We have outlined how there are many aspects of website management that may potentially require your attention during the process of becoming fully GDPR-compliant, and this may include updating your implementation of various third-party services. If your website uses Google Analytics, it is recommended that you review how your website provides data to Google and whether or not you need to ask your visitors for consent to track their activity.
Collecting personally identifiable information via Google Analytics has always been against their Terms of Service so the chances are you were not doing so. However, with the introduction of GDPR it is important to be sure of this so that you can inform your website's visitors appropriately:
ga('create', 'UA-XXXX-XX', 'auto'); ga('set', 'anonymizeIp', 'true'); ga('send', 'pageview');
Please note that using this feature will reduce the accuracy of geographic reporting, although only slightly since only the last octet of the IP address is anonymized.
You will find your data retention settings under "Tracking Info" for the website property in question:
You will then also have the option of whether or not to reset the data retention period on each visit by a specific user. This means that if someone visits on 1st January 2019 and you want Google Analytics to retain data for 12 months, but they visit again on 1st June 2019, none of their data will be deleted until 1st June 2020:
If you have found that your website is providing Google Analytics with any pseudonymous data identifiers, you must seek explicit consent from your website visitors before Google Analytics is used, and must also provide them with a way of easily opting-out of this tracking in future. There are conflicting opinions on whether or not explicit opt-in is required when no personally identifiable information or pseudonymous data identifiers are being sent to Google. However, should it be decided that explicit opt-in is required for all Google Analytics implementations, a lot of user data will become unreliable and incomplete, rendering the service less useful. We expect there to be an ongoing debate regarding this until the regulation is clarified.