• Staff

Why am I getting this “[Action Required] Important updates" email from Google?

If you’re a US-only company, it’s entirely possible that you haven’t heard much, if anything, about the GDPR. Maybe the letters look vaguely familiar? If not, consider this a quick heads up on what it is and how it might affect you. At the very least, this should serve as a brief explanation of why Google Analytics users keep getting emails exhorting them to review their data retention settings.

GDPR stands for General Data Protection Regulation. If you’ve got a lot of free time, you can read all about it here. In a nutshell, GDPR represents a complete overhaul of consumer privacy regulation in the EU. This overhaul is very pro-consumer, including things like Right to Access, Right to be Forgotten and Privacy by Design. As consumers, we should probably be happy about these changes – they’re designed to protect, control and limit the heretofore willy-nilly collection and use of data about each of us. The regulation goes into effect on 5/25/2018.

Advertisers and marketers should be aware of a couple of things. The GDPR takes a very “consumer first” approach to data collection, retention and use. And their definition of “data” is broad, defined as “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.” That includes cookies and IP addresses, among other things, which is a significant difference from prevailing practices in the US. Another thing to note is that this regulation has teeth. The maximum penalty is 4% of annual global revenue or 20 million Euros… whichever is greater.

You might be thinking “I don’t do any business in the EU, this doesn’t apply to me.” However, even if you don’t sell anything in the EU, the regulation relates to the collection, processing and use of data related to EU citizens. Theoretically, if someone from the EU visits your web site and signs up for your newsletter, that data is subject to the GDPR – so yes, this is relevant to you. It seems like erring on the side of caution and requiring explicit opt-in (not a box that is checked by default – that won’t cut it anymore) will be a step in the right direction.

GDPR is a complex regulation and much of the language in it is not especially clear in how it will affect day-to-day marketing and business practices. It’s probably not a bad idea to consult with your attorney on your web site privacy policy, terms of use, consumer data collection and retention policies, etc. If you’re running any kind of targeted marketing using PII (personally identifiable information), now would be a good time to review those programs and the data that you’re using. Oh, and don’t forget to log in to Google Analytics and select your data retention interval. You can read all about Google Analytics’ data policies here.

Disclaimer: A blog post is no substitute for legal counsel – the opinions expressed here are just that, opinions. Thanks!