The General Data Protection Regulation (GDPR) has changed how companies around the world are handling the personal information of their users. This privacy law out of the European Union extends its jurisdiction to any company or entity that collects or processes the personal information of residents of the EU.
This means that the location of the company does not matter, but rather the location of the customers/users.
If a business has users in the European Union and collects or processes personal data such as email addresses, mailing addresses, phone numbers or credit card information, it must be fully compliant with the GDPR.
As a result, it is crucial for companies and website owners to be aware of where their traffic comes from.
Analytics suites and other services let you discover the origin of your website traffic so that you can determine if you have users in GDPR-protected countries. We will explore these methods in this article to help you uncover whether or not you need to comply with the GDPR.
Google Analytics is one of the most popular services that can help you identify users' locations. It can be used to determine where your traffic comes from, including whether or not any of it is based in the EU.
In the example above, it appears that the heaviest amount of traffic comes from the US, yet most of the world including virtually all of Europe accesses the website. This means compliance with the GDPR would obviously be needed by this business or blog if personal information is handled.
Other popular services with similar functionality include WordPress, Clicky, Woopra, and many other analytics, tracking, or even hosting services. Since determining where your traffic comes from is a pretty fundamental aspect of running a website and marketing, most analytics suites will have this functionality.
If you do not use analytics software, your hosting service, such as WordPress, may have the capability to show you what countries your traffic is coming from. Try looking in your cPanel or on your admin account page. If any of that traffic comes from the EU, you should be sure that you are compliant with the GDPR if you handle personal information.
Remember that the GDPR protects residents across the entirety of the EU. These countries include:
- Republic of Cyprus
- Czech Republic
- United Kingdom
In certain instances, simply using the language of a European country can be considered targeting EU residents under the GDPR. For example, if your website is written in Bulgarian, that could be enough to qualify as targeting residents of the EU, as it suggests intent to serve residents of Bulgaria.
It is your responsibility as an entity that collects or processes personal data to be compliant with the relevant privacy laws. Ignorance of the laws or of the origins of your users is not an acceptable defense. It is up to you to determine if you have users in the EU in order to determine compliance requirements with the GDPR, or you could face heavy fines.
By using Google Analytics and other similar services, this should not be an issue.
How to use Google Analytics to determine the location of your users
Google Analytics provides a host of tools to help you understand where your website traffic comes from and how visitors behave on your website.
Geographic reporting is just one of the tools offered by Google Analytics and other analytics and tracking services. To use this feature, go to the "Audience" category in the left-hand navigation and click on "Geo" to expand it. From there, simply select the "Location" subcategory.
If your account and website are set up properly with location tracking enabled, you will see a color-coded heat map showing the density of traffic from different regions, like the one shown earlier in the article. You can use this map to see how much of your traffic is coming from countries in the EU to help you determine your susceptibility to jurisdiction under the GDPR.
There are also a variety of ways to sort, filter, and display this data in different charts and graphs to help you determine how much of your traffic comes from which countries. Google Analytics relies on IP address data to estimate locations. This is accurate on a large scale for things like country or state of origin, but not for specific locations like cities or neighborhoods in most cases.
This is especially true for mobile devices, where small-scale accuracy becomes much less dependable because the device may often travel between different cities. Also be aware that tools such as a VPN can be used to conceal the true location of visitors.
Google Analytics allows you to view this data with varying degrees of detail. These are as follows:
- States and territories
Once again, the less detailed categories are more dependable and are all you should need to determine how much of your traffic is coming from GDPR-protected areas. Looking at the continent of Europe is probably not accurate enough, but sub-continents and countries will allow you to confidently determine if you are receiving traffic from the EU.
From there it may be necessary to determine which specific countries you are receiving traffic from so that you can designate an appropriate EU representative in one of those countries (as required by Article 27 of the GDPR).
The accuracy beyond countries, states, and territories becomes much less reliable and is often not recommended for specific tasks that require accuracy on a city-by-city level, though you may be able to glean some useful information by exploring your data.
Other analytics suites have similar tools, including geographic heat maps, filterable charts and tables, and other statistics which can help you determine the origin of your traffic. Many of these behave similarly and can be found by navigating features or menu options.
How to use WordPress to determine the location of your users
Current versions of WordPress include some basic analytics functions by default. "Views by country" is the basic offering that displays information about the location of your visitors as well as a heatmap. You can find this tab in the left-hand navigation of your WordPress admin page. This basic information should be enough for you to determine if you have traffic originating from the EU, and therefore whether you need to comply with the GDPR.
You can also find a summary that will break down top views by country so you can see exactly how many visitors your site is receiving from which countries.
There are also a plethora of plugins available for WordPress that offer a variety of geographic tracking and targeting options more advanced than those provided by default. There are even some plugins for linking Google Analytics to your WordPress site.
Here are some of the most popular WordPress plugins that offer geographic tools:
- WP Power Stats: A simple and light plugin that provides basic statistics on visitors including geographical information, frequency of visits, and more. It lacks some accuracy and detail, though it is a good introductory tool that requires no code.
- GeoIP Detection: Offers geographic data based on IP address information. Also includes functionality to hide information from users in certain locations.
- GeoTargeting Pro: This is a premium plugin that offers a suite of geotargeting tools. Can deliver different content based on location of visitor or even redirect to different website versions.
- WordPress.com Stats via Jetpack: Offers an easy and attractive interface that allows you to review basic information such as views per page, number of visitors, and location of visitors, including a map.
- IP Geo Block: Can be used in conjunction with tracking plugins to allow blocking of IPs based on geographic location or other factors (such as to prevent bots and bandwidth bloat).
- WP Slimstat: Perhaps the most powerful WordPress plugin for geographic stats. WP Slimstat boasts the most accurate IP geolocation and browser detection, though it is demanding and may cause slowdowns on your site.
In addition to providing location statistics that can be used to determine the origin of your users, many of these plugins also offer advanced functionality such as geotargeting and IP blocking, which could potentially be used to prevent residents of GDPR-protected countries from accessing your site and therefore eliminate the need for GDPR compliance.
However, this is a complex issue that requires more consideration than simply installing a plugin and flipping a switch.
The GDPR is a strong and far-reaching set of privacy laws that has a significant impact on how companies and websites handle the personal data of their clientele. Currently, the GDPR is so far-reaching that it seems it will affect the vast majority of websites around the world. Most websites currently serve residents of the EU or wish to in the future, and even those that don't may still interact with foreign visitors enough to encourage compliance.
By using analytics tools to uncover the origin of your visitors, you can determine your need to comply with the GDPR. However, in most cases, compliance seems to be the safer route at the moment and can also help your company in the future. If down the road you expand to include the European market, it will be useful to already be compliant with the GDPR.
Even if you don't expand into the EU, it's only a matter of time before other countries follow suit by updating their own privacy laws to offer the same protections as the GDPR to their citizens on the internet.