But, have you considered how GDPR affects your analytics tracking?
The internet is riddled with articles and resources pulling you in different directions about compliance regulations. This post covers some common questions our clients have asked, and will hopefully clear up some of your own uncertainties.
NOTE: The information below is not legal advice. You must consult your legal team for detailed information on how you should proceed with compliance.
- Why is GDPR relevant to me if I’m in Canada or the United States?
- What is a data controller?
- I am not in the EU. What is the penalty?
- What data does GDPR impact?
- Can I still collect personal data?
- Do I need to tell users what I am collecting?
- What are the rights of my end users regarding their personal data?
- Where can we get more information on GDPR?
General Data Protection Regulation (GDPR) applies to organizations that meet any of the below criteria:
- Offer goods and/or services online to customers located in the European Union (EU)
- Track and/or monitor the behaviour of individuals in the EU
- Store personal data of individuals in the EU
If you are involved in any of these activities, you are considered a “data controller” under GDPR.
A data controller is any person or organization that determines the purpose and use of data collection. Therefore, if your organization has implemented Google Analytics, Adobe Analytics or any other tool that collects data, you are a data controller and must be compliant with GDPR.
Though you may think that the fines do not apply to you, they do. All companies that are not compliant with GDPR are subject to fines up to 4% of annual global revenue, or 20 million Euros – whichever is greater.
GDPR is specific to the collection and use of personal data. Personal data is defined as any information related to an individual that can be used to directly or indirectly identify a person. This not only includes name, photo, email address and bank details, but also unique identifiers such as IP address, hashed/anonymized userID, cookieID, and transaction/order numbers. It is important to mention that Google Analytics' own policy does not consider IP addresses, hashed/anonymized userIDs, cookieIDs or other pseudonymous identifiers to be Personally Identifiable Information (PII), whereas GDPR does treat them as personal data.
Under GDPR, companies can only collect personal data of an individual in the EU if that individual has explicitly given consent (i.e. opted in) to having their behaviour tracked on your website. If they do not give consent, you cannot track them.
Yes — users now have the right to know the purpose of tracking and data collection, as well as the right to know what is being done with their data. The purpose of the data collection and processing must be outlined in an easily accessible format that any person can clearly understand.
End users now have the right to:
- Access all data collected on them (including offline data)
- Have all data that is collected on them modified or erased
- Approve/withdraw consent from data collection
- Limit the data that is collected on them (e.g. allow regular website cookies but not allow data collection for marketing purposes)
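The opt-in requirement above and the right to limit or withdraw consent per purpose (regular cookies allowed, marketing tracking not) are usually enforced on the client by gating tag loading behind a consent state. The following is an added example, not code from the original post or from any analytics vendor; the category names, tag names, script URLs and storage format are assumptions for illustration, and the loader is swapped for a recording function so the walk-through runs outside a browser.

```javascript
// Added example (not from the post): a minimal consent gate for analytics and
// marketing tags. Tags are registered with a consent category and only load
// once the end user has opted in to that category; consent can be withdrawn
// later and every change is logged so it can be shown on request.
// Category names, tag names and script URLs are assumptions for illustration.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// Loader used in a browser: appends a <script> tag. Replaced in tests.
function browserLoader(src) {
  if (typeof document === "undefined") {
    throw new Error("no DOM available; supply a custom loader");
  }
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

// Rebuild consent state from a stored JSON string (e.g. a first-party cookie).
// Anything missing, malformed or not strictly `true` is treated as "denied".
function parseStoredConsent(raw) {
  const state = { necessary: true, analytics: false, marketing: false };
  if (!raw) return state;
  try {
    const parsed = JSON.parse(raw);
    for (const c of ["analytics", "marketing"]) {
      if (parsed && parsed[c] === true) state[c] = true;
    }
  } catch (_) {
    // corrupted value: keep the deny-by-default state
  }
  return state;
}

class ConsentManager {
  constructor({ stored = null, loader = browserLoader, now = () => new Date().toISOString() } = {}) {
    this.state = parseStoredConsent(stored);
    this.loader = loader;
    this.now = now;
    this.pending = []; // tags waiting for consent
    this.loaded = [];  // tags already fired (a script cannot be unloaded)
    this.log = [];     // consent change history, for accountability
  }

  register(name, category, src) {
    if (!CATEGORIES.includes(category)) {
      throw new Error("unknown consent category: " + category);
    }
    const tag = { name, category, src };
    if (this.state[category]) this._fire(tag);
    else this.pending.push(tag);
    return this;
  }

  // Opt-in: record the change and flush tags that were waiting on this category.
  grant(category) {
    this._set(category, true);
    const ready = this.pending.filter((t) => t.category === category);
    this.pending = this.pending.filter((t) => t.category !== category);
    ready.forEach((t) => this._fire(t));
    return ready.map((t) => t.name);
  }

  // Withdrawal: block further loads and report which tags already ran so the
  // caller can clear their cookies and stop sending hits.
  withdraw(category) {
    this._set(category, false);
    return this.loaded.filter((t) => t.category === category).map((t) => t.name);
  }

  serialize() { return JSON.stringify(this.state); }

  _set(category, value) {
    if (category === "necessary") throw new Error("necessary cookies need no consent");
    if (!CATEGORIES.includes(category)) throw new Error("unknown consent category: " + category);
    this.state[category] = value;
    this.log.push({ at: this.now(), category, value });
  }

  _fire(tag) {
    this.loader(tag.src);
    this.loaded.push(tag);
  }
}

// Walk-through with a recording loader so it runs without a browser.
function demo() {
  const fired = [];
  const cm = new ConsentManager({ loader: (src) => fired.push(src), now: () => "2018-05-25T00:00:00Z" });
  cm.register("analytics-tag", "analytics", "https://analytics.example/tag.js") // assumed URL
    .register("ads-pixel", "marketing", "https://ads.example/pixel.js");        // assumed URL
  const beforeConsent = fired.length;       // nothing loads before opt-in
  cm.grant("analytics");                    // user allows analytics only
  const afterAnalytics = fired.slice();     // only the analytics tag fired
  const toClean = cm.withdraw("analytics"); // tags whose cookies must now be cleared
  return { beforeConsent, afterAnalytics, toClean, stored: cm.serialize(), log: cm.log };
}
```

The deny-by-default parsing matters: a consent cookie that is missing, tampered with or not strictly `true` must be read as "no consent", so a bug never silently turns into tracking. Withdrawal cannot unload a script that already ran, which is why `withdraw()` returns the affected tag names rather than pretending the tag is gone.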
The GDPR website can be used to find additional information and resources on the matter.
What’s next? How do we become compliant?
As GDPR legislation comes into effect, ensuring you are compliant is critical. In order to prepare, we advise that you contact the department or individual within your organization responsible for privacy regulations to obtain further legal guidance on this matter.
If you’re in the Greater Toronto Area, the Digital Analytics Association (DAA) is hosting an event on May 31st, 2018 on the topic of Why You Need to Pay Attention to Europe’s GDPR Legislation.