Google Analytics and GDPR

In April of 2016, members of the EU adopted the General Data Protection Regulation (GDPR), aimed at strengthening data protection and privacy for all individuals within the EU. The regulation allowed for a two-year transition period, and becomes enforceable in May of this year, 2018.

There’s a lot to the GDPR (more than can be addressed in a single post at least) but one of the key provisions is that individuals have the right to request erasure of their data from a service provider. This means that many online and cloud service providers will need to have the ability to comply with these requests, even if they’re not based in the EU.

In what will likely be the first of many announcements in the coming weeks from online service providers, Google Analytics notified their customers this week about changes to their service which will allow them to comply with GDPR.

Today we introduced granular data retention controls that allow you to manage how long your user and event data is held on our servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select. Note that these settings will not affect reports based on aggregated data.

The announcement also indicates that Google Analytics will introduce tools before the May GDPR deadline which allows customers to delete data associated with individual users, thus giving their customers the ability to comply with GDPR’s “right to erasure”.

This announcement was sent via email to existing Google Analytics users and doesn’t appear to be posted on their site, but the full email and additional information can be found in this article.