GDPR and analytics tools

You’re a metrics guy or gal, or an analyst, data scientist, growth hacker, performance marketer or other data-driven person like me. You rely on tools like Mixpanel, Google Analytics and Tag Manager, Amazon Redshift, Tableau and Snowplow, Hotjar, Intercom and probably many others to do your job. You need the data and insights they generate to optimize product or marketing.

And now all of the sudden GDPR is coming. The far reaching EU privacy regulation.

It’s not all bad. You will need to educate yourself. And you will need to make some changes. But there are upsides, too. By following GDPR you will give your users choice and control over their data, which they will appreciate. And you will not be the only one and at a potential disadvantage, as everybody will need to play by the same rules.

It helps that the EU is setting a standard and that you will not have to understand the privacy and security regulations of each tool you are using. Instead GDPR compliance will become a single check mark that all tools need to pass.

In the light of this much more positive spirit, to me three questions arose:

  1. What, in short and without having to get a law degree and study the actual regulation in full detail, is GDPR?
  2. To what extent do the tool vendors like Mixpanel, Google, Amazon, or Hotjar comply with it?
  3. Assuming the tool vendors do their GDPR homework, what’s left for me to do to be compliant?

GDPR Summary

GDPR replaces the current EU privacy regulation that was established in 1995. The main changes coming into effect on 25 May 2018 are the following.

EU privacy portal
  • Worldwide: GDPR protects the privacy of all EU residents irrespective of where the company collecting data and its servers and databases might be. The situation will be crystal clear. If you have users or visitors who reside in the EU, you need to comply.
  • With teeth: GDPR comes with stiff penalties. Violate at your own risk…
  • Identifiable data: GDPR defines personal data as anything that can be used to identify a user — an image, a photo, an email address or an IP.
  • Consent: Collecting data will require opt-in in a clear and easily accessible way. No more tricking the users to agree by hiding things in complex terms and conditions.
  • Control: Users will be guaranteed to retain control over the data you collected. They can request to see the data, to receive an export that can be transferred to another company, or for the data to be irrevocably deleted. You also need to inform them about any breaches within 72 hours.
  • Privacy by design: Compliance needs to be built into your systems at every step. If you build a new feature, you need to consider privacy. If you use a new tool, you need an agreement with the vendor about privacy.

GDPR Compliance by Analytics Vendors

So where do the analytics vendors stand? Not surprisingly, they are working hard to be ready well before May 28. They really don’t have much choice. The risk of non-compliance are substantial.

The key here is that analytics vendors will need to comply with GDPR and guarantee the compliance to you by signing a data protection agreement (DPA). You will be the “controller”, i.e. the one who wants the data, whereas the analytics vendor will be the “processor”, i.e. collecting, storing and reporting the data to you.

The DPA needs to assure that you will be able to comply with GDPR with respect to your users. For example, if one of your users demands deletion of all data, the analytics vendor will need to allow you to do this. Or if there is a data breach at the vendor, they need to tell you, so that you can tell them.

Hotjar GDPR compliance

I quite like Hotjar’s GDPR page. It states their commitment to GDPR, outlines the steps to compliance, and provides an updated status. The page also provides a link to the DPA that you can access, sign and ask for Hotjar to countersign.

https://www.hotjar.com/gdpr

Mixpanel GDPR compliance

Mixpanel published a blog post on GDPR compliance. It’s quite detailed on what features are being added and contains links to an additional GDPR FAQ as well as their extensive security white paper. Like Hotjar, Mixpanel provides a DPA that is easily accessible by you. They do not provide a way to sign and counter sign the agreement.

https://mixpanel.com/blog/2017/12/21/gdpr-mixpanel-readiness/

GAFA GDPR compliance

I found the compliance of Google, Apple, Facebook and Amazon harder to navigate. They all offer a whole range of products and services that each come with their own privacy terms and regulations. And the language they use is more complicated. They all claim to be “committed to GDPR”, but it’s much harder to understand and validate.

https://privacy.google.com/businesses/compliance
https://www.facebook.com/business/news/facebooks-commitment-to-data-protection-and-privacy-in-compliance-with-the-gdpr

This is a situation where you either need to trust them or involve your own legal team. These large corporations are clearly taking GDPR seriously and will be scrutinized by many other companies, governments and the media. So a case could be made to trust that they’ll be ready and compliant if you are working for a cash strapped startup. Larger companies making use of GAFA’s services will want to dive into the legal terms to make sure.

What’s left for you to do?

So it looks like the analytics vendors are doing their homework. Both the smaller specialized players as well as GAFA simply have too much to lose to not be prepared for GDPR. What’s left for you to do then?

Basically, you are the data controller and need to make sure that you:

  • Collect only the data you need.
  • Have a clear opt-in and consent process. Users should be made aware of what is collected and given a choice.
  • Provide a means to control the data. Users should be able to access and request deletion of the data, and be kept informed about any breaches.

Collect only the data you need

There’s a difference between anonymous and personally identifiable data. You should think about when it’s enough to collect anonymous usage data, whereas when you need e-mail address, IP-addresses or Facebook or Google IDs.

Opt-in and consent

You need to provide clarity and choice. Visitors and users need to be made aware of what is being collected and given a choice. Being open and clear should go a long way towards building trust, and my guess is that most users will be OK sharing data that is actually useful for services they use.

Means of control

This might be the biggest change. Under GDPR users will always and forever retain control over their data. They can request to access it, make corrections, and demand complete deletion. Most companies have always provided some information and acceptance of terms and conditions when signing up new users. There were, however, often no ways access, export or delete data. And that needs to change.

Summary

  • GDPR is a far reaching privacy regulation that provides residents of the EU full control of data collected about them.
  • Analytics vendors are getting ready to comply with GDPR and are guaranteeing compliance in updated terms & conditions.
  • Anybody working with data will need to make sure in a legally binding way that all tools used are compliant.
  • And collect only required data, be clear about what is collected, and provide opt-in at sign-up and full control during the entire user lifetime.

Please beware that I am an analytics guy who researched the question and not a legal experts. And do clap if you found this useful :)