Following some European data protection Authorities’ decisions, you are likely to have received requests from several users to delete personal data processed through Google Analytics.
In this article, we will examine whether these requests are legitimate and how to deal with them.
This article is a part of our series on the status of Google Analytics in Europe. Read the other articles in this series here:
Article 17 of the GDPR allows users (data subjects) the right to request the deletion of personal data held by data controllers if one of the following applies:
In the presence of one of the cases listed in Article 17, requests such as these are to be considered legitimate. The data controller is obliged to honor them without undue delay, and in any case, within one month of receiving them, unless one of the conditions for which the right to erasure may be denied applies.
Each request must be evaluated on a case-by-case basis, considering the elements that indicate the user’s willingness to exercise their right to erasure their personal data.
To delete the user’s data who made the request, you must ensure that you have sufficient data for his correct identification.
The key data for user identification is the “Client ID.” This value is retrievable from the Google Analytics cookie called _ga (similar to GA1908667103.1592401814). Other data that can make the identification more accurate are the full IP address and the date/time of the most recent visit to the website.
If you do not have these elements, it will not be possible to identify the data subject’s data with certainty, so you will have to request them directly from the user to comply with their request.
Once you have collected the necessary data, you are ready to delete it.
First, log into your Google Analytics dashboard.
From the menu, select Audience and then User Explorer.
Filter by the Client ID code you were given (e.g., 1908667103.1592401814). You can also use other filters (IP, date/time for more accurate identification).
Click on the filtered client-id and click the Delete user button found at the bottom of the page.
Click OK in the message that is displayed to confirm the deletion.
In this way, you will have honored the user’s request, and you can send confirmation that you have deleted their data.
There is no definitive answer to this question, as the investigation into Google Analytics is still ongoing. However, some Data Protection Authorities, such as the Italian Garante, have said that to continue using Google Analytics 3, additional security measures are required.
However, it is not clear what these measures are in practice. Some alternatives to consider are:
