What does GDPR mean in practice?

Many businesses believed that by adding (cookie) consent banners and opt-in forms to their email newsletter subscriptions, they had met the GDPR requirements.

However, this isn't the case. Rulings by the Datenschutzbehörde in Austria, CNIL in France and a court in Munich illustrate the true nature of GDPR. Besides getting the consent of users, it is important to know where the data is actually stored and what kind of data is stored.

Analytics that conform to GDPR

If you use analytics on your webpage or app, you have to be careful. Many businesses view these tools as black boxes that are integrated into their website or apps. These tools have terms and conditions and users agree to these terms and conditions when they give their consent. This is crucial because tools such as Google Analytics and Google Fonts can violate the GDPR if they are not properly configured. It doesn’t matter whether the majority of users consented to it; all that matters is that one user files a complaint.

These tools require careful handling. After all, as a webpage owner you are responsible for the data of your customers. It doesn’t suffice to claim that your business doesn’t know how Google Analytics handles data and refer to Google’s terms & conditions. As a business, you are responsible for the user data. Period. Generally speaking, you are at risk of violating GDPR if you use tools from companies like Google that are located in the US because your customer data will automatically be sent to the US. Period.

You can set these tools up so that US companies only have access to non-critical data. However, if you make an error in configuration and data is shared with US companies, you are still responsible.

What about Facebook Pixel?

Although the current rulings only apply to Google, it seems reasonable that other tracking and analytics tools will be subject to the same principles. Facebook Pixel is one example where user data is transferred to the US. The principles of GDPR apply even though there is not an explicit ruling against Facebook Pixel. However, it's only a matter of time before there is a ruling.

What about App tracking?

App-based tracking is not exempted from GDPR. Apple has established a precedent with the now infamous "do not track" popup. However, app providers do not always comply and risk being banned from the App Store. For the time being, data protection agencies are not investigating how apps handle user data. This might be because it is technically more difficult to determine whether an app transfers data to a third party without the user's consent and where that data actually goes.

What should you do?

For analytics, we recommend alternative tools such as Matomo. A self-hosted solution can be installed with full access to all customer data. You need technical knowledge to be able to install Matomo on a server of your own and to manage it yourself (backups, OS updates, security patches, Matomo updates, user management, firewalls, etc.). A Docker container is also available. You are safe and have access to all data.

Server-side tracking

You can opt for server-side tracking instead of client-side tracking. Server-side tracking offers many benefits, especially when it comes to data quality. But it does require more technical knowledge, as you will need to intercept requests from clients, such as web browsers, on your server. To do this, you will need to program. It all depends on how complex your backend is: if you have custom APIs that "talk to" your website or apps, it will require more work and thus will cost you more.
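
The server-side approach described above, as an added example that is not from the original article: a Python WSGI middleware that records page views on your own server, so no tracking request leaves the visitor's browser for a third party. The class name, the event fields, and the choices to drop the query string and shorten the IP address are assumptions made for illustration.

```python
# Added example: names and event fields are assumptions, adapt them to your stack.
import ipaddress
import time
from urllib.parse import urlsplit


def truncate_ip(addr):
    """Zero the host part (IPv4 /24, IPv6 /48) so the exact address is never stored."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


class PageviewTracker:
    """WSGI middleware: records one event per HTML page request, on your own server."""

    def __init__(self, app, sink):
        self.app = app
        self.sink = sink  # anything with append(): a list here, your own database in production

    def __call__(self, environ, start_response):
        def recording_start_response(status, headers, exc_info=None):
            ctype = dict((k.lower(), v) for k, v in headers).get("content-type", "")
            if environ.get("REQUEST_METHOD") == "GET" and ctype.startswith("text/html"):
                self.sink.append(self._event(environ, status))
            return start_response(status, headers, exc_info)
        return self.app(environ, recording_start_response)

    @staticmethod
    def _event(environ, status):
        referrer = urlsplit(environ.get("HTTP_REFERER", "")).hostname or ""
        return {
            "ts": int(time.time()),
            "path": environ.get("PATH_INFO", "/"),  # query string deliberately dropped
            "status": int(status.split()[0]),
            "referrer_host": referrer,              # host only, not the full URL
            "ip_prefix": truncate_ip(environ.get("REMOTE_ADDR", "0.0.0.0")),
        }


def demo_app(environ, start_response):
    """Constructed stand-in for your real site: one HTML page and one JSON API."""
    if environ["PATH_INFO"].startswith("/api/"):
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b"{}"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>Pricing</h1>"]
```

Wrapping the real application as `PageviewTracker(app, sink)` is enough to start collecting events; API responses are skipped because only `text/html` responses to `GET` requests count as page views.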

The Takeaway

GDPR has been in effect since May 2018. As is often the case with new laws, it takes a while to fully understand the consequences and the rulings. For your business, it is time to make the GDPR-compliant changes before you get into trouble.

About Us

365 Business is a new organization dedicated to the small and medium businesses (SMBs) of the world. Our mission is to provide well-researched and actionable business tips that business owners and entrepreneurs can digest and leverage in 5 minutes or less.