I know what you’re thinking – oh great, yet another article on GDPR. Believe me, I get it.
But, when clients began to ask about GDPR and what needed to be done, I had no idea how to respond. I wanted to give them some sort of helpful answer, but I just never found the window of time to even digest what was going on for myself, and when I did I couldn’t comprehend anything.
So that leads me here. If I’m going to carve out a window of time to learn about this, I’m going to write it down in plain English for the busiest builders out there.
TL;DR
In short, with GDPR laws coming into effect you stand to lose your Google Analytics historical data (but it can be saved!), and depending on the type of data you collect, you should also update the Privacy Policy that you display on your site. We also take a look at IP Anonymization, and Unique Identifiers – two other key areas that you will want to address.
If you want to jump straight down to the solution to save your Google Analytics data, simply click here, but I do suggest that you read through this article to understand exactly what is going on. I used GIFs to make it less horrible.
First, what is GDPR?
Well, it stands for General Data Protection Regulation. Could that name be any more generic? Here’s what Wikipedia had to say about it:
- The GDPR is a regulation in EU law on data protection and privacy, aiming to give control to citizens and residents over their personal data.
But I’m not in Europe! No worries, right? Wrong.
- GDPR extends the scope of EU data protection law to all foreign companies processing data of EU residents.
So in short, it affects pretty much everyone.
OK, great, so I still don’t know what to do about it…
So you may have seen this notification floating around the top of your Google Analytics accounts:
We’ve recently launched new Data Retention controls that may affect your data starting May 25, 2018. To dismiss this message, please visit your property’s Data Retention settings under Admin > Property > Tracking Info and click ‘Save’. Learn more
Well, you see, that notification is letting you know that Google Analytics will automatically delete user and event data based on the retention period. At this time the default setting is for 26 months (March 2016).
So if you choose to simply ignore this notification, on May 25th, 2018, you stand to lose the capability to run the following reports for your historical data (collected before March 2016):
- Custom Reports
- Multi-Channel Funnel Reports
- Attribution Reports
- Flow-Visualization Reports
…and, if you modify any of the standard default reports provided by Google Analytics (the ones that fall under Audience, Acquisition, Behavior, Conversions), the ability to apply:
- Segments
- Table Filters
- Secondary Dimensions
That all goes away too.
Fortunately, the Google Analytics Data Retention controls give you the ability to set the amount of time before user-level and event-level data stored by Google Analytics is automatically deleted from Analytics’ servers. Better yet, you can set that timeframe to never, and it’s surprisingly easy to do!
Save All Your Historical Google Analytics Data in 5 Steps
- Go into the Admin area of your Google Analytics Account.
- Under Property Settings, select Tracking Info.
- Then click Data Retention.
- In your data retention controls select “Do not automatically expire” from the drop-down menu.
- Click Save.
That’s it!
One last IMPORTANT thing that’s easy to miss
This setting is applied at the Property level. So you will need to repeat this process for each Property listed in your Account. Now you’ll be able to continue on using Google Analytics with all of your historical data.
Phew.
Now let’s talk Privacy Policy
Even Regina George deserves privacy if she asks for it, and that’s the entire point of this new law. We all want our privacy to be respected and, if like me, you use the Internet, then you too have been bombarded with a seemingly endless sea of emails from every company under the sun updating their terms and privacy policies to comply.
Before we move on, let’s get familiar with some verbiage that is plastered throughout articles all about GDPR:
- Data Controller – An individual or the legal person who controls and is responsible for the keeping and use of personal information on a computer or in structured manual files.
- Data Processor – A person who processes data on behalf of a data controller. A data controller decides the purpose and manner to be followed to process the data. While data processors hold and process data, they do not have any responsibility for or control over that data.
- Data Subject – Data subject means an individual who is the subject of personal data. In other words, the data subject is the individual whom particular personal data is about.
The new GDPR laws are here to protect the privacy of EU users, and implement a “right to be forgotten.” These pro-consumer laws are an effort to give an individual’s “internet identity” some additional rights that are already afforded for your “physical identity.” In short, if you’re holding (Data Controller) or accessing (Data Processor) private data of citizens (e.g. DOB, address) then you need to take steps to ensure it’s secure and that you have the consent to do so.
Anonymized Data
If you’re thinking that you don’t collect data that personal, don’t close your browser just yet. The GDPR doesn’t only cover personal data, it also covers anonymized data that can be used to connect the dots to identify someone.
Under the GDPR, an IP address is considered personally identifiable information (PII). Even though the IP address (by default) is never exposed in reporting, Google does use it to provide geo-location data.
To be safe, we recommend updating your Google Analytics tracking to include the IP Anonymization feature. If you’re hardcoded, below is an example of what you will need to add to your current snippet:
gtag('config', 'GA_TRACKING_ID', { 'anonymize_ip': true });
If you use Google Tag Manager, update your Google Analytics tag by clicking into More Settings -> Fields to Set and then add a new field named ‘anonymizeIp’ with a value of ‘true’.
Once active, Google will anonymize the IP address by removing the last numerical set. In other words, your IP becomes 123.123.123.0 (where the last few numbers are replaced with a ‘0’). This all happens before the processing and storage of your data begins, and so the full IP address is never written to the disk. Of course, the caveat with this alteration is the reduction in geographic reporting accuracy. But hey, at least you’re compliant!
A GDPR Privacy Policy Checklist
The privacy notice should be concise, transparent and written in clear, plain language. Or as Snapchat says it, “blissfully free of the legalese that often clouds these documents.” To give you a better idea of what that means, here are the questions you should be answering:
- Who is collecting the data?
- What data is being collected?
- What is the legal basis for processing the data?
- Will the data be shared with any third parties?
- How will the information be used?
- How long will the data be stored for?
- What rights does the data subject have?
- How can the data subject raise a complaint?
I recommend checking out the updated GDPR-compliant privacy policies from the following companies to give you an example of what that all looks like:
Ultimately this all means: Respect your users. A novel idea, right? Tell them what you are going to do with their personal data, and simply don’t use that data for anything else. If you want to use their data for something else that isn’t necessary or outlined for what the user initially agreed to, you will have to ask permission for each other thing you want to do with it. Furthermore, upon request of the data subject you are required to remove any personal data from your database in its entirety, including all of their historical data.
The User Deletion Tool
Before May 25th, Google also has plans to introduce a new user deletion tool that allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics and/or Analytics 360 properties. This new automated tool will work based on any of the common identifiers sent to Analytics: Client ID (i.e. standard Google Analytics first-party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase).
Unique Identifiers
Unique identifiers, like the User ID feature (which tracks individual users across devices and sessions), are considered personal data, and are in the firing line under GDPR ruling. Client ID is an optional tracking feature in Google Analytics, and if you’re using it you will want to turn that off. Similar to IP addresses, the Client ID anonymously tracks “browser instances” to count recurring vs new site visitors.
You see, GDPR applies to all of the data that you currently have, not just all the data you collect after May 25th. So if you used to, or currently are collecting User IDs you could be at fault for non-compliance.
Now don’t worry, you don’t have to wipe your GA slate clean – since there isn’t a way to be selective with deleting user data in GA right now, this is where the User Deletion tool will be invaluable.
I’m sure that all users will be notified when it’s released, but in the meantime you can take a look at Google’s User Deletion API page to get some further insight.
Accepting the Data Processing Terms
It is likely that if you’re reading this article, you are someone that is associated with using more tools than just Google Analytics. So it’s important to review and accept the updated data processing terms in each account for each product you manage.
Step 1: Navigate as outlined below for each product applicable to you in order to begin the process of accepting the updated terms:
- Google Analytics / Analytics 360:
- Admin > Account > Account Settings (scroll to bottom of page)
- Google Optimize / Optimize 360:
- Edit Account Details > (scroll to bottom of page)
- Google Tag Manager / Tag Manager 360:
- Account Settings > (scroll to bottom of page)
- Google Attribution / Attribution 360:
- Admin > Account Settings > (scroll to bottom of page)
- Google Data Studio:
- User Settings > Account and Privacy (acceptance managed on a user basis)
- Google AdWords:
- Tools, Billing, and Settings > Preferences > Data Protection Contacts
Step 2: Once you’re there you’ll find that in the process of accepting the Data Processing Terms, you must also provide the following information:
- Legal Entity: A legal entity is a registered name for your organization for purposes of addressing financial and legal matters. Your organization may have more than one.
- Primary Contact (a.k.a. “Notification Email Address”): The contact to whom notices under the Google Ads Data Processing Terms will be sent.
- EU Representative: An EU representative is the person designated, where applicable, to represent customers not established in the EU with regard to their obligations under the GDPR.
- Data Protection Officer (DPO): The person designated, where applicable, to facilitate compliance with the provisions of the GDPR.
I know what you’re thinking, “I sure am glad I have a Data Protection Officer on staff already!” Hold on, wait, what? I’m pretty sure I don’t have a Data Protection Officer on my team, are you telling me that I need to hire someone?
The answer to that is…well, maybe.
Does my company need a Data Protection Officer (DPO)?
Lucky for you, there are two questions that can help you answer this question. The Data Protection Officer question, not the spaghetti policy one (but what is ours, Mike?).
Question 1: Do your core activities consist of processing which requires regular and systematic monitoring of individuals on a large scale?
No: DPO not required.
Question 2: Do your core activities consist of processing which is about special categories of data (processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation) on a large scale or about criminal convictions and offences?
No: DPO not required.
If you answered yes, then the good news is you can assign a current employee as a DPO. However, you must ensure that other professional duties of this employee are compatible with their new duties as DPO and do not result in a conflict of interests.
Basically, this means the DPO cannot hold a position within your organization that leads him or her to determine the purposes and the means of the processing of personal data. At the same time, the DPO shouldn’t be expected to manage competing objectives that could result in data protection taking a secondary role to business interests.
If you have any further questions about this, here’s a handy little FAQ that will likely help you answer your most immediate questions.
There, that wasn’t so bad, just breathe.
As time goes on I’m sure over the course of the next few months – and even years – the confusing, ambiguous nature of this whole situation will become clear and we’ll have a stronger grasp on best practices. But in terms of immediacy, just in case it hasn’t been drilled into the fiber of your being yet:
The deadline for saving your historical data is May 25th, 2018.
So do yourself a favor and jump on that right now if you haven’t already.
I should disclaim that this entire GIF-fueled article should be used as a flashlight to help you navigate the pitch black confusion of this entire GDPR situation. As time passes, we will surely see many legislative changes, nuanced details, and new case law that will help provide more floodlights on the law as a whole. Hopefully, this overview does help to answer some immediate questions, save your data, and help you navigate the waters over the next few weeks.