Google has rolled out some major product updates to ensure GDPR compliance. The most important takeaways are that Google has introduced new granular data retention controls, updated their legal language to be compliant, and has not released a user deletion tool.
Open Data Science considers this an important GDPR update because of the ubiquity of Google Analytics, see BuiltWith.com data inset below, and because of Google’s vast resources. If they aren’t releasing a user data deletion tool before May 25th, we can be sure no one else will.
Google Analytics’ GDPR Scorecard
Data Control – Good
Google will only process data for user authorized purposes. User IPs and personally identifiable information is anonymized by default; advanced users are responsible for customized data capture.
Data Security – Good
Google has strong safeguards to keep data for additional processing and research.
Data Deletion – Bad
When data subjects revoke their consent, a partner organization requests data deletion, or a service or your agreement comes to an end you must delete data. This tool doesn’t exist yet but Google promises it will by May 25th.
Risk Mitigation & Due Diligence – Good
Organizations must assess the risks to privacy and security, and demonstrate that they’re mitigating them.
The U.S. Department of Health and Human Services GA Risk Assessment is the best we could find
Breach notification – Theoretically Good
Google is definitely capable of notifying authorities within 72 hours and describing the consequences of the breach to directly to all affected subjects. Google has responded quickly and completely to breaches in the past.