time = second visit resets the counter, effectively user data is retained for 16 months in total.

Since we will be setting the overarching data retention setting to “Do Not Automatically Expire,” we will also make this setting to OFF.

Aqaba will leave the Reset on New Activity default to OFF

What Does this Mean?

The bottom line, is Google is now on the hook for a more granular privacy policy and they are passing it down to the consumer (us).

To summarize the Google Retention settings, will be set to:

Again, you will want to consult with your legal counsel. If either of these two settings does not meet your criteria, please notify us via email and we will change the setting on your behalf to the desired setting.

 

DISCLAIMER:

This is not legal advice. Do not rely on it as such. We recommend companies and individuals should assess their data capture and storage policies and even seek legal advice from their own attorney to make sure that they’re complaint with the new GDPR regulation.

Summary

Leave a Reply