Forum Moderators: DixonJones & mademetop

GDPR - Request consent before tracking?

2:32 am on Oct 18, 2019 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts: 15181
votes: 180


I know that there was an earlier post about Analytics and GDPR back in May [webmasterworld.com...] but in October we had the CJEU ruling that seems to change things.

The Court of Justice of the European Union (CJEU) this morning ruled that storing cookies requires internet users’ active consent. It's not good enough, says the CJEU, to present users with a pre-checked box and require them to click it to opt out.

[webmasterworld.com...]

Do we need to inform visitors of the GA tracking cookies and have them actively choose to accept GA cookies even if we're using Google's suggested settings to anonymize the data [support.google.com] collected?

Wouldn't this cripple Analytics? Who's going to actually opt-in when the default has to be set to opt-out?

[edited by: phranque at 6:45 am (utc) on Oct 18, 2019]
[edit reason] enable link to thread [/edit]

6:39 am on Oct 18, 2019 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator ianturner is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:July 19, 2001
posts: 3668
votes: 55


It is a bit of a mess at the moment. There are some GDPR compliance scripts available which separate cookies into different categories (e.g. Civic and OneTrust).

Having a look at those will help you to see how things are being implemented by some large EU based organisations.

If you are completely outside of the EU I think you can get away with blocking access to the site unless cookies are accepted. Though I think there was a case recently where a Dutch organisation inside the EU was prosecuted for this type of blocking.

On the analytics front, yes, it will potentially cripple cookie-based analytics. Though I think server-side analytics will still be fine and might make a comeback due to this law. Anyone fancy writing a REST API based analytics package?

6:57 am on Oct 18, 2019 (gmt 0)

Moderator This Forum from GB 

WebmasterWorld Administrator dixonjones is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 8, 2002
posts:2947
votes: 25


I make use of a thing in GA that anonymises the IP address by masking the last three digits. In doing so, the IP address is no longer "PII" (personally identifiable information). It works fine for me. If they sign up to something, or chat, then they opt in at that point, but I do not track them on arrival to the site, only the IP RANGE. This is NOT on by default in GA, but I recommend doing it.

8:40 am on Oct 18, 2019 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts: 15181
votes: 180


> I make use of a thing in GA that anonymises the IP address by masking the last three digits.

I do use that already.

Apparently that may not be entirely sufficient. I spoke to someone who attended a seminar this week about CCPA (California Consumer Protection Act) and various data protection laws in the world, including GDPR. I had them ask a lawyer in attendance about this. (This is 3rd hand lawyer advice given at a seminar so don't take this as gospel). What I heard was that the Google anonymization happens after the data is collected, so technically you are sending PII to Google even with this IP anonymization setting.

I had to take a look, and that does appear to be the case. [support.google.com...] Google collects the full IP, anonymizes it, and then processes it. Outside the EU this might be sufficient, but it may not be in the stricter countries, like Germany, where they take a much stronger stance on this.

If this super strict interpretation of the GDPR regulations is used, then you need a pop-up explaining that you're using cookies for GA, why you're using these cookies, how long the data will be stored, and then give the visitor the option to opt-in to your Analytics cookies (by default the opt-out option must be selected).

The lawyer pointed out this UK site as a good example of how Analytics tracking cookie permissions were being handled: [ico.org.uk...]

9:20 pm on Oct 19, 2019 (gmt 0)

Full Member

5+ Year Member

joined:Aug 16, 2010
posts:257
votes: 24


The Dutch Data Protection Authority (government agency for GDPR) has published a Google Analytics guide with 6 steps. If you follow these steps you don't have to ask permission. One of the steps is to anonymise the IP.

It is in the Dutch language:

[autoriteitpersoonsgegevens.nl...]

11:23 pm on Oct 19, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15936
votes: 889


Let us cross our fingers and hope that nobody in a law-making position ever learns of the existence of server access logs.

2:50 am on Oct 20, 2019 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts: 15181
votes: 180


Thanks bhukkel. I've been looking for documents like that, but my Dutch searching skills are pretty poor ;)
I'm going to ask some people in the EU to look at this and see if the CJEU decision changes this advice from the Dutch government.

> server access logs
My backup plan is to use server logs for stats and pull GA from all EU sites.
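
Added example, not part of any post in this thread: a sketch of the server-log approach discussed above, where each client address is truncated to a range before anything is counted or stored, so the full IP never reaches the statistics. The combined log format, the sample lines, the function names and the /24 (IPv4) and /48 (IPv6) mask widths are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.57 - - [19/Oct/2019:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.99 - - [19/Oct/2019:10:05:40 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Oct/2019:11:15:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8:abcd:12:1111:2222:3333:4444 - - [20/Oct/2019:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
garbage line that does not parse
"""

# client IP, day, request path, status code
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]+\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3}) '
)

def mask_ip(raw):
    """Zero the last octet (IPv4) or last 80 bits (IPv6); None if not an IP."""
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return None
    prefix = 24 if ip.version == 4 else 48  # assumed mask widths
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)

def summarize(log_text):
    """Return (hits per page, distinct IP ranges per day) from masked data only."""
    page_hits = defaultdict(int)
    ranges_per_day = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing
        masked = mask_ip(m.group(1))
        if masked is None or not m.group(4).startswith("2"):
            continue  # count successful responses only
        day, path = m.group(2), m.group(3)
        page_hits[path] += 1
        ranges_per_day[day].add(masked)  # the full address is never kept
    return dict(page_hits), {d: len(s) for d, s in ranges_per_day.items()}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Masking at read time only protects the derived statistics; the raw access log still holds full addresses unless the web server is configured to log the truncated form.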