Blackhat Analyics 4: May the 25th be with you!

BlackHat Analytics 4:
May the 25th be with you

#MeasureCamp @philpearce
Web Analytics
Exchange mentor
750 GA
questions answered
Tracking
protection group
(DNT)
Welcome
Phil Pearce
Analytics Expert & Master of the Dark Arts
Accelerate-Agency.com
@philpearce
linkedin.com/in/philpearce

Just a quick Leia Disclaimer...
#SPWK @philpearce
I`m not her!

Ask my brother
instead...
#SPWK @philpearce
Or consult your
Leia council

Blackhat Analytics
Summary
1. Inbalance: Reason behind GDPR
2. PERC vs GDPR: whats changed?
• Fines
• PI definitions
3. Jedi Training: Steps to be Compliant
• Vendor Settings
• Script Settings
• CMS plugins
• Privacy policy changes
• Supplier Contracts
4. Checklist
5. Take aways
#SPWK @philpearce

A long time ago...
…or about 6 light years ago to be precise!

Don’t panic…
...I have seen a vision of your future

2 Strikes… before fine
For any new law… there will be a grace period
to account for accidental non-compliance or to
give large enterprise time to adjust their systems

Expect lots of Craziness
before 25th May!

Before things return to normal

PERC vs GDPR
PERC GDPR
IP Address Not personal data Personal Data
UserID Not personal data Personal Data
TransactionID Not personal data Personal Data
Cookie Identifier Not personal data Personal Data
Device Signature Not personal data Personal Data
Standardisation Different in EU countries Harmonised Across EU
Charge for Subject
Access Request
£10 Free
Max fine £500,000 £17,500,000

£17,500,000
or
4% global revenue

GDPR in 2mins
bit.ly/gdpr-videos2

Ouch! The privacy police just got
handed a giant stick!

How to avoid being fined…
Principles…
1. Notify & provide reason for data collection
2. Allow users to View/Edit/Delete their data
3. Special Categories of Data require Consent
4. Consent must be Pro-active tickbox
5. Any financial decision based on user-data
must have consent, such as pricing
personalisation

GA settings
Never Delete GA Events and PageURLs
setting… aka don’t expire…

Add Address and Contact for the
DPO in your organisation

PII safeguards
…to prevent GA account deletion!

PII detection
Quick Test
1. Email
[a-zA-Z0-9_.-]+(@|%40) [da-zA-Z.-]+.[a-zA-Z.]{2,6}
2. IP_address
^([0-9]+.){3}[0-9]+$
Source: www.cardinalpath.com/what-you-need-to-know-about-google-analytics-personally-identifiable-
information/

PII prevention filters
PP01: TidyURL - Replace email with EMAIL-OBFUSCATED-BY-
FILTER@gmail.com
URL (.*?)(=|%3D)([a-zA-Z0-9_.+-]+(@|%40)[a-zA-Z0-9-
]+.[a-zA-Z0-9-.]+)($|&.+)
Output URL $A1=EMAIL-OBFUSCATED-BY-FILTER@gmail.com$A5
PP02: Tidy EventLabel - Replace email with EMAIL-OBFUSCATED-BY-
FILTER@gmail.com
EventLabel (.*?)(=|%3D)([a-zA-Z0-9_.+-]+(@|%40)[a-zA-Z0-
9-]+.[a-zA-Z0-9-.]+)($|&.+)
Output EventLabel $A1=EMAIL-OBFUSCATED-BY-
FILTER@gmail.com$A5

Generic PII exclude params
email, emailAddress, clientEmailAddress, Username, postCode, mac, oldPassword,
password, password_confirmation, regCode, username, username_confirm,
signin[username], signin[runas], signin, sign_in, conf, gpid, obem, inf_contact_key,
user_id, userId, username1, frmUsername, nickName, qz_user_name, url_mac,
Email, email, mail, MAIL, feedback_email, newEmailAddress, newemailaddress,
emailAddress, emailaddress, recipientName, recipientEmail, MMDB_ID, mmdb_id,
EMAIL_ID, email_id, email[body], email[subject], interaction[email], interaction[name],
CVC_M1RSUBNM, CVC_M1RADDR1, CVC_M1RADDR2, CVC_M1RCITY,
CVC_M1RSTATE, CVC_M1RCTRYC, CVC_M1RZIP, CVC_M1REMAIL,
CVC_M1RTACCT, MSRSUBNM, MSRADDR1, MSRADDR2, WESCITY,
WESSTATE, WESZIP, MSREMAIL, Name, selectedAddress, selectedAddres_0,
selectedAddres_1, selectedAddres_2, selectedAddres_3, selectedAddres_4,
selectedAddresSize, Address1, Address2, City, State, Zip, zipcode, qz_user_country,
state, oauth_token, oauth_verifier, rptregcta, rptregcampaign, nickName,
selectedAddress, username1, frmUsername, mac_address, username, password,
login, firstName, lastName, payerName, street, city, country, zipCode, payerEmail,
email, rfemail, rflogin, login, PayerID, user

GTM
Accept GDPR
AnnonIP
CD20 for consent
CD19 for consentTimeStamp
2year to 1.5yr cookie
Disabled Remarketing
non-loggined
new users
IP resolves to EU

GTM user access audit
See actual audit here.

Conditionally disabled Remarketing
via GTM…
bit.ly/2IxMKRt

Privacy Policy page updates
Opt-out links
Subject Access mailto or deletion request

Adwords
Remarketing cookie durations
CustomerMatch

Facebook
Remarketing cookie durations
CustomerMatch

Email
1. IP match to EU
2. .co.uk et al email extension matched to EU

Breach notification
http://en.wikipedia.org/wiki/Data_breach
http://www.symantec.com/content/de/de/about/downloads/press/2010_annual_study.pdf
PII`s data
sucked-out
from
exposed
servers!
Companies must
notify DPA within
reasonable amount
of time, but not
(currently) obligated
to notify public!

Contracts for Suppliers
bit.ly/gdpr-supplier-contract

Mistakes to avoid implementing
1. Mobile popups
2. Asking for consent on Newsletters
3. Triggering Adwords pop-up on
landing page cpc fine
4. Asking users in China or USA for
consent
5. Excessively confusing pop-ups

Automatically monitoring &
enforcement of the system.
aka Automatic “Health checks”

Imperial
Durnt, durnt, durnt… durnt, dan ner!
External Feedback mechanism

Google Adwords privacy cpc tax
SSL as ranking signal SERP ranking
organic bonus.
Google “trusted stores” program
Note: See “Privacy as a ranking factor slides” and TrustFactor video.

Light Score
1. Do you have a Privacy Policy? +1
2. Do you link to Privacy Policy on global footer(or header) try.powermapper.com +1
3. HTML links on Privacy Policy:
• Do you mention you use cookies OR link to “How Google uses cookie data“
www.google.com/policies/privacy/partners/ +0.25
• Do you mention the word “Do Not Track” or DNT on privacy policy +0.25
• Link to GA opt-out plugin OR GA opt-out page +0.25
• Link to DoubleClick remarketing opt-out OR Adchoices link +0.25
4. Has your Privacy Policy has been updated within the last 12months +1
5. If your using session recording (e.g. ClickTale) have you set sensitive fields to either
type=password OR have relevant class: <input id="CreditCardPin" class="tracking-
sensitive ClickTaleSensitive -metrika-nokeys“type="text"> +1
6. Is AnonymiseIP enabled for EU Visitors +1
7. Is GTM`s 2 stage authentication login setting enabled OR similar TMS setting +1
8. Do you have a GA custom email alert for URLs containing “@” or “@gmail” +1
9. GA exclude traffic from robot setting is enabled +1
10.You have actioned atleast one GA heathcheck alert +1
Ref: www.google.com/analytics/terms/us.html
[n] / 10

Force Rankings:
Make a note of your Light score

Darkness and the
Light - scorings
10 Yoda
6-8 Luke
3-5 Leia
0-2 Chewbacca
0 Neutral Zone
- 0-2 Darth Maul
- 3-5 Count Dooku
- 6-8 Darth Vader
- 10 Darth Sideous
Light
score
-

Dark Score
1. 3rd party cookies are being deployed on your website -1
2. Have not enable frequency capping on Display network -1
3. UserID tracking is enabled, but not declared to users on privacy page.
4. GA`s data append via CSV upload (dimension widening) for userID as a
customDimension using sensitive data (e.g. Financial grouping/status
based on users postcode/address) -1
5. Using Device Signature (Android App only) -1
6. Email address stored in GA url report -1
7. Storing passwords in GA URL report -1
8. Respawn of users sessionID cookie, after the user tries to clear cookie -1
9. Using any of the techniques mentioned on evercookie -1
10.Using opt-in ClickJacking to install a trojan virus -100
[n] / 10

Force Rankings:
Make a note of your Dark score

Darkness and the
Light - scorings
10 Yoda
6-8 Luke
3-5 Leia
0-2 Chewbacca
0 Neutral Zone
- 0-2 Darth Maul
- 3-5 Count Dooku
- 6-8 Darth Vader
- 10 Darth Sideous
Light
score
Dark
Score
- -

Now:
Light Score - Dark score =
Actual score

Darkness and the
Light - scorings
10 Yoda
6-8 Luke
3-5 Leia
0-2 Chewbacca
0 Neutral Zone
- 0-2 Darth Maul
- 3-5 Count Dooku
- 6-8 Darth Vader
- 10 Darth Sideous
Light
score
Dark
Score
Sum
of both
- - -

Malintent Accidental
Bad
Good
Overall Score?
-10
+10

If you got a dark score join these…
 “MOA code of conduct” or “DAA code of ethics” will eventually introduce
one
www.digitalanalyticsassociation.org/codeofethics
www.moaweb.nl/Richtlijnen/internationale-gedragscodes-en-richtlijnen/2012-09-17%20GRBN%20Code%20Comparison.pdf/view

Thanks & Questions
#SPWK @philpearce

Links to resources
GDPR video playlist
https://www.youtube.com/watch?v=PMHO2T1p0g8&index=68&list=PL45AABD8BB96D3785&t=0s
CookieLaw video playlist
https://www.youtube.com/playlist?list=PL45AABD8BB96D3785
checklist
https://www.omnisend.com/blog/gdpr-for-ecommerce-definitive-guide-free-gdpr-checklist/
essentials blog post by webguild
https://www.thewebguild.org/news/gdpr-essentials-for-web-developers-and-site-owners
post on GooglePlus
https://plus.google.com/u/0/+StephaneHamel-immeria/posts/YcnrmoQQpT4
GDPR view by a marketer
https://www.portent.com/blog/internet-marketing/gdpr-29-things-marketers-must-know.htm
vendor - HotJar Webinar
https://www.hotjar.com/privacy/gdpr-compliance-with-hotjar-webinar
vendor - WooCommerce
https://woocommerce.com/2017/12/gdpr-compliance-woocommerce/
GDPR supplier template
http://bit.ly/gdpr-supplier-contract

Watch this video
A link to the video is here.

Print backup codes
123
999
xxx

Thanks from Phil the
Analytics Adventurer

Blackhat Analyics 4: May the 25th be with you!

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Blackhat Analyics 4: May the 25th be with you!

Similar to Blackhat Analyics 4: May the 25th be with you! (20)

More from Phil Pearce

More from Phil Pearce (19)

Recently uploaded

Recently uploaded (20)

Blackhat Analyics 4: May the 25th be with you!