Action: Review the commitments

[kexej28769@nongnue]

The reason I say this isn't strictly a GDPR thing is that it's related to changes that Google is making on its end to ensure it complies with its obligations as a data processor. It gives you tools that you may need but isn't strictly related to your GDPR compliance. There's no specific "right" answer to the question of how long you need/are allowed to store this data in GA under GDPR, but from my reading, given that it doesn't have to be PII (see below) it's not really a GDPR question for most organizations. In particular, there's no particular reason to think that Google's default is the correct/mandated/only setting that you can choose under GDPR.

made by your legal team and your new privacy policy belgium number data to understand the right timeline for your org. In the absence of clear commitments from your users, my understanding is that you can retain any of the data you were previously allowed to obtain until you receive a request to delete it. So while most orgs will have at least some changes to their privacy policies, most GA users can revert back to retaining this data indefinitely.

Conclusion 2: Google is deleting GA accounts for capturing PII.
Storing personally identifiable information (PII) in Google Analytics has long been against the Terms of Service. Recently, however, it appears that Google has become much more diligent in checking for the presence of PII and has become stronger in handling accounts that are found to contain any. In more simple terms, Google will delete your account if they find PII.