Many businesses thought that by adding Cookie consent banners to their web pages and opt-in forms for email newsletter subscriptions they have satisfied the GDPR requirements.

As it turns out, this is not the case. There are rulings by the Datenschutzbehörde in Austria, CNIL in France and a court in Munich that show how far reaching GDPR actually is (and always was). Besides getting the consent of users, it is important to know where the data actually is stored and what kind data is stored.

GDPR compliant analytics

This is of particular importance if you use analytics tools on your website or in your apps. These tools are for many businesses just black boxes: they are plugged into their webpage or their apps. They have terms and conditions and when user express their consent, they also agree to the terms and conditions of these tools. However, and this is important, as the rulings show, tools like Google Analytics or Google Fonts are violating the GDPR rules when not configured properly. It doesn't matter if the majority of users gave their consent: it is sufficient that a single user files a complaint.

This requires careful handling when you use these tools. After all, youhttps://www.ikangai.com/contact are responsible for the data of your customers. It's not enough to argue that you as a business didn't know about how Google Analytics handles data and refer to Google's terms and conditions. You as a business are responsible for user data. Period. Now, if you use a tool from an US company like Google, you are at risk violating the GDPR, because these tools are hosted on servers in the US. This means, that your customer data automatically goes to the US. Period.

Note that you can configure those tools in a way so that only uncritical data is shared with US companies. But: if you make a mistake in the configuration and the data is shared you are still responsible.

What about Facebook Pixel and App Analytics?

While the current rulings apply to Google only, it is reasonable that the same principles will apply to other tracking and analytics tools as well. Facebook Pixel is another example where data is transfered into the US. Even when there is no current explicit ruling against the use of Facebook Pixel, the principles of GDPR also apply. We also recommend out customers to stop using Facebook Pixel: it's only a question of time when there will be a ruling. Hopefully, it won't be against your company in an example case.

Also, app based tracking isn't excluded from GDPR. With the infamous do not track popup, Apple has already set a precedent - although app providers do not necessarily comply. This is certainly a risky business: Apple can ban you from the App store if you violate their rules. Aside from being banned from the App store, data protection agencies haven't started to look into how Apps treat user data on a broader scale. It's also due to the fact, that it is much more complicated (on technical level) to determine if an App transfers data without the consent of the user and where the data goes.

What to do?

We highly recommend to use alternative tools like Matomo for analytics. You can install a self hosted solution with access to all raw data that is collected. This requires technical know how: you have to know how to install Matomo on a server and manage the server on your own (backups, OS updates, security patches, Matomo updates, user management, firewalls, etc.). There is also a Docker container available. But with that you are on the safe side and as a plus you get access to all of the data.

Server side tracking

Instead of client side tracking with Javascript code, you can go for server side tracking. Server side tracking has several benefits over client side tracking, mostly when it coes to data quality. However, it requires deeper technical know how, because you must intercept the requests from clients like web browsers on your server. This means that some programming work must be done to do that. How much effort depends on your backend: if you have custom APIs that "talk" with your apps or your website then it is obviously more complex.

The takeaway

GDPR has been in effect since May 2018. As it so often the case for new laws, it simply takes a while before the actual consequences are understood by businesses and rulings bring clearity. It's time to move to alterative - GDPR compliant - solutions before you run into troubles.

Get in touch with us to learn how to set up a GDPR compliant web site.