Noise or Music?

GDPR – Should You Request Consent Before Tracking?

Categories: GDPR & Privacy / Comments: 7

Share Button

GDPR means that organisations need to keep records of all personal data, be able to prove that consent was given, show where data is going, what its being used for, and how it is being protected. And it applies to anyone processing data on EU citizens.

But what defines personal data…? And how is PII different…?

Data triangulation turns PII into PI

Obviously name, address, telephone details etc. constitute personal data. However, the GDPR makes it clear that Personally Identifiable Information (PII), can also be considered personal data. PII is data that may at first appear benign, such as a visitor’s gender, age, language, type of car owned, demographic group etc. These in isolation are harmless in that that do not identify an individual. However, string them together and attached them to a web visitor who may be searching for a very specific item in a geographic location, and pretty soon you can identify who that person is.

Data Triangulation Turns PII into PI

A classic case of this happening was the AOL data scandal of 2006. This initially involved the authorised release of a large volume of “anonymised” search query data – intended for research purposes. However, New York Times  journalists (and others) were able to analyse this and subsequently identify individuals by data triangulation.

Put simply, I do not know of a single commercial website that does not collect PII at some level. If not, what would be the point of having a website? It is also expected by users/visitors as standard practice, so nothing wrong with collecting PII per se. However, as a website owner (or DPO) you must determine, and be able to verify, if consent from your website visitors is required in order to track them. Essentially, taking no action on this point is simply not an option.

Consent Flow Chart – the options

As you can see, assuming you trade with the largest single trading block in the world, my middle blue section is the key to determining if you should be asking for consent, or not:

GDPR consent flow chart

IMPORTANT: Note that “Consent required” means explicit consent i.e. the visitor explicitly opts-in, not implied or assumed. And that means obtaining consent from EU visitors before you track them.

The examples of embedded scripts that send tracking pixels to 3rd-parties are only the common ones – there are potentially thousands more!

What About Google Analytics…?

From my last post (Google Analytics, GDPR and Consent), I recommend you request consent to track your web visitors by default. If you don’t do this, then the onus is on you to verify consent is not required by auditing ALL the tracking pixels on ALL your pages (and do this regularly to confirm compliance). That is doable, but a huge undertaking.

My reason for requesting consent by default is that the GDPR is applicable to your organisation and therefore its website(s) as a whole. The law is not specific to any tool or technology used for tracking. If, by auditing all potential pixels you are able to confirm that no other tracking collects PII on your website (or if there are, each one is compliant), the Google Analytics position is as follows:

European Union user consent policy

When using Google Analytics Advertising Features, you must also comply with the European Union User Consent Policy.

Taken from: Policy requirements for Google Analytics Advertising Feature

What are the Google Analytics Advertising features?
These include Demographics and Interest ReportsRemarketing with GA and DCM Integration. The reasoning is that these features require the use of 3rd-party cookies i.e. the sharing of data with organisations other than the website being visited itself. Hence the privacy implications.

Summary of Google’s Advice:
If you use these Advertising features in GA, you must request explicit consent. If you do not, then you don’t.

Conclusions

1. When it comes to website data, GDPR is clear in that the law is applicable not just to personal data i.e. the obvious types: name, email address etc., it also applies to personally identifiable information (PII). These are data points that at first glance appear benign, but when combined with other “benign” data i.e. triangulated, they can identify an individual.

2. Every commercial website collects PII at some level (possibly every website does), hence my interpretation of the GDPR is that website owners request explicit consent from all EU visitors, and before tracking begins.

3. GDPR is not specific to any tool or technology. Therefore, unless you can verify that ALL tracking scripts are compliant, or can verify that the only tracking pixel on your website is Google Analytics and its setup does not include Google’s advertising features, then you need to request tracking consent from your visitors.

4. Although the GDPR is specific to EU citizens wherever they may roam, in my opinion this is very likely to become a global data standard. After all, many have said that data is the new currency. Hence just like the financial markets, regulation is required and indeed desired by the vast majority of ordinary people – not jus from within the EU.

BTW, if you are interested in what I am building in this space – an automated GA data auditing tool – visit verified-data.com.

Share Button

Comments (most recent first)

  1. Martin says:

    “Are your visitors connecting from the EU?” Is not really the correct question because (as you say in conclusion 4) its EU citizenship not location that is important to GDPR. So a German businessman in Singapore needs a banner and a US businesswoman visiting Spain does not.

    In practice this probably means everyone needs a banner regardless of IP as there is no way to know citizenship otherwise.

  2. Jacob says:

    I’m not sure I 100% agree with your Google Analytics recommendation. Would’nt you be home safe with ip anonymization, because nothing else sent to GA are PII, and cannot be stringed together without the specific ip?

    • Hello Jacob – Bear in mind GDPR is not tool specific…

      Assuming GA is the only tracking pixel on a site, then I am simply reflecting Google’s own advice (see link). That is, if you enable their ad features you are sharing data with 3rd-parties, and that requires consent.

      AnonymiseIP is a good thing to have by default (and I will be publishing a study soon on the impact of it), though it is Google’s tracking cookie (clientID) that is user/device specific. Hence why you can see individual users in the User Explorer report regardless of whether anonymiseIP is used.

Leave a Reply

Your email address will not be published. Required fields are marked *

Anti-spam question (required):

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© Brian Clifton 2018
Best practice privacy statement