In recent years, web analytics has become an instrument of central importance in the world of online marketing. With an ever-increasing number of website operators relying on tracking tools such as Google Analytics and Piwik, it's now easy to monitor and respond to user behaviour in real time. Using these tools, website operators can make their webpages more user-friendly and their businesses more streamlined. It's now almost impossible for online merchants to imagine a world without web analysis tools, yet data privacy activists have expressed concerns about the security of users' sensitive information. The biggest fear for these groups is that the type of user data extracted by website operators is often unclear or completely undisclosed – and the purposes are often even more ambiguous. The potential for conflict primarily arises from how website operators handle the personal data provided by users when creating profiles. However, it is possible to use web analytics that are data protection compliant with established solutions. This means that certain requirements must be fulfilled, which sometimes demands changes to the tracking tool's programming code.

Legal framework for data security

In principle, if the appropriate legal measures have been taken to protect users' privacy, there should be nothing controversial about monitoring user activities on a website. However, around the world, legislation varies wildly. In the United States, for example, laws are decided at a state level, with many states being comparatively relaxed when it comes to data privacy. Meanwhile, in other parts of the world, data security is a far higher priority. In the European Union, the General Data Protection Regulation (GDPR) is a regulation in EU law that came into effect in May 2018. As of right now, the UK is still part of the EU, therefore it makes sense to read up on the laws in the EU regarding data protection and what changes were enforced from May 2018 onwards.

Depending on where your online business is based, you may encounter some difficulties when using certain web analytics tools. This is because, in their standard configuration, most web analytics tools record IP addresses, which, in some countries, count as sensitive data. Their legal usage would therefore only be possible with the explicit permission of the website visitor. When building an online business, it is essential to check whether this is the case in any of the countries you operate in. This way, you can avoid unknowingly collecting sensitive data, which will also prevent you from incurring any fines.

“No personal data may be processed unless it is done under a lawful basis specified by the regulation or unless the data controller or processor has received an unambiguous and individualised affirmation of consent from the data subject. The data subject has the right to revoke this consent at any time.”

The GDPR supersedes the 2011 EU Data Protection Directive, which applies in all European Union member countries (including the United Kingdom) and prohibits the collection of sensitive information without users' explicit consent. All web analytics tools are subject to the EU cookies law, which means that to use Google Analytics and similar tools, the website owner must have the user's consent. This change in regulations could prove tricky for website operators who want to evaluate user metrics using common industry solutions. This is because, in the standard configuration, almost all common tracking tools not only record each user's IP address, but also place cookies in order to record user behaviour on the website. It's imperative to get the website user's permission for this.

The GDPR attaches a lot of importance to informing users. This means that website operators must make it clear what information they plan to take from visitors and what they want to use it for. So, if you need different data for different purposes, you have to ask the user for their consent on multiple occasions. It's also not acceptable to presume consent has been given just because the user has ignored or forgotten to answer the question of whether their data can be recorded. If they don't react to the question, the GDPR deems this a rejection. The same applies to using cookies.

Web analysis and privacy according to GDPR

There are two ways that website operators can collect and process user data and still comply with the GDPR:

  • Via an explicitly approved web analysis
  • Via anonymous web analysis

Website operators who obtain prior permission from their visitors to create user profiles based on personal data can rest assured they're on the safe side when it comes to data protection. The visitor, however, needs to be made aware of this as soon as they access the website. You can't just include the declaration of consent as part of the general terms and conditions. Instead, a pop-up should appear when the user visits a website for the first time. If consent is given, it's the website operator's task to log this and to keep it accessible to the user at all times.

In addition, users must also be able to revoke their consent at any time, and this should be as easy to do as giving the consent itself. As soon as the user changes their mind and lets the website operator know, data processing must be stopped right away. However, data that has already been collected and processed only has to be deleted if the user requests it.

Fact

The GDPR asks website operators to obtain consent every six months. Therefore, the consent should be timestamped. This is the only way for your web analysis system to record everything correctly and keep in compliance with the regulations.

The GDPR also states that users have a right to information: they have the right to know what data has been stored so far. It is therefore important for you as a website operator to be able to access this data at any time, since you have 30 days to process an inquiry. Web analysis providers and other external service providers must also not be allowed to evaluate the data themselves, because users usually haven't given their consent for this. The consent is generally only granted to the website operator.

Website operators have to put in a lot more effort to obtain each individual visitor's consent. In addition, the risk of the bounce rate increasing is also something to worry about, due to the extra hurdle between the visitor and the website content. Consent is therefore rarely requested in practice. An alternative is anonymous web analysis. All information collected during a visit to a website must be stored separately from personal data (such as the IP address, name, or account data). It's also not permitted to merge the separate data records later on without explicit permission.

Note

If you're not sure whether the data you've collected is anonymous or personal, you should presume it's the latter to be on the safe side. Data is anonymous when the information cannot be attributed to any individual, even after it has been collected.

To comply with GDPR, you can also use IP masking. With this type of web analysis, the last digits of an IP address are disguised when they are collected. Since the common analysis tools usually collect complete user IPs automatically and process them (e.g. for geolocation), an anonymised web analysis usually requires the software to be additionally configured. Detailed instructions for the Google Analytics and Matomo tracking tools are given at the end of this article.

You have to pay attention to the following points when using web analysis:

Opt-in

Consent for processing personal data must be given via the opt-in procedure. You can't assume there is silent consent, nor can you use an opt-out procedure. As long as visitors do not explicitly agree, you aren't allowed to store any personal data. This also means that data like this may not be recorded directly when the user visits the website: this is only allowed after consent has been given.
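The opt-in rule above and the six-month re-consent rule from the Fact box, as an added example that is not from the article, Google or Matomo: a timestamped consent record and a guard that queues the Universal Analytics calls only while consent is valid. Assumptions: "six months" is taken as 183 days, and `ga` is passed in as a parameter so the guard can be exercised without a browser (in a real page it would be window.ga).

```javascript
// Added example: consent record with opt-in, revocation and six-month
// expiry, plus a guard that sends nothing before valid consent exists.
const SIX_MONTHS_MS = 183 * 24 * 60 * 60 * 1000; // assumption: six months = 183 days

// Consent is stored with a timestamp so it can be shown to the user on
// request and re-requested once it expires.
function recordConsent(now = Date.now()) {
  return { analytics: true, timestamp: now };
}

// Revocation must be as easy as consent: one call, timestamped for the log.
function revokeConsent(now = Date.now()) {
  return { analytics: false, timestamp: now };
}

// No record, a refusal, an ignored banner or an expired consent all count
// as "no" (the GDPR treats silence as rejection).
function consentIsValid(record, now = Date.now()) {
  if (!record || record.analytics !== true) return false;
  if (typeof record.timestamp !== 'number') return false;
  return now - record.timestamp < SIX_MONTHS_MS;
}

// Queues the tracking calls and returns true only when consent is valid;
// otherwise returns false and queues nothing, so no hit is sent before opt-in.
function trackPageview(record, ga, now = Date.now()) {
  if (!consentIsValid(record, now)) return false;
  ga('create', 'UA-XXXXXXX-X', 'beispiel.de'); // placeholder property ID from the article
  ga('set', 'anonymizeIp', true);               // hit carries the anonymizeIp flag
  ga('send', 'pageview');
  return true;
}

// Stand-in for window.ga that records the queued commands for inspection.
function makeGaRecorder() {
  const calls = [];
  const ga = (...args) => { calls.push(args); };
  return { ga, calls };
}
```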

Note

Since the GDPR has only recently been implemented and not every detail of the regulations has been clearly formulated, some ambiguities remain. For example, there is currently no agreement as to whether the opt-in procedure is also necessary for web analysis alone. Future court proceedings will probably be what clarifies the GDPR in more detail.

The issue of transparency

When tracking technology is used on a website that falls under EU law, website owners are legally obliged to notify visitors that their behaviour is being monitored in the form of user profiles, the extent to which their data is being collected, and the purpose of this data collection. According to data protection authorities, it doesn't matter whether the recording of user data is anonymous or based on personal data. A comprehensive and transparent privacy statement should be accessible to users at any time and from any page. It's therefore recommended to include a link to the privacy statement in the website's navigation bar or in the footer.

Right to object

For your web analytics usage to fall in line with EU cookie laws, website operators are required to give their users the right to refuse the terms and conditions of the privacy policy. The technical implementation of this right to object depends on the tracking tool being used.

Data processing

If a website operator within the EU is using web-tracking tools that save personal user data on external servers, a written contract for data processing is sometimes required. By this, the legislator means the collection, processing, and use of personal data by an external service provider. In such an agreement, both parties determine which services are involved and which rights and obligations arise. In some circumstances, even in the case of anonymous data collection, a data processing contract might be necessary, particularly if IP masking takes place on the provider's server.

Secure web analytics with Google Analytics and Matomo

With the introduction of the GDPR, the developers of these established tracking tools have endeavoured to make their products as data protection compliant as possible. In principle, however, it is the responsibility of the website operator to ensure that the legal framework is adhered to regarding the web analysis conditions.

Google Analytics and Matomo will be used as examples to explain how the corresponding configuration of the web tracking software can look in practice.

Google Analytics

Even the large data collector, Google, has adapted its web analysis service to the new EU laws. However, you must make the following adjustments to ensure that your web analysis complies with data protection requirements:

  1. Contract for data processing: According to data protection authorities, Google (as a provider of Google Analytics) takes the position of a contractor. Website operators are therefore obliged to prepare a contract for data processing. You can now also do this online: the data processing amendment can be completed in your account settings.
     
  2. Data retention: In the settings, Google allows you to have the stored data automatically deleted after a certain time. Select the shortest time period, which is 14 months.
     
  3. Anonymisation of IP addresses: Anonymising user IP addresses can be implemented with Google Analytics by the specially provided code extension "anonymizeIp". Website operators must manually enter this into the program code of the tracking software. You can find a technical explanation of anonymisation in Google's support section. Currently there are two variants of the tracking software in use. Depending on whether a website uses traditional analytics or universal analytics, the following code sections are added to the program code:

In traditional analytics, the following extension is added with the _anonymizeIp function from the JavaScript library ga.js:

var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-XXXXXXX-YY']);
_gaq.push(['_gat._anonymizeIp']);   // must be queued before the first _trackPageview
_gaq.push(['_trackPageview']);

Universal analytics, on the other hand, uses the ga('set', 'anonymizeIp', true) call from the JavaScript library analytics.js:

ga('create', 'UA-XXXXXXX-X', 'beispiel.de');
ga('set', 'anonymizeIp', true);   // set before 'send' so the pageview hit already carries the flag
ga('send', 'pageview');

For both variants, the last octet of an IPv4 address is set to zero. For IPv6 addresses, the last 80 bits are masked.
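To see what the masking rule above actually produces, here is an added example that is not Google's or Matomo's code: it sets the last IPv4 octet to zero and the last 80 bits of an IPv6 address to zero, which is the form in which an address should reach storage or geolocation. It assumes plain dotted-decimal and colon-hex notation (IPv4-mapped IPv6 addresses are rejected as invalid).

```javascript
// Added example: the IP-masking rule described in the article.
// IPv4: last octet -> 0.  IPv6: last 80 bits (five 16-bit groups) -> 0.

function maskIPv4(ip) {
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error('invalid IPv4 address: ' + ip);
  octets[3] = '0';
  return octets.join('.');
}

// Expands "::" shorthand into eight 16-bit groups (as numbers).
// IPv4-mapped notation such as ::ffff:1.2.3.4 is deliberately not handled.
function expandIPv6(ip) {
  const parts = ip.split('::');
  if (parts.length > 2) throw new Error('invalid IPv6 address: ' + ip);
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  const ok = parts.length === 2 ? missing >= 1 : missing === 0;
  if (!ok) throw new Error('invalid IPv6 address: ' + ip);
  const fill = parts.length === 2 ? Array(missing).fill('0') : [];
  return [...head, ...fill, ...tail].map(g => {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) throw new Error('invalid IPv6 group: ' + g);
    return parseInt(g, 16);
  });
}

function maskIPv6(ip) {
  const groups = expandIPv6(ip);
  for (let i = 3; i < 8; i++) groups[i] = 0; // keep the first 48 bits, zero the last 80
  return groups.map(g => g.toString(16)).join(':');
}

// Dispatches on address family. Note that the masked IPv4 value still
// identifies a /24 network, so it is pseudonymised rather than fully anonymous.
function maskIp(ip) {
  return ip.includes(':') ? maskIPv6(ip) : maskIPv4(ip);
}
```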

  4. Privacy policy and right of refusal: according to Google Analytics' terms of use, website operators are obligated to indicate the use of the software in a data protection statement and to disclose the scope of the data collection. This declaration must also give website visitors the option to object to the terms. For this purpose, link to the Google Analytics opt-out browser add-on provided by Google.
     
  5. Delete old data: any personal user data collected that doesn't adhere to the GDPR must be deleted without exception, so it is recommended to create a new Google Analytics account for the affected website.

Matomo (Piwik)

Like Google Analytics, Piwik's (or Matomo's) privacy settings must also be adjusted to be used legally anywhere in the world. Unlike Google Analytics, however, the open source software runs on your own server. This means that sensitive user data is never passed on to third parties; therefore, a contract for data processing (1.) no longer applies. However, since you most likely store personal data on a rented server, you will have to conclude a contract with the hosting provider.

  1. Anonymisation of IP addresses: there is a special Matomo plugin, AnonymizeIP, which can mask IP addresses. To make sure that the setting is correct, check the settings in the admin area. There you can also specify how many bytes (between one and three) should be anonymised.
     
  2. Data retention: Matomo makes it possible for you to regularly delete collected data, e.g. after six months. Using the corresponding menu item in the admin area, you can also delete any old data if it was not recorded in compliance with the GDPR. More information can be found in the official FAQs.
     
  3. Privacy statement and right to object: Matomo's opt-out iFrame can be used to create an objection option as part of the obligatory privacy statement. The following snippet can be found in the service section of the official project website:
<iframe frameborder="no" width="600" height="200" src="http://beispiel.tld/index.php?module=CoreAdminHome&action=optOut&lang=de"></iframe>

In addition, Piwik respects the 'Do Not Track' request from the web browsers Firefox, Internet Explorer, Chrome, and Opera, unless this feature is disabled.
