Noise or Music? - The Insights Blog

Google Analytics illegal to use – according to Norwegian Data Inspectorate

August 21, 2012 / Categories: Privacy and Accuracy / Comments: 16


Not really! The eye-catching headline from the following article is actually very misleading (I used Google Translate). In fact, this is a classic example of poor/misleading journalism on this subject…

Example of poor journalism about Google Analytics and privacy

As I wrote in my last article on this subject, Google Analytics and the new EU privacy law #3: if you use Google Analytics to collect personally identifiable information (PII) without the explicit consent of each visitor, then yes, you are breaking the privacy laws in each of the 27 EU member countries. That is the same with any tracking tool/methodology. It also breaks the Terms of Service of GA.

As a web site owner, if you do not collect PII, have a best practice privacy policy that is easy to find, and do not share your data with 3rd party organisations (without asking for consent from the visitor), then there really is no problem with using Google Analytics.

Whether an IP address can be considered PII is a gray area that is open to interpretation. I personally consider it to be, but in criminal law an IP address by itself is not sufficient to identify an individual. I am not aware of any EU country where that is contrary. Of course, if in doubt, use the Google Analytics _anonymizeIp() function. This removes the last octet from the IP address prior to sending to Google’s data collection servers.

BTW, has anyone compared the before/after impact on the reports of turning _anonymizeIp on? My suspicion is that outside of large geographical, single cultural markets (e.g. outside US/Canada/Australia), using _anonymizeIp has little impact, so _anonymizeIp() should be used on your website by default…
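The truncation described above, applied to web-server log lines as an added example (it is not code from the original post or from Google Analytics): the sketch zeroes the last IPv4 octet and counts distinct client addresses before and after. The /48 prefix kept for IPv6, the function names and the log lines are assumptions constructed for this example.

```python
import ipaddress
import re

# Prefix lengths kept after truncation. /24 drops the last IPv4 octet, as the
# post describes; /48 for IPv6 is an assumption of this example.
KEEP_BITS = {4: 24, 6: 48}

# Leading client-address field of a Common Log Format line.
CLIENT_FIELD = re.compile(r"^(\S+)")


def anonymize_ip(text):
    """Zero the host bits of an address; return None if text is not an IP."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) carries an IPv4 client,
    # so it is truncated as IPv4 rather than as IPv6.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    bits = KEEP_BITS[addr.version]
    net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return str(net.network_address)


def anonymize_line(line):
    """Rewrite the client field of one log line; redact unparsable values."""
    def swap(match):
        # A logged hostname cannot be truncated safely, so it becomes "-".
        return anonymize_ip(match.group(1)) or "-"
    return CLIENT_FIELD.sub(swap, line, count=1)


def distinct_clients(lines):
    """Number of distinct values in the client field."""
    return len({line.split(" ", 1)[0] for line in lines})


# Constructed sample lines using documentation-only address ranges.
TAIL = ' - - [21/Aug/2012:10:00:00 +0000] "GET / HTTP/1.1" 200 512'
SAMPLE_LOG = [client + TAIL for client in (
    "192.0.2.17",            # three visitors behind the same /24
    "192.0.2.93",
    "192.0.2.200",
    "198.51.100.7",
    "2001:db8:ab:cd01::5",   # two visitors inside the same /48
    "2001:db8:ab:ff02::9",
    "::ffff:203.0.113.44",   # IPv4-mapped IPv6
    "proxy.example",         # hostname logged instead of an address
)]

if __name__ == "__main__":
    masked = [anonymize_line(line) for line in SAMPLE_LOG]
    for line in masked:
        print(line)
    print("distinct clients before:", distinct_clients(SAMPLE_LOG))
    print("distinct clients after: ", distinct_clients(masked))
```

The drop in distinct clients is the reporting impact the question above asks about: visitors that share a truncated prefix can no longer be told apart by address alone.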

So the fear for web users and data protection regulators is really not what website owners can do with Google Analytics reports to identify an individual visitor – assuming you only wish to do business with professional, ethical organisations (anyone can abuse tracking tools to break privacy laws). Rather, the concern is how Google may triangulate originally anonymous data points to identify individuals within the Google network – which as we know, effectively IS the web.

That is very much a legitimate concern, but one that is not being addressed by articles written with a superficial knowledge of the issues involved. It is also not going to be solved by declaring a single tool, out of a plethora of tools, illegal to use. That said, maybe it is Bjørn Erik Thon (see screenshot) who has not understood the issues fully…

Thanks to Eivind Savio of Halogen.no for bringing this to my attention.

I would be interested in any feedback from people that have had contact with the Norwegian Data Protection Authority.


Comments

  1. Chris says:

    Thanks for sharing the link. Apparently, Google’s ability to integrate data across their many services is not merely theoretical! If this is not regulated, the implications for privacy would become massive.

    Nevertheless, I would like to stress once again that the new EU cookie law is not directly concerned with how data are processed, how data are integrated or whether or not personal data are involved. Although all of this is important too, the new cookie law is “designed to protect the privacy of internet users –even where the information being collected about them is not directly personally identifiable” (see UK cookie guide, p.2).

    To protect the privacy of the users in this context means to define and protect their private sphere: “Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms” (Directive 2002 58 EC, p. 39).

    This means that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing” (Directive 2009 136 EC, p.30).

    Notice here that providing “clear and comprehensive information, in accordance with Directive 95/46/EC” means that if the data are transferred to a third party such as Google, then there must be a legal contract between the website owner and Google: “The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller” (Directive 95 46 EC Personal Data, Section VIII).

    The fact that there exist no such legally binding contract when a website owner uses GA is the real concern of the Norwegian Data Authority and is the reason why Mr. Thon has declared GA illegal.

    • @Chris – This all comes down to interpretation. It is why it has been so difficult to define and hence the controversy over the past few years around it. The ICO (UK privacy agency) gave everyone a 12 month grace period when this law was introduced precisely because the wording can never be perfect to cover all situations.

      To reiterate, the intent of the law is to protect the end user from behavioural tracking and PII – as it is this that directly impacts users. Benign first party cookies that are anonymous and aggregate are simply not the focus, even though if you follow the wording of the law to the letter it will include these by implication. My experience over the years is that the UK government, ICO and the EU is quite pragmatic about this i.e. wishing to form sensible laws that make a real difference to users. I wish the Norwegian authorities had taken a similar well thought through approach…

  2. And by coincidence, this is exactly what I mean by data triangulation:

    Google privacy policy rethink demanded by EU – http://www.bbc.co.uk/news/technology-19953241

  3. @Chris – this is a great debate so thanks for your time, though I do not agree with your 2+2=5 hypothesis ;)

    My analogy gets kind of tricky when you drill down into detailed specifics, but let's continue as I would like to refine it…

    Myself, the ICO and other people who have discussed this issue in detail do not consider placing a benign, 1st party cookie that collects only anonymous and aggregate information as ‘opening the car door’ from the analogy.

    The key phrase here is aggregate. That means GA is not reporting on individuals. If it was tracking at the individual level, then I agree it becomes invasive – even if anonymous. As I say in my previous reply, the triangulation of anonymous and aggregate data by digital companies (and that includes your ISP) is the real concern here, not the Google Analytics tool.

    Related:
    Who monitors the monitors? Privacy, Web Analytics, Google and Ketchup

  4. Chris says:

    Hej Brian,

    For the record, I'm not representing or affiliated with any Data Protection Authority, any media organization (including Digi.no), EU or any other organization dealing with privacy. If it makes any difference, I'm not even Norwegian.

    I agree with you that the article in Digi.no and even the Norwegian Data Authority’s own website present things in a somewhat confusing manner. Part of the problem is that they mention not only the new cookie law, but also the question of whether IP addresses can be seen as Personal Identifiable Information. Although the EU is dealing with all of these things, the new cookie law, seen in isolation, has nothing to do with IP addresses or PII.

    In a way, it is much more simple: it only seeks to define the private sphere for individuals browsing the internet, and it states very clearly that it is the visitor’s computer which defines this sphere.

    So, basically, a website owner can do whatever he wants on his own servers, but he cannot access the visitor’s computer or store anything on it without obtaining permission and explaining why.

    The computer is here comparable to the car in your analogy. The car is the property of the driver and therefore normally considered his private sphere, which nobody is allowed to enter without permission. Therefore, the school, which you compare to the website owner’s website, is not allowed to place anything inside it, or even to open the door and look inside, unless the driver agrees.

    In fact I am using the analogy in much the same way you are. If you think, as you clearly do, that it should not be allowed to place a tracking device inside a private car without asking for permission, then, logically, you should also agree with the new cookie law. Even more to the point, if you think the school should explain to the driver why they want to place something in his car before they actually do it, and if you think the school should be held accountable for the accuracy of this information, then you should also agree that the free version of Google Analytics should be considered illegal.

    The same kind of analogy could be made for an offline shop. Imagine that this shop monitors its visitors with a video camera. They count their visitors, how many buy anything, how many women, how many men, etc. All of this is OK, but imagine that the shop starts opening the handbags of the visitors, looking inside them and placing something in them. Most people would find that very intrusive to say the least, especially if this was done without their prior consent.

    If you look at it in this way, you can also see that the question of PII is irrelevant here. Even if the shop cannot identify the visitors by placing something in their bags, the bag and its content is none of their business!

  5. @Chris – quick sanity check, are you speaking on behalf of Digi.no or Norwegian Data Protection Authority? I ask because your reasoned discussion is much more detailed and considered than what I have read from these other two…!

    My view is that the articles I mention are ill-informed and poorly written at best. Stating that GA is illegal simply because no one can “guarantee” what happens to anonymous and aggregate data is superficial and has a naivety of how internet communications take place. The ability of large internet companies (Yahoo, Apple, Microsoft, Firefox, Google etc.) to triangulate anonymous and aggregate information, so that the data becomes personal, is the real debate.

    See my recent interview: Who monitors the monitors? Privacy, Web Analytics, Google and Ketchup

    What is the purpose of the EU cookie law?

    From my discussions with various parties involved in implementing this law in the UK, it is quite clear that this law is aimed at behavioural targeting and the abuse of private information by website owners and tracking companies. Benign, anonymous, aggregate reports – such as those provided by Google Analytics – are not the target of this law.

    Privacy Analogy – monitoring cars driving down a street

    I am not advocating placing tracking devices in people’s cars – that would make it very personal and very identifiable. In my analogy, the car is the visitor, the road is the web route/path, and the school is an organisation’s website. To be more exact, I should say that the monitoring is for all cars that pass through the school premises i.e. visit the website. So for my analogy, the monitoring takes place at the school gate – that is, when a car enters the school premises – and is conducted by a third-party person, named Google.

  6. Hi Brian, Chris,

    Yeap, I agree with Chris on that one and as we stated on our blog post about the subject “Google’s right to provide web analytics services is not being questioned. What is missing are the guarantees offered to the website users about the use of their personal data…”
    The website owner, the controller, can not guarantee the use of data by the processor, in this case Google. For the free version of GA, this should clearly be further clarified.
    More on: http://www.mindyourprivacy.com/uk/analisis-de-los-problemas-de-google-analytics-en-noruega/
    We welcome your thoughts and send you both kind regards from sunny Madrid,
    Aurélie

  7. Chris says:

    And, by the way, if we continue the analogy you yourself use elsewhere, a person interested in safety and traffic is certainly allowed to count cars, types of cars, their speed etc.

    But such a person would not be allowed to place a tracking device inside the car (without informed consent) which would not only allow him or her to recognize the car when it came back to the street, but potentially also to map its behavior around on other streets in different cities or even countries.

    The EU cookie law clearly states that you are not allowed to open the door of a car and place something inside it without the informed consent of the driver/owner.

  8. Chris says:

    Hi Brian,

    Allow me to clarify the point. GA is not illegal because website owners must obtain consent or because it collects Personal Identifiable Information (PII). Mr Thon is saying that GA is illegal because it is the website owner’s responsibility to INFORM visitors about how the cookies are going to be used if the visitor allows them to be set. The website owner must inform about this, but at the same time they cannot give the visitors any guarantees about how the cookies are going to be used because they actually don't know what Google does with them.

    For example, a website with Google Analytics cannot legally say that it places GA cookies on the visitor’s computer only in order to improve the website’s usability. This would be misleading to the visitor because in fact Google might use them for entirely other purposes (e.g. targeted advertising). The point is not that Google WILL do this, but that the website owner cannot give any guarantee.

    Note also that Google can IN THEORY use data as they see fit partly because they do not have a legal responsibility directly to the website owner’s visitors, and partly because they have no legal contract with the website owner. In fact, the terms that website owners must accept in a check box when downloading the GA script clearly give Google the right to use the data for a variety of purposes. This is not the case for the paid version, GA Premium, where the website owner is given an SLA and clear ownership of data.

    Also, I would like to point out that the new EU law DOES NOT revolve around personal identifiable information (PII), which you seem to suggest in a number of places. Instead it revolves around INFORMED consent in connection with gaining access to the visitor's computer, which is seen as his/her private sphere. The law aims in particular at giving the visitor control over what is STORED on his/her computer and by whom. You must ensure informed consent WHENEVER you try to access the visitor's computer – this holds for GA, GA Premium, third party cookies, first party cookies etc. and regardless of whether all of this can be considered PII or not. (There are a few exceptions to the rule, but anonymous web analytics is not one of them).

  9. @Chris – thanks for your thoughts on this.

    Have a read of my post on Google Analytics and the new EU privacy law. As you will see, I reason that consent is not required just because a website uses GA. This comes from the detailed and very well thought through UK guidelines published by the ICO – the UK’s data protection agency.

    However, whether Bjorn or anyone else agrees with this reasoning is not my point. My point is that it is not Google Analytics that is illegal – or any other tracking tool used for that matter. It is the website owner’s responsibility for end-user privacy. Otherwise there is the ridiculous situation of a website owner simply adding a request for tracking from his/her visitors and then GA suddenly becomes legal again.

    BTW to clarify – whether you use the free version of GA or Premium, the data collected is owned by you, as the account holder. See my friend Stephane Hamel’s comments on this at http://online-behavior.com/googleanalytics/myths

  10. Chris says:

    Hi Brian.

    I actually don't think Bjørn Erik Thon has misunderstood anything, but I agree the article mixes up some things.

    As I understand it, Mr Thon is basing his opinion on the new EU cookie law which makes requirements for information and consent from the user in case of, e.g., using cookies for tracking purposes. These requirements are made regardless of whether cookies or IP addresses are considered personal identifiable information.

    Thus, a company using GA must ask the user for permission before placing cookies on her hard drive and must also tell the user why the cookies are placed in case she accepts. This is to ensure that the user is aware of the consequences of her choice.

    Mr Thon’s point is that since Google owns the data collected by GA, the company cannot inform the user about the consequences, because it cannot know if or how Google will use the data. Because of this tracking is only legal if the company owns and thereby controls the collected data (GA Premium would be legal, but the free GA would not).

  11. Aurelie Pols says:

    Hi Brian,

    Thank you for sharing your thoughts.
    As I was reading the comments, I wanted to mention that indeed Norway is not an EU Member but as a consequence of its membership in the EEA (European Economic Area), Norway is under an obligation to adopt EU Directives.
    Kind regards,
    Aurelie

  12. @Bob – good point. I should have clarified that. It may explain my surprise that Bjørn Erik Thon has not seen/read what other data protection agencies have done on this in Europe…

  13. bob says:

    FYI Norway is not in the EU, but of course culturally they are part of Europe

  14. Tara Dunn says:

    Thanks Brian, hopefully this will help calm some people down. ;) Helps clarify some things for me, and gives me another angle to think/talk about this issue for EU clients as well.

  15. Quick follow-up… Article written by the Norwegian Data Protection Authority has now been published:
    http://www.datatilsynet.no/Nyheter/2012/Mener-at-bruk-av-Google-Analytics-er-lovstridig-/

    The understanding of Datatilsynet is quite disappointingly poor. I expect people making these types of statements to have a good understanding of how the Internet works – specifically the DNS system. In a nutshell, ALL web servers log visitor IP address by default and even if you do not log these, IP address must be transmitted in communications – otherwise the data does not know where to go!

    The following statement from them is incorrect and misleading:
    “An IP address is defined as personal data because it can be traced back to a specific hardware and thus to an individual.”

    Why so? Take a common example of a shared office building housing 12 different businesses – approx 100 people in total. The hardware with the public IP address is the main router and this is shared amongst *all* 100 Internet users. Each user does not have their own public IP address.

    Of course, you can take the view that in some circumstances there can be a 1:1 matching of a user to an IP address and that would enable you to identify the user – assuming you know the owner of the hardware and can prove that only that individual was using it at the specified time. It is difficult legally speaking to do this, but I have no problem with that interpretation.

    But please Bjørn Erik Thon (Commissioner, Data Protection Agency Norway), at least understand and describe the situation correctly. The solution to the issue for the two websites you report on is to use an already well documented function called _anonymizeIp() within their Google Analytics setup. That is a more professional approach to protecting citizens' privacy than issuing sensationalist headlines…

    /end of rant
    As you can see I am not a fan of organisations (or tools for that matter) puking poor quality information/data to users ;)


© Brian Clifton 2015