GDPR Legislation impact on Digital Analytics
How is the discipline of Digital Analytics impacted by the GDPR legislation and the lack of a legal framework for data transfers between the EU and US?
Please reach out to the previous article of The Marketing Analyst to firstly understand the legal framework of the GDPR.
What does Digital Analytics mean?
Digital analytics encompasses the collection, measurement, analysis, visualisation and interpretation of digital data illustrating user behaviour on websites and mobile applications.
It enables organisations to understand how their sites and apps are being found and used. Using digital analytics data, companies can optimise the customer experience on their websites and mobile apps, and also optimise their marketing ROI, content offerings, and overall business performance.
There are many different digital analytics tools available. The largest market share is held by Google Analytics (85% of the market), which is why it is often considered the “default solution”. And that is also why it is being targeted in the recent court rulings. Google Analytics is not the only US based digital analytics solution, but it is definitely the one with the largest reach.
Consent needed?
There is a great deal of confusion as to whether the use of digital analytics solutions is subject to consent or not. It is clear that a digital analytics solution can be used to store personal data. However, it is less clear whether it is possible to really anonymise digital analytics data.
Most vendors claim that it is possible to anonymise the collected data by applying IP anonymisation features etc. The French DPA has compiled an overview of measurement solutions that can be used without consent, provided you stick to a certain configuration. The Dutch DPA published an advice on how to set up Google Analytics so it can be used without consent.
However, there are also examples that state the opposite: every solution that places cookies and is not strictly necessary for the proper functioning of an application, must ask for consent. This reasoning was followed by the Belgian DPA in the ruling against Jubel.be and also the Planet49 judgment in Germany.
So be aware that whether or not consent is required for the use of digital analytics solutions may vary from country to country. In any case, as a website owner, you are responsible for the correct configuration of the privacy settings for these kinds of tools.
Data transfers
In addition to the consent aspect, it is of course also important to consider the potential transfers of personal data outside the European Economic Area that may occur when using digital analytics solutions. The recent rulings in Austria, France, Italy and Liechtenstein specifically target Google Analytics and state that it should not be used due to the lack of a data transfer framework.
Google has responded to these rulings by stating that Google Analytics data:
- always remains under the control of the website owner;
- is not used for profiling across the internet and;
- they have never received a data access request from the US intelligence services.
In addition, they also refer to the many measures that Google takes in the field of privacy and data security.
Despite this reaction from Google, the DPAs in France and Austria seem to stand by their decision. This means that the use of a digital analytics solution from an American vendor can currently be considered a violation of the GDPR legislation. Of course, it is important to realise that this is not just about Google. Other widely used technology vendors such as Adobe, SAS, Microsoft or Salesforce face the same problem.
Our advice
Within the current context, we recommend that organisations think carefully about why they are using a digital analytics solution. What is the value of this data for the organisation? Only when you know the value, you can make an informed decision about whether to switch to an European alternative or look for ways to continue using the current solution.
After all, there are many technical measures that can be taken to anonymise data. You have the built-in features within your digital analytics solution. And another example are vendors like Jentis, which offer pseudo- anonymisation as a service. Each tracking call that goes to the servers of an American vendor is first sent via their own (European) servers and all possible personal data is hashed. In this way, the American vendor receives anonymous data and is no longer subject to the GDPR legislation. This is of course a very technical fact and in theory, the reasoning seems to be correct. However, it remains to be seen whether the legislator will follow this reasoning in court. The French DPA already has confirmed that anonymization is an option, but only if the keys are not managed by Google.
European alternatives
If you prefer to switch towards an European alternative, you might want to consider one of the following solutions. We have divided them into 4 categories, based on the needs they fulfil.
1. Simple KPI dashboards
These kinds of solutions can best be described as stripped-down web analytics tools: only the most essential KPIs are retained and are displayed in a dashboard that is fairly static. There are little or no filtering and segmentation possibilities. These solutions are aimed at website owners who only need high-level insights such as: how many visits in a certain period, how often pages are visited and how often certain interactions take place. In-depth analyses, custom variables and integrations with other platforms (e.g. advertising tools) are not required.
→ Plausible.io
→ Pirsch.io
→ Visitor-analytics.io
→ Simpleanalytics.com
2. Default web analytics solutions
These kinds of solutions are best described as alternatives to the free version of Google Analytics. These web services provide you with the platform you need to measure all your website performance and get the right insights from it. These tools allow you to not only collect basic site metrics such as sessions, time on site, pageviews, etc. They also allow you to set up custom things such as measuring events, creating segments, e-commerce measurements, setting up filters, cross-domain tracking, etc. The flexibility of these platforms offers countless extra possibilities for data collection and insights when compared to the solutions in the simple KPI dashboards category.
→ Piwik.pro
→ Matomo.org
3. Advanced web analytics solutions
These solutions can best be described as alternatives to the paid version of Google Analytics: GA360. They offer a lot of customisation possibilities (custom dimensions and metrics), access to raw data, an extensive range of integrations with other platforms and tools, extensive data governance functionalities, extensive user governance functionalities, the possibility to conclude SLAs, etc.
Typically, these types of solutions are aimed at enterprise-level organisations. Organisations where the digital analytics data is not only used for reporting. The collected data plays an essential role in the functioning of the (marketing)organisation. Think for example of personalisation, targeted advertising, customer services, etc.
→ Piano.io
→ Stormly.com
4. Tracker only
With this type of solution, you create a web analytics environment yourself. You use an event tracker to measure the interaction data on digital platforms. This data is stored in a data warehouse that is under your control, on which a data visualization or BI tool runs to provide insight. So for each functionality you look for a “best-of- breed” solution, instead of looking for an “all-in-one” solution. This type of solution is only suitable for organisations that have a clear architectural vision of their data landscape, have the technical resources in-house to maintain such a set-up and where the reporting users are able to query data tables.
→ Snowplowanalytics.com
→ Segment.io
Last word
Please realise that the context in which we work today will continue to evolve. It is therefore important that you approach this topic from a strategic point of view and do not see it as a one-off thought exercise.
It is time to take responsibility when collecting data. However banal it may sometimes seem. Make sure you have the right knowledge of the technologies you use and stay abreast of new developments both legally and technologically.
We hope this article has given you the tools to have an informed discussion within your organisation. Other impacted disciplines of the GDPR legislation were discussed in the following links:
Does all this seem very challenging to you? Then do not hesitate to call on specialised parties. For example, deJuristen in case of the legal framework and Stitchd for the technical possibilities. They support many organisations, both large and small, specifically in this area.
