In principle, if the appropriate legal measures have been taken to protect users’ privacy, there should be nothing controversial about monitoring user activities on a website. However, around the world, legislation varies wildly. In the United States, for example, laws are decided at a state level, with many states being comparatively relaxed when it comes to data privacy. Meanwhile, in other parts of the world, data security is a far higher priority. In the European Union, the General Data Protection Regulation (GDPR) is a regulation in EU law that came into effect in May 2018. If you’re planning on expanding your business in the EU or have already done so, it makes sense to read up on the laws in the EU regarding data protection and what changes were enforced from May 2018 onwards.
Depending on where your online business is based, you may encounter some difficulties when using certain web analytics tools. This is because, in their standard configuration, most web analytics tools record IP addresses, which, in some countries, count as sensitive data. Their legal usage would therefore only be possible with the explicit permission of the website visitor. When building an online business, it is essential to check if this is the case in any of the countries and states you operate in. This way, you can avoid unknowingly collecting sensitive data, which will also prevent you from incurring any fines.
“No personal data may be processed unless it is done under a lawful basis specified by the regulation or unless the data controller or processor has received an unambiguous and individualized affirmation of consent from the data subject. The data subject has the right to revoke this consent at any time.”
The GDPR supersedes the 2011 EU Data Protection Directive, which applies in all European Union member countries (including the United Kingdom) and prohibits the collection of sensitive information without users’ explicit consent. All web analytics tools are subject to the EU cookies law, which means that to use Google Analytics and similar tools, the website owner must have the user’s consent.
This change in regulations could prove tricky for website operators who want to evaluate user metrics using common industry solutions. This is because in the standard configuration, almost all common tracking tools not only record each user’s IP address, but also place cookies in order to record user behavior on the website. It’s imperative to get the website user’s permission for this.
The GDPR attaches a lot of importance to informing users. This means that website operators must make it clear what information they plan to take from the visitors and what they want to use it for. So, if you need different data for different purposes, you have to ask the user for their consent on multiple occasions. It’s also not okay to presume consent has been given just because the user has ignored or forgotten to answer the question of whether their data can be recorded. If they don’t react to the question, the GDPR deems this a rejection. The same applies to using cookies.