GDPR – Should You Request Consent Before Tracking?
GDPR means that organisations need to keep records of all personal data they hold, be able to prove that consent was given where consent is the legal basis, and show where data is going, what it's being used for, and how it is being protected. And it applies to anyone processing the data of people in the EU, wherever the processing organisation happens to be located.
But what defines personal data…? And how is PII different…?
Obviously name, address, telephone details etc. constitute personal data. However, the GDPR defines personal data as any information relating to a person who can be identified directly or indirectly, which brings in what is commonly called Personally Identifiable Information (PII). PII is data that may at first appear benign, such as a visitor’s gender, age, language, type of car owned, demographic group etc. In isolation these are harmless in that they do not identify an individual. However, string them together and attach them to a web visitor who is searching for a very specific item in a specific geographic location, and pretty soon you can work out who that person is.
Data Triangulation Turns PII into PI
A classic case of this happening was the AOL search data scandal of 2006. AOL itself released a large volume of “anonymised” search query data, intended for research purposes, with each user replaced by a numeric ID. New York Times journalists (and others) were able to analyse the queries grouped under a single ID and identify the real person behind it by data triangulation.
Put simply, I do not know of a single commercial website that does not collect PII at some level. If it didn’t, what would be the point of having a website? Users and visitors also expect it as standard practice, so there is nothing wrong with collecting PII per se. However, as a website owner (or DPO) you must determine, and be able to verify, whether consent from your website visitors is required in order to track them. Taking no action on this point is simply not an option.
Consent Flow Chart – the options
As you can see in the flow chart, assuming you trade with the largest single trading bloc in the world, the middle blue section is the key to determining whether you should be asking for consent or not:
IMPORTANT: Note that “Consent required” means explicit consent, i.e. the visitor actively opts in; implied or assumed consent (a pre-ticked box, or simply continuing to browse) does not count. And it means obtaining that consent from EU visitors before you track them, not after the first tracking request has already fired.
The embedded scripts shown in the chart that send tracking pixels to 3rd parties are only the common ones – there are potentially thousands more!
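The following is an added example of what “consent before tracking” looks like in code; it is not from the original post. The gate treats an unanswered banner exactly like a refusal, records only an explicit “granted” value, and does not inject any third-party script until that value is present. Storage and the script loader are passed in so the same logic runs under Node for testing and under a browser with `window.localStorage` and `document`. The storage key, the `pixel.example-adnetwork.net` URL and the button wiring are assumptions of this example; the analytics.js URL is Google’s real one.

```javascript
// Added example (not code from the original post): an explicit opt-in gate.
// Nothing that contacts a third party is loaded until the visitor has actively
// chosen "yes"; no answer is treated exactly like "no".

const CONSENT_KEY = 'tracking-consent'; // storage key: an assumption of this example

// Explicit consent only: anything other than a recorded "granted" is not consent.
// A value such as "true" written by some other script does not qualify either.
function hasExplicitConsent(storage) {
  return storage.getItem(CONSENT_KEY) === 'granted';
}

function recordDecision(storage, granted) {
  storage.setItem(CONSENT_KEY, granted ? 'granted' : 'denied');
}

// Tracker definitions are data, so the audit of "which third parties do we load"
// is a list you can read rather than a hunt through templates. The first URL is
// the real analytics.js location; the second is a hypothetical ad-network pixel.
// (If GA is loaded, keep Advertising Features off unless audited:
//  ga('set', 'allowAdFeatures', false) is the analytics.js switch for that.)
const TRACKERS = [
  { id: 'ga', src: 'https://www.google-analytics.com/analytics.js' },
  { id: 'adpixel', src: 'https://pixel.example-adnetwork.net/p.js' },
];

function createTrackingGate({ storage, loadScript, trackers = TRACKERS }) {
  const loaded = new Set();

  // Call on every page load: loads trackers only if consent is already recorded.
  function applyConsent() {
    if (!hasExplicitConsent(storage)) return [];
    for (const t of trackers) {
      if (!loaded.has(t.id)) {
        loadScript(t.src);
        loaded.add(t.id);
      }
    }
    return [...loaded];
  }

  return {
    applyConsent,
    // Wire these to the banner's buttons. A dismissed or ignored banner calls neither.
    accept() { recordDecision(storage, true); return applyConsent(); },
    decline() { recordDecision(storage, false); return applyConsent(); },
    isConsented: () => hasExplicitConsent(storage),
  };
}

// Minimal in-memory stand-in for window.localStorage, used under Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
}

// Browser wiring (assumed button ids; not executed under Node):
//   const gate = createTrackingGate({
//     storage: window.localStorage,
//     loadScript: (src) => {
//       const s = document.createElement('script');
//       s.async = true; s.src = src; document.head.appendChild(s);
//     },
//   });
//   gate.applyConsent(); // returning visitor who opted in earlier
//   document.getElementById('consent-accept').onclick = () => gate.accept();
//   document.getElementById('consent-decline').onclick = () => gate.decline();
```

The important property is the one the flow chart insists on: a visitor who never answers the banner generates no tracking requests at all, and accepting is idempotent across repeated calls so a returning visitor is not tracked twice.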
What About Google Analytics…?
From my last post (Google Analytics, GDPR and Consent), I recommend you request consent to track your web visitors by default. If you don’t do this, then the onus is on you to verify that consent is not required by auditing ALL the tracking pixels on ALL your pages (and repeating the audit regularly to confirm you are still compliant). That is doable, but a huge undertaking.
My reason for requesting consent by default is that the GDPR applies to your organisation and therefore to its website(s) as a whole. The law is not specific to any tool or technology used for tracking. If, by auditing every potential pixel, you are able to confirm that no other tracking collects PII on your website (or that every one that does is compliant), the Google Analytics position is as follows:
European Union user consent policy
When using Google Analytics Advertising Features, you must also comply with the European Union User Consent Policy.
What are the Google Analytics Advertising features?
These include Demographics and Interest Reports, Remarketing with Google Analytics and the DCM (DoubleClick Campaign Manager) integration. They rely on 3rd-party advertising cookies, i.e. data is shared with organisations other than the website being visited; hence the privacy implications.
Summary of Google’s Advice:
If you use these Advertising features in GA, you must request explicit consent. If you do not use them, Google’s own policy does not require it. Note that this is Google’s policy for its product, not a statement about the GDPR as a whole, which is why the audit of everything else on the page still matters.
1. When it comes to website data, the GDPR is clear that the law applies not just to the obvious types of personal data (name, email address etc.) but also to personally identifiable information (PII): data points that at first glance appear benign, but which, when combined with other “benign” data, i.e. triangulated, can identify an individual.
2. Every commercial website collects PII at some level (possibly every website does), hence my interpretation of the GDPR is that website owners should request explicit consent from all EU visitors, and before tracking begins.
3. GDPR is not specific to any tool or technology. Therefore, unless you can verify that ALL tracking scripts are compliant, or can verify that the only tracking pixel on your website is Google Analytics and its setup does not include Google’s advertising features, then you need to request tracking consent from your visitors.
4. Although the GDPR is written for people in the EU (it protects anyone in the EU regardless of citizenship, and binds organisations outside the EU that offer goods or services to them or monitor their behaviour), in my opinion this is very likely to become a global data standard. After all, many have said that data is the new currency. Hence, just like the financial markets, regulation is required, and indeed desired by the vast majority of ordinary people, not just from within the EU.
BTW, if you are interested in what I am building in this space – an automated GA data auditing tool – visit verified-data.com.