OMG – CCPA, GDPR, PII…
All these acronyms strike fear in a digital marketer’s heart. After all, most of us don’t have a law degree.
Privacy and data is a combination that has been a concern since the advent of digital marketing, and only continues to grow in discussion and regulation.
How do we as digital marketers navigate these constantly changing seas of data and legality to make sure we’re complying while still innovating and doing right by our customers? How do we answer our legal team’s questions?
We do what we do best.
- Ask our own questions
- Do some research! Read up on policies such as CCPA
- Be curious about the legal aspects and ask questions of your lawyers for mutual understanding
- Team up! Talk to other analysts and your company’s legal counsel
- Look at the data!
- Examine your data. Do you store Personally Identifiable Information (PII)? What countries and states are you doing business in that are affected by these policies? Which policies fall under your jurisdiction?
How to Answer Common Data Privacy Questions from Legal Teams
Your legal counsel / legal team are the experts on the law. You are the expert on Analytics and how it’s being used at your company. Put those heads together, share openly, and know that you’re working towards the same goal: an ethically data-driven company.
If you are an Analytics consultant or working with an Analytics consultant, the decision for a company on what to do is up to the client and the client’s legal counsel. Consultants can advise on what is possible, but as far as how companies interpret the laws and what to do is up to the companies themselves.
At a high level, the data that is stored is intended to measure and learn from web activity. It is used to understand customers and gather business insights to improve your customer experience.
Google Analytics data comes from three sources:
- HTTP Request of user
- This stands for HyperText Transfer Protocol (HTTP) and is an information request between a server and client. Browsers use HTTP to move information like images / text between a web server and your computer.
- Browser/system info
- First-party cookies
Out of the box, Google Analytics stores data points such as:
- Referrer (how a user came to a site)
- Time on site
- User Type (new vs. returning)
- Site speed
For a full list of all dimensions and metrics Google Analytics stores, see the Google Analytics Dimensions & Metrics Explorer.
What data is not stored in Google Analytics?
Google Analytics uses anonymized data of how users interact with the site. Personally Identifiable Information (PII) is against Google’s policy, and if found in your data, should be stopped at the source.
Google doesn’t take PII lightly, and points out that “Your Analytics account could be terminated and your data destroyed if you use any of this information.” in their documentation.
For example, for a lead generation site, a team can track users who have submitted lead generation forms, where they have dropped off on the form, and what the conversion rate of that form is. Finding users’ form information such as names and emails is an example of PII that should be taken care of immediately.
This is shown below:
Data itself is used so we can see how users are coming to the site, what users are doing on site, and what marketing tactics work. We use this intelligence to make smart business and marketing decisions, understand how to better serve current and potential customers, and also help find the right people.
That’s up to each team’s data policies! You can retain the data for as long or as little as you like. We recommend chatting with your legal team to find the settings that works best for your company. Data retention can be changed for data that’s associated with user identifiers, cookies, or advertising identifiers.
Google Analytics provides the following options:
- Do not automatically expire
- 50 months
- 38 months
- 26 months
- 14 months
Google Analytics also provides the option to toggle on “Reset on new activity”. When this setting is toggled on, it means that if a user comes to your site, the user identifier will reset the retention period.
For example, if your user retention is set to 50 months, and a user visited your site 10 months ago, they will have 40 months left until their data is no longer retained. However, if they come back to your site in that 10th month, their retention will be reset for another 50 months.
If requested to delete data from Google Analytics, there are ways to do that. You can review the Google documentation on how to find data deletion requests in GA Property Settings here or see the below instructions.
Depending on the need for deletion, there are a few options:
- Turn off data collection
- Stops all data from being stored / collected
- Use Google Analytics API to honor requests from users to delete data about them from Analytics servers using Client ID/User ID/App Instance ID
- Use the “Data Deletion Request” feature in Google Analytics
- Request a deletion between start and end dates
- Can delete all data for the property, or select certain fields (URL, Page Title, Event Category)
What’s Worked for Your Company?
Have you been doing this for years, or have you recently began heading up a data privacy task force? How does your team explore Data Privacy while using data to innovate at the same time?
Let us know what worked for you by commenting on your thoughts, or any other burning questions you have or have encountered.