Maximizing data collection
AdTech vendors collect large amounts of data and offer an attractive way for advertisers to target specific groups of people. Maximizing that data collection, without much regard for individual privacy, has made the most aggressive AdTech players into large profitable enterprises.
Some analytics platforms, such as Google Analytics, are part of that AdTech ecosystem and have trackers designed to maximize data collection, often at the expense of data privacy. This doesn’t mean they cannot be privacy-compliant, but they do put some serious hurdles along the way to privacy-friendly data collection.
We have written about such practices extensively on our blog:
First-party tracking and privacy-friendly analytics
Marketers and analysts increasingly are looking to a first-party approach, since the introduction of laws such as the GDPR and the blocking of third-party identifiers, such as with IDFA for iOS. So what is the first-party approach?
Keep in mind that various tracking methods have a way of identifying an individual or a group of individuals.
Article 5, paragraph 3 of the ePrivacy directive 2002/58/EC states:
[…] access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information […] about the purposes of the processing, and is offered the right to refuse such processing by the data controller.
In other words, you often need the data subject’s consent for tracking and collecting behavioral data. This isn’t just part of the ePrivacy directive or GDPR. Many new privacy regulations require consent before any collection of personal data online. Besides consent, there are several other key parts of a first-party, and privacy-friendly, data collection approach:
- Have 100% control over your data, especially when it comes to personal data. You must be able to tell data subjects what the data is collected for and where it is being stored. In case of cloud solutions, avoid countries where local regulations don’t offer the same level of privacy protection as the GDPR. It is therefore important to pay attention to cloud solution providers and their server locations.
- Do not forward data to third parties or use it for any other purposes not mentioned during consent. This also applies to your data processor.
- Do not transfer the data outside the geographical borders of the jurisdiction where data was collected. If you need to do this, make sure you have consent and that the transfer destination has proper data protection safeguards (i.e. privacy laws – country- or even state-level).
- Make sure the data comes from a direct interaction between your website or product and the data subject.
- Do not restrict the data subject’s rights or freedoms – they should be able to consent to specific data collection purposes and be able to change their decision easily at any time.
Additionally, you need to keep track of consents and data subject requests. You can either implement a standalone consent manager that will connect to your analytics stack, or you use an analytics platform offering an integrated consent manager.
A peek at the vendors
Most platforms would require the addition of an external consent manager to fit into the above approach. This integration introduces added complications. There can be a lot involved in making sure the external consent manager passes the right messages to the analytics platform, which needs information about what data to track based on consent.
It’s most important to find an analytics stack and consent manager that fits your use case. If that leads to choosing an external consent manager, just make sure you have the resources and expertise to get it properly integrated.
Some analytics vendors offer a simple consent banner, implemented in a tag manager, as an interim solution. Remember that a consent banner isn’t enough to satisfy most data privacy regulations. To meet legal requirements, you need to offer a clear choice and make it easy to not consent (no reject options hidden deep in menus allowed).
||Google Analytics (3 & 4)
|Does not need an external consent manager to stay compliant
||specific country, region or data center (private cloud in 60+ regions, 5 locations of public cloud) and on-premises
||no specified data residency
||specific country (limited to Germany) or on-premises
||specific country, region or data centre (limited to 9 regions)
||specific country (limited to 10 countries) or on-premises
Piwik PRO offers an integrated consent manager. It collaborates seamlessly with the Analytics Suite’s Analytics, Tag Manager and Customer Data Platform modules. It automates much of the consent collection and management process, and provides an API to share your collected consent data with your whole analytics stack. Additionally, it can run in a zero-cookie-load mode that prevents tracking tags and pixels from firing before a consent is collected.
As a data processor, Piwik PRO doesn’t share the collected data. Your organization controls the data and what happens to it completely. Your organization gets its choice of server locations, cloud or private cloud, all over the world in addition to an option for on-premises self-hosting.
Both versions of Google Analytics presents some major disadvantages:
- You don’t have control over where the data is sent and stored.
- The data you collect is used in other Google products and services, which everyone has access to.
- Most collected data will end up on American servers, even if that data was collected in the EU or anywhere else outside the US. In Europe, the invalidation of Privacy Shield means that these kinds of transfers are riskier than ever.
Matomo on the other hand, doesn’t send data of European users overseas and lets you store the data on your own servers. Still, the consent banner implemented in Matomo’s tag manager isn’t enough if you are collecting any personal data. Either you disable cookies and take the risk of keeping only pseudonymous personal data (fingerprinting) in your database, or you implement a standalone consent manager that collects and manages consents. In some cases though, data subject requests need to be handled manually, which can be an arduous task on your own.
Let’s move on to discuss the tracking methods themselves.