The EU's General Data Protection Regulation (GDPR) brought a new standard of user consent. It also brought a lot of browser pop-ups and, with it, some quite unclear rules about when consent is required.
Most people understand that the cookies used for targeted advertising require consent. But what about analytics? Is tracking how many users land on your website, how they navigate your pages, and how they interact with web forms really held to the same privacy standards?
In this article, we'll be exploring the clear rules and the legal grey areas when it comes to getting consent for your use of analytics, and looking at the requirements of several important analytics providers.
Below, we're going to look at the consent requirements of some popular third-party analytics providers. But first, let's take an overview of the privacy law that applies in this area.
Yes, you need EU users' consent before your website sets the cookies and trackers necessary for most web analytics.
To some extent, consent for analytics is a "grey area" in EU law. Data Protection Authorities in certain countries, such as France and the Netherlands, have allowed analytics without consent in some circumstances.
However, the most authoritative interpretation of the law comes from the Article 29 Working Party, an EU body that preceded the European Data Protection Board (EDPB). According to the Article 29 Working Party, analytics require consent.
The rules arise from a combination of the consent rules under the GDPR, and the technical rules under another EU law called the ePrivacy Directive.
Note: Although the UK has now left the EU, the ePrivacy Directive still applies in the UK, under a national law called the Privacy and Electronic Communications Regulations (PECR).
Here's the relevant extract, from Section 25 of the ePrivacy Directive:
So, EU law states that "users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment." "Terminal equipment" means computers and mobile devices, which we'll be calling simply "devices."
The main reason cookies are so tightly regulated in the EU is due to targeted advertising. So aren't cookies an exception to the strict rules on consent?
There are two types of cookies that fall under an exception to the general rule that cookies require consent:
Such cookies include load-balancing cookies, user-input cookies (for example, to remember preferences), and cookies that allow logged-in users to share content on social media.
All other types of cookies, i.e. those that are not essential for communications or user-requested services, require consent in the EU. This includes cookies used for advertising, social media tracking, and, yes, analytics.
Some developers may feel that analytics are "necessary" for them to provide their services. However, analytics cookies don't meet the "strictly necessary" threshold provided for under the ePrivacy Directive.
This is confirmed by the UK's Data Protection Authority, the Information Commissioner's Office (ICO):
The EU sets the bar for privacy very high. What is considered a privacy issue in the EU may not be considered a privacy issue in other jurisdictions, such as the United States.
Analytics can also involve the collection of detailed information about a user's location, device, and online activity. These sorts of information are considered personal data under the GDPR.
There are legitimate uses for the types of information collected by analytics. But they are primarily for the benefit of the website operator, and, therefore, require consent according to the rules described above.
Additionally, using analytics can involve the transfer of personal data to companies such as Google or Adobe. Because these are not the companies providing the service your user has requested, it is reasonable to request the user's consent for this.
Yes, the EU's cookie consent rules apply to non-EU companies with users in the EU.
Because of the interplay between the ePrivacy Directive and the GDPR, the GDPR's rules on "territorial scope" apply in respect of the ePrivacy Directive's rules about cookies (according to Opinion 5/2019 of the EDPB).
This means that the rules described in this article apply to any company (wherever it is based) that either:
Under condition "A," you need to comply with the EU's cookie rules if you have customers or you target potential customers in the EU.
Under condition "B," you may fall under EU law even if you don't offer "goods or services" to people in the EU. According to Guidelines 3/2018 of the EDPB, using cookies and other trackers can qualify as "monitoring the behavior" of people in the EU.
Some people believe that consent for analytics is only required if you use analytics for certain purposes, or if the user data you collect cannot be considered "personal data" under the GDPR.
However, you should still obtain users' consent even if you are not collecting personal data from users.
The law affects cookies or similar technologies that "store information or to gain access to information stored in the terminal equipment of a subscriber or user."
"Information" in this context does not need to be personal data.
Analytics can be used in such a way as to present very minimal risk to a user's privacy. There are techniques that can help protect users' identities, such as erasing all but the first two or three octets of an IP address.
Under the GDPR's principle of "data minimization," you should apply these techniques wherever reasonably possible. But even if you collect seemingly anonymous data from users' devices, you still need consent for this.
This interpretation is confirmed by the Article 29 Working Party (at page 9 of the linked PDF):
As we've seen, the ePrivacy Directive requires you to obtain consent for analytics cookies. And the way in which you obtain consent is dictated by the GDPR.
Under the GDPR, consent must be:
This definition derives from Article 4 of the GDPR:
Because consent must be given via a "clear, affirmative action," the concept of "opt-out consent" doesn't exist under the GDPR.
Consent is just one of the GDPR's "lawful bases" for processing personal data. Under certain circumstances, you can also process personal data if it is in your "legitimate interests" to do so. You should offer an opt-out in most cases where you are relying on your legitimate interests.
However, due to the ePrivacy Directive you can't rely on legitimate interests for using non-necessary cookies.
Therefore, you can't enable analytics first, and then invite your users to opt out. You can only enable analytics once your users have consented.
As mentioned, there is some disagreement about how to interpret the rules on analytics. One analytics provider, Matomo, claims it has an analytics solution that can operate on an "opt-out" basis. We'll look at this proposed solution below.
Certain analytics providers enable users to configure their analytics tools so as not to employ cookies. It is possible that such solutions may not require consent.
The ePrivacy Directive refers to cookies and "similar devices." This includes any technology that can "store information or to gain access to information stored in the terminal equipment of a subscriber or user."
Certain analytics solutions can provide basic audience measurement information without needing to "store information or to gain access to information stored" on a user's device. It is possible that these methods would fall outside of the ePrivacy Directive and not require consent.
Note that if you are using such a method to collect information that could be considered "personal data," the GDPR applies. So although you may not need to get consent, you will still need to comply with the GDPR's requirements, including:
Mobile apps use analytics in much the same way as web analytics, except that they generally use mobile identifiers rather than cookies.
You still need to get consent for using analytics on mobile.
The EU law on cookies is, frankly, pretty confusing. The fact that there is disagreement on interpretation between different EU countries arguably shows that it is not fit for purpose.
The ePrivacy Regulation is a major upcoming EU privacy law that was originally supposed to pass concurrently with the GDPR. After years of delays, it is likely to finally become law in 2021.
The ePrivacy Regulation is likely to create an exemption to the rules on consent for certain audience-measuring analytics.
The draft text has been amended several times, and the most recent version states that cookies used for audience-measuring can be set without consent, by either the website owner or a data processor employed on the website owner's behalf.
Under these rules, even certain third-party cookies could be exempt from the consent requirement, but only if the website operator enters into a Data Processing Agreement with the analytics provider.
These new rules would be welcomed by many website operators. However, the ePrivacy Regulation is not law yet, and it may change significantly by the time it eventually passes.
We've explained the legal position when it comes to analytics and consent. Now we're going to look at some of the Terms and Conditions of some popular analytics providers.
Google has a number of policies that you must accept before using its products. We've extracted the information relevant to obtaining consent when using Google Analytics.
Here's the relevant section from the Google Analytics Terms of Service:
This paragraph also appears in the Google Analytics for Firebase Terms of Service.
Here's the relevant section from Google's EU User Consent Policy:
There are several instructions given in these excerpts:
Google also encourages you to direct users to its Google Analytics Opt-Out browser add-on.
Note that it is possible to disable cookies with Google Analytics. If you disable all cookies and similar technologies, it may be possible to configure Google Analytics in such a way as to negate the requirement for consent.
The Adobe General Terms cover the use of Adobe Analytics and other Adobe Enterprise Cloud products.
Also governing your use of Adobe Analytics is the Adobe Data Protection Terms, which states the following:
Adobe states that, as a user of Adobe Analytics, you must comply with all obligations under data protection law, in particular:
Matomo (formerly Piwik) is a popular analytics tool that markets itself as an "ethical" and "privacy-protecting" alternative to Google Analytics.
Matomo includes a range of tools that allow website operators to anonymize the data they collect via the analytics tools. It also offers an analytics solution that, Matomo claims, does not require consent.
Matomo provides three reasons why its "cookieless tracking" does not require consent:
It is not clear whether these three characteristics in and of themselves would excuse a website operator from obtaining consent.
However, there might be another reason that Matomo's "cookieless" solution negates the consent requirement.
If the tracking technology used by Matomo doesn't "store information or to gain access to information stored" in a user's device, this might mean that it doesn't require consent. It isn't clear from Matomo whether this is the case.
When using Matomo's cookieless solution, you are required to take several measures to help ensure GDPR compliance:
It's important to ensure that your users can withdraw consent as easily as they can grant it.
Consent for analytics under the ePrivacy Directive and the GDPR is a complicated area and there are still some disagreements on interpretation of the law.
A sensible interpretation of the law and the guidance presented by the Article 29 Working Party and the European Data Protection Board is as follows:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
15 August 2020