This blog post was originally published on April 27, 2017.
Are you wondering if the upcoming GDPR legislation will have any impact on the way you collect your web analytics data? We must warn you – it certainly will. Read our new blog post to see what exactly is going to change and how to prepare for it.
You’ve probably heard of GDPR, the new EU data protection regulation. Its purpose is to strengthen and unify data collection from individuals within the European Union, and replace the obsolete Data Protection Directive 95/46/EC.
It’s also the strictest data privacy law that has ever been introduced. And even though the list of involved organizations may suggest otherwise, the territorial scope of the new regulation is really broad.
GDPR will impact not only EU-based entities, but virtually every business dealing with customers (a.k.a. data subjects) within the European Union – both data controllers (e.g. companies) and data processors (e.g. cloud-software vendors).
On top of that, it’s scheduled to take effect on 25 May 2018.
So, if you want to avoid heavy fines (in some cases as high as 4% of your company’s yearly turnover or 20 million euro, whichever is higher – ouch!), it’s high time you adjusted your data processing policy to the demands of the new EU law.
We’re sure that our previous posts covering GDPR will give you a decent overview of the topic:
- What You Should Know About the GDPR. An Interview With Aurelie Pols. (Part 1),
- What You Should Know About the GDPR. An Interview With Aurelie Pols. (Part 2),
- General Data Protection Regulation (GDPR): Actionable Facts and Steps to Follow.
Now, let’s proceed to some more detailed aspects of GDPR. In the next section of this article, we’ll show you what exactly should change in your web analytics tracking when the new legislation comes into effect.
Firstly, let us introduce you to two concepts that are crucial to web tracking under GDPR – personal data and consent.
Neither of them is as obvious as it may seem at first glance.
What is personal data?
Let’s take a closer look at the recitals of the Regulation concerning personal data. We’ll examine the ones focused purely on the definition of the term, as it would be virtually impossible to investigate all the mentions of “personal data” when considering that the phrase occurs in the text nearly 600 times!
In Article 4.1 of the General Data Protection Regulation we can find the following characterization:
[…] Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
It’s important to emphasize that the Regulation significantly expands the definition of personal data when compared to the definition provided by Directive 95/46/EC.
Also, there are two particularly interesting points in the case of web tracking:
- GDPR treats online identifiers and location data as personal data, and therefore demands they be protected in the same way as other identifiers, like information on the genetic, economic, or psychological identity of a data subject.
- Cookies are included in the scope of online identifiers as well!
GDPR states that all cookies – even pseudonymous ones – can be considered personal data if there is any potential to use them to single out or identify an individual. This is detailed in Recital 30 of the new law:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
Now, you may be wondering if the upcoming legislation sheds any light on how to handle this – after all, under existing rules, cookies don’t necessarily require consent.
Fortunately, it does. A little.
Free Webinar Recording: Web Analytics vs. GDPR
Will New Privacy Regulations Impact Digital Marketers? Download the Webinar Recording
What is consent?
It won’t come as a surprise that the understanding of consent and the requirements associated with it have been reinforced and extended. Article 4.11 of the new legislation defines consent as:
[…] Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Important note: As we can see, the legislation characterizes consent as an affirmative action undertaken in an unambiguous and informed manner. It therefore automatically eliminates an ‘implied agreement’ from the list of accepted forms of consent. We will return to this in a later section of the article.
In another paragraph of the new regulation we can also find a description of the process of obtaining consent. It is presented in Recital 32 and is worded as follows:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data […]. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct […]. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
The text of the regulation doesn’t give specific instructions for acquiring permission to process personal data. However, GDPR clarifies that “affirmative actions” signaling consent may include:
- choosing technical settings for information society services,
- ticking a box on a website, or
- another statement or conduct clarifying the indication of consent.
And among insufficient forms of agreement the GDPR lists:
- pre-ticked boxes,
- silence, or
- inactivity.
That’s still pretty ambiguous, isn’t it? Don’t worry, the generality of the guidelines provided by the new legislation shouldn’t make you too concerned. After all, we have to remember that GDPR is a framework addressing at a high level the subject of processing personal data in all its forms. There is also more detailed legislation to come into effect along with GDPR (we mean the Privacy and Electronic Communications Regulation – known as ePrivacy Regulation).
Still, in GDPR itself, there are a lot of pointers on what best practices regarding web analytics tracking should look like.
We’ll try to sum them up for you and present them as actionable steps you can follow in order to prepare your web analytics setup for the upcoming legislation:
Web tracking under GDPR – actionable steps
1) Get rid of cookie boxes
Yes, these annoying little pop-ups will most probably have to go. Under the new rules, just visiting your website for the first time won’t qualify as consent for processing the data, even if you show visitors a notice like “By using this site, you accept cookies”.
As we’ve already mentioned, if there’s no truly free choice and affirmative action, it won’t count as consent.
Instead, you’ll probably need to use a consent box and display it to every user visiting your website for the first time. Not sure what it should look like? Have a look at this sample consent box created by PageFair:
What makes it GDPR-compliant is that it:
- contains the list of purposes for which personal data will be used,
- calls for active consent on the user’s end.
Important note! It turns out that not every type of tracking will require consent from your users. The current form of ePrivacy (Regulation on Privacy and Electronic Communications) makes an exception for personal data used for web analytics purposes. So, if you take advantage of a web analytics tool that utilizes the collected data only to examine the performance of your website, you probably don’t need to worry about this part.
However, if you pass your analytics data to other AdTech and MarTech platforms (such as DSP or CDP), use remarketing pixels and tracking codes, or personalize your website content based on user behavior, you’ll certainly need to ask for consent for each of these activities.
If you want to learn more about the current state of the ePrivacy Regulation, we advise you to read these blog posts:
- Current state of the ePrivacy Regulation as it enters the home stretch
- How ePrivacy Impacts Marketing Automation, Re-marketing, Personalization and Web Analytics
2) Browser settings will be treated as consent (probably)
It’s important to stress that you’ll have to respect your visitors’ choice to not be tracked, even in the case of previously issued consent!
3) Justify and describe every purpose of usage of the personal data collected from your users
As Recital 32 of the new law states:
When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Although right now it’s not quite clear what the description of each purpose should look like, there are a couple of examples of good practices you could follow.
For instance, this is how PayPal solved the problem.
4) No more legal jargon!
After all, we can’t speak of true consent when visitors are not aware what they’re really signing up for. This statement is also backed by the principle of transparency described in Recital 58 of the GDPR:
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. […] This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising.
5) Your visitors should be able to opt-out at ANY time
Even after you’ve obtained valid consent, your visitors should be provided with an easy way to change their mind. It should be as easy to withdraw consent as it is to give it.
Article 8.2 of the new regulation characterizes it like this:
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
Not sure how to apply this rule? In Piwik PRO we solved this problem by creating a dedicated subpage of the website where our visitors can freely withdraw their consent. It’s called “Opt-Out”, and is located in the bottom section of our main page.
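Steps 1, 2, 3 and 5 above can be combined into a single consent gate in front of your tags: nothing fires by default, each purpose needs its own explicit “yes”, a browser-level do-not-track signal is honoured even when a stored record says otherwise, and withdrawal is one call that clears everything. The following is an added example written for this post; it is not Piwik PRO’s or PageFair’s code, and the purpose names, the storage key and the `memoryStore` helper are assumptions made for illustration.

```javascript
// Added example (not the original post's code): a per-purpose consent gate for
// web analytics and marketing tags. Purpose names and storage key are assumed.

const PURPOSES = ['analytics', 'remarketing', 'personalization'];
const STORAGE_KEY = 'consent_v1'; // hypothetical localStorage key

// Default state: nothing granted. A first visit or a missing record is NOT
// consent (Recital 32: silence, pre-ticked boxes or inactivity do not count).
function defaultConsent() {
  return Object.fromEntries(PURPOSES.map((p) => [p, false]));
}

// Treat a browser-level "do not track" signal as a refusal that overrides any
// previously stored consent (step 2: respect the choice not to be tracked).
function browserRefusesTracking(nav) {
  const dnt = nav ? (nav.doNotTrack || nav.msDoNotTrack) : undefined;
  return dnt === '1' || dnt === 'yes';
}

// Parse a stored record defensively: a malformed or tampered value, or any
// value other than an explicit boolean true, falls back to "no consent".
function parseConsent(raw) {
  const state = defaultConsent();
  if (typeof raw !== 'string') return state;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    return state;
  }
  if (!parsed || typeof parsed !== 'object') return state;
  for (const p of PURPOSES) state[p] = parsed[p] === true;
  return state;
}

// Record the choices made in the consent box (step 3: one decision per purpose).
// Only an explicit affirmative choice grants a purpose; anything else refuses it.
function recordChoices(choices, store) {
  const state = defaultConsent();
  for (const p of PURPOSES) state[p] = choices[p] === true;
  store.setItem(STORAGE_KEY, JSON.stringify(state));
  return state;
}

// Withdrawal must be as easy as giving consent (step 5): one call clears all.
function withdrawAll(store) {
  const state = defaultConsent();
  store.setItem(STORAGE_KEY, JSON.stringify(state));
  return state;
}

// Decide whether a tag serving the given purpose may fire right now.
function mayTrack(purpose, store, nav) {
  if (!PURPOSES.includes(purpose)) return false; // unknown purpose: never
  if (browserRefusesTracking(nav)) return false;  // browser signal wins
  return parseConsent(store.getItem(STORAGE_KEY))[purpose];
}

// Minimal in-memory stand-in for window.localStorage so the gate can be
// exercised outside a browser (constructed for this example).
function memoryStore() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

// Usage in a page: wrap each tag loader in the gate.
// if (mayTrack('remarketing', window.localStorage, window.navigator)) loadRemarketingPixel();
```

If the ePrivacy exception for pure performance analytics applies to your tool, you can leave `analytics` out of the gated list and still keep remarketing and personalization behind explicit consent; the same opt-out call then serves as the “withdraw at any time” page.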
Respect data subjects’ rights!
There is also one incredibly important aspect of GDPR you must thoroughly think through. GDPR introduces a list of data subjects’ rights that should be obeyed by both data processors and data collectors. The list includes:
- Right of access by the data subject (Section 2, Art. 15).
- Right to rectification (Section 3, Art. 16).
- Right to erasure (also known as the right to be forgotten) (Section 3, Art. 17).
- Right to restrict processing (Section 3, Art. 18).
- Right to data portability (Section 3, Art. 20).
As the topic of a data subject’s rights is really broad (and rather complicated as well), we promise to cover it in a separate blog post.
What you must know now is that the decision on how you want to apply those rules and respond to requests by your users is up to you. But it goes without saying that the right web analytics vendor should support you in fulfilling the obligations GDPR imposes on you.
How can you find out whether your business partner has an ear to the ground and is properly prepared for the upcoming legislation?
We advise you to contact your web analytics vendor and check how they’re going to address this problem. If they can’t answer your questions, that means it’s high time for you to consider finding a more privacy-friendly solution (like Piwik PRO).
It’s time to act now!
We hope that the tips presented above will help you adjust your web analytics tracking methods to the demands of the new law. Of course, we know that it’s impossible to answer all the questions you might have in a single blog post.
So if you’re still not sure how to optimize your analytics for privacy compliance, don’t throw your hands up in despair. Piwik PRO experts are here to help – feel free to contact us anytime!
Also, we encourage you to subscribe to our newsletter – we’ll keep you posted with any updates regarding GDPR, the ePrivacy Regulation (whose second draft is currently under review!), and other data protection regulations that may impact your business.