18 months after its' enforcement date (25 May 2018), the European General Data Protection Regulation is still making headlines. We've covered this before, even before the data protection law was being enforced, offering advice on steps to be GDPR ready to website owners. Yet, many entrepreneurs, website owners, and startup teams still ignore GDPR or do not know how to fully handle it. Disclaimer: if you are unsure whether your business is implementing GDPR correctly, please also consult an attorney specializing in such matters.
In the current context, this has become extremely dangerous, as we are beginning to see heavy fines for several companies, big and small, if they don't stick to standards for data privacy. Please note that any online business and website that is accessible to EU citizens, regardless of the country they are operating from, has to comply with the same standards. Therefore, companies outside of Europe must also be on alert.
What is GDPR and what does it mean for website operators?
GDPR consists of a set of regulations that act as law in all situations when the personal user data of EU citizens is being handled by companies or other organizations. According to this regulation, all individuals who, voluntarily or unknowingly, give personal information to a company, through any sort of contact, must give explicit informed consent for the gathering, storing and processing of that data.
The type of personal data whose processing requires user consent includes names, contact information, location, health status, interests, demographical data, etc. In the informed consent lies the obligation to inform individuals on the type of data being gathered, how and for how long it will be stored and to what purpose.
Moreover, you need to provide access to ones’ personal data, on request, as well as to make sure you have data security in place. The data must be protected from being stolen and misused. In case of data breaches, as a company, you should have procedures in place to notify all those concerned. This applies to all business conducted online, as well as offline.
But for those who work online, the situation is much more complicated than for businesses that primarily act offline. There are various parties interested and involved in the process of data collection online. It is not only the website operator itself that may be gathering information on visitors and customers, but other third parties too, mostly for advertising purposes.
Web tracking apps or web analytics tools fall into that category, starting with the most famous one of all, which is Google Analytics. Remember that the website operator needs to make sure that he has explicit, distinct ways to inform the user about all the different types of data being gathered, as well as who is gathering them.
These rules are not to be taken lightly. Some website owners have made use of simple pre-ticked boxes, to give some sort of informed consent to users entering their websites. Others have created just one GDPR box, grouping several provisions behind the same button, without specifying all the ways the data would be used. These two cases do not comply with the standards and will not save website owners from getting fined.
Instead, every third party has to have a clear separate “I agree” section right at the first contact the user has with the landing page, which the visitors may or may not tick. Pre-ticked boxes are not GDPR compliant.
What is the consequence of GDPR regulations for Google Analytics?
The consequences for the digital giant are potentially devastating. In recent weeks and months, website operators in Germany who are using Google Analytics have been under fire. According to Datenschutzbeauftragter, there are already an estimated 200,000 reports nationwide against web operators that are not properly disclosing the use of data by this particular third party.
This is a true headache for website operators that are trying to implement this disclosure. How will they handle the situations when users do not tick the box next to the Google Analytics data processing agreement? It could well be a technical and legal challenge. We cannot expect them all to be legal experts, nor can we expect that they all afford legal advice. Complying with GDPR may have been a nightmare for many. If GDPR was not enough, now there is the issue of using GDPR compliant analytics.
In this context, a climate of fear may be settling in. Rather than risk heavy fines for the activities of a third party, could it be that website operators will, at least temporarily, suspend their Google Analytics accounts? What alternatives do they have? If they take a closer look at current regulations, they may find some. Sometimes the devil is in the little details. Some authorities have stressed the fact that the situations being investigated are those when:
“third-party services integrated into websites also use the data collected for their own purposes”. (Ulrich Kelber, data protection official in Germany)
This may refer to Google Analytics, who, at least for the time being, use personal data not only in the interest of their customers, but also to cross and intersect data from one Google service to another. This, of course, has to do with their interests in terms of paid services, such as advertising. But, if we take this interpretation of the law to be true, then there are other ways for website owners to get GDPR analytics.
One way is to look for other analytics tools, which are simply not connected to advertising services and do not share the data with any other third party. If the sole purpose of the analytics tool is to generate aggregated, anonymized data for their customers, then no additional informed consent should be required. And there is no shortage of analytics tools out there, but how can we differentiate between those who are 100% GDPR compliant and those who are not?
Things to consider when choosing a GDPR compliant alternative to Google Analytics
If, as a website operator, you decide that Google Analytics is too much of a liability or a hassle to fit it in your GDPR provisions, you could start looking for an alternative. If or when you do this, consider the following (disclaimer: keep in mind that this is not official legal advice. If in doubt, consult an attorney):
Do some research to answer the question does this tool have its’ own tracking system or is it based on the Google Analytics code? Many tools just add their own graphics and user experience to the data provided to them by Google Analytics. While they may look different, the issues surrounding data privacy, data processing and GDPR requirements are the same
Make sure that the new tool has a Data Processing Agreement and take some time to read it
In the Data Processing Agreement, look for the provision that the analytics tool processes personal data only to the extent, and in such a manner, as is reasonably necessary for the purposes of the contract you have with them. This ensures that they cannot use the data for their own purposes, thus making them completely GDPR compliant, without the need for you to ask your users for separate consent. See an example below, from the Data Processing Agreement of Visitor Analytics
Contact the providers of the tool and sign the DPA (Data Processing Agreement) with them. This should be done for all third-party apps you are using, not just analytics.
Make sure the data used is pseudonymized and that there are options to opt-out of tracking
Check to see access provisions to the database. You need this to be able to provide the right to access to your users if they should request it. Keep in mind that if anyone in your lists/database wants to obtain from you the confirmation as to whether or not personal data concerning them are being processed, where and for what purpose, you have to respond and shall provide a copy of the personal data, free of charge, in an electronic format. By the way, you can also do this for all Google services, by visiting Google My Account. There is an option there to download the data Google has stored on your profile. It includes huge amounts of information from various tools.
Check to see if there is an option to delete data, as some of your users may request that. In all fairness, Google Analytics has also taken steps to comply with this measure and you are now able to delete views and visitors. Visitor Analytics also offers this option.
Also check data retention settings. For how long will the analytics tool provider (data processor) keep the data on individual users? Google Analytics now gives the option to control retention.
Is the analytics tool of your choice ISO 27001 certified? This is a certification of the fact that the organization keeps information assets secure.
Last but not least, check provisions about the ownership of the data. Try to find an analytics tool that gives you ownership of the data. See the "control over data" section in the Visitor Analytics GDPR compliance overview for a good practice example.
Why do we need GDPR in the first place?
Before this regulation was effective, the rules governing the collection and use of personal data were much more relaxed. As a consequence, there were cases when personal data such as name, address, phone number or other sensitive information would be mishandled, easily misappropriated or even sold from one company to another, without the knowledge and consent of the individual. This could have a very serious impact on any given individuals' private life. One thing that would often happen is you could more easily be targeted by marketers, including by the use of intrusive advertising. Other, more serious consequences, would deal with stolen identities. Health providers were (and sometimes still are) a predilect target for those who would want to misuse personal data. For example, a criminal might file a fraudulent tax return or apply for a credit card using the dates leaked from a hospital data breach. In this context, it was felt that data privacy and protection should be taken more seriously.
If you want to find out more about how we, at Visitor Analytics, comply with GDPR, here are some nice reads to consider on this topic:
Our GDPR Commitment — a page about GDPR and how do we comply and safeguard the personal data.
A Data Processing Agreement & Cookie Information — Since we, as an analytics solution, are the processors for the website owners, we also prepared this document for everyone having an account! You can find it (and sign it) in your Visitor Analytics Settings.
A short article about our updates & changes under GDPR
An article about the ISO27001certification