Google Analytics data retention period

If you use Google Analytics then you probably received the message from Google that you have to choose which retention period you want to use for personal data. After this period, data will be automatically deleted.

Retention period rules

The measure has everything to do with the AVG regulations that have been enforced since May 25, 2018. Among other things, the retention period of personal data must be justified and communicated to the data provider. The Personal Data Authority has not set a concrete retention period.

You are the best judge of how long it is necessary to keep data. For example, it may be necessary to keep certain data for the tax authorities; you can archive these. Once the legal deadline has expired, you destroy or delete the data.

Google Analytics' retention periods.

Google uses different retention periods, namely: 14, 26, 38 or 50 months. Which retention period you choose depends on how long you reasonably need this data. If you choose one of these retention periods, you should communicate this in the privacy statement to your website visitors.

Is automatic deletion always necessary?

You can also choose the "do not delete automatically" option. This is because it is not always necessary to choose a retention period within Google Analytics. For example, for the 'Standard Analytics report'. But when should you do this?

  • If you store personal data at the user and event level.
  • When they can be traced back to a specific user and the action they took.
  • When you segment within Analytics, for example, if you filter by age or location.
  • When you place Analytics-linked cookies on your website.
  • If data is associated with user IDs or ad IDs.

Data anonymization

With the "Standard Analytics reporting," user data is basically anonymous. As a result, they are not traceable and therefore a retention period does not apply. However, there is also data that is 'pseudo-anonymous'. While this data is not traceable to a natural person, it is individualizable. For example, through user IDs. Want to make sure that the personal data you collect through cookies on your website is protected? Then take the following actions:

  • Anonymize IP addresses
    You can do this by putting additional code in your tracking code or through Google Tag Manager.
  • Enter into a processor agreement with Google
    As a third party with access to your visitor's personal data, Google has an accountability obligation. Record this properly in a processing agreement. The Personal Data Authority has developed a manual for this purpose.
  • Do not share data with Google
    You can do this by unchecking the checkboxes under 'account'. If you do not do this, you agree that Google may use this data and you must ask permission from your visitors on behalf of Google.
  • Advertising Features
    Turn off 'Collecting data for advertising features'. In both 'Remarketing' and 'Advertising reporting features'.
  • Use SSL
    This encrypts the data you send. See also our HTTPS address blog on this.

Inform your visitors

Communicate in your privacy statement that you place cookies on your website for Google Analytics and for what purpose. Mention the retention period for this data. Also show that you have taken one or more of the five actions above.