MOUNTAIN VIEW, Calif. – In an email sent to Google Analytics administrators on Wednesday, the company announced “important product changes” which could impact administrators’ analytics data and other updates to the service in preparation for the implementation of Europe’s General Data Protection Regulation (GDPR) a new data protection law which becomes effective on May 25.
“Today we introduced granular data retention controls that allow you to manage how long your user and event data is held on our servers,” Google stated in the email notice. “Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select. Note that these settings will not affect reports based on aggregated data.”
According to the notice, the settings in question “will not affect reports based on aggregated data.” The notice also calls on administrators to “review these data retention settings and modify as needed.”
Sometime prior to May 25, Google will add a new “user deletion tool” which enables administrators to “manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics and/or Analytics 360 properties.”
“This new automated tool will work based on any of the common identifiers sent to Analytics Client ID (i.e. standard Google Analytics first party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase),” the notice stated, adding that additional details will be available soon on the Google Analytics developers site.
“As always, we remain committed to providing ways to safeguard your data,” Google said in its notice. “Google Analytics and Analytics 360 will continue to offer a number of other features and policies around data collection, use, and retention to assist you in safeguarding your data. For example, features for customizable cookie settings, privacy controls, data sharing settings, data deletion on account termination, and IP anonymization may prove useful as you evaluate the impact of the GDPR for your company’s unique situation and Analytics implementation.”
The email also noted that Google “has been rolling out updates” to the contractual terms for a variety of its products since last August, “reflecting Google’s status as either data processor or data controller under the new law.”
Under the GDPR, a data controller is “the entity that determines the purposes, conditions and means of the processing of personal data,” while a data processor is “an entity which processes personal data on behalf of the controller.”
In the notice, Google states that with respect to both Google Analytics and Analytics 360, “Google operates as a processor of personal data that is handled in the service.”
The updated “GDPR terms” will supplement the current contract between Google and Google Analytics administrators, effective on May 25, the same day the GDPR comes into force.
The notice also announced an updated “EU user consent policy” crafted to comply with the terms of the GDPR.
“Per our advertising features policy, both Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU User Consent Policy,” the notice stated. “Google’s EU User Consent Policy is being updated to reflect new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consent from, end users of your sites and apps in the EEA.”
Under the GDPR, the “conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent,” according to EUGDPR.org, a portal set up to provide the public with information about the “main elements” of the GDPR. “Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.”
As referenced in the Google’s notice concerning the changes to Google Analytics, the GDPR applies to companies which collect or process data on users residing in the EU, regardless of the company’s location.
“Previously, territorial applicability of the directive was ambiguous and referred to data process ‘in context of an establishment,’” notes EUGDPR.org. “This topic has arisen in a number of high profile court cases. GPDR makes its applicability very clear – it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU.”
The GDPR provides for significant penalties for companies which violate the law, with fines which range “up to 4% of annual global turnover… or €20 Million,” which is “the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.”