Web analytics: data privacy when creating a profile

In recent years, web analytics have become an instrument of central importance in the world of online marketing. With an ever-increasing number of website operators relying on tracking tools such as Google Analytics and Matomo (formerly Piwik), it’s now easy to monitor and respond to user behavior in real time. Using these tools, websites operators can make their websites more user-friendly and their businesses more streamlined.

It’s now almost impossible for online merchants to imagine a world without web analysis tools, despite data privacy activists having expressed concerns about the security of user’s’ sensitive information. The biggest fear for these groups is that the type of user data extracted by website operators is often unclear or completely undisclosed – and their purposes are often even more ambiguous. The potential for conflict primarily arises from how website operators handle the personal data provided by users when creating profiles. However, it is possible to use web analytics that are data protection compliant with established solutions. This means that certain requirements must be fulfilled, which sometimes can demand changes to the tracking tool’s programming code.

In principle, if the appropriate legal measures have been taken to protect users’ privacy, there should be nothing controversial about monitoring user activities on a website. However, around the world, legislation varies wildly. In the United States, for example, laws are decided at a state level, with many states being comparatively relaxed when it comes to data privacy. Meanwhile, in other parts of the world, data security is a far higher priority. In the European Union, the General Data Protection Regulation (GDPR) is a regulation in EU law that came into effect in May 2018. If you’re planning on expanding your business in the EU or have already done so, it makes sense to read up on the laws in the EU regarding data protection and what changes were enforced from May 2018 onwards.

Depending on where your online business is based, you may encounter some difficulties when using certain web analytics tools. This is because, in their standard configuration, most web analytics tools record IP addresses, which, in some countries, counts as sensitive data. Their legal usage would therefore only be possible with the explicit permission of the website visitor. When building an online business, it is essential to check if this is the case in any of the countries and states you operate in. This way, you can avoid unknowingly collecting sensitive data, which will also prevent you from incurring any fines.

“No personal data may be processed unless it is done under a lawful basis specified by the regulation or unless the data controller or processor has received an unambiguous and individualized affirmation of consent from the data subject. The data subject has the right to revoke this consent at any time.”

The GDPR supersedes tThe 2011 EU Data Protection Directive, which applies in all European Union member countries (including the United Kingdom), prohibits the collection of sensitive information without users’ explicit consent. All web analytics tools are subject to the EU cookies law, which means that to use Google Analytics and similar tools, the website owner must have the user’s consent.

This change in regulations could prove tricky for website operators who want to evaluate user metrics using common industry solutions. This is because in the standard configuration, almost all common tracking tools not only record each user’s IP address, but also place cookies in order to record user behavior on the website. It’s imperative to get the website user’s permission for this.

The GDPR attaches a lot of importance to informing users. This means that website operators must make it clear what information they plan to take from the visitors and what they want to use it for. So, in the case that you need different data for different purposes, you have to ask the user for their consent on multiple occasions. It’s also not okay to presume consent has been given just because the user has ignored or forgotten to answer the question of whether their data can be recorded. If they don’t react to the question, GDPR deem this as a rejecting. The same applies to using cookies.

When tracking technology is used on a website that falls under EU law, website owners are legally obliged to notify visitors that their behavior is being monitored in the form of user profiles, the extent to which their data is being collected, and the purpose of this data collection. According to data protection authorities, it doesn’t matter whether the recording of user data is anonymous or based on personal data. A comprehensive and transparent privacy statement should be accessible for users at any time and from any page. It’s therefore recommended to include a link to the privacy statement in the website’s navigation bar or in the footer.

For your web analytics usage to fall in line with EU cookie laws and certain state laws, website operators are required to give their users the right to refuse the terms and conditions of the privacy policy. The technical implementation of this right to object depends on the tracking tool being used.

If a website operator within the EU is using web-tracking tools that save personal user data on external servers, an electronic data processing agreement complying with the GDPR is sometimes required. With this, the legislator understands the collection, processing, and use of personal data by an external service provider. In such an agreement, both parties determine which services are involved and which rights and obligations arise. In certain EU countries, an order data processing contract is also necessary in the case of an anonymous survey, since IP masking sometimes takes place on the provider’s server.

Regarding the introduction of GDPR, developers of these established tracking tools have endeavored to make their products as data protection compliant as possible. In principle, however, it is the responsibility of the website operator to ensure that the legal framework is adhered to regarding the web analysis conditions.

Google Analytics and Matomo will be used as examples to explain how the corresponding configuration of the web tracking software can look in practice.

Even the large data collector, Google, has adapted its web analysis service to the new EU laws. However, you must make the following adjustments to ensure that your web analysis complies with data protection requirements:

1. Contract for data processing: According to data protection authorities, Google (as a provider of Google Analytics) takes the position of a contractor. Website operators are therefore obliged to prepare a contract for data processing. In the meantime, you can also do this online. You can use your account settings to complete the addition for data processing.
    
2. Data retention: In the settings, Google allows you to have the stored data automatically deleted after a certain time. Select the shortest time period, which is 14 months.
    
3. Anonymization of IP addresses: anonymisation of Anonymizing the user IP addresses can be implemented with Google Analytics by the specially provided code extension "anonymizeIp". Website operators must manually enter this into the program code of the tracking software. You can find a technical explanation about anonymization  in Google’s support section. Currently there are two variations of the tracking software in use. Depending on whether a website uses traditional analytics or universal analytics, the following code sections are added to the program code:

In traditional analytics, the following extension is added with the _anonymizelp function from the JavaScript library ga.js:

Universal analytics, on the other hand use the ga('set', 'anonymizeIp', true) function from the JavaScript library, analytics.js:

For both variants, the last octet of an IPv4 address is set to zero. For IPv6 addresses, IP masking includes the last 80 bits of memory.

4. Privacy policy and right of refusal: according to Google Analytics’ terms of use, website operators are obligated to indicate the use of the software in a data protection statement and to disclose the scope of the data collection. This declaration must also give website visitors the option to object to the terms. You can find a link to the Google Analytics browser add-on provided by Google.
    
5. Delete old data: any personal user data collected that doesn’t adhere to GDPR must be deleted without exception, so it is recommended to create a new Google Analytics account for the affected website.

Like Google Analytics, Piwik’s (or Matomo’s) privacy settings must also be adjusted to be used legally anywhere in the world. Unlike Google Analytics, however, the open source software runs on its own server. This means that sensitive user data is never passed on to third parties; therefore, a contract for data processing (1.) no longer applies. However, since you most likely store personal data on a rented server, you will have to conclude a contract with the hosting provider.

1. Anonymization of IP addresses: there is a special Piwik Matomo plugin, AnonymizeIP, which can mask IP addresses. To make sure that the setting is correct, check the settings in the admin area. There you can also specify how many bytes (between one and three) should be anonymized.
    
2. Data retention: Matomo makes it possible for you to regularly delete corrected data e.g. after six months. Using the corresponding menu item in the admin area, you can also delete any old data if it was not recorded in compliance with GDPR. More information can be found in the official FAQs.
    
3. Privacy statement and right to object: Matomo’s opt-out iFrame can be used to create an objection option as part of the obligatory privacy statement. The following snippet can be found on the services section on the official project website.

In addition, Matomo respects the ‘Do not track’ request from web browsers Firefox, Internet Explorer, Chrome, and Opera, unless this feature is disabled.