Privacy compliant tracking is gaining in importance, due to the ever ongoing digitalization and current laws. One question we frequently hear is “How can I track without violating privacy laws?” Let’s look at some important and useful information regarding privacy-compliant tracking.
What is data protection and what does data protection-compliant tracking entail?
Data protection entails the protection of the right of personality against improper data processing of personal data and the protection of the right to informational self-determination. It is thus intended to protect the rights of an individual with regard to his or her data during processing.
Due to digitalisation, data protection is becoming increasingly important. Article 5 of the GDPR shows why it is so important. This paragraph contains the principles for processing personal data. With data protection measures, personal rights are protected and privacy is preserved.
Accordingly, with privacy-compliant tracking, it is important to comply with the provisions of data protection. To protect a user’s data during processing, you can do some of the following things:
- Data economy - Process only the amount of data that is really required
- Storage limitation - Only store data for the period that you will use it
- Purpose limitation - Data may only be collected for a defined and unambiguous purpose
- Accuracy - The data you process must be correct
- Create anonymised or pseudonymised user profiles
Web tracking often collects personal data. For this reason, you ought to create either anonymised or pseudonymised user profiles. If you work with anonymised user profiles, you many only collect data that is not personal or personally identifiable. This includes, for example, information such as the date, the time or the file accessed. The IP address may only be stored in abbreviated form. Personal data is collected in the case of pseudonymized user profiles. However, this data is not assigned to a person, but to a pseudonym, which usually consists of a sequence of numbers.
Matomo
(formerly PIWIK)
PIWIK PRO
eTracker
mapp
(formerly Webtrekk)
Econda
Matomo
(formerly PIWIK)
Matomo ( formerly Piwik) – Matomo processes its data decentralized. This means that Matomo is independent and not bound to any company. The company stores the data on its own servers and only the website operator can access the data that has been collected. The IP addresses are anonymized in the default settings.
Piwik Pro
Piwik Pro makes data protection its biggest focus. The company adheres to the data laws of the EU, China, the US and Russia, as well as the GDPR.
eTracker
eTracker can be used in accordance with GDPR. It anonymises the data that has been collected and doesn’t forward it to third parties. The company doesn’t use the data that has been collected for their own advantage. If you’d like to learn more about eTracker, please click the following button.
Mapp (formerly Webtrekk)
Mapp (formerly Webtrekk) takes the GDPR very serious. Mapp is ISO 27018 and ISO 27001 certified and treats alle privacy laws with the utmost respect.
Econda
Econda takes data protection very serious. Given that the company’s server are located in Germany, the company does adhere to all important GDPR aspects. Econda is regulary audited to ensure that the company adheres to the given rules. In addition, it has also been TÜV-certified.
Tracking errors - This is why Google Analytics is likely to be banned
Google Analytics has major gaps in terms of data protection. In some EU countries, the tool is already banned because it is not compatible with the General Data Protection Regulation (GDPR). Google Analytics violates the general principles of data transfer according to Article 44 GDPR. The use of the web analytics service is illegal due to the data transfer of personal data to a third country, in this case the US. When you use Google Analytics, personal user information is transferred to Google headquarters.
The comprehensive user analysis stores vast amounts of data. Unique user profiles can be created by combining the IP address of a user as well as the language and the browser. Users can therefore be identified with parameters other than the IP address, which is why anonymising the IP address is an inadequate solution. In its privacy policy, Google provides insufficient information about what data is actually stored and transmitted by users. Google Analytics offers too many possibilities to identify the users. It is also problematic that users can be clearly identified by Google if they are logged in with their Google account.
Another privacy problem of Google is US law. Given That Google is an American company, it is subject to surveillance by US intelligence agencies. Google has agreed to implement various technical measures to protect the data of European users from access by the US authorities in the standard contractual clause. But this contractual clause does not provide an adequate level of protection to reliably prevent access by U.S. authorities through U.S. law. All the measures that Google has taken are not sufficient, because the U.S. authorities have the right and the technical means to access even encrypted data. The transfer of the collected data is not sufficiently regulated.
This fact was also confirmed with the ruling of the EU Court of Justice, dated July 16, 2020, in the Schrems II case. Which was challenged with the argument that US law cannot adequately ensure the protection of personal data from the EU.
Cookies & Tracking Cookies
A cookie is a small data package that is stored on a user’s computer. User data is stored locally and on the server side, which allows various services in order to be more user-friendly. The stored data is queried each time a page is called up again. The cookie is evaluated by a program on the server and can thus personalize the page content for the user.
Through a cookie, a website recognises who is currently visiting it. The user can be clearly identified and his behaviour tracked. It can thus adapt to the user’s needs to a certain extent. Through the data storage of the cookies, one notices an effect when visiting a website.
Tracking cookies are set automatically when visiting a website using this method. They are not used to personalize page content like ordinary cookies, but to collect information about the user and his behaviour. The collected data makes it possible to obtain information about areas of interest. The information is used for targeted marketing activities such as showing display ads that closely match the user’s interests.
Tracking cookies are often used over many websites. This means that it is possible to cooperate with other site operators. This cooperation can take place via direct synchronization of the cookies. According to the General Data Protection Regulation (GDPR), tracking cookies may only collect, process and transmit data with the user’s consent.
Tracking Cookie Issues
The collection of information through cookies cannot be labeled as privacy compliant tracking. Probably the biggest problem with tracking through cookies is data theft and misuse. If cookies are insufficiently protected, the stored data can be easily viewed.
Another problem is profiling. Personal profiles are created through the use of cookies. As a rule, only the creation of anonymous profiles should be possible. However, a detailed profile can be created due to cross-site tracking cookies.
The collection of private information can interfere with the user’s privacy. This does not comply with legal principles and can be prosecuted as an abuse of privacy.
In addition, the functionality of cookies is viewed critically, as they are usually placed on users’ computers without their knowledge.
What qualifies as personal data?
According to Article 4 No. 1 of the General Data Protection Regulation, personal data is any information relating to an identified or identifiable natural person. Similarly, various pieces of information by which a specific person can be identified constitute personal data.
If the collected data is anonymized, pseudonymized or encrypted and the user can no longer be identified, the data is no longer considered personal data. If a user can be identified again after the data has been anonymized, the data remains personal data. Individual data about legal entities is not personal data.
A user is identifiable if particular characteristics of the data allow direct or indirect conclusions to be drawn about the identity of a natural person.
Personal data might be:
- First & Last Name
- Age
- Gender
- Birthday and place
- Private address
- E-mail address
- Phone number
- Bank account information
- ID number
- Income
- Net worth
- IP address
Important Information for web tracking in accordance with privacy laws
- Tracking software needs to comply with GDPR guidelines
- Tracking through cookies may only take place with the consent of the user
- Anonymisation or pseudonymisation of the collected usage data may not be reversed
- Complete IP addresses should not be stored
- The privacy policy must be adapted
- Site visitors must be informed about the creation of profiles
- An opt-in must be available. Users must consent to the collection of their data voluntarily, in full knowledge and consciously
- This consent must be logged, must be accessible at any time, and the purpose of the collection should be clear to the user
- The possibility of an opt-out must exist. Users can use this to prohibit data processing
- If the tracking is carried out by another company, a contract for commissioned data processing must be concluded
IT-WINGS - Your partner for data privacy compliant tracking
Our team at IT-WINGS has many years of experience in digital analytics and business intelligence. As a certified etracker and soon to be Piwik Pro partner, we are your competent partner for data privacy compliant tracking.
Benefit from our numerous years of experience working with data and take your business to a new level. We achieve short-, medium- and long-term business goals with you. Together, we develop concepts that are perfectly tailored to your needs and assist you with any concerns you may have.
IT-WINGS - THE RIGHT CHOICE
Interdisciplinary Team
B2B- & B2C-Expertise
Innovative Web Analysis
Proactive
Holistic Approach