Granular data retention controls (Google Analytics)

Meisem Ramani 18-4-2018 08:52:07

In this post, I'll be addressing Googles new functionality: [granular] data retention controls. We'll look at what this means for you, in terms of what actions you should take in regards to the change, what data you're collecting and how you're using it and what this has to do with GDPR.

If you’re reading this, there’s a good chance you’ve received an email from Google, with the following subject: “[Action Required] Important updates on Google Analytics Data Retention and the General Data Protection Regulation (GDPR)”. Maybe it made you jump a bit in you chair. And if it didn’t, then the contents of the email itself probably made you scratch your head:

Don’t fear, you’re not losing all your data. At least not the type of data that most of us analysts and marketers are actually using. But before get to that, let’s have a look at what's actually happening.

So, what is Google rolling out?

Google is introducing automatically deletion of user- and event-level data on a granular level (read: per user, not aggregated data) after a given time period that you set yourself. The time periods you can choose from are the following:

14 months
26 months
38 months
50 months
Do not automatically expire

Besides from the time period for automatic deletion, there’s one more setting: “Reset on new activity”. The setting has the following simplistic options:

When turned on, the setting resets the time period for deletion, whenever a user has a new event. Say you have set the data retention period to 26 months, then a users data will be deleted after those 26 months. Should this setting be turned on, it will mean that the users data retention period would be run from their last event, and be updated every time they have a new event. Given that a user has a new event every month, their data will in practice never be deleted.

When turned off, the users data will be deleted after the chosen time period, not affected by the users activity.

After checking over 20 different analytics accounts, the default settings seems to be set to 26 months (Time period), with the setting to set to On (Reset on new activity).

Okay, but what will actually be deleted after the given time period?

According to Google themselves, User IDs, cookies and advertising identifiers (cookies and IDs used for services like DoubleClick and Android advertisement) are all objects for deletion.

As pointed out earlier, the default time period seems to be 26 months. There’s a good chance that this default is a result of some strategic thinking over at Google HQ, as all standard cookies have an expiration time set to 24 months or lower. So unless you’re dependent on keeping granular data for users, events or have some cookies that are set to over 26 months, you can just relax, with no need to make adjustments. The only thing you will have to do, is send a signal towards Google, that you have acknowledged the changes, by going to Admin -> Property -> Tracking info -> Data Retention and hitting "Save".

When the deletion takes place, you’ll probably see no big difference. This is due to the fact that Google Analytics, as we know it, is mainly focused on aggregated data. The reports we’ve been using for years, be it the “Acquisition” report, the “Behavior” report or any other, are all mainly being used at an aggregated level. This means that we’re most likely not going to see any relevant or significant changes in the interface or the data we’re using.

What does this have to do with GDPR?

With GDPR coming up, we can no longer keep whatever data we please, on a “maybe we’ll need this some time down the road” basis. Siteowners now need to have information easily accessible about all data gathered, and for what purpose it’s being gathered (no more “maybe we’ll need this..”). There’s also a focus on the length of time one should choose to retain that data (no more “..some time down the road”).

Enter granular data retention controls. This change is in short a way for Google to make sure that they are up to code with these regulations (in regards of GDPR). Meaning, they’re shoving the responsibility over to you, as the user of their systems. And as with most things related to GDPR, as long as you are transparent with your users (telling them what you’re collecting, and why) and have reflected about the different choices you’ve made along the way (documenting why you’ve chosen to the time period for data retention that you have), you should be A-OK. All in all, you should sit back, relax and stop scratching your head.