Editor’s note: “Ask an SEO” is a weekly column by technical SEO expert Jenny Halasz. Come up with your hardest SEO question and fill out our form. You might see your answer in the next #AskanSEO post!
What is GDPR and why did I get an email from Google Analytics about it? What should I do with it?
–Everyone, USA
Recently, you may have received an email from your Google Analytics account notifying you that you need to adjust your data collection settings to comply with GDPR. If you haven’t heard of GDPR before now, you’re probably finding that email confusing.
What Is GDPR?
GDPR is the General Data Protection Regulation, which is coming from the EU and associated countries. Its purpose is to finally make good on a legal question from several years ago about how data is used and whether individuals own the data that they create by interacting with websites online.
The courts ruled that individuals are the owners of their data, not the corporations (or websites) that collect the data. Therefore, it must be deleted on a regular basis so that customers don’t have to constantly contact websites they may have visited and ask them to delete their data.
Who should delete that customer data? Good question.
The ruling was specific to EU customers, so while it impacts European businesses quite significantly, the majority of American businesses didn’t even know it was happening.
Google Analytics & GDPR: How Does It Affect Me?
Because Google is a global entity, it has been following this process as closely as the processes around what we now know as the “right to be forgotten.”
A few years ago, Google Analytics introduced the ability to collect demographic and affinity data. The only requirement to participate was for the analytics owner to affirm through an online process that their website policies notified customers that their data may be used in aggregate.
Now Google realizes that holding onto that data in perpetuity, especially for European sites and customers, puts them at tremendous risk of violating the GDPR.
This is where the average site owner and Google Analytics customer comes into play, and it explains why you received that email.
Google has decided to have all personal user data expire 26 months after the date it was collected. This includes that demographic and affinity data, but does not include things like sessions and goal completions.
Rather than force compliance on all customers equally, Google is giving each site owner the opportunity to change the default from 26 months to something else.
What You Need to Do
If you are a U.S.-based company or if you have no European customers, then you have the option to change it back to “do not automatically expire.” However, that’s a manual task that you must do yourself, and one that Google can record and identify. It essentially takes the onus off Google and puts it on you.
What should you do? You should not take this lightly.
If you have, or plan to have, any European visitors, you need to consult with your attorney. You should also take steps to ensure that this data is not recorded anywhere other than Analytics.
And finally, you should prepare for this to become the law of the land here in the U.S., too. It will take a while, but user data control is going to get more restrictive, and you should make sure that none of your critical business decisions rely on that data.
But you need to act quickly. May 25 is the date on which Google will start expiring/removing data that is older than 26 months.