25 Jan Managing User Data In Google Analytics
In the context of CCPA (California Consumer Privacy Act), which came into effect on January 1, 2020, many businesses faced the challenge of managing customer data in Google Analytics. Being GDPR (General Data Protection Regulation) and CCPA compliant has become a need that defines your business’s operation in the worldwide marketplace.
You may have taken care of this in the post-GDPR world to be sure that no user request or PII policy violation goes unnoticed. Still, to make the process more seamless, Google Analytics introduced new ways to handle user and data deletion requests. You no longer need to reach out to support for deleting PII data or any data that is considered personal under the GDPR definition. Moreover, the notion that “historical data cannot be deleted after being recorded in Google Analytics” is no longer valid.
There are a few ways to manage customer data in Google Analytics today. Most of them don’t require specific technical skills, just an ability to navigate within the Analytics UI.
Data retention control enables users to set when user-level and event-level data is deleted from Google Analytics’ servers. The setting will define how long Google Analytics stores a given user’s data before it is automatically deleted:
– 14 months
– 26 months
– 38 months
– 50 months
– Do not automatically expire
Most of the standard (aggregated) analytics reports won’t be affected, meaning the number of users, transaction count, and revenue amount will remain untouched. However, those users will completely disappear from the User Explorer report and will not be available for custom segmentation and custom reporting.
The feature works differently for App+Web properties. You may select one of two values for event-level data retention:
– 2 months
– 14 months
The two-month retention period is always applied to demographic data (age, gender, and interests) regardless of the settings. The 14-months setting applies to user-level data, including conversions, by default.
When user and event-level data reaches the end of a set retention period, it is automatically deleted monthly.
Any changes to the data retention control will depend on whether you are increasing or decreasing the period and will only take into account a lesser value. Increasing the amount of time will not affect the data you’ve already collected in Google Analytics. So, changing the setting from 14 to 26 months will not impact data collected 14 months ago, as it is removed in the next deletion process. The Do Not Automatically Expire option is handled similarly.
Inversely, reducing the period from 26 to 14 months will delete all data collected 14 months ago from Google Analytics’ servers.
Any change to the setting will take effect within 24 hours; you can also revert the change without impacting the data.
The Reset On New Activity option enables users to reset the retention period each time a user initiates a new session on the site, and thus, sends a new hit for the given user identifier (client ID or user ID).
Data retention control options help keep analytics data clean from detailed customer data automatically. This is especially useful for businesses that are concerned with data privacy and/or dealing with sensitive information.
According to the GDPR and CCPA laws, any user activity collected on a website can request to have their data deleted from the Analytics’ servers. Native User Deletion was added directly to the Analytics Reporting UI, so deleting user information has never been easier!
The first step would be to determine a client ID (or a user ID for user-ID-enabled views).
The client ID is stored in a cookie on the user’s browser, so a visitor needs to open the browser they’ve used to access your site (or open all of them if they were using a few). Then, ask the visitor to navigate to your website, open Developer’s Tools, and go to the Console tab.
In the Console bar insert the following code and click Enter
Clicking the Console tab will return the client ID value which the user should send to you:
Then, navigate to the User Explorer report under Audience and paste the user’s client ID into a filter search box. Once you find the one you need, click on it and you will see a detailed overview of the user’s activity:
Now you need to select the Delete User button in the bottom left corner of this page. Once you do that, you’ll see a message indicating this action will result in a permanent deletion and the data will be removed from the User Explorer report within 72 hours. All the user’s data will be deleted from Google Analytics’ servers within 63 days, during the next scheduled deletion process.
It’s important to note this action cannot be reversed.
User Deletion API is a method of programmatically processing user deletions which requires technical skills. You need to be able to create an application, enable the Analytics API, and authorize your app to send requests to Analytics API. You should then construct an API call which will operate based on a known user identifier (either client ID or user ID). User Deletion API can be applied to both web and app+web properties.
Data Deletion Requests will enable users to select specific data in Google Analytics and delete it within a specified time frame. You no longer need to delete all data for a set of users if you detected PII or personal data (per GDPR and CCPA) in your Analytics account.
Data deletion supports the following Google Analytics fields:
– All data for a specified time frame;
– Page URL;
– Page Title;
– Event Category;
– Event Action;
– Event Label;
– All custom dimensions for a specified time frame;
– User ID (for User-ID-enabled views).
There are currently a few drawbacks to the approach. You don’t have an option to delete a particular custom dimension, all of them will be deleted for a selected date range. If you need to clean up other Google Analytics dimensions, the only option would be to delete all data or to delete a set of users (see Native User Deletion) if the non-desired data was coming from certain visitors and you are confident identifying those.
The data deletion process includes three phases:
– making a request;
– grace period of 7 days;
– deletion completion.
The grace period is available for a request cancelation if someone from property administrators doesn’t want the data to be deleted. Deletion doesn’t start until the grace period is over.
You need to have the Edit permissions to the property you’re going to clean up. All other users with the Edit permission to this property will receive a notification that you’ve submitted a request. All of them can cancel the request during that 7-days grace period. All users will get an email when the data deletion process starts, cancels, and/or finishes.
Data deletion is irreversible once the process starts. No deleted data can be restored, similar to user deletion. Similarly, a request can’t be modified once it is submitted. The only way to modify the request is to cancel that one and to issue a new deletion.
Data is also deleted on a property basis; users don’t have the ability to select a view where the data is deleted, so selected fields will be removed from all views within the property.
In order to submit a DDR (Data Deletion Request), take the following steps:
1. Navigate to the property settings column in Google Analytics Admin and select Data Deletion Requests:
2. Click the Create Data Deletion Request button;
3. Property ID will be selected automatically in the form, so no actions are required here;
4. Select start and end date for deletion. Data collected during selected dates will be deleted. Keep in mind that the process works on UTC (Coordinated Universal Time), not in the timezone of your property, so you may want to account for this.
5. Select dimensions to be deleted (you can select several). Choosing All will uncheck other checkboxes;
6. Click Submit
Then, you’ll see a confirmation message as a final step of the process. Once a request is submitted, you’ll see the request ID in the list of data deletion requests and the Pending Deletion icon in the property settings column:
The Status column shows the state of the request:
– In grace period;
– Deletion in progress (after the grace period is over);
– Canceled (by someone from admins).
Opening the request allows anyone with the Edit permission to the property to cancel it. All property admins will receive a notification confirming a cancellation request.
The data deletion process is expected to take 24 hours after the grace period ends but precise timing may vary slightly.
This post contains a few ways of how you can manage GDPR and CCPA compliance. New privacy regulations require businesses to evolve in a way that enables users to access and control their data. The above list does not guarantee GDPR or CPPA compliance. If you would like to learn more, reach out to us and we’d love to discuss your analytics and data compliance strategy.