This blog post was originally published on April 27, 2017.
You’ve probably heard of GDPR, the new EU data protection regulation. Its purpose is to strengthen and unify the protection of personal data of individuals within the European Union, and it replaces the outdated Data Protection Directive 95/46/EC.
It’s also the strictest data privacy law introduced so far, and its territorial scope is very broad.
GDPR affects not only EU-based entities, but virtually every business that processes the personal data of individuals (data subjects) located in the European Union – both data controllers (e.g. the company running the website) and data processors (e.g. cloud-software vendors).
So, if you want to avoid the heaviest fines, which can reach:
4% of your company’s total worldwide annual turnover or 20 million euro,
whichever is higher – ouch!
It’s high time you adjusted your data processing practices to the demands of the new EU law.
Now, let’s proceed to some more detailed aspects of GDPR. In the next section of this article, we’ll show you how to adjust web analytics tracking to the demands of the new law.
Firstly, let us introduce you to two concepts that are crucial to web tracking under GDPR – personal data and consent.
None of them are as obvious as they may seem at first glance.
Let’s take a closer look at how the Regulation defines personal data. We’ll examine only the provisions focused on the definition of the term, as it would be virtually impossible to investigate every mention of “personal data” when the phrase occurs in the text nearly 600 times!
In Article 4.1 of the General Data Protection Regulation we can find the following characterization:
[…] Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
It’s important to emphasize that the Regulation significantly expands the definition of personal data when compared to the definition provided by Directive 95/46/EC.
Also, there are two particularly interesting points in the case of web tracking:
- GDPR treats online identifiers and location data as personal data, and therefore demands they be protected in the same way as other identifiers, like information on the genetic, economic, or psychological identity of a data subject.
- Cookies are included in the scope of online identifiers as well!
Recital 30 of the new law makes clear that cookie identifiers – even pseudonymous ones – can be personal data whenever they can be used, alone or combined with other data, to single out or identify an individual:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
Now, you may be wondering whether the new legislation sheds any light on how to obtain consent for such identifiers – after all, under the rules in force so far, not every cookie has required consent.
Fortunately, it does.
It won’t come as a surprise that the understanding of consent and the requirements associated with it have been reinforced and extended. Article 4.11 of the new legislation defines consent as:
[…] Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Important note: As we can see, the legislation characterizes consent as an affirmative action undertaken in an unambiguous and informed manner. This automatically eliminates implied consent from the list of accepted forms. We will return to this in a later section of the article.
In another paragraph of the new regulation we can also find a description of the process of obtaining consent. It is presented in Recital 32 and is worded as follows:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data […]. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct […]. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
The text of the regulation doesn’t give specific instructions for acquiring permission to process personal data. However, GDPR clarifies that “affirmative actions” signaling consent may include:
- choosing technical settings for information society services,
- ticking a box on a website, or
- another statement or conduct that clearly indicates consent.
And among insufficient forms of agreement the GDPR lists:
- silence,
- pre-ticked boxes, or
- inactivity.
That’s still pretty ambiguous, isn’t it? Don’t worry, the generality of the guidelines provided by the new legislation shouldn’t make you too concerned.
After all, we have to remember that GDPR is a framework addressing the processing of personal data in all its forms at a high level. More detailed legislation is also expected to come into effect alongside GDPR (the Privacy and Electronic Communications Regulation, known as the ePrivacy Regulation).
Still, GDPR itself contains a lot of pointers on what best practices for web analytics tracking should look like.
We’ll try to sum them up for you and present them as actionable steps you can follow in order to prepare your web analytics setup for the upcoming legislation:
Yes, those annoying little cookie pop-ups have to go. Under the new rules, simply visiting your website for the first time won’t qualify as consent for processing personal data, even if you show visitors a notice like “By using this site, you accept cookies”.
If there’s no freely taken action to give consent, it won’t count.
Instead, you’ll need to display a consent box to every user visiting your website for the first time. Not sure what it should look like? Have a look at this sample consent request box designed with a little help from Piwik PRO GDPR Consent Manager:
Freely given – you don’t make consent a precondition of your services. You just politely ask your visitors whether they’d like to share some of their data with you.
Specific – you allow your visitors to give separate consent for each type of data processing.
Informed – you describe every purpose for which visitor data is collected.
Unambiguous – your visitors have to tick a box (never one that is pre-ticked) in order to agree to your request, and your consent request is clearly distinguishable from other matters.
If you pass your analytics data to other AdTech and MarTech platforms (such as a DSP or CDP), use remarketing pixels and tracking codes, or personalize your website content based on user behavior, you’ll certainly need to ask for consent for each of these activities separately.
It’s important to stress that you’ll have to respect your visitors’ choice not to be tracked, even if they previously gave consent!
As Recital 32 of the new law states:
When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Although right now it’s not quite clear what the description of each purpose should look like, there are a couple of examples of good practices you could follow.
For instance, this is how PayPal solved the problem.
After all, we can’t speak of true consent when visitors are not aware what they’re really signing up for. This statement is also backed by the principle of transparency described in Recital 58 of the GDPR:
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. […]This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising.
Even after you’ve obtained valid consent, your visitors should be provided with an easy way to change their mind. It should be as easy to withdraw consent as it is to give it.
Article 7.3 of the Regulation puts it like this:
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
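The consent-box requirements above (freely given, specific per purpose, informed, unambiguous, never pre-ticked) and the withdrawal rule in Article 7.3 translate directly into code. The following is an added example written for this article, not Piwik PRO’s own Consent Manager code: a small per-purpose consent store that treats the absence of a decision as “no consent”, only loads a tracker after an explicit grant, and makes withdrawal a single call, just like granting. The purpose names, their descriptions, the Map-like storage and the tracker hooks are assumptions made for illustration.

```javascript
// Added example (not Piwik PRO's code). Purposes and descriptions are assumed
// for illustration; a real site would use its own list.
const PURPOSES = {
  analytics: 'Measure how this site is used (first-party cookie).',
  remarketing: 'Share visit data with advertising platforms to show you ads elsewhere.',
  personalization: 'Adapt page content to your previous behaviour on this site.',
};

class ConsentStore {
  // `storage` is any Map-like object (get/set). In a browser you would wrap
  // localStorage or a first-party cookie; a plain Map keeps the example offline.
  constructor(storage = new Map()) {
    this.storage = storage;
    this.hooks = { granted: {}, withdrawn: {} };
  }

  static assertKnown(purpose) {
    if (!Object.prototype.hasOwnProperty.call(PURPOSES, purpose)) {
      throw new Error('unknown purpose: ' + purpose);
    }
  }

  // null means no decision was ever recorded: silence or inactivity is not consent.
  decision(purpose) {
    ConsentStore.assertKnown(purpose);
    const d = this.storage.get('consent:' + purpose);
    return d === undefined ? null : d;
  }

  isGranted(purpose) {
    const d = this.decision(purpose);
    return d !== null && d.status === 'granted';
  }

  // Purposes the visitor has not decided on yet; these drive the consent box.
  pending() {
    return Object.keys(PURPOSES).filter((p) => this.decision(p) === null);
  }

  // Model for the consent box: one checkbox per purpose, never pre-ticked,
  // each with a plain-language description of what the data is used for.
  consentBoxModel() {
    return this.pending().map((p) => ({ purpose: p, description: PURPOSES[p], checked: false }));
  }

  // Record exactly the boxes the visitor ticked. Pending purposes that were
  // not ticked are recorded as refused, so the box is not shown on every page.
  submit(ticked, now = Date.now()) {
    ticked.forEach((p) => ConsentStore.assertKnown(p));
    for (const p of this.pending()) {
      const status = ticked.includes(p) ? 'granted' : 'refused';
      this.storage.set('consent:' + p, { status, at: now });
      if (status === 'granted') this.fire('granted', p);
    }
  }

  // Withdrawal costs the visitor one action, the same as granting did.
  withdraw(purpose, now = Date.now()) {
    if (!this.isGranted(purpose)) return false;
    this.storage.set('consent:' + purpose, { status: 'withdrawn', at: now });
    this.fire('withdrawn', purpose);
    return true;
  }

  // Register tracker loaders/unloaders. A loader registered after consent was
  // already given runs immediately, so navigation between pages keeps working.
  onGranted(purpose, fn) {
    this.on('granted', purpose, fn);
    if (this.isGranted(purpose)) fn(purpose);
  }
  onWithdrawn(purpose, fn) { this.on('withdrawn', purpose, fn); }

  // Audit record: the controller must be able to demonstrate what was consented to and when.
  record() {
    return Object.keys(PURPOSES).map((p) => {
      const d = this.decision(p);
      return Object.assign({ purpose: p }, d === null ? { status: 'none', at: null } : d);
    });
  }

  on(event, purpose, fn) {
    ConsentStore.assertKnown(purpose);
    if (!this.hooks[event][purpose]) this.hooks[event][purpose] = [];
    this.hooks[event][purpose].push(fn);
  }
  fire(event, purpose) {
    for (const fn of this.hooks[event][purpose] || []) fn(purpose);
  }
}

// Demo wiring: the analytics tracker only ever loads after an explicit grant.
function demo() {
  const log = [];
  const store = new ConsentStore();
  store.onGranted('analytics', () => log.push('analytics tracker loaded'));
  store.onWithdrawn('analytics', () => log.push('analytics tracker stopped, cookie deleted'));
  log.push('pending before any action: ' + store.pending().length); // first visit: nothing granted
  store.submit(['analytics']); // the visitor ticks exactly one box
  store.withdraw('analytics'); // later the visitor changes their mind
  return { log, record: store.record() };
}
```

The important design choice is that `decision()` returns `null` until the visitor acts, and every tracker loader is registered through `onGranted()`, so there is no code path in which a script runs on silence, a pre-ticked box or a “by using this site” notice. Withdrawal writes a separate `withdrawn` status rather than deleting the record, which preserves the lawfulness of processing done before the withdrawal while still stopping the tracker.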
Not sure how to apply this rule?
There is also one incredibly important aspect of GDPR you must thoroughly think through. GDPR introduces a list of data subjects’ rights that must be respected by both data controllers and data processors. The list includes:
- Right of access by the data subject (Section 2, Article 15).
- Right to rectification (Section 3, Article 16).
- Right to object to processing (Section 4, Article 21).
- Right to erasure, also known as the ‘right to be forgotten’ (Section 3, Article 17).
- Right to restriction of processing (Section 3, Article 18).
- Right to data portability (Section 3, Article 20).
As the topic of a data subject’s rights is really broad (and rather complicated as well), we promise to cover it in a separate blog post.
What you must know now is that the decision on how you want to apply those rules and respond to requests by your users is up to you. But it goes without saying that the right web analytics vendor should support you in fulfilling the obligations GDPR imposes on you.
How do you find out whether your business partner has an ear to the ground and is properly prepared for the upcoming legislation?
We advise you to contact your web analytics vendor and check how they’re going to address this problem. If they can’t answer your questions, that means it’s high time to consider finding a more privacy-friendly solution that provides you with a way to comply with the new law (like Piwik PRO Consent Manager).
We hope that the tips presented above will help you adjust your web analytics tracking methods to the demands of the new law. Of course, we know that it’s impossible to answer all the questions you might have in a single blog post.
So if you’re still not sure how to optimize your analytics for privacy compliance, don’t throw your hands up in despair. Piwik PRO experts are here to help – feel free to contact us anytime!
Also, we encourage you to subscribe to our newsletter – we’ll keep you posted with any updates regarding GDPR, the ePrivacy Regulation (whose second draft is currently under review!), and other data protection regulations that may impact your business.