GDPR – Are You In Compliance?

December 5, 2019

General Data Protection Regulation (GDPR) officially went into effect on May 25, 2018, and with the new California Consumer Privacy Act (CCPA) going into effect  January of 2020, data governance remains extremely important for marketers and advertisers that rely on data for marketing insights.  

As we have said before, it’s never a good idea to simply assume that your business is in compliance. In fact, we encourage you to evaluate your compliance on a continual basis because it can actually impact your annual revenue by 4%. Google, for example, takes specific steps to remain compliant with both GDPR and other new data privacy laws as they are created, (such as CCPA). In order to keep your business in line with privacy regulations, we highly suggest that you use the guidelines created by and followed by Google for your own organization. Use the tips below to form a reliable benchmark in data-governance for your business: 

Implement updates, such as data retention controls, and the deletion tool. Data retention controls allow you to manage how long your user and event data are held on Google servers. As of May 25, 2018, Google Analytics automatically deletes user and event data that is older than the retention period you select. Note that these settings do not affect reports based on aggregated data. 

Make sure you also utilize the user deletion tool and manage the deletion of all data associated with an individual user (e.g., site visitor) from your Google Analytics 360 properties. The automated tool runs based on the common identifiers sent to the Analytics Client ID (i.e., standard Google Analytics first-party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase).

Follow the Google Developers Site for additional updates. Make sure you can delete user data in your own systems.

 Understand contract changes and how they impact your data-governance:

Google updates contractual terms for their products, in order to reflect their status as a data processor or a data controller under the GDPR (see the full document of Google Ads Data Protection Terms here). GDPR terms should supplement your current Google contract.

NOTE: In both Google Analytics and Google Analytics 360, Google operates as a processor of personal data.

For all Google Analytics 360 customers and Google Analytics customers based outside the EEA, updated data processing terms are always available for review in your account (Admin ➝ Account Settings).

Google’s EU User Consent Policy reflects the legal requirements of GDPR. It outlines everything you need to disclose and also outlines how to obtain consent from end-users of your sites and apps in the EEA.

Always consult your legal department for confirmation whether your business is in compliance with GDPR while using Google Analytics and Google Analytics 360. Make sure to review any updated data processing terms and define your path for compliance with the EU User Consent Policy.

Need a quick overview of everything we covered in this post? Check out our reference guide below:

Staying ahead of the curb on new data privacy laws, and understanding how they affect your digital marketing efforts is an integral part of any digital marketing strategy. 

Learn more about how our award-winning team of data experts leverages Google Marketing Platform and Google Cloud Platform to develop smarter data-driven insights while maintaining best practices in the GDPR and CCPA era. 

Ready to take your ads, and your business, to the next level? Get in touch with the DELVE team today.