GDPR Article 5(1)(e) requires that personal data be kept "no longer than is necessary for the purposes for which the personal data are processed." For analytics, this means defining a retention period, documenting it, and actually deleting data when it expires.
What counts as "analytics personal data"?
- Cookie-free analytics (IP hashed): Arguable whether this is personal data at all. Most DPAs recommend 13 months maximum as a conservative approach.
- IP-storing analytics: Definitely personal data. CNIL (France) requires a maximum 13-month retention period.
- User-ID analytics: Personal data. GA4 maximum is 26 months.
Practical retention periods by use case
- Operational monitoring: 30–90 days
- Marketing optimisation: 6–12 months
- Year-on-year comparison: 13–24 months
- Long-term business intelligence: 24 months max (unless justified)
How to implement automated retention
In AI Infos Web Statistics, retention is enforced automatically by the cron job (cron.php monthly). Set your preferred retention period in website settings, and expired records are deleted on the first of each month.
Document it in your privacy policy
Example language: "Analytics data (anonymised page view records) is retained for a maximum of 12 months from collection. Records older than 12 months are automatically deleted on the first day of each month."