On Thursday, many users of Google Analytics received a notice about changes Google has made to comply with GDPR, the new European Union data protection law that comes into force on May 25, 2018.
The US does not have a law similar to GDPR in place. However, companies or individuals who market goods or services in the European Union will still need to comply with it.
The law establishes base-line standards such as:
- Requiring the consent of subjects for data processing
- Anonymizing collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
This law isn’t just for websites; it extends to social media, email marketing, apps and company databases.
Much of what Google has done with its products lets its users anonymize collected data and remove it from Google’s servers. Google maintains an extensive website detailing everything it is doing on its end to comply with the law and protect user privacy.
On May 25th, Google will activate a new feature called Google Analytics Data Retention controls. It lets website owners set how long user-level and event-level data stored by Google Analytics is retained before it is automatically deleted from Analytics’ servers. The retention period can be set to:
- 14 months
- 26 months
- 38 months
- 50 months
- Do not automatically expire
When data reaches the end of the retention period, it is deleted automatically on a monthly basis.
The email Google Analytics sent to its users was essentially a reminder to set these controls.
However, this is only one piece of GDPR. To comply with the law, websites, apps and marketers will need to do the following:
- When seeking consent, you must record the user’s consent and give users a way to revoke it.
- If your website or app advertises online using ad networks like Google AdWords, you must disclose this to users in your cookie policy, along with how you use the data collected.
- If your website uses affiliate marketing or shares information with third parties, this must be disclosed as well, along with how the information is used.
- If you have an email newsletter or email marketing campaign, everyone on your list must opt in and be told how you plan to use their data.
So why should you care about GDPR?
- It is about privacy protection and data breach protection.
- Companies that do not comply will be subject to serious fines (millions or billions of dollars).
- Asian countries, as well as other countries outside the European Union, are enacting similar legislation.
- Since the Cambridge Analytica and Facebook scandal, many people are pushing to have similar legislation enacted in the US.
- Google, Facebook and other websites are starting to make changes to their policies in order to comply with GDPR.
This is overwhelming. What do I do next?
- If you are doing business within the European Union, audit your website to determine how it captures user data.
- Remove any unnecessary data collection products.
- Have your IT person implement a cookie policy and a way of capturing consent. Google has a website dedicated to cookie policy information: https://www.cookiechoices.org
- Make sure your email list is double opt-in.
- Make sure your readers can unsubscribe with ease (which you should be doing anyway to comply with spam laws).
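The consent requirement above (record consent, let the user revoke it) and the "way of capturing consent" your IT person needs come down to a small piece of client-side logic. Here is an added example, not code from the original post or from Google: it records consent with the policy version it was given for, refuses to load analytics until a valid, current consent exists, and clears it on revocation. It assumes a storage object with getItem/setItem/removeItem (localStorage in a browser; an in-memory stand-in here so it also runs under Node) and two site-supplied callbacks, enable() to load the analytics tag and disable() to stop further hits; the policy version is a constructed value.

```javascript
const CONSENT_KEY = 'site_consent';
// Constructed value: bump it whenever the cookie policy changes, so consent
// given for an older policy no longer counts and the user is asked again.
const POLICY_VERSION = '2018-05-25';

function createConsentManager(storage, { enable, disable }) {
  function read() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; } // corrupt record = no consent
  }
  function hasConsent() {
    const rec = read();
    return rec !== null && rec.analytics === true && rec.policyVersion === POLICY_VERSION;
  }
  function grant(now = new Date()) {
    // Store what was agreed to and when, so the consent can be evidenced later.
    const rec = { analytics: true, policyVersion: POLICY_VERSION, grantedAt: now.toISOString() };
    storage.setItem(CONSENT_KEY, JSON.stringify(rec));
    enable(); // only now is the analytics tag loaded
    return rec;
  }
  function revoke() {
    storage.removeItem(CONSENT_KEY);
    disable(); // e.g. set Google's documented opt-out flag for the tracking ID
  }
  // Call on every page load: analytics loads only if a current consent exists.
  function init() {
    if (hasConsent()) { enable(); return true; }
    return false;
  }
  return { hasConsent, grant, revoke, init };
}

// In-memory stand-in for window.localStorage (constructed for this example).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: k => { m.delete(k); },
  };
}
```

In a browser, pass window.localStorage and wire grant() and revoke() to the accept and "withdraw consent" controls of your cookie banner or privacy page.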