Phil Pearce provides a summary of key points about the General Data Protection Regulation (GDPR) and steps for compliance. Some of the major changes under GDPR include higher fines for non-compliance, expanded definitions of personal information, and requirements for consent. Phil outlines settings to make in Google Analytics and Google Tag Manager to comply with GDPR, including disabling remarketing and IP anonymization. He also discusses privacy policy updates, supplier contracts, and automated health checks to monitor compliance.

1. BlackHat Analytics 4:
May the 25th be with you

2. #MeasureCamp @philpearce
Web Analytics
Exchange mentor
750 GA
questions answered
Tracking
protection group
(DNT)
Welcome
Phil Pearce
Analytics Expert & Master of the Dark Arts
Accelerate-Agency.com
@philpearce
linkedin.com/in/philpearce

3. Just a quick Leia Disclaimer...
#SPWK @philpearce
I`m not her!

4. Ask my brother
instead...
#SPWK @philpearce
Or consult your
Leia council

5. Blackhat Analytics
Summary
1. Inbalance: Reason behind GDPR
2. PERC vs GDPR: whats changed?
• Fines
• PI definitions
3. Jedi Training: Steps to be Compliant
• Vendor Settings
• Script Settings
• CMS plugins
• Privacy policy changes
• Supplier Contracts
4. Checklist
5. Take aways
#SPWK @philpearce

6. A long time ago...
…or about 6 light years ago to be precise!

7. Cookie Law
in 2012...

9. now...
GDPR

11. Don’t panic…
...I have seen a vision of your future

12. Generalisation…

13. 2 Strikes… before fine
For any new law… there will be a grace period
to account for accidental non-compliance or to
give large enterprise time to adjust their systems

14. Expect lots of Craziness
before 25th May!

15. Before things return to normal

16. Before things return to normal

17. Begin craziness…

18. PERC vs GDPR
PERC GDPR
IP Address Not personal data Personal Data
UserID Not personal data Personal Data
TransactionID Not personal data Personal Data
Cookie Identifier Not personal data Personal Data
Device Signature Not personal data Personal Data
Standardisation Different in EU countries Harmonised Across EU
Charge for Subject
Access Request
£10 Free
Max fine £500,000 £17,500,000

19. £17,500,000
or
4% global revenue

20. GDPR in 2mins
bit.ly/gdpr-videos2

21. Ouch! The privacy police just got
handed a giant stick!

22. How to avoid being fined…
Principles…
1. Notify & provide reason for data collection
2. Allow users to View/Edit/Delete their data
3. Special Categories of Data require Consent
4. Consent must be Pro-active tickbox
5. Any financial decision based on user-data
must have consent, such as pricing
personalisation

23. GA settings
Never Delete GA Events and PageURLs
setting… aka don’t expire…

24. GA settings

25. Add Address and Contact for the
DPO in your organisation

26. PII safeguards
…to prevent GA account deletion!

27. PII detection
Quick Test
1. Email
[a-zA-Z0-9_.-]+(@|%40) [da-zA-Z.-]+.[a-zA-Z.]{2,6}
2. IP_address
^([0-9]+.){3}[0-9]+$
Source: www.cardinalpath.com/what-you-need-to-know-about-google-analytics-personally-identifiable-
information/

28. PII prevention filters
PP01: TidyURL - Replace email with EMAIL-OBFUSCATED-BY-
FILTER@gmail.com
URL (.*?)(=|%3D)([a-zA-Z0-9_.+-]+(@|%40)[a-zA-Z0-9-
]+.[a-zA-Z0-9-.]+)($|&.+)
Output URL $A1=EMAIL-OBFUSCATED-BY-FILTER@gmail.com$A5
PP02: Tidy EventLabel - Replace email with EMAIL-OBFUSCATED-BY-
FILTER@gmail.com
EventLabel (.*?)(=|%3D)([a-zA-Z0-9_.+-]+(@|%40)[a-zA-Z0-
9-]+.[a-zA-Z0-9-.]+)($|&.+)
Output EventLabel $A1=EMAIL-OBFUSCATED-BY-
FILTER@gmail.com$A5

29. Generic PII exclude params
email, emailAddress, clientEmailAddress, Username, postCode, mac, oldPassword,
password, password_confirmation, regCode, username, username_confirm,
signin[username], signin[runas], signin, sign_in, conf, gpid, obem, inf_contact_key,
user_id, userId, username1, frmUsername, nickName, qz_user_name, url_mac,
Email, email, mail, MAIL, feedback_email, newEmailAddress, newemailaddress,
emailAddress, emailaddress, recipientName, recipientEmail, MMDB_ID, mmdb_id,
EMAIL_ID, email_id, email[body], email[subject], interaction[email], interaction[name],
CVC_M1RSUBNM, CVC_M1RADDR1, CVC_M1RADDR2, CVC_M1RCITY,
CVC_M1RSTATE, CVC_M1RCTRYC, CVC_M1RZIP, CVC_M1REMAIL,
CVC_M1RTACCT, MSRSUBNM, MSRADDR1, MSRADDR2, WESCITY,
WESSTATE, WESZIP, MSREMAIL, Name, selectedAddress, selectedAddres_0,
selectedAddres_1, selectedAddres_2, selectedAddres_3, selectedAddres_4,
selectedAddresSize, Address1, Address2, City, State, Zip, zipcode, qz_user_country,
state, oauth_token, oauth_verifier, rptregcta, rptregcampaign, nickName,
selectedAddress, username1, frmUsername, mac_address, username, password,
login, firstName, lastName, payerName, street, city, country, zipCode, payerEmail,
email, rfemail, rflogin, login, PayerID, user

30. GTM
Accept GDPR
AnnonIP
CD20 for consent
CD19 for consentTimeStamp
2year to 1.5yr cookie
Disabled Remarketing
non-loggined
new users
IP resolves to EU

31. Tick this box
Secure logins

32. GTM user access audit
See actual audit here.

33. Conditionally disabled Remarketing
via GTM…
bit.ly/2IxMKRt

34. Right to Be forgotten

35. Right to Be forgotten

36. Privacy Policy page updates
Opt-out links
Subject Access mailto or deletion request

37. Adwords
Remarketing cookie durations
CustomerMatch

38. Facebook
Remarketing cookie durations
CustomerMatch

39. Email
1. IP match to EU
2. .co.uk et al email extension matched to EU

40. Breach notification
http://en.wikipedia.org/wiki/Data_breach
http://www.symantec.com/content/de/de/about/downloads/press/2010_annual_study.pdf
PII`s data
sucked-out
from
exposed
servers!
Companies must
notify DPA within
reasonable amount
of time, but not
(currently) obligated
to notify public!

41. Contracts for Suppliers
bit.ly/gdpr-supplier-contract

42. Mistakes to avoid implementing
1. Mobile popups
2. Asking for consent on Newsletters
3. Triggering Adwords pop-up on
landing page cpc fine
4. Asking users in China or USA for
consent
5. Excessively confusing pop-ups

43. Automatically monitoring &
enforcement of the system.
aka Automatic “Health checks”

44. Example…

45. Imperial
Durnt, durnt, durnt… durnt, dan ner!
External Feedback mechanism

46. Google Adwords privacy cpc tax
SSL as ranking signal SERP ranking
organic bonus.
Google “trusted stores” program
Note: See “Privacy as a ranking factor slides” and TrustFactor video.

47. Training and Checklist

48. Light Score
1. Do you have a Privacy Policy? +1
2. Do you link to Privacy Policy on global footer(or header) try.powermapper.com +1
3. HTML links on Privacy Policy:
• Do you mention you use cookies OR link to “How Google uses cookie data“
www.google.com/policies/privacy/partners/ +0.25
• Do you mention the word “Do Not Track” or DNT on privacy policy +0.25
• Link to GA opt-out plugin OR GA opt-out page +0.25
• Link to DoubleClick remarketing opt-out OR Adchoices link +0.25
4. Has your Privacy Policy has been updated within the last 12months +1
5. If your using session recording (e.g. ClickTale) have you set sensitive fields to either
type=password OR have relevant class: <input id="CreditCardPin" class="tracking-
sensitive ClickTaleSensitive -metrika-nokeys“type="text"> +1
6. Is AnonymiseIP enabled for EU Visitors +1
7. Is GTM`s 2 stage authentication login setting enabled OR similar TMS setting +1
8. Do you have a GA custom email alert for URLs containing “@” or “@gmail” +1
9. GA exclude traffic from robot setting is enabled +1
10.You have actioned atleast one GA heathcheck alert +1
Ref: www.google.com/analytics/terms/us.html
[n] / 10

49. Force Rankings:
Make a note of your Light score

50. Darkness and the
Light - scorings
10 Yoda
6-8 Luke
3-5 Leia
0-2 Chewbacca
0 Neutral Zone
- 0-2 Darth Maul
- 3-5 Count Dooku
- 6-8 Darth Vader
- 10 Darth Sideous
Light
score
-

51. Dark Score
1. 3rd party cookies are being deployed on your website -1
2. Have not enable frequency capping on Display network -1
3. UserID tracking is enabled, but not declared to users on privacy page.
4. GA`s data append via CSV upload (dimension widening) for userID as a
customDimension using sensitive data (e.g. Financial grouping/status
based on users postcode/address) -1
5. Using Device Signature (Android App only) -1
6. Email address stored in GA url report -1
7. Storing passwords in GA URL report -1
8. Respawn of users sessionID cookie, after the user tries to clear cookie -1
9. Using any of the techniques mentioned on evercookie -1
10.Using opt-in ClickJacking to install a trojan virus -100
[n] / 10

52. Force Rankings:
Make a note of your Dark score

53. Darkness and the
Light - scorings
10 Yoda
6-8 Luke
3-5 Leia
0-2 Chewbacca
0 Neutral Zone
- 0-2 Darth Maul
- 3-5 Count Dooku
- 6-8 Darth Vader
- 10 Darth Sideous
Light
score
Dark
Score
- -

54. Now:
Light Score - Dark score =
Actual score

55. Darkness and the
Light - scorings
10 Yoda
6-8 Luke
3-5 Leia
0-2 Chewbacca
0 Neutral Zone
- 0-2 Darth Maul
- 3-5 Count Dooku
- 6-8 Darth Vader
- 10 Darth Sideous
Light
score
Dark
Score
Sum
of both
- - -

56. Malintent Accidental
Bad
Good
Overall Score?
-10
+10

57. If you got a dark score join these…
 “MOA code of conduct” or “DAA code of ethics” will eventually introduce
one
www.digitalanalyticsassociation.org/codeofethics
www.moaweb.nl/Richtlijnen/internationale-gedragscodes-en-richtlijnen/2012-09-17%20GRBN%20Code%20Comparison.pdf/view

58. Thanks & Questions
#SPWK @philpearce

59. Links to resources
GDPR video playlist
https://www.youtube.com/watch?v=PMHO2T1p0g8&index=68&list=PL45AABD8BB96D3785&t=0s
CookieLaw video playlist
https://www.youtube.com/playlist?list=PL45AABD8BB96D3785
checklist
https://www.omnisend.com/blog/gdpr-for-ecommerce-definitive-guide-free-gdpr-checklist/
essentials blog post by webguild
https://www.thewebguild.org/news/gdpr-essentials-for-web-developers-and-site-owners
post on GooglePlus
https://plus.google.com/u/0/+StephaneHamel-immeria/posts/YcnrmoQQpT4
GDPR view by a marketer
https://www.portent.com/blog/internet-marketing/gdpr-29-things-marketers-must-know.htm
vendor - HotJar Webinar
https://www.hotjar.com/privacy/gdpr-compliance-with-hotjar-webinar
vendor - WooCommerce
https://woocommerce.com/2017/12/gdpr-compliance-woocommerce/
GDPR supplier template
http://bit.ly/gdpr-supplier-contract

60. Login security

61. Watch this video
A link to the video is here.

62. Install this App

63. Verify App

64. Print backup codes
123
999
xxx

65. Tick this box
Now you can...

66. Thanks from Phil the
Analytics Adventurer