You may have heard that the EU’s new General Data Protection Regulation (GDPR) is rolling out this week, or noticed that Google Analytics is updating its data retention policy at the same time. But do you know what either rollout means for your website or your business?
If you are collecting data via Google Analytics, WordPress plugin, email campaign software or a similar digital marketing tool, it’s important to know how these new regulations might affect your business. Because they could, whether or not you actually do business in European Union countries.
Here at Campaignium, we feel it’s important to be compliant with the GDPR. Like other institutions and companies, we are still learning what this means for our business and our clients’ websites. This article is meant to act as a guide to the GDPR and Google’s new retention updates, based on our initial research and our understanding so far. We are not claiming to be experts on either topic.
In this article, we will cover:
2. How does it impact my business’s website?
3. What if I’m not collecting users’ personal data?
4. A case for anonymizing IP addresses in Google Analytics
5. Google Analytics data retention updates
6. What you need to know & action items
What Is the EU GDPR?
The GDPR protects all EU citizens’ personal data and reshapes the way organizations across the region approach data privacy. It comes into effect Friday, May 25, 2018 and replaces the current directive that has been in place since the 1990s. These new regulations are expected to change the way businesses in the EU and elsewhere collect, look at and store personal data going forward.
The GDPR considers personal data to be any information related to a person that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address.
How Does It Impact My Business’s Website?
If you have a website and are collecting user data via a third-party tool (e.g. Google Analytics), the GDPR could affect your business. Even if you aren’t dealing with much European traffic, these regulations protect all EU citizens, wherever they happen to be in the world. This means your company’s personal data handling policy should be in line with the GDPR, even if you don’t do business in the EU.
These regulations require that websites offer an option for users to easily opt out of data collection. One way to be compliant with this part of the GDPR is by installing a website plugin that enables a cookie pop-up. Most cookie pop-ups ask if users want to be part of data collection, allowing them to easily opt in or opt out.
This may or may not be necessary, depending on what kind of personal data you’re collecting and from what program.
What if I’m not Collecting Users’ Personal Data?
If you aren’t collecting any personal data from your website users, great. You probably don’t need to take action.
But know this: if you use Google Analytics on your website, you are collecting personal data in the form of users’ computer IP addresses.
The way your business uses and stores this information matters. Currently, Google Analytics automatically collects full user IP addresses and then stores them for your set data retention period, but never shows them to us as account owners/users. However, those IP addresses do inform several of the reports we see, including Geo reports and service provider reports. Plus, you can filter specific users (say your own IP address) from these reports by entering their IP address.
This could be a problem when you’re trying to comply with GDPR.
A Case for Anonymizing IP Addresses in Google Analytics
We believe best practice is to anonymize the IP addresses that Google Analytics collects, so you’re not storing personally identifying information. Google Analytics is not inherently compliant with the GDPR, so you will need to take additional steps to comply with the new regulations and your company policy.
In order to anonymize IP addresses in Google Analytics, you’ll need to add a line to your tracking code that tells Google Analytics to anonymize the IP addresses of all users on your website. For more information on how to do this, visit the Google developer site.
Anonymizing your users’ IP addresses will help you become more GDPR-compliant, but watch out for third-party tools that may inadvertently collect personal data without your knowledge, like WordPress plugin tools.
Google Analytics Data Retention Updates
In response to the GDPR, Google Analytics is updating their default settings for data retention. In the past, Google Analytics automatically kept all historical data. Now, starting May 25, Google Analytics will start getting rid of your data that is over 26 months old.
Sounds scary! Especially if you work in digital marketing.
The good news is, you can avoid this by simply navigating to your Google Analytics account > Admin > Property > Tracking Info > Data Retention. On this page, where is says “User and event data retention: 26 months,” select “Do not automatically expire.” It literally takes a few seconds to set, but keep in mind that it takes 24 hours for the change to take effect.
This should prevent loss of your historical Google Analytics data. This setting should be updated based on your company policy. At Campaignium, we recommend our clients keep all historical data, because it is important to us from a marketing/SEO/advertising standpoint to understand how much we’ve improved since the website was launched. We need to be able to see our traffic, growth and user behavior over a length of time, which is why we’ve made it our policy to set Google Analytics’s data retention control to “Do not automatically expire,” at least for now.
This setting may not apply to every industry or company. We suggest you review your own company policies and update your Google Analytics data retention settings accordingly.
What You Need to Know
With all that said, you should understand the most important points about the effects of GDPR on how you collect and use Google Analytics data:
- The GDPR requires that any website, contact information form, email subscription form, remarketing campaign, etc. that is collecting personal data (including an IP address) on EU citizens must inform the user in plain language and provide an easy way to opt out of this data collection.
- If you’re using Google Analytics, the GDPR applies to you. You should consider anonymizing users’ IP addresses and/or providing a cookie consent opt-out option on your website.
- Update your data retention settings in Google Analytics to reflect your company policy on data retention before May 25th, 2018.
- Start looking at all the ways you might be collecting and storing personal information, through other means, like email campaigns, third-party tools and plugins, social media, contact forms, and more.
- Stay tuned. We’ll be adding new topics on these subjects in the coming months as we learn more.
Have more questions about the GDPR, Google Analytics, or how any of this affects your business or website? Contact us today.