How will GDPR affect your web analytics
After going through several white papers, discussions and online articles I will try to cover the most important changes for online analytics that will come with the EU’s new data protection rule, the GDPR. It replaces the 1995 Data Protection Directive (95/46/EC) and applies from May 25th 2018. It sits alongside, rather than replacing, the ePrivacy Directive (the “cookie law”, enforced in the UK by the ICO), which is the rule that actually requires consent for non-essential cookies; the GDPR raises the bar for what counts as valid consent. Most digital analytics vendors have already started presenting solutions you could use to comply with the new regulation, but it is certain that as we get closer to spring 2018 a lot will change in how websites operate.
What is GDPR?
GDPR stands for the EU’s General Data Protection Regulation (Official website). It is a law designed to regulate the use of personal data by businesses and other entities. It will have a massive effect on online services and explicitly brings changes to the way cookies and similar technologies are used today. It includes very strict rules for data “controllers” (the organisation that decides why and how personal data is used, e.g. the company running the website) and data “processors” (anyone processing it on the controller’s behalf, e.g. a cloud analytics service storing the data). Consent is only one of the lawful bases for processing, but for cookie-based tracking it is the one that matters in practice, and where consent is used it must be freely given, specific and informed, with the purpose explained plainly (without legalese and indecipherable terms).
Does this affect me?
Probably yes. Every entity, business, charity or hospital is probably using personal data, and these rules apply to every organisation offering goods or services to, or monitoring the behaviour of, individuals in the EU, regardless of whether it operates inside or outside the EU. This means that even UK companies, regardless of how the Brexit process goes, will have to comply. Even if a UK company operates exclusively in the UK, just imagine how many EU residents live there and are potential customers.
Non-compliance could result in fines as high as €20 million or up to 4% of global annual turnover, whichever is higher.
You might think that these changes are just fine print that nobody will read, but it looks like online visitors are eager for this change. According to a new survey from SAS, a large share of online users are waiting for the new rule to come into effect so they can exercise their rights over their personal data after May 2018. In a poll of over 2,000 UK adults, 33% said they plan to exercise their right to have personal data removed by retailers, while 33% will also ask for their data to stop being used for marketing purposes. 17% said they will challenge automated decisions, and 24% will request access to the data that retailers hold on them.
What is considered personal data?
This is the part that most needs to be clear, as the law has very strict rules when it comes to personal data. Personal data is anything that can directly or indirectly identify a visitor, which is close to (but broader than) what analytics vendors call PII (Personally Identifiable Information), for example:
- Full name
- Location data
- Economic data (e.g. credit card number)
- Social security number
- Bio-metric data (e.g. fingerprints)
- Cultural or social data
- Email address
- Telephone number
- Poorly pseudonymised data (where the pseudonym can still be attributed to a particular individual)
- IP address (the GDPR explicitly lists online identifiers such as IP addresses and cookie identifiers, so treat them as personal data even if you never use them to single out a visitor yourself)
(See this article to understand how to exclude these details, from getting accidentally captured by your web analytics deployment)
In some cases even the post code is considered personal data. You will need to consult a legal team to make sure you are not missing something. A rule of thumb is to exclude any type of data that would allow anyone to identify a specific person or a specific household.
What about external vendors?
While this EU-wide regulation places primary responsibility on the data controller, the enterprise legally responsible for the data, infringements by third-party vendors working on your behalf, such as digital marketing agencies or analytics providers, will also come back to the enterprise. The GDPR also makes processors directly liable for their own obligations and requires a written contract (the “data processing agreement” of Article 28) between controller and processor.
This means that enterprises must be certain that such third-party vendors understand the current EU Data Protection Directive 95/46/EC as well as the upcoming GDPR, and that the contract covers the processing. ISO 27001 certification is reasonable evidence that a vendor runs a proper information security management system, but neither it nor ISO 9001 (a quality management standard) proves GDPR compliance; ask for the data processing agreement, the list of sub-processors and where the data is stored.
Where do I start?
In the next few months the major websites will start interpreting the regulation and will set the industry standards. Until then, these appear to be the most important rules to keep in mind when it comes to web analytics and tracking visitor interactions:
- Clear and concise information
Visitors should be informed in a clear way (no technical or legal terms) what type of data is collected and how it will be used, including any later uses you have in mind. You must also identify yourself, and name any third parties who will be working with the collected traffic data.
- Allow the visitor to give consent
Consent means offering individuals genuine choice and control. When requesting consent you should be specific and granular: separate purposes (e.g. analytics and marketing) need separate choices. Vague or blanket consent is not enough, and consent must not be a condition of using the website.
Taking these rules into account means that you’ll probably need to revise that vague cookie notification popup you are currently using on your website.
- Get explicit consent from the visitor
Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default. This seems to bring an end to the current industry standard of showing a pre-ticked consent window and tracking visitors until they decide to opt out. Visitors will need to opt in before you track them, and controllers must also keep evidence of consent: who consented, when, how, and what you told them at the time.
If you work with web analytics you understand that this creates a very big issue for new visitors: you cannot set the analytics cookie or fire the pageview on the landing page until consent is given, yet the landing page is the only place where the referring traffic source is available. Unless you hold that information client-side, without setting any identifier, until the visitor opts in, the referrer is lost.
- Allow visitors to be forgotten
You need to tell people about their right to withdraw consent, and offer them easy ways to withdraw it at any time; withdrawing must be as easy as giving it. When keeping personal data you must also give visitors the option to have all their data deleted from your databases.
This means that you will probably need a link in the footer or a small overlay on all your pages allowing visitors to withdraw their consent. Today it is almost impossible to do this after you have accepted cookies from a website.
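The three consent rules above (opt-in before tracking, auditable evidence of consent, and withdrawal at any time) together with the landing-page referrer problem can be handled by a small consent gate in front of the analytics tag. The following is an added example, not code from the original article or from any analytics vendor: the `store` (a Map standing in for a cookie or localStorage) and the `send` callback (standing in for the real tag’s transport) are assumptions, as is the `NOTICE_VERSION` identifier for the text shown to the visitor.

```javascript
// Added example: consent-gated analytics with an auditable consent record.
// `store` and `send` are stand-ins (assumed) for cookie/localStorage and the
// real analytics transport; NOTICE_VERSION is an assumed id for the notice text.

const NOTICE_VERSION = "privacy-notice-2018-05-v1";
// Only affirmative actions count as consent; "default"/"pre-ticked" are rejected.
const AFFIRMATIVE_METHODS = new Set(["checkbox", "button", "toggle"]);

function createConsentManager({ store = new Map(), send = () => {}, now = () => new Date() } = {}) {
  // Events captured before a decision (e.g. the landing-page referrer) are held
  // in memory only: nothing is written to a cookie and nothing leaves the browser.
  const pending = [];

  const record = () => store.get("consent") || null;

  function allows(purpose) {
    const rec = record();
    return !!rec && rec.granted && rec.noticeVersion === NOTICE_VERSION && rec.purposes.includes(purpose);
  }

  // Positive opt-in, granular per purpose, with who/when/how/what recorded.
  function grant({ method, purposes, subject = "anonymous" }) {
    if (!AFFIRMATIVE_METHODS.has(method)) throw new Error("consent must be an affirmative action");
    if (!Array.isArray(purposes) || purposes.length === 0) throw new Error("consent must name a purpose");
    const rec = { granted: true, subject, at: now().toISOString(), method, purposes: [...purposes], noticeVersion: NOTICE_VERSION };
    store.set("consent", rec);
    // Flush held events whose purpose is now permitted; drop the rest.
    const held = pending.splice(0);
    const sent = held.filter(e => rec.purposes.includes(e.purpose));
    sent.forEach(send);
    return { record: rec, flushed: sent.length, dropped: held.length - sent.length };
  }

  // Withdrawal is as easy as granting: one call, effective immediately.
  function withdraw() {
    const rec = record() || {};
    store.set("consent", { ...rec, granted: false, purposes: [], withdrawnAt: now().toISOString(), noticeVersion: NOTICE_VERSION });
    pending.length = 0; // discard anything held but never sent
  }

  // Returns "sent", "held" (no decision yet) or "dropped" (refused/withdrawn).
  function track(event) {
    if (allows(event.purpose)) { send(event); return "sent"; }
    if (record() === null) { pending.push(event); return "held"; }
    return "dropped";
  }

  return { track, grant, withdraw, allows, record, pendingCount: () => pending.length };
}

// Constructed walk-through: a new visitor lands from a referrer, then opts in.
function demo() {
  const sent = [];
  const cm = createConsentManager({ send: e => sent.push(e), now: () => new Date("2018-05-25T09:00:00Z") });
  cm.track({ name: "pageview", purpose: "analytics", path: "/", referrer: "https://example.org/campaign" });
  cm.grant({ method: "button", purposes: ["analytics"], subject: "visitor-session" });
  return { sent, record: cm.record() };
}

module.exports = { createConsentManager, demo, NOTICE_VERSION };
```

The landing-page referrer survives because the first pageview is parked in memory and only transmitted once the visitor clicks the opt-in button; if they never do, it is discarded when the page unloads. The consent record written to `store` is what you would produce as evidence: who, when, how, which purposes, and which version of the notice they saw.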
To GDPR or not?
The new rule is a great opportunity to show your clients that you value the protection of their personal data, and a great way to review the internal processes you currently follow when handling personal data. The changes brought by the GDPR will definitely add overhead to the organisation’s workload, but they will also improve the quality of the final outcome and give organisations a competitive advantage. Compliance will also give you the option to start working with bigger clients, since they need to prove compliance for their own internal processes and their partners.
At the end you also need to consider the following:
if you think compliance is expensive, try non-compliance
Do you own a website? Are you planning to make changes to make it compliant with GDPR? I would be interested to discuss your view in the comments!
Disclaimer: This article shouldn’t be considered official legal advice. It’s just a few thoughts after some research that I hope will get you up and running with the help of a legal adviser.
Practical steps for compliance?
Check my article on how to make your web analytics implementation compliant with GDPR.
- EU’s help portal
- Articles from cookielaw.org
- Article 29 Working Party (named after Article 29 of Directive 95/46/EC; an advisory body made up of representatives of the EU member states’ data protection authorities)
- A talk in Greek by Nadia Liapi explaining the law and its impact for organizations
- ICO’s guidance
- Piwik blog: How Will GDPR Affect Your Web Analytics Tracking?
- 10 blog posts by Aurelie Pols (a privacy and data protection expert)
- Guide to the General Data Protection Regulation (GDPR) from the ICO
- Marketers & the GDPR: Don’t panic, here’s how to get started