By Webtrekk CEO Christian Sauer and Head of Pre-Sales Consulting Michael Diestelberg
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. It regulates data protection within the European Economic Area.
The key message up front: using Webtrekk Analytics for website tracking without an opt-in, that is, without the explicit consent of the visitor, remains possible. This means you continue to obtain a complete picture of your visitors with the best possible data quality. Since data protection has been part of the Webtrekk DNA for 14 years, you have no cause for concern as the GDPR comes into force.
What are the GDPR rules regarding the opt-in?
Various sections of the GDPR are relevant for conducting web analytics.
Article 6 regulates the “lawfulness of processing”, clarifying who is permitted to process data under what conditions. In concrete terms it says:
“the data subject has given consent to the processing of his or her personal data for one or more specific purposes”
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party [...]”
Thus processing the data is permitted with consent (opt-in) or when the website operator pursues a legitimate interest. But what is covered by the legitimate interests of a company that operates a website and possibly transacts all its business that way?
Legitimate interest in data processing
The General Data Protection Regulation (GDPR) provides some examples of the legitimate interests of a company where data processing is permitted even without consent. For web analytics, the following points are particularly relevant:
- There is a “relevant and appropriate relationship between the data subject and the controller [...], such as where the data subject is a client or in the service of the controller.” (Recital 47)
- “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” (Recital 47)
- Data processing is performed for statistical purposes. (“Further processing for [...] statistical purposes should be considered to be compatible lawful processing operations.”) (Recital 50)
Using Webtrekk Analytics as a first-party tracking solution is therefore possible without the consent of the website visitor even after the GDPR comes into effect, since the website operator is pursuing a legitimate interest. Statistical purposes (web controlling) in particular exist in every company and can be cited as justification.
When may an opt-in be required?
According to the GDPR, data collection must be carefully weighed. On the one hand, we have the basic rights and fundamental freedoms of the person concerned, and on the other hand the interests of the company. Companies have to observe the principles of data minimization, anonymization or pseudonymization, and security. Consent (opt-in) can therefore be required for the use of web analytics tools when one of the following applies:
- The collected data are passed on to third parties or used for higher-level profiling.
- The collected data are not adequately encrypted and/or not rendered unrecognisable through pseudonymisation.
- Highly sensitive personal data or data of children are collected.
Webtrekk will continue to advise you regarding the data protection compliant use of our analytics solution going forward. This will ensure that you always know what forms of data collection require the website user’s consent.
Why is an opt-in problematic for web analytics?
When the visitor’s prior consent is required to use the analytics tool, the benefits of web analytics are considerably reduced. Experts expect that a large proportion of visitors will not give their consent because it has no direct benefit for them. This means one has to expect a data loss of up to 80 percent.
Then there is the problem that the opt-in can only be obtained after the first page impression at the earliest. However, the first page impression is essential in web analytics: it contains information about the entry source from which the visitor came to the website. Typical campaign and customer journey analyses become less valuable since there is no information regarding which marketing channels were successful in gaining new visitors.
Google Analytics may only be used with an opt-in now
According to the GDPR requirements, Google Analytics may no longer be used to its full extent without the visitor’s prior consent (opt-in) starting on 25 May 2018. The company itself has since confirmed this to its customers and partners. Its use exceeds the legitimate interest in data processing, among other things because of higher-level profiling.
Furthermore, the revised Google EU User Consent Policy contains the following: “If your agreement with Google incorporates this policy, or you otherwise use a Google product that incorporates this policy, you must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area. If you fail to comply with this policy, we may limit or suspend your use of the Google product and/or terminate your agreement.”
Note that Google does not store the visitor’s declaration of consent itself, but shifts this responsibility to its customers and partners. Companies have to implement technical and organisational measures to first ask their website users for an opt-in, then permanently store this opt-in, and in case of doubt also must be able to provide proof of the opt-in.
Data protection compliant use of Webtrekk Analytics without an opt-in
In order to use Webtrekk Analytics without an opt-in after the GDPR comes into force, observe the following:
- We recommend using a dedicated tracking domain, that is, a sub-domain of your own website, to record the data. Not only does this mean you meet all requirements for first-party tracking, it also improves your data quality. Further information about your own tracking domain can be found here.
- Do not collect any personal data in plain text. Only track e-mail addresses and other personal data in pseudonymized form, e.g. by applying an irreversible hashing algorithm.
- Webtrekk meets its obligation to inform and will provide tools to make the stored data of the tracked visitors transparently available and deletable.
- Data are generally stored by Webtrekk within Germany so that the requirements of the GDPR are met in this regard as well.
- Webtrekk provides all customers with a contract data processing agreement that meets the requirements according to Article 28, Paragraph 3 EU-GDPR.
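As an added example (not Webtrekk's code and not part of the original post), the following Python sketch shows the pseudonymisation step from the second point above and the check a practitioner would want: a plain hash of an e-mail address is deterministic and one-way, but addresses are easy to enumerate, so a keyed hash under a secret pepper held only by the site operator is the safer form. The pepper, the `KNOWN_ADDRESSES` sample list and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample data for this example; these are not real addresses.
KNOWN_ADDRESSES = ["Alice@Example.com", "bob@example.org", "carol@example.net"]


def normalize(email: str) -> str:
    """Canonicalise an address so the same visitor always yields the same
    token: trim whitespace and lower-case (the whole address, which most
    analytics deployments accept as a trade-off)."""
    return email.strip().lower()


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256 of the address, i.e. a bare 'irreversible hash'.
    It is one-way in the cryptographic sense, but an e-mail address has
    little entropy: anyone holding a candidate list can re-hash it and
    match tokens, which matters if tokens ever reach a third party."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def pseudonymize(email: str, pepper: bytes) -> str:
    """Keyed pseudonymisation with HMAC-SHA256 (hypothetical design).
    The pepper stays server-side; without it a token cannot be matched
    against candidate addresses, yet the operator still recognises a
    returning visitor because the mapping is deterministic."""
    return hmac.new(pepper, normalize(email).encode(), hashlib.sha256).hexdigest()


def match_known(token: str, candidates: Iterable[str],
                token_fn: Callable[[str], str]) -> Optional[str]:
    """Defensive check: can this token be tied back to a candidate address
    simply by recomputing the scheme? Returns the address if so."""
    for cand in candidates:
        if hmac.compare_digest(token_fn(cand), token):
            return normalize(cand)
    return None


if __name__ == "__main__":
    pepper = secrets.token_bytes(32)  # generate once, keep it out of the tracking data
    visitor = "alice@example.com"
    # The unkeyed token is recovered from the candidate list; the keyed one is not.
    print(match_known(plain_hash(visitor), KNOWN_ADDRESSES, plain_hash))
    print(match_known(pseudonymize(visitor, pepper), KNOWN_ADDRESSES, plain_hash))
```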
Complying with data protection regulations is not merely a legal requirement for Webtrekk, it has always been an important company principle. This is to your advantage, especially in view of the pending legal changes: you can continue using Webtrekk Analytics without obtaining an opt-in from your visitors, thereby ensuring the best possible data quality.