Karin Tierney: I`m going with do not expire as well - when they roll out the features for customers to be able to delete their data you`ll need to get those implemented ASAP to remain compliant.
Patty Mantaloons: The annoyingly ambiguous response is to give it an expiry time that matches how long the data needs to be retained. Easy for me to say, since I don`t really have much in the way of user or event data - just pageview
Randy Milanovic: If it’s old enough to collect dust, why would you keep it?
Jenny Halasz: I’m leaving it at default and I recommend everyone else do too unless your attorney says otherwise. https://jlh-marketing.com/faqs-about-gdpr/
Michael Stricker: If you haven’t been missing user and event data older than 26 months before now, why would you change? Jenny’s right, stay in the shadow of big “G†for now.
Ammon Johns: A lot of the fine print of GDPR is about giving people informed choices about their data, while setting some baseline `reasonable expectations`. e.g. just because I once sent an email to a company, 10 years ago, asking a simple question, does not allow that company to keep bombarding me with ads, or even keep me in their customer databases, years later. (and which of us haven`t encountered something much like that?).The most important part really, isn`t in complying with the `reasonable standards` but in giving the `informed choice` part. You can keep customers data for decades - if they agree, have been properly informed of what data is kept and for what purpose, and have a fair system for changing or terminating that contract somewhere down the line.That`s it in a nutshell.So try not to fall into the trap of autistic thinking about how to control the data as the main issue, where managing the expectations of the person the data is about is actually usually the way to go.
GA retention time recommendation re:GDPR? I`m thinking of "Do not automatically expire" instead of the default 26 months. You 
