With the switch from Universal Analytics to Google Analytics 4, there is a lot of confusion about data retention. Here is what the data retention periods are and how you can adjust them to best suit your organization’s needs.
- What is data retention?
- What is data retention in Google Analytics 4?
- How do I change data retention in Google Analytics 4?
- What is data retention in Universal Analytics?
- How do I change data retention in Universal Analytics?
- How long should I store data?
- What does the GDPR say about data retention?
- Final Thoughts
What is data retention?
Data retention is, quite simply, the time for which you store data. The term is typically used when personal data are involved, as the retention of personal data for a long time can have privacy and legal implications.
What is data retention in Google Analytics 4?
User and event data can be retained for up to 26 months. These are the most important and privacy-sensitive data that Google Analytics collects.
Other types of data can be retained for longer periods; see Google’s documentation for an overview. No data can be retained forever, though.
How do I change data retention in Google Analytics 4?
Click Admin > Property > Data Settings > Data Retention > Event data retention. After you have selected the desired setting, make sure to disable the “reset user data on new activity” switch and click Save.
Please note that you need an editor role to change data retention settings.
What is data retention in Universal Analytics?
User and event data can be retained for anywhere between 14 months and forever. Retaining data forever is very invasive and we strongly advise against it.
How do I change data retention in Universal Analytics?
Click Admin > Tracking Info > Data Retention > User and event data retention. After you are done, make sure you turn off the “Reset on new activity” option and click Save.
As with GA4, you need editor privileges to change the retention settings.
How long should I store data?
There is no clear-cut answer: every organization should tailor its data retention policies to its own needs, while also accounting for compliance obligations. At the very least, you can take the reins into your own hands by exporting your historical data from Google.
When deciding on data retention for web analytics data, you should look to involve at the very least your marketing department and your legal staff (or any external consultants you may rely upon for those roles). Your marketers know for how long the data remain valuable for analysis, and legal professionals can give you a clear picture of your compliance obligations.
Also note that not all categories of data are the same. For instance, there may be no good reason to delete aggregate-only reports, as they may not fit the definition of personal data/personally identifiable data in your country.
What does the GDPR say about data retention?
Under the principle of storage limitation, you can store personal data for as long as necessary, but for no longer than that.
So, there is no clear-cut rule that requires you to delete the data after n weeks, months, or years. The GDPR assumes that organizations know their own needs and allows them to keep the data for as long as needed. A research institution may have perfectly valid reasons for storing decades-old medical information, but an entertainment website has no plausible reason to hold onto 10-year-old personal data from its visitors.
While companies can decide their data retention policies on their own, this does not mean that they can do as they wish. They are under a legal obligation to only store data for a sensible time and can be fined if their data retention policies are blatantly unreasonable. This is why we strongly suggest that you set a time limit for Universal Analytics data, especially if you are subject to the GDPR.
Also note that anonymization is an acceptable alternative to erasure under the GDPR. So, it might be ok to keep an aggregated report from Google Analytics long after you erased the original, personal data on which it was calculated.
We said "might" because proper anonymization under the GDPR is really difficult. Never assume that personal data were anonymized just because they look anonymized. Only trust a legal professional to make this judgment!
Also note that the notion of anonymization differs from country to country and that US service providers like Google sometimes use the term somewhat loosely by European standards.
Final Thoughts
At the end of the day, the surefire way to comply with storage limitation is not storing anything. In many fields, this is not feasible. But it is for web analytics!
Simple Analytics is a privacy-first web analytics service that does not collect personal data. We take nothing and store nothing. It is as simple as that! Our service also features raw data export, data import from Google Analytics, plugins for many other software tools, and a handy AI assistant integrated in your UI.
If this sounds good to you, feel free to give us a try!