Good question.
In a recent email to Google Analytics administrators, Google announced the arrival of Data Retention Controls, part of their efforts to ensure adherence to a new set of privacy regulations passed in Europe and going into effect May 25th (you can find more information at the EU GDPR website).
The GDPR is going to have a substantial impact on businesses of all sizes (even ones that don’t necessarily operate in Europe), and while our focus is not on the legal implications of the new regulations, we definitely recommend reading up on what’s changing (here’s a great primer from Wired UK).

Updated Google Analytics User Data Retention Controls.
The new Google Analytics settings introduced are relatively straightforward. Administrators are now given two options to control what happens with the user data collected by the platform. The first, user and event data retention, tells Google Analytics how long it should keep the data before automatically deleting it from the system. The second setting, reset on new activity, determines whether the data should be removed after the set length of time based on the user’s first interaction, or if that length of time should be reset each time the user has new activity.
While administrators might be tempted to simply keep the data around forever, that could be a legal gray area depending on the type of business you operate. Despite these new regulations going into effect in just a few weeks, there’s still much that isn’t clear. We’ll continue to learn as much as we can about the GDPR and its impact on Google Analytics (and other areas of business), and share what we find along the way.