If you’re currently using a web analytics tool to collect data on your site’s users, the GDPR has a number of ramifications to be aware of.
Here are some of the most important:
Set an expiration date.
If your site uses Google Analytics data (even outside of the EU), you were asked to choose a data retention window prior to the GDPR going into effect. This selection determines how long Google will retain user-level data before permanently deleting it — options are 14, 26, 38, or 50 months, or “do not expire.” There is also a “reset on new activity” option, meaning each user’s data retention period starts from that user’s most recent visit to your site. There are no explicit requirements laid out in the GDPR for data retention — just be sure to only keep data for as long as needed, and lean toward shorter windows for sites with an EU presence. Note that aggregate data is not affected, just data that is stored at the individual user level.
Keep it anonymous.
You should review all web analytics data to ensure that no personally identifiable information (PII) is being recorded. This includes but is not limited to users’ names, email addresses and precise locations. Be sure to conduct a quick review of your reports to ensure that only anonymous user-level data is being captured. You can also take this a step further and turn on IP anonymization, a feature that, when enabled, retains most of the user’s IP address while never capturing or recording it in its entirety. This ensures you can continue to run geolocation reports while complying fully with GDPR requirements.
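The review and the IP truncation described above can be scripted over an export of raw hits. The following is an added example, not code from this article or from any analytics vendor: the truncation widths (last IPv4 octet, last 80 bits of IPv6), the parameter-name list and the sample hits are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: keep the first 24 bits of IPv4 and the first 48 bits of IPv6.
KEEP_BITS = {4: 24, 6: 48}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Hypothetical list of query parameter names that usually carry personal data.
PII_PARAMS = {"email", "name", "first_name", "last_name", "phone", "lat", "lon"}


def anonymize_ip(raw):
    """Zero the trailing bits so the full address is never stored."""
    addr = ipaddress.ip_address(raw)
    net = ipaddress.ip_network(f"{addr}/{KEEP_BITS[addr.version]}", strict=False)
    return str(net.network_address)


def pii_findings(page_url):
    """Return the reasons a recorded page URL looks like it contains PII."""
    findings = []
    for key, value in parse_qsl(urlsplit(page_url).query, keep_blank_values=True):
        if key.lower() in PII_PARAMS:
            findings.append(f"parameter '{key}' names personal data")
        elif EMAIL_RE.search(value):  # parse_qsl has already decoded %40 to @
            findings.append(f"email address in parameter '{key}'")
    return findings


def audit(hits):
    """Mask each hit's IP and list what needs cleaning up in its URL."""
    return [
        {"ip": anonymize_ip(h["ip"]), "url": h["url"], "findings": pii_findings(h["url"])}
        for h in hits
    ]


# Constructed sample hits (documentation address ranges, made-up URLs).
SAMPLE_HITS = [
    {"ip": "203.0.113.57", "url": "https://example.com/pricing?utm_source=mail"},
    {"ip": "198.51.100.9", "url": "https://example.com/thanks?email=jane%40example.org"},
    {"ip": "2001:db8:85a3:8d3:1319:8a2e:370:7348", "url": "https://example.com/reset?u=bob@example.net"},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_HITS):
        print(row["ip"], row["url"], row["findings"] or "clean")
```

URLs that produce findings point to forms or links on the site that pass personal data in the query string; fixing those at the source keeps the data out of future reports.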
Watch your traffic.
Be aware that in the EU, web analytics tools can only capture data for users who have consented to cookies. The specific effects of cookie opt-ins on your site’s data can vary, but do not be surprised if you notice declines in traffic post-GDPR compliance, especially if you have a large EU presence.