
EU GDPR (General Data Protection Regulation) and Analytics cookies

How will this affect webmasters?

9:21 am on Nov 15, 2017 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts: 15025
votes: 136


The new General Data Protection Regulation or GDPR [en.wikipedia.org] is meant to protect privacy, but it looks like it could be a nightmare for webmasters whose sites have dealings with citizens of the EU. Reading through some of these regulatory requirements and opinions is making my head spin.

Are there established guidelines of what a website would need to do to comply with this? For example, if my site uses Analytics it's serving a cookie (from Google). Does this mean I have to clutter my sites with those annoying "this site uses cookies" banners? They seem like a fairly useless addition, and I've read that they may not actually be sufficient for compliance with the new regulations.

What's a non-EU site to do? What about EU sites? Analytics arguably are not tracking personally identifiable data, but I'm sure we could find a lawyer who could argue otherwise. I am not seeing definitive information about this from Google.

We only have until May 2018 before the EU hammer comes down...
9:55 am on Nov 15, 2017 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:24820
votes: 624


Yes, it's another overly complex regulation with simplistic ambitions, yet has far reaching ramifications.

In May 2018 the new E.U. regulations, GDPR (General Data Protection Regulation) comes into full force. It's actually in force now, but full compliance is May 2018. The GDPR is aimed at strengthening and unifying data protection for all individuals within the E.U., and the export of personal data outside of the E.U.

This is a key component for businesses outside of the E.U. that deal with individuals within the E.U., as it also affects organisations outside the E.U. that collect or process personal data of E.U. residents.

According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address."
This means that analytics, such as the recording of personally identifiable information, such as IP addresses, should be covered.

Here's a quick summary of the preparation to be undertaken (source: UK's ICO PDF file [ico.org.uk...] ).
Preparation for GDPR.
1. Awareness: All decision makers and key people in the business should be aware that the law is changing to GDPR.
2. What information is held: Document what personal data is held, where it came from, and who you share it with. This may require an information audit.
3. Privacy notices: These should be reviewed, and a plan put in place for making any necessary changes before May 2018.
4. The rights of individuals: Check the procedures to ensure they cover all the rights individuals have, including how to delete personal data or provide data electronically and in a commonly used format.
5. Subject access requests: Procedures should be planned and updated for how requests are handled, within the new time scales, and for providing any additional information.
6. Lawful basis for processing personal data: Identify the lawful basis for the processing activity in the GDPR, document it and update the privacy policy to explain it.
7. Consent: Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard.
8. Children: Systems must be put in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity.
9. Data breaches: Ensure the correct procedures are in place to detect, report and investigate a personal data breach.
10. Data protection by Design and Data Protection Impact Assessments: Familiarise yourself with the ICO's code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
11. Data Protection Officers: Someone should be designated to take responsibility for data protection compliance within an organisation's structure and governance arrangements. Consider whether you are required to formally designate a Data Protection Officer.
12. International: If an organisation operates in more than one E.U. member state (cross-border processing of data), determine the lead data protection supervisory authority. The Article 29 Working Party Guidelines help achieve this.

This will also affect data that clubs and societies hold, so if you run a club that is in the E.U., or has E.U. members it'll affect them.

Clearly, this is more red tape for many businesses, and especially challenging for a small business. Larger businesses would probably already have a data protection officer, or someone allocated to be responsible, so it's more about compliance for them. For the smaller business, or a club or society with few resources, it's a real frustration. To be positive, it is good practice to look after the data.

Some aspects are good, so if you're in the E.U., and it's your personal data being held, you will have better rights and protection. For businesses and clubs, etc., far greater care and attention is required, along with procedures to protect, and to declare should a breach occur.

I've spoken to many small businesses and it's just hitting home that this really is quite a challenge adding to already busy days.

HTH to start the conversation.
1:38 am on Nov 16, 2017 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts: 15025
votes: 136


Today I came across this in Wikipedia:
https://en.wikipedia.org/wiki/HTTP_cookie#EU_cookie_directive

In June 2012, European data protection authorities adopted an opinion which clarifies that some cookie users might be exempt from the requirement to gain consent:

  • Some cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes. These cookies include cookies used to keep track of a user's input when filling online forms or as a shopping cart.
  • First party analytics cookies are not likely to create a privacy risk if websites provide clear information about the cookies to users and privacy safeguards.


I guess that means that Analytics cookies fall under a category where no special adjustments would be required? If that's the case then it's business as usual, but I won't base a policy on a Wikipedia snippet. We have lawyers for that, but they are just as confused as I am at this stage.
12:19 pm on Nov 16, 2017 (gmt 0)

Full Member

5+ Year Member

joined:Aug 16, 2010
posts:241
votes: 19


According to the official Dutch data protection authority you can setup Google Analytics without asking for permission.

Note: translated with Google

If you use Google Analytics, you use the analytical cookies to process personal data of your website visitors. In principle, you must comply with both the Telecommunications Act (informing your visitors and asking for permission) and the Personal Data Protection Act (Wbp).

But do you ensure that the cookies have no or minor consequences for the privacy of your website visitors? Then you do not need to request permission for the cookies. To do so, you can use the Privacy-Friendly Manual to use Google Analytics of the Dutch Data Protection Authority (Dutch-language Authority for Personal Data) (AP). In 6 steps you will learn how to set up Google Analytics privacy-friendly.


Link to manual (in Dutch)
[autoriteitpersoonsgegevens.nl...]
1:02 pm on Nov 16, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 15, 2001
posts: 1580
votes: 15


It is a serious EU regulation, that despite Brexit is being enacted in full in the UK. It will be interesting to see how companies interpret it - there are some guides for SMEs on the UK ICO (Information Commissioner Office) website which are worth a read, especially if you can't stretch to reading the full legislation.

That it will apply to IP addresses and cookies (as privately identifiable information) is probably true, but to what extent still debatable.
2:00 am on Nov 17, 2017 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts: 15025
votes: 136


I think bhukkel just pointed to the key for Analytics users.

According to Google's IP Anonymization in Analytics [support.google.com] it looks like you can set Anonymize IP [developers.google.com] in Google Analytics
ga('set', 'anonymizeIp', true)
and that would make sure you are not collecting any identifiable IPs.

So I am assuming that this means that we wouldn't need to ask users' permission simply to run Analytics on our sites, and thus no need for those ridiculous "This site uses cookies" notification pop-ups and modal dialogs. I hope that the EU will be satisfied if we notify about the use of cookies in a privacy policy area without the need to disrupt a visitor's experience on the site.

Am I understanding this correctly?
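The anonymizeIp setting quoted above zeroes part of the visitor's address before Google stores it. The same truncation can be applied to a site's own server logs before they are written to disk or a database. The script below is an added example, not code from this thread or from Google; it uses the truncation widths Google documents for anonymizeIp (last IPv4 octet, last 80 bits of IPv6) and runs over constructed common-log-format lines.

```javascript
// Added example, not code from the thread. Applies the truncation Google
// documents for anonymizeIp (IPv4: last octet zeroed; IPv6: last 80 bits
// zeroed) to first-party web server log lines before they are stored.

function anonymizeIPv4(ip) {
  const parts = ip.split('.');
  const ok = parts.length === 4 &&
    parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!ok) throw new Error(`not an IPv4 address: ${ip}`);
  return `${parts[0]}.${parts[1]}.${parts[2]}.0`;
}

// Expand an IPv6 literal into its eight 16-bit groups (one "::" allowed).
function expandIPv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`not an IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error(`not an IPv6 address: ${ip}`);
  }
  return [...head, ...Array(missing).fill('0'), ...tail].map(g => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error(`bad group in ${ip}`);
    return parseInt(g, 16);
  });
}

function anonymizeIPv6(ip) {
  // Keep the first 48 bits (three groups); the remaining 80 bits become zero.
  const kept = expandIPv6(ip).slice(0, 3).map(g => g.toString(16));
  return `${kept.join(':')}::`;
}

function anonymizeIp(ip) {
  return ip.includes(':') ? anonymizeIPv6(ip) : anonymizeIPv4(ip);
}

// Rewrite the client address (first field of a common-log-format line).
// A line whose address cannot be parsed is masked entirely, not kept as-is.
function anonymizeLogLine(line) {
  const [addr, ...rest] = line.split(' ');
  let masked;
  try { masked = anonymizeIp(addr); } catch (e) { masked = '-'; }
  return [masked, ...rest].join(' ');
}

// Constructed sample log lines (documentation address ranges, not real visitors).
const SAMPLE_LOG = [
  '203.0.113.42 - - [17/Nov/2017:10:13:00 +0000] "GET / HTTP/1.1" 200 512',
  '2001:db8:85a3::8a2e:370:7334 - - [17/Nov/2017:10:13:05 +0000] "GET /p HTTP/1.1" 200 77',
  'garbage - - [17/Nov/2017:10:13:09 +0000] "GET /x HTTP/1.1" 404 0',
];
```

Run `SAMPLE_LOG.map(anonymizeLogLine)` to see the truncated lines; IPv4-mapped IPv6 forms such as `::ffff:203.0.113.42` are rejected by the group check and therefore masked to `-`.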
9:58 am on Nov 17, 2017 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:24820
votes: 624


Am I understanding this correctly?

Yes, I believe you are.
If you're not collecting and storing the user data you don't need to be concerned.

BTW, the "cookie law" is being updated to relax the annoying and over-burdensome aspect of a user having to click on a cookie acceptance on every single site (yawn), and of website administrators having to ensure the message is delivered. In very simple terms, the shift is to place the permissions on the users' terminal as part of the general acceptance of cookies. Cookies, of course, form part of the GDPR regulations for user protection. Of course, the key aspect is that those really annoying cookie acceptance notices will soon be a thing of the past. See the section on Simpler Rules on Cookies [ec.europa.eu]

However, having switched the burden away from the website to the user, there will now be a requirement for the cookie acceptance reminder to be renewed every six months. Of course, this is a general user, browser-based acceptance on the users' computer.
10:13 am on Nov 17, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10224
votes: 580


Yet another reason to keep the analytics off-site and not burden your visitors with the question of privacy violation.
1:02 pm on Nov 17, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1535
votes: 194


I appreciate this was posted in the Analytics forum, but GDPR is a bigger topic than analytics. However, I will try and constrain myself.

I would be quite interested in the in-house analytics view. @iamlost had a thread recently on data-mined personalisation.

Under GDPR, what if someone requests you delete them from your server logs (under Right to be Forgotten)?

How do you go about revealing data held on a person, if they access your site from a shared IP such as a company?
1:24 pm on Nov 17, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 15, 2001
posts: 1580
votes: 15


How do you go about revealing data held on a person, if they access your site from a shared IP such as a company?

Surely Shaddows, if you can't identify a person's file requests in your logs for that reason, then it ceases to be personally identifiable information and is no longer covered under GDPR.
4:12 pm on Nov 17, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1535
votes: 194


if you can't identify a person's file requests in your... then it ceases to be personally identifiable information and is no longer covered under GDPR.

Possibly. Hopefully, even.

Alternatively, it could be grounds for not complying with the law.

"I request all the data you have on me, per my rights"
"Actually, there is no data on you"
"Well, I visited your site, so you do have data, you are just not auditing it properly. Where's my lawyer?"

Worth noting is that my legal obligations trump your GDPR rights. So, my obligation to keep sales records for tax reasons trumps your ability to request I delete my record of selling to you.

However, I might (unclear until tested in court) need to pseudonymise your sales record and lock away my own access to it until legally required to unlock it.
4:25 pm on Nov 17, 2017 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:24820
votes: 624


As you've proven in this discussion, this GDPR is still a work in progress.

If you don't store data, you're fine.
If you do store data, you have to adequately protect it.

Note, under the UK's Data Protection Act companies have had to reveal this data to the users in the past, and have been able to charge a flat, low fee to present the data. Now, there's no charge to be levied. This is also storing up problems, imho.
5:13 pm on Nov 17, 2017 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2003
posts: 4422
votes: 9


How could one be fairly aware of the data collected by WP? I'm not sure I know about all of it.
5:22 pm on Nov 17, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
posts:1912
votes: 57


@Shaddows, ditto there!

I roll my own Analytics script that I wrote more than a decade ago. I would never knowingly share any data with any outside company, ever, never did. Click-path data is stored in a DB and is encrypted at the DB level. Yes, IP is recorded in the DB. Yes, IP is also present in IIS logs (not that I have any use for them); nothing that I could or would do to prevent it from being recorded. Yes, personal info is also recorded to be able to ship products to the correct address.

And there is nothing I or all those Big Box stores will change unless, of course, the user's browser could say with distinct certainty "Hi, my name is Bob" from the get-go...

P.S. I also take my own and my family's privacy very seriously.
4:23 am on Nov 20, 2017 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts: 15025
votes: 136


If you're not collecting and storing the user data you don't need to be concerned.

If someone were using Google Analytics, in the default configuration where this IP anonymization is not toggled, would that change anything in terms of what and how site users from the EU need to be notified? I am now wondering whether this needs to be toggled at all.
9:48 am on Nov 20, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1535
votes: 194


@bill

It's not specifically the collection and storage that is the issue, it's the auditing and handling. If GA keeps an IP, then that data is subject to GDPR.

Data subject to GDPR needs to be presented to the Data Subject on request, must be deleted on request, and must be amendable on petition. GA does not (currently) offer these features, so it is best not to collect the data in the first place.
11:56 am on Nov 20, 2017 (gmt 0)

Full Member

10+ Year Member Top Contributors Of The Month

joined:Aug 5, 2004
posts:253
votes: 21


According to Google's IP Anonymization in Analytics [support.google.com] it looks like you can set Anonymize IP [developers.google.com] in Google Analytics

ga('set', 'anonymizeIp', true)

and that would make sure you are not collecting any identifiable IPs.

So I am assuming that this means that we wouldn't need to ask user's permissions simply to run Analytics on our sites, and thus no need for those ridiculous "This site uses cookies" notifications pop-ups and modal dialogs. I hope that the EU will be satisfied if we notify about the use of cookies in a privacy policy area without the need to disrupt a visitor's experience on the site.


According to the UK's ICO site:

Do the rules still apply if the data is anonymous?
Yes.

[ico.org.uk...]

These are the current rules, though.

Also this is interesting...

under new rules...

"A site that sets cookies for different purposes will also need to obtain consent for each separate purpose"

"The data subject shall have the right to withdraw his or her consent at any time. ... It shall be as easy to withdraw as to give consent."

"under the GDPR, any cookie or other identifier, uniquely attributed to a device and therefore capable of identifying an individual, or treating them as unique even without identifying them, is personal data."
1:15 pm on Nov 23, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 15, 2001
posts: 1580
votes: 15


I haven't started to look at website analytics and GDPR yet, so far I am learning the actions I have to do to get my CRM compliant and where needed "consented". There will be increasing levels of work as the deadline looms.