As mentioned here, Google has started implementing major product and contractual changes in preparation for the GDPR. The latest update comes with a clear message that action is required regardless of location. Google states, in no uncertain terms, that even non-EEA customers will have their service impacted by the updates.
This latest statement focuses on the particular changes to the Google Analytics and Analytics 360 products, and highlights which actions you need to take as a result.
The first major product change mentioned is the new granular data retention controls, which allow you to manage how long your end user data is kept on Google servers before being automatically deleted. The controls allow you to set retention periods on both a user and event level, with the settings taking effect on 25th May 2018, when the GDPR becomes enforceable. The retention period applies to data associated with cookies, user-identifiers (e.g., User-ID) and advertising identifiers; the settings will not affect reports based on aggregated data. You are required to take action by reviewing and modifying your retention settings to prevent accidental data loss. You can read more about the new controls here.
The second product change mentioned is the new user deletion tool, which seems to be aimed at meeting the requirements outlined within the user’s “Right to erasure” under the GDPR. The tool will allow you to manage the deletion of all data associated with any individual end-user from within your Google Analytics and/or Analytics 360 properties. The tool hasn’t launched yet, but the company states that it will be made available before 25th May, with details to be released on the developer site here.
Google also mentions a number of Analytics and Analytics 360 data related tools/features made available to assist you in meeting your particular GDPR obligations while continuing to use Google products. They include features for customizable cookie settings, privacy controls, data sharing settings, data deletion on account termination, and IP anonymization.
Google is including the new GDPR terms as a supplement to your contract with Google, where (regarding Analytics and Analytics 360 products) Google has defined itself as the “data processor”. If you’re based in the EEA, your contract has already been updated to include the updated terms; for Analytics and 360 clients based outside the EEA, the updated terms are available in your account (under Admin → Account settings) for your review.
Updated EU User Consent Policy
As previously outlined here, Google is making significant changes to its EU User Consent Policy in order to meet GDPR requirements. The new changes set out your responsibilities for informing and obtaining valid consent from EEA users. As GDPR requirements can apply to you whether or not you’re based in the EEA, Google requires that you accept the updated terms if you continue to use Analytics and related products, and suggests that you review and define your path for compliance with the Regulation.
Here’s the full email text from Google:
Dear Google Analytics Administrator,
Over the past year we’ve shared how we are preparing to meet the requirements of the GDPR, the new data protection law coming into force on May 25, 2018. Today we are sharing more about important product changes that may impact your Google Analytics data, and other updates in preparation for the GDPR. This e-mail requires your attention and action even if your users are not based in the European Economic Area (EEA).
Today we introduced granular data retention controls that allow you to manage how long your user and event data is held on our servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select. Note that these settings will not affect reports based on aggregated data.
Action: Please review these data retention settings and modify as needed.
Before May 25, we will also introduce a new user deletion tool that allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics and/or Analytics 360 properties. This new automated tool will work based on any of the common identifiers sent to Analytics: Client ID (i.e. standard Google Analytics first party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase). Details will be available on our Developers site shortly.
As always, we remain committed to providing ways to safeguard your data. Google Analytics and Analytics 360 will continue to offer a number of other features and policies around data collection, use, and retention to assist you in safeguarding your data. For example, features for customizable cookie settings, privacy controls, data sharing settings, data deletion on account termination, and IP anonymization may prove useful as you evaluate the impact of the GDPR for your company’s unique situation and Analytics implementation.
Contract And User Consent Related Updates
Google has been rolling out updates to our contractual terms for many products since last August, reflecting Google’s status as either data processor or data controller under the new law (see full classification of our Ads products). The new GDPR terms will supplement your current contract with Google and will come into force on May 25, 2018.
In both Google Analytics and Analytics 360, Google operates as a processor of personal data that is handled in the service. For Google Analytics clients based outside the EEA and all Analytics 360 customers, updated data processing terms are available for your review/acceptance in your accounts (Admin ➝ Account Settings).
For Google Analytics clients based in the EEA, updated data processing terms have already been included in your terms.
If you don’t contract with Google for your use of our measurement products, you should seek advice from the parties with whom you contract.
Updated EU User Consent Policy
Per our advertising features policy, both Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU User Consent Policy. Google’s EU User Consent Policy is being updated to reflect new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consent from, end users of your sites and apps in the EEA.
Action: Even if you are not based in the EEA, please consider together with your legal department or advisors, whether your business will be in scope of the GDPR when using Google Analytics and Analytics 360 and review/accept the updated data processing terms as well as define your path for compliance with the EU User Consent Policy.
Find Out More
You can refer to privacy.google.com/businesses to learn more about Google’s data privacy policies and approach, as well as view our data processing terms.
We will continue to share further information on our plans in the coming weeks and will update relevant developer and help center documentation where necessary.
The Google Analytics Team