This blog post was originally published on April 27, 2017
You’ve probably heard of GDPR, the new EU data protection regulation. Its purpose is to strengthen and unify data collection from individuals within the European Union, and replace the obsolete Data Protection Directive 95/46/EC.
It’s also the strictest data privacy law that has ever been introduced. And even though the list of involved organizations may suggest otherwise, the territorial scope of the new regulation is really broad.
GDPR impacts not only EU-based entities, but virtually every business dealing with customers (a.k.a. data subjects) within the European Union – both data controllers (e.g. companies) and data processors (e.g. cloud-software vendors).
So, if you want to avoid heavy fines, in some cases as high as:
4% of your company’s yearly turnover or 20 mln euro, whichever is higher – ouch!
It’s high time you adjust your data processing policy to the demands of the new EU law.
We’re sure that our previous posts covering GDPR will give you a decent overview of the topic:
Now, let’s proceed to some more detailed aspects of GDPR. In the next section of this article, we’ll show you how to adjust web analytics tracking to the demands of the new law.
Firstly, let us introduce you to two concepts that are crucial to web tracking under GDPR – personal data and consent.
None of them are as obvious as they may seem at first glance.
What is personal data?
Let’s take a closer look at the recitals of the Regulation concerning personal data. We’ll examine the ones focused purely on the definition of the term, as it would be virtually impossible to investigate all the mentions of “personal data” when considering that the phrase occurs in the text nearly 600 times!
In Article 4.1 of the General Data Protection Regulation we can find the following characterization:
[…] Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
It’s important to emphasize that the Regulation significantly expands the definition of personal data when compared to the definition provided by Directive 95/46/EC.
Also, there are two particularly interesting points in the case of web tracking:
- GDPR treats online identifiers and location data as personal data, and therefore demands they be protected in the same way as other identifiers, like information on the genetic, economic, or psychological identity of a data subject.
- Cookies are included in the scope of online identifiers as well!
GDPR states that all cookies – even pseudonymous ones – can be considered personal data if there is any potential to use them to single out or identify an individual. This is detailed in Recital 30 of the new law:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
What does this mean for you? It means that in order to fully comply with the GDPR requirements, you must adjust your cookie policy!
Now, you may be wondering if the new legislation sheds any light on how to do it – after all, under existing rules, cookies don’t necessarily require consent.
Fortunately, it does.
A little.
The State of GDPR Consent
Overview and scoring of how websites have adapted to data privacy regulations
What is consent?
It won’t come as a surprise that the understanding of consent and the requirements associated with it have been reinforced and extended. Article 4.11 of the new legislation defines consent as:
[…] Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Important note: As we can see, the legislation characterizes consent as an affirmative action undertaken in an unambiguous and informed manner. It therefore automatically eliminates an ‘implication of the agreement’ from the list of accepted forms of consent. We will return to this in a later section of the article.
In another paragraph of the new regulation we can also find a description of the process of obtaining consent. It is presented in Recital 32 and is worded as follows:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data […]. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct […]. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
The text of the regulation doesn’t give specific instructions for acquiring permission to process personal data. However, GDPR clarifies that “affirmative actions” signaling consent may include:
- choosing technical settings for information society services,
- ticking a box on a website, or
- another statement or conduct clarifying the indication of consent.
And among insufficient forms of agreement the GDPR lists:
- silence,
- pre-clicked boxes, or
- inactivity.
That’s still pretty ambiguous, isn’t it? Don’t worry, the generality of the guidelines provided by the new legislation shouldn’t make you too concerned.
After all, we have to remember that GDPR is a framework addressing at a high level the subject of processing personal data in all its forms. There is also more detailed legislation to come into effect along with GDPR (we mean the Privacy and Electronic Communications Regulation – known as ePrivacy Regulation).
Still, in GDPR itself, there’s a lot of pointers on what best practices regarding web analytics tracking should look like.
We’ll try to sum them up for you and present them as actionable steps you can follow in order to prepare your web analytics setup for the upcoming legislation:
Web tracking under GDPR: 5 actionable steps
Step 1: Get rid of cookie boxes
Yes, these annoying little pop-ups have to go. Under the new rules, a visitor’s first visit to your website won’t qualify as consent for processing their data, even if you show them a notice like “By using this site, you accept cookies”.
If there’s no freely taken action to give consent, it won’t count.
Instead, you’ll need to use a consent box and display it to every user visiting your website for the first time. Not sure what it should look like? Have a look at this sample consent request box designed with a little help of Piwik PRO GDPR Consent Manager:
This is GDPR-compliant because it’s:
- Freely given – you don’t make the consent a precondition of your services. You just politely ask your visitors if they’d like to share some of their data with you.
- Specific – you allow your visitors to give a separate consent for each type of data processing.
- Informed – you describe every purpose of collecting visitor data.
- Unambiguous – your visitors have to tick a box in order to agree to your request and your consent request is clearly distinguishable from other matters.
Important note! It turns out that not every type of tracking will require consent from your users. The experts predict that ePrivacy (Regulation on Privacy and Electronic Communications) will make an exception for personal data used for web analytics purposes. So, if you take advantage of a web analytics tool that utilizes the collected data only to examine the performance of your website, you probably don’t need to worry about this part.
However, if you pass your analytics data to other AdTech and MarTech platforms (such as DSP or CDP), use remarketing pixels and tracking codes, or personalize your website content based on user behavior, you’ll certainly need to ask for consent for each of these activities.
If you want to learn more about the current state of the ePrivacy Regulation, we advise you to read these blog posts:
Step 2: Browser settings will be treated as consent (probably)
In GDPR itself (for obvious reasons) we won’t find any mention of “browser settings”. But the latest draft of the ePrivacy Regulation suggests that in the case of cookies used for tracking, you most likely won’t have to inform your visitors about the use of cookies if their web browser is set to signify consent or refusal. Users have to activate this setting manually, which counts as the affirmative action described in the text of GDPR.
It’s important to stress that you’ll have to respect your visitors’ choice to not be tracked, even in the case of previously issued consent!
Step 3: Justify and describe every purpose for which you use the personal data collected from your users
According to GDPR, sites using different types of cookies for different purposes need to obtain consent for each purpose. How to deal with this? We advise you to list them all in the Privacy Policy section on your website, so users can get acquainted with them when visiting your page.
As Recital 32 of the new law states:
When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Although right now it’s not quite clear what the description of each purpose should look like, there are a couple of examples of good practices you could follow.
For instance, this is how PayPal solved the problem.
Step 4: No more legal talking!
Mind the way you’re communicating with your users through the Privacy Policy published on your website. The new regulation forbids you from formulating your message in a way that won’t be understandable to the internet’s “average Joe”.
After all, we can’t speak of true consent when visitors are not aware what they’re really signing up for. This statement is also backed by the principle of transparency described in Recital 58 of the GDPR:
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. […] This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising.
Step 5: Your visitors should be able to opt-out at ANY time
Even after you’ve obtained valid consent, your visitors should be provided with an easy way to change their mind. It should be as easy to withdraw consent as it is to give it.
Article 7.3 of the new ruling characterizes it like this:
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
Not sure how to apply this rule?
In Piwik PRO we solved this problem by creating a Privacy Settings widget to install on your Privacy Policy Page. It’s one of the features of GDPR Consent Manager – a new addition to Piwik PRO Analytics Suite, helping our clients collect, manage and store GDPR consents and process data subject requests in a lawful manner.
If you want to learn more about the capabilities of Piwik PRO GDPR Consent Manager, we recommend you get familiar with this subpage and read this blog post.
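As an added example (our own illustration here, not Piwik PRO’s code and not part of the original post), the snippet below ties Steps 1, 2 and 5 together in a small browser-side consent module: nothing is pre-ticked, so a plain visit grants no purpose; consent is recorded separately per purpose; a browser-level refusal signal overrides any stored consent; and withdrawing is a single call, exactly as easy as granting. The purpose names, the storage key and the in-memory storage shim are assumptions made for the illustration; on a real page you would pass `window.localStorage` as `storage` and `navigator.doNotTrack` as `doNotTrack`.

```javascript
// Added example, not Piwik PRO code. Purpose names, the storage key and the
// in-memory storage shape are assumptions made for this illustration.
const PURPOSES = ['analytics', 'remarketing', 'personalization'];
const STORAGE_KEY = 'consent_v1';

// Storage shim with the same getItem/setItem shape as window.localStorage,
// so the module also runs outside a browser (e.g. in a unit test).
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

// Step 1: nothing is pre-ticked. Merely visiting the site yields this record,
// and every purpose stays off until the visitor takes an affirmative action.
function defaultConsent() {
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = false;
  return { purposes, updatedAt: null };
}

function createConsentManager({ storage = memoryStorage(), doNotTrack = null, now = () => Date.now() } = {}) {
  let record = defaultConsent();
  const stored = storage.getItem(STORAGE_KEY);
  if (stored) {
    try {
      const parsed = JSON.parse(stored);
      // Accept only known purposes; anything unknown or malformed reads as "no".
      for (const p of PURPOSES) record.purposes[p] = parsed.purposes?.[p] === true;
      record.updatedAt = typeof parsed.updatedAt === 'number' ? parsed.updatedAt : null;
    } catch (_) {
      record = defaultConsent();
    }
  }
  const listeners = [];

  function snapshot() {
    return { purposes: { ...record.purposes }, updatedAt: record.updatedAt };
  }
  function persist() {
    storage.setItem(STORAGE_KEY, JSON.stringify(record));
    for (const fn of listeners) fn(snapshot());
  }
  function setPurpose(purpose, value) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    record.purposes[purpose] = value;
    record.updatedAt = now();
    persist();
  }

  return {
    // Step 2: a browser-level refusal (navigator.doNotTrack === '1') wins over
    // any stored consent, including consent the visitor gave earlier.
    isAllowed(purpose) {
      if (doNotTrack === '1') return false;
      return record.purposes[purpose] === true;
    },
    // Specific: consent is granted per purpose, never as one blanket "yes".
    grant(purpose) { setPurpose(purpose, true); },
    // Step 5: withdrawing is one call, exactly as easy as granting.
    withdraw(purpose) { setPurpose(purpose, false); },
    withdrawAll() {
      for (const p of PURPOSES) record.purposes[p] = false;
      record.updatedAt = now();
      persist();
    },
    getConsent: snapshot,
    onChange(fn) { listeners.push(fn); },
  };
}

// Load only the trackers whose purpose is currently allowed. `loaders` maps a
// purpose name to the function that would inject that vendor's script tag.
function loadTrackers(manager, loaders) {
  const loaded = [];
  for (const purpose of Object.keys(loaders)) {
    if (manager.isAllowed(purpose)) {
      loaders[purpose]();
      loaded.push(purpose);
    }
  }
  return loaded;
}

if (typeof module !== 'undefined') {
  module.exports = { PURPOSES, STORAGE_KEY, memoryStorage, defaultConsent, createConsentManager, loadTrackers };
}
```

On a live page you would call `loadTrackers` once after the consent box is answered and again from an `onChange` listener, so that a tracker is injected only after its purpose is granted; note that withdrawing consent stops future loads but does not unload a script already on the page, so a full reload (or vendor-specific opt-out call) is still needed to stop an already-running tracker.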
Respect data subjects’ rights!
There is also one incredibly important aspect of GDPR you must thoroughly think through. GDPR introduces a list of data subjects’ rights that must be respected by both data processors and data controllers. The list includes:
- Right of access by the data subject (Section 2, Article 15).
- Right to rectification (Section 3, Art 16).
- Right to object to processing (Section 4, Art 21).
- Right to erasure, also known as ‘right to be forgotten’ (Section 3, Art 17).
- Right to restrict processing (Section 3, Art 18).
- Right to data portability (Section 3, Art 20).
As the topic of a data subject’s rights is really broad (and rather complicated as well), we promise to cover it in a separate blog post.
What you must know now is that the decision on how you want to apply those rules and respond to requests by your users is up to you. But it goes without saying that the right web analytics vendor should support you in fulfilling the obligations GDPR imposes on you.
How do you find out if your business partner has an ear to the ground and is properly prepared for the upcoming legislation?
We advise you to contact your web analytics vendor and check how they’re going to address this problem. If they can’t answer your questions, that means it’s high time to consider finding a more privacy-friendly solution that provides you with a way to comply with the new law (like Piwik PRO Consent Manager).
It’s time to act now!
We hope that the tips presented above will help you adjust your web analytics tracking methods to the demands of the new law. Of course, we know that it’s impossible to answer all the questions you might have in a single blog post.
So if you’re still not sure how to optimize your analytics for privacy compliance, don’t throw your hands up in despair. Piwik PRO experts are here to help – feel free to contact us anytime!
Also, we encourage you to subscribe to our newsletter – we’ll keep you posted with any updates regarding GDPR, the ePrivacy Regulation (whose second draft is currently under review!), and other data protection regulations that may impact your business.