Web analytics: data privacy when creating a profile

In recent years, web analytics have become an instrument of central importance in the world of online marketing. With an ever-increasing number of website operators relying on tracking tools such as Google Analytics and Matomo (formerly Piwik), it’s now easy to monitor and respond to user behavior in real time. Using these tools, websites operators can make their websites more user-friendly and their businesses more streamlined.

It’s now almost impossible for online merchants to imagine a world without web analysis tools, despite data privacy activists having expressed concerns about the security of user’s’ sensitive information. The biggest fear for these groups is that the type of user data extracted by website operators is often unclear or completely undisclosed – and their purposes are often even more ambiguous. The potential for conflict primarily arises from how website operators handle the personal data provided by users when creating profiles. However, it is possible to use web analytics that are data protection compliant with established solutions. This means that certain requirements must be fulfilled, which sometimes can demand changes to the tracking tool’s programming code.

Legal framework for data security

In principle, if the appropriate legal measures have been taken to protect users’ privacy, there should be nothing controversial about monitoring user activities on a website. However, around the world, legislation varies wildly. In the United States, for example, laws are decided at a state level, with many states being comparatively relaxed when it comes to data privacy. Meanwhile, in other parts of the world, data security is a far higher priority. In the European Union, the General Data Protection Regulation (GDPR) is a regulation in EU law that came into effect in May 2018. If you’re planning on expanding your business in the EU or have already done so, it makes sense to read up on the laws in the EU regarding data protection and what changes were enforced from May 2018 onwards.

Depending on where your online business is based, you may encounter some difficulties when using certain web analytics tools. This is because, in their standard configuration, most web analytics tools record IP addresses, which, in some countries, counts as sensitive data. Their legal usage would therefore only be possible with the explicit permission of the website visitor. When building an online business, it is essential to check if this is the case in any of the countries and states you operate in. This way, you can avoid unknowingly collecting sensitive data, which will also prevent you from incurring any fines.

“No personal data may be processed unless it is done under a lawful basis specified by the regulation or unless the data controller or processor has received an unambiguous and individualized affirmation of consent from the data subject. The data subject has the right to revoke this consent at any time.”

The GDPR supersedes tThe 2011 EU Data Protection Directive, which applies in all European Union member countries (including the United Kingdom), prohibits the collection of sensitive information without users’ explicit consent. All web analytics tools are subject to the EU cookies law, which means that to use Google Analytics and similar tools, the website owner must have the user’s consent.

This change in regulations could prove tricky for website operators who want to evaluate user metrics using common industry solutions. This is because in the standard configuration, almost all common tracking tools not only record each user’s IP address, but also place cookies in order to record user behavior on the website. It’s imperative to get the website user’s permission for this.

The GDPR attaches a lot of importance to informing users. This means that website operators must make it clear what information they plan to take from the visitors and what they want to use it for. So, in the case that you need different data for different purposes, you have to ask the user for their consent on multiple occasions. It’s also not okay to presume consent has been given just because the user has ignored or forgotten to answer the question of whether their data can be recorded. If they don’t react to the question, GDPR deem this as a rejecting. The same applies to using cookies.

Webanalysis and privacy according to GDPR

There are two ways that website operators can collect and process user data and still comply with the GDPR:

  • Via an explicitly approved web analysis
  • Via anonymous web analysis

Website operators who obtain prior permission from their visitors to create user profiles based on personal data can rest assured they’re on the safe side when it comes to data protection. The visitor, however, needs to be made aware of this as soon as they access the website. You can’t just include the declaration of consent as part of the general terms and conditions. Instead, a pop-up should appear when the user visits a website for the first time. If consent is given, it’s the website operator’s task to log this and to keep it accessible to the user at all times.

In addition, users must also be able to revoke their consent at any time and this should be as easy to do as the consent itself. As soon as the user changes their mind and lets the website operator know, data processing must be stopped right away. However, data that has already been collected and processed only has to be deleted if the user requests it to be.

Fact

The GDPR asks website operators to obtain consent every six months. Therefore, the consent should be timestamped. This is the only way for your web analysis system to record everything correctly and keep in compliance with the regulations.

The GDPR also state that users have a right to information: they have the right to know what data has been stored so far. It is therefore important for you as a website operator to be able to access this data at any time since you have 30 days to process an inquiry. It is also imperative that web analysis providers and other external service providers are not allowed to evaluate the data themselves because the users usually haven’t given their consent. The consent is generally only granted to the website operator themselves.

Website operators have to put in a lot more effort to obtain each individual visitor’s consent. In addition, the risk of the bounce rate increasing is also something to worry about due to the extra hurdle between the visitor and website content. Consent is therefore rarely requested in practice. An alternative is anonymous web analysis. All information collected during a visit to a website must be stored separately from personal data (such as the IP address, name, or account data). It’s also not possible to merge the separate data records later on without explicit permission.

Note

If you’re not sure whether the data you’ve collected is anonymous or personal, you should presume it’s the latter to be on the safe side. Anonymous data is when the information can’t be allocated to anyone, even after being collected.

To comply with GDPR, you can also use IP masking. With this type of web analysis, the last digits of an IP address are disguised when they are collected. Since the common analysis tools usually collect complete user IPs automatically and process them (e.g. for geolocalization), an anonymized web analysis usually requires software to be additionally configured. Detailed instructions for the Google Analytics and Matomo tracking tools are given at the end of this article.

You have to pay attention to the following points when using web analysis:

Opt-in

Consent for processing personal data must be given via the opt-in procedure. You can’t assume there’s silent consent nor can you use an opt-out procedure. As long as the visitors do not explicitly agree, you aren’t allowed to store any personal data. This also means that data like this may not be recorded directly when the user visits the website: this is only allowed after consent has been given.

Note

Since the GDPR has only recently been implemented and every detail of the regulations hasn’t been clearly formulated, there are still some ambiguities. For example, there is currently no agreement as to whether the opt-in procedure is also necessary for just web analysis. Only future court proceedings will probably clarify the GDPR in more detail.

The issue of transparency

When tracking technology is used on a website that falls under EU law, website owners are legally obliged to notify visitors that their behavior is being monitored in the form of user profiles, the extent to which their data is being collected, and the purpose of this data collection. According to data protection authorities, it doesn’t matter whether the recording of user data is anonymous or based on personal data. A comprehensive and transparent privacy statement should be accessible for users at any time and from any page. It’s therefore recommended to include a link to the privacy statement in the website’s navigation bar or in the footer.

Right to object

For your web analytics usage to fall in line with EU cookie laws and certain state laws, website operators are required to give their users the right to refuse the terms and conditions of the privacy policy. The technical implementation of this right to object depends on the tracking tool being used.

Order data processing

If a website operator within the EU is using web-tracking tools that save personal user data on external servers, an electronic data processing agreement complying with the GDPR is sometimes required. With this, the legislator understands the collection, processing, and use of personal data by an external service provider. In such an agreement, both parties determine which services are involved and which rights and obligations arise. In certain EU countries, an order data processing contract is also necessary in the case of an anonymous survey, since IP masking sometimes takes place on the provider’s server.

Secure web analytics with Google Analytics and Matomo

Regarding the introduction of GDPR, developers of these established tracking tools have endeavored to make their products as data protection compliant as possible. In principle, however, it is the responsibility of the website operator to ensure that the legal framework is adhered to regarding the web analysis conditions.

Google Analytics and Matomo will be used as examples to explain how the corresponding configuration of the web tracking software can look in practice.

Google Analytics

Even the large data collector, Google, has adapted its web analysis service to the new EU laws. However, you must make the following adjustments to ensure that your web analysis complies with data protection requirements:

  1. Contract for data processing: According to data protection authorities, Google (as a provider of Google Analytics) takes the position of a contractor. Website operators are therefore obliged to prepare a contract for data processing. In the meantime, you can also do this online. You can use your account settings to complete the addition for data processing.
     
  2. Data retention: In the settings, Google allows you to have the stored data automatically deleted after a certain time. Select the shortest time period, which is 14 months.
     
  3. Anonymization of IP addresses: anonymisation of Anonymizing the user IP addresses can be implemented with Google Analytics by the specially provided code extension "anonymizeIp". Website operators must manually enter this into the program code of the tracking software. You can find a technical explanation about anonymization  in Google’s support section. Currently there are two variations of the tracking software in use. Depending on whether a website uses traditional analytics or universal analytics, the following code sections are added to the program code:

In traditional analytics, the following extension is added with the _anonymizelp function from the JavaScript library ga.js:

var _gaq = _gaq || [];
_gaq.push (['_setAccount', 'UA-XXXXXXX-YY']);
_gaq.push (['_gat._anonymizeIp']);
_gaq.push (['_trackPageview'])

Universal analytics, on the other hand use the ga('set', 'anonymizeIp', true) function from the JavaScript library, analytics.js:

ga('create', 'UA-XXXXXXX-X', 'beispiel.de');
ga('set', 'anonymizeIp', true);
ga('send', 'pageview');

For both variants, the last octet of an IPv4 address is set to zero. For IPv6 addresses, IP masking includes the last 80 bits of memory.

  1. Privacy policy and right of refusal: according to Google Analytics’ terms of use, website operators are obligated to indicate the use of the software in a data protection statement and to disclose the scope of the data collection. This declaration must also give website visitors the option to object to the terms. You can find a link to the Google Analytics browser add-on provided by Google.
     
  2. Delete old data: any personal user data collected that doesn’t adhere to GDPR must be deleted without exception, so it is recommended to create a new Google Analytics account for the affected website.

Matomo (Piwik)

Like Google Analytics, Piwik’s (or Matomo’s) privacy settings must also be adjusted to be used legally anywhere in the world. Unlike Google Analytics, however, the open source software runs on its own server. This means that sensitive user data is never passed on to third parties; therefore, a contract for data processing (1.) no longer applies. However, since you most likely store personal data on a rented server, you will have to conclude a contract with the hosting provider.

  1. Anonymization of IP addresses: there is a special Piwik Matomo plugin, AnonymizeIP, which can mask IP addresses. To make sure that the setting is correct, check the settings in the admin area. There you can also specify how many bytes (between one and three) should be anonymized.
     
  2. Data retention: Matomo makes it possible for you to regularly delete corrected data e.g. after six months. Using the corresponding menu item in the admin area, you can also delete any old data if it was not recorded in compliance with GDPR. More information can be found in the official FAQs.
     
  3. Privacy statement and right to object: Matomo’s opt-out iFrame can be used to create an objection option as part of the obligatory privacy statement. The following snippet can be found on the services section on the official project website.
<iframe frameborder="no" width="600" height="200" src="http://beispiel.tld/index.php?module=CoreAdminHome&action=optOut&lang=de"></iframe>

In addition, Matomo respects the ‘Do not track’ request from web browsers Firefox, Internet Explorer, Chrome, and Opera, unless this feature is disabled.

Click here for important legal disclaimers.