Year 1 - UE 05 - Digital Analytics

DISCLAIMER: this part of the course was not written by a lawyer. Please double check on your own everything that is said here and make your own opinion. DO NOT TAKE IT FOR GRANTED.

Privacy is about respecting the rights of your users.

One of the issues we are going through in this field is to distinguish which regulation we have to take into account to know those fundamental rights.

By chance the European Union has created a regulation named the GDPR (General Data Protection Regulation). It is, of course, not a worldwide consensus but it is so far the biggest privacy framework that has been achieved. It gives good guidance and explains what you should do and know about privacy. The other good news is that GDPR provides us with a good definition of what users' rights are about, and there exist a great many courses online to explain it in detail. We will use this framework for this course. The official GDPR text is available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679 . It takes about 3 hours to read and to understand.

Note though that GDPR is not tailored for Digital Analytics but for information systems in general, including papers. Nonetheless, reading and interpreting it makes it accessible and understandable for whatever situation you are going to face. At the time of writing this part of the course, ePrivacy has not been published yet but will give better guidance about how to apply GDPR in the context of Digital Analytics.

One of the main concerns of GDPR is the rights of end users. Let's see them in detail.

User Rights Under GDPR

1. The Right of information: it means that you need to inform your visitor about the digital analytics activity you are running. So if you plan to use a digital analytics solution such as Matomo Analytics, you have to explain somewhere what this solution is, what it does, how you use, what you use for... Depending on your contact person at a privacy commission, the way this information should be displayed may vary: some may tell you to show it within an information banner, while others would say that it is fine to have it within a privacy policy page as far as it can be easily found out on your website.
2. The Right of access: it means that the visitor can request and access the data that you have been gathering about them. This right is tricky to respect as many challenges occur. First, you need to be able to identify the visitor in your information system and unless you collect the user ids, this is almost  impossible. The second challenge is to make sure that the person who is making the request (called the "data subject") proves that they are really the person they claim to be, which is as well very difficult to do. Whatever, your analytics solution must have an export feature or give the data subject access  to their data.
   
3. The right of rectification: on demand of the data subject you need to be able to rectify the information you collected about them. Just like the right of access, it is very difficult to apply especially since the data subject will have to know that the data you have collected about them are the wrong ones. In any case, you need to have a solution that is able to make those modifications upon request and that you can verify.
   
4. The right of erasure: as previously mentioned, it is always the same issue, you need to ensure that the data subject is the person he/she is claiming to be. If she/he can prove it, you then need to delete their data. This is very easy to do when you have a full access to the database.
5. The right to restrict the processing: the data subject has the right to ask you to stop processing its data but without deleting them. Here the idea is that you should not have the right to use their data any longer and probably this data subject suspects you to do something wrong with their data and will probably denounce you to a privacy commissionner.
6. The right to data portability: a data subject has the right to ask to get all its data in a readable and portable format. This does not really make sense for a digital analytics solution as they cannot do much with them, but you have to offer this possibility, which is actually the same as the right of access... in some ways.
7. The right to object: a data subject has the right to object to the data collection. This right is one of the most important in terms of digital analytics because here the big question is to know if you have the right to start collecting the data about them or if, by default you should not, unless you get their acceptance. There is a lot of debate in this area. In any case, you need to make the application of this right possible. In general the right to object is added on the privacy policy page.
8. Rights in relation to automated decision-making and profiling:  this right relates to an advanced usage of analytics in addition to other marketing techniques in order to have your website taking decisions based on the profile of your visitors. Let's say that you collect a lot of data about your visitors and that, based on their behavior, the different services will change accordingly, for instance the prices or that kinds of things. In any case, here it means that you cannot do it without the explicit consent of the visitor.
   

As you can see most of the rights to respect require you to choose the right analytics solution. Having a full access to the database really helps here as you can easily check the personal data that you collect.

OK, so you have to respect the rights of the visitors and from what you read visitors have to give their consent in order to be tracked... but and there is a but... there are exceptions to this rule.

The two main exceptions that coming through my mind are legal obligations AND anonymization.

Legal obligations

Under the law, you, as the person responsible for the website, need to collect every connection made to your website. This is a security as in case of control from the police, you should be able to show who access your website. Within the official GDPR text, it is saying:

"The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security"

My understanding of this sentence is that you can play with server logs, so reading the data within it, but only for security purpose. If you would like to use those data for marketing then you don't have the right... but ... and there is a but... GDPR is also saying:

"The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."

Those sentences are opening like a gray area aspect where if the logs are anonymized then we could use them for marketing. Here you can imagine the debate when some people will argue that processing the logs to anonymize them is fine where others will say that you do not have the right to do so. Still waiting for a clear guidance here.

Anonymization

As previously mentioned under GDPR, if a data is anonymized, it no longer is a personal data and, as such, GDPR rules do not apply. The issue here is that digital analytics solutions are still solutions, which are seen as intrusive. Thus even if they do not process personal data, should visitors give their consent first? Here the debate is as well wide open because some will argue that they need those data to improve the user's experience whereas others will argue that tracking consent has to come from the end users. The point of view of privacy commissioners differs from a market to another. So still waiting for clearer guidelines here from the EU. So far some privacy commissioners will give a clear advantage to Open Source solutions as the data are hosted at the same place as the organization itself, while for others it is still a privacy concern.

Ok so what can we conclude from this unit? The first thing to remember, end clients first, so respect their rights. Second thing, ask yourself if what you are collecting is acceptable or not. If you think you are crossing a line, you clearly need to get the consent of your users. And third, check what the privacy commissioners of your market are saying as they will have the final word.

If you are using Matomo Analytics here is the process to follow in order to make it GDPR compliant: https://matomo.org/docs/gdpr/.