Understanding GDPR Compliance:
GDPR Analytics Tools
We've covered this before, even before the data protection law was being enforced, offering
advice on steps to be GDPR ready to website owners. Yet, many entrepreneurs, website
owners, and startup teams still ignore GDPR or do not know how to fully handle it.
Disclaimer: if you are unsure whether your business is implementing GDPR correctly,
please also consult an attorney specializing in such matters.
In the current context, this has become extremely dangerous, as we are beginning to see
heavy fines for several companies, big and small, if they don't stick to standards for data
privacy. Please note that any online business and website that is accessible to EU citizens,
regardless of the country they are operating from, has to comply with the same
standards.
Therefore, companies outside of Europe must also be on alert.
What is GDPR and what does it mean for website operators?
GDPR consists of a set of regulations that act as law in all situations when the personal user
data of EU citizens is being handled by companies or other organizations. According to this
regulation, all individuals who, voluntarily or unknowingly, give personal information to a
company, through any sort of contact, must give explicit informed consent for the gathering,
storing and processing of that data.
The type of personal data whose processing
requires user consent includes:
● names,
● contact information,
● location,
● health status,
● interests,
● demographical data.
In the informed consent lies the obligation to
inform individuals on the type of data being
gathered, how and for how long it will be
stored and to what purpose.
Moreover, you need to provide individuals with access to their personal data, on request, and
make sure you have data security in place.
The data must be protected from being stolen and misused. In case of data breaches, as a
company, you should have procedures in place to notify all those concerned. This applies to
all business conducted online, as well as offline.
But for those who work online, the situation is much more complicated than for businesses
that primarily act offline. There are various parties interested and involved in the process of
data collection online. It is not only the website operator itself that may be gathering
information on visitors and customers, but other third parties too, mostly for
advertising purposes.
Web tracking apps or web analytics tools fall
into that category, starting with the most
famous one of all, which is Google Analytics.
Remember that the website operator needs
to make sure that he has explicit, distinct
ways to inform the user about all the
different types of data being gathered, as
well as who is gathering them.
These rules are not to be taken lightly. Some website owners have
made use of simple pre-ticked boxes, to give some sort of informed
consent to users entering their websites.
Others have created just one GDPR box, grouping several provisions
behind the same button, without specifying all the ways the data
would be used. These two cases do not comply with the standards
and will not save website owners from getting fined.
Instead, every third party has to have a clear separate “I agree”
section right at the first contact the user has with the landing page,
which the visitors may or may not tick.
Pre-ticked boxes are not GDPR compliant.
What is the consequence of GDPR regulations for Google Analytics?
The consequences for the digital giant are potentially devastating. In recent weeks and
months, website operators in Germany who are using Google Analytics have been under fire.
According to Datenschutzbeauftragter, there are already an estimated 200,000 reports
nationwide against web operators that are not properly disclosing the use of data by this
particular third party.
This is a true headache for website operators that are trying to implement this disclosure.
How will they handle the situations when users do not tick the box next to the Google
Analytics data processing agreement? It could well be a technical and legal challenge. We
cannot expect them all to be legal experts, nor can we expect that they all afford legal advice.
Complying with GDPR may have been a nightmare for many. As if GDPR were not enough, now
there is the issue of using GDPR-compliant analytics.
In this context, a climate of fear may be settling in. Rather than risk heavy fines for the
activities of a third party, could it be that website operators will, at least temporarily, suspend
their Google Analytics accounts? What alternatives do they have? If they take a closer
look at current regulations, they may find some. Sometimes the devil is in the little details.
Some authorities have stressed the fact that
the situations being investigated are those
when:
“third-party services integrated into
websites also use the data collected for
their own purposes”.
(Ulrich Kelber, data protection official in
Germany)
This may refer to Google Analytics, who, at least for the time being, use personal data not
only in the interest of their customers, but also to cross and intersect data from one
Google service to another. This, of course, has to do with their interests in terms of paid
services, such as advertising. But, if we take this interpretation of the law to be true, then
there are other ways for website owners to get GDPR analytics.
One way is to look for other analytics tools, which are simply not connected to advertising
services and do not share the data with any other third party. If the sole purpose of the
analytics tool is to generate aggregated, anonymized data for their customers, then no
additional informed consent should be required. And there is no shortage of analytics tools
out there, but how can we differentiate between those who are 100% GDPR compliant
and those who are not?
Things to consider when choosing a GDPR compliant alternative to Google Analytics
If, as a website operator, you decide
that Google Analytics is too much of a
liability or a hassle to fit it in your
GDPR provisions, you could start
looking for an alternative.
If or when you do this, consider the
following (disclaimer: keep in mind
that this is not official legal advice. If
in doubt, consult an attorney):
● Do some research to answer the
question: does this tool have its own
tracking system, or is it based on the
Google Analytics code?
Many tools just add their own graphics and
user experience to the data provided to them
by Google Analytics. While they may look
different, the issues surrounding data
privacy, data processing and GDPR
requirements are the same.
● Make sure that the new tool has a Data
Processing Agreement and take some
time to read it
● In the Data Processing Agreement,
look for the provision that the
analytics tool processes personal
data only to the extent, and in such
a manner, as is reasonably
necessary for the purposes of the
contract you have with them.
This ensures that they cannot use the
data for their own purposes, thus
making them completely GDPR compliant,
without the need for you to ask your users
for separate consent. See an example
below, from the Data Processing
Agreement of Visitor Analytics
● Contact the providers of the tool
and sign the DPA (Data Processing
Agreement) with them. This should
be done for all third-party apps you
are using, not just analytics.
● Make sure the data used is
pseudonymized and that there are
options to opt-out of tracking.
● Check to see access provisions to
the database.
You need this to be able to provide the
right to access to your users if they
should request it. Keep in mind that if
anyone in your lists/database wants to
obtain from you the confirmation as to
whether or not personal data concerning
them are being processed, where and for
what purpose, you have to respond and
shall provide a copy of the personal data,
free of charge, in an electronic format.
● Check to see if there is an option to
delete data, as some of your users
may request that. In all fairness,
Google Analytics has also taken steps
to comply with this measure and you
are now able to delete views and
visitors. Visitor Analytics also offers this
option.
● Also check data retention settings. For
how long will the analytics tool
provider (data processor) keep the
data on individual users? Google
Analytics now gives the option to
control retention.
● Is the analytics tool of your choice
ISO 27001 certified? This is a
certification of the fact that the
organization keeps information assets
secure.
● Last but not least, check provisions
about the ownership of the data. Try
to find an analytics tool that gives you
ownership of the data.
See the "control over data" section in the
Visitor Analytics GDPR compliance overview
for a good practice example.
An example of how data ownership should be defined
Why do we need GDPR in the first place?
Before this regulation was effective, the rules governing the collection and use of personal
data were much more relaxed. As a consequence, there were cases when personal data such
as name, address, phone number or other sensitive information would be mishandled,
easily misappropriated or even sold from one company to another, without the
knowledge and consent of the individual.
This could have a very serious impact on any given individual's private life. One thing that
would often happen is that you could more easily be targeted by marketers, including through
intrusive advertising.
Other, more serious consequences involve stolen identities. Health providers were
(and sometimes still are) a favorite target for those who want to misuse personal
data. For example, a criminal might file a fraudulent tax return or apply for a credit card using
the data leaked from a hospital data breach. In this context, it was felt that data privacy and
protection should be taken more seriously.
If you want to find out more about
how we, at Visitor Analytics,
comply with GDPR, here are some
nice reads to consider on this
topic:
● Our GDPR Commitment — a page about
GDPR and how we comply and
safeguard personal data.
● A Data Processing Agreement & Cookie
Information — You can find it (and sign it)
in your Visitor Analytics Settings.
● A short article about our updates &
changes under GDPR
● An article about the ISO 27001 certification
● An article about what you should add in
your Privacy Policy in order to be
GDPR-compliant.
● Everything about our Terms of use

SOCRadar Germany 2024 Threat Landscape ReportSOCRadar Germany 2024 Threat Landscape Report
SOCRadar Germany 2024 Threat Landscape Report
 
Investigate & Recover / StarCompliance.io / Crypto_Crimes
Investigate & Recover / StarCompliance.io / Crypto_CrimesInvestigate & Recover / StarCompliance.io / Crypto_Crimes
Investigate & Recover / StarCompliance.io / Crypto_Crimes
 
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
 
Malana- Gimlet Market Analysis (Portfolio 2)
Malana- Gimlet Market Analysis (Portfolio 2)Malana- Gimlet Market Analysis (Portfolio 2)
Malana- Gimlet Market Analysis (Portfolio 2)
 
一比一原版(YU毕业证)约克大学毕业证成绩单
一比一原版(YU毕业证)约克大学毕业证成绩单一比一原版(YU毕业证)约克大学毕业证成绩单
一比一原版(YU毕业证)约克大学毕业证成绩单
 
一比一原版(TWU毕业证)西三一大学毕业证成绩单
一比一原版(TWU毕业证)西三一大学毕业证成绩单一比一原版(TWU毕业证)西三一大学毕业证成绩单
一比一原版(TWU毕业证)西三一大学毕业证成绩单
 
Predicting Product Ad Campaign Performance: A Data Analysis Project Presentation
Predicting Product Ad Campaign Performance: A Data Analysis Project PresentationPredicting Product Ad Campaign Performance: A Data Analysis Project Presentation
Predicting Product Ad Campaign Performance: A Data Analysis Project Presentation
 

Understanding GDPR compliance: GDPR analytics tools

  • 2. We've covered this before, even before the data protection law was being enforced, offering website owners advice on steps to become GDPR ready. Yet, many entrepreneurs, website owners, and startup teams still ignore GDPR or do not know how to fully handle it. Disclaimer: if you are unsure whether your business is implementing GDPR correctly, please also consult an attorney specializing in such matters. In the current context, this has become extremely dangerous, as we are beginning to see heavy fines for several companies, big and small, that don't stick to standards for data privacy. Please note that any online business and website that is accessible to EU citizens, regardless of the country they are operating from, has to comply with the same standards. Therefore, companies outside of Europe must also be on alert.
  • 3. What is GDPR and what does it mean for website operators? GDPR consists of a set of regulations that act as law in all situations when the personal user data of EU citizens is being handled by companies or other organizations. According to this regulation, all individuals who, voluntarily or unknowingly, give personal information to a company, through any sort of contact, must give explicit informed consent for the gathering, storing and processing of that data.
  • 4. What is GDPR and what does it mean for website operators? GDPR consists of a set of regulations that act as law in all situations when the personal user data of EU citizens is being handled by companies or other organizations. According to this regulation, all individuals who, voluntarily or unknowingly, give personal information to a company, through any sort of contact, must give explicit informed consent for the gathering, storing and processing of that data.
  • 5. What is GDPR and what does it mean for website operators? The type of personal data whose processing requires user consent includes: ● names, ● contact information, ● location, ● health status, ● interests, ● demographic data. In the informed consent lies the obligation to inform individuals about the type of data being gathered, how and for how long it will be stored, and for what purpose.
  • 6. Moreover, you need to provide access to one's personal data, on request, as well as to make sure you have data security in place. The data must be protected from being stolen and misused. In case of data breaches, as a company, you should have procedures in place to notify all those concerned. This applies to all business conducted online, as well as offline. But for those who work online, the situation is much more complicated than for businesses that primarily act offline. There are various parties interested and involved in the process of data collection online. It is not only the website operator itself that may be gathering information on visitors and customers, but other third parties too, mostly for advertising purposes.
  • 7. Web tracking apps or web analytics tools fall into that category, starting with the most famous one of all, which is Google Analytics. Remember that the website operator needs to make sure that he has explicit, distinct ways to inform the user about all the different types of data being gathered, as well as who is gathering them.
  • 8. These rules are not to be taken lightly. Some website owners have made use of simple pre-ticked boxes, to give some sort of informed consent to users entering their websites. Others have created just one GDPR box, grouping several provisions behind the same button, without specifying all the ways the data would be used. These two cases do not comply with the standards and will not save website owners from getting fined. Instead, every third party has to have a clear separate “I agree” section right at the first contact the user has with the landing page, which the visitors may or may not tick. Pre-ticked boxes are not GDPR compliant.
  • 9. What is the consequence of GDPR regulations for Google Analytics? The consequences for the digital giant are potentially devastating. In recent weeks and months, website operators in Germany who are using Google Analytics have been under fire. According to Datenschutzbeauftragter, there are already an estimated 200,000 reports nationwide against web operators that are not properly disclosing the use of data by this particular third party.
  • 10. This is a true headache for website operators that are trying to implement this disclosure. How will they handle the situations when users do not tick the box next to the Google Analytics data processing agreement? It could well be a technical and legal challenge. We cannot expect them all to be legal experts, nor can we expect that they can all afford legal advice. Complying with GDPR may have been a nightmare for many. If GDPR was not enough, now there is the issue of using GDPR compliant analytics. In this context, a climate of fear may be settling in. Rather than risk heavy fines for the activities of a third party, could it be that website operators will, at least temporarily, suspend their Google Analytics accounts? What alternatives do they have? If they take a closer look at current regulations, they may find some. Sometimes the devil is in the little details.
  • 11. Some authorities have stressed the fact that the situations being investigated are those when: “third-party services integrated into websites also use the data collected for their own purposes”. (Ulrich Kelber, data protection official in Germany)
  • 12. This may refer to Google Analytics, which, at least for the time being, uses personal data not only in the interest of its customers, but also to cross and intersect data from one Google service to another. This, of course, has to do with its interests in terms of paid services, such as advertising. But, if we take this interpretation of the law to be true, then there are other ways for website owners to get GDPR analytics. One way is to look for other analytics tools, which are simply not connected to advertising services and do not share the data with any other third party. If the sole purpose of the analytics tool is to generate aggregated, anonymized data for their customers, then no additional informed consent should be required. And there is no shortage of analytics tools out there, but how can we differentiate between those that are 100% GDPR compliant and those that are not?
  • 13. Things to consider when choosing a GDPR compliant alternative to Google Analytics: If, as a website operator, you decide that Google Analytics is too much of a liability or a hassle to fit into your GDPR provisions, you could start looking for an alternative. If or when you do this, consider the following (disclaimer: keep in mind that this is not official legal advice. If in doubt, consult an attorney):
  • 14. ● Do some research to answer the question: does this tool have its own tracking system, or is it based on the Google Analytics code? Many tools just add their own graphics and user experience to the data provided to them by Google Analytics. While they may look different, the issues surrounding data privacy, data processing and GDPR requirements are the same. ● Make sure that the new tool has a Data Processing Agreement and take some time to read it. ● In the Data Processing Agreement, look for the provision that the analytics tool processes personal data only to the extent, and in such a manner, as is reasonably necessary for the purposes of the contract you have with them. This ensures that they cannot use the data for their own purposes, thus making them completely GDPR compliant, without the need for you to ask your users for separate consent. See an example below, from the Data Processing Agreement of Visitor Analytics.
  • 15.
  • 16. ● Contact the providers of the tool and sign the DPA (Data Processing Agreement) with them. This should be done for all third-party apps you are using, not just analytics. ● Make sure the data used is pseudonymized and that there are options to opt-out of tracking. ● Check to see access provisions to the database. You need this to be able to provide the right to access to your users if they should request it. Keep in mind that if anyone in your lists/database wants to obtain from you the confirmation as to whether or not personal data concerning them are being processed, where and for what purpose, you have to respond and shall provide a copy of the personal data, free of charge, in an electronic format.
  • 17. ● Check to see if there is an option to delete data, as some of your users may request that. In all fairness, Google Analytics has also taken steps to comply with this measure and you are now able to delete views and visitors. Visitor Analytics also offers this option. ● Also check data retention settings. For how long will the analytics tool provider (data processor) keep the data on individual users? Google Analytics now gives the option to control retention. ● Is the analytics tool of your choice ISO 27001 certified? This is a certification of the fact that the organization keeps information assets secure. ● Last but not least, check provisions about the ownership of the data. Try to find an analytics tool that gives you ownership of the data. See the "control over data" section in the Visitor Analytics GDPR compliance overview for a good practice example.
  • 18. An example of how data ownership should be defined
  • 19. Why do we need GDPR in the first place? Before this regulation was effective, the rules governing the collection and use of personal data were much more relaxed. As a consequence, there were cases when personal data such as name, address, phone number or other sensitive information would be mishandled, easily misappropriated or even sold from one company to another, without the knowledge and consent of the individual.
  • 20. Why do we need GDPR in the first place? This could have a very serious impact on any given individual's private life. One thing that would often happen is you could more easily be targeted by marketers, including by the use of intrusive advertising. Other, more serious consequences would involve stolen identities. Health providers were (and sometimes still are) a preferred target for those who would want to misuse personal data. For example, a criminal might file a fraudulent tax return or apply for a credit card using the data leaked from a hospital data breach. In this context, it was felt that data privacy and protection should be taken more seriously.
  • 21. If you want to find out more about how we, at Visitor Analytics, comply with GDPR, here are some nice reads to consider on this topic: ● Our GDPR Commitment: a page about GDPR and how we comply and safeguard personal data. ● A Data Processing Agreement & Cookie Information: you can find it (and sign it) in your Visitor Analytics Settings. ● A short article about our updates & changes under GDPR ● An article about the ISO 27001 certification ● An article about what you should add in your Privacy Policy in order to be GDPR-compliant. ● Everything about our Terms of use
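Slides 8 and 10 describe separate, un-ticked consent boxes per third party and ask what happens when a visitor leaves the analytics box empty. The sketch below is an added example, not code from the slides or from any vendor; the vendor ids, labels and script URLs are constructed placeholders, and it is not legal advice.

```javascript
// Added example: per-vendor consent gating. All vendors/URLs are constructed.
const VENDORS = [
  { id: "analytics", label: "Web analytics (third party)", src: "https://analytics.example/tracker.js" },
  { id: "ads", label: "Advertising network", src: "https://ads.example/pixel.js" },
];

// Build the consent form model: one separate box per third party, never pre-ticked.
function buildConsentForm(vendors) {
  return vendors.map((v) => ({ vendorId: v.id, label: v.label, checked: false }));
}

// Flag the two patterns slide 8 calls non-compliant:
// pre-ticked boxes, and one grouped box standing in for several third parties.
function auditConsentForm(form, vendors) {
  const problems = [];
  for (const box of form) {
    if (box.checked) problems.push(`pre-ticked box: ${box.vendorId}`);
  }
  const covered = new Set(form.map((b) => b.vendorId));
  for (const v of vendors) {
    if (!covered.has(v.id)) problems.push(`no separate box for: ${v.id}`);
  }
  return problems;
}

// Turn submitted ticks into a consent record; only the boolean true counts,
// so a missing or malformed value is treated as "not agreed".
function recordConsent(submitted, vendors, now = new Date()) {
  const granted = vendors.filter((v) => submitted[v.id] === true).map((v) => v.id);
  return { granted, timestamp: now.toISOString() };
}

// Scripts the visitor agreed to; anything else is never requested.
function scriptsToLoad(record, vendors) {
  return vendors.filter((v) => record.granted.includes(v.id)).map((v) => v.src);
}

// In a browser, inject only the approved scripts; elsewhere just return the list.
function applyConsent(record, vendors) {
  const srcs = scriptsToLoad(record, vendors);
  if (typeof document !== "undefined") {
    for (const src of srcs) {
      const s = document.createElement("script");
      s.src = src;
      s.async = true;
      document.head.appendChild(s);
    }
  }
  return srcs;
}
```

The third-party tags must not appear in the static HTML at all; they are added only by `applyConsent`, so an empty box means no request ever reaches that vendor.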