Physical Address

304 North Cardinal St.
Dorchester Center, MA 02124

GDPR in Web Analytics

GDPR and Web Analytics: Choosing Tools That Protect User Privacy

The General Data Protection Regulation (GDPR) enforces penalties on non-compliant organisations.
These penalties may amount to a maximum of 20 million euros or 4% of the company’s global turnover from the previous fiscal year, whichever is greater.

20 million euros or 4% of annual turnover. Yes, you read that right. That’s how much a business is fined if they don’t comply with the GDPR guidelines.

But, wait! How does that concern you, you may ask? “I neither have a business that big nor it’s located in the European Union (EU, the region where GDPR is applicable)”.

Why You Should be Worried About GDPR

Well, here is the thing. For a business to be liable under GDPR compliance, it need not be physically situated in the EU.

If your website renders services that are used by the natural citizens of the EU, then you must adhere to the GDPR.

Now, hold on a second. What if you just own, let’s say, a blog? You don’t sell anything. You are not asking for any major details other than users’ emails. Do you still need to be worried about the GDPR?

Online data safety and security compliances, like GDPR, are the reasons why search engines decided to do away with third-party cookies, opening doors to cookieless future impact.

Thanks to them, a once “info-rich” analytics landscape has now turned into “privacy-focused web analytics” in the last few years.

But even if you are not a big-timer like Google or other search engines, you should be aware of GDPR and its consequences for two major reasons.

First, EU citizens are deeply concerned about their online safety and security, as per a Fundamental Rights Survey Report published back in 2020 by FRA.

They care about how their data is shared, how much of it is shared, who can leverage it, etc.

So, if a EU member visits your website to read through the golden wisdom that you so lovingly share with your blog members, they would be curious to know if your data collection practices are GDPR compliant or not.

Secondly, no matter the kind of online services you provide, be it a blog, ecommerce, advice on financial management, or anything else, you must be using some kind of web analytics tool to collect and analyse user behaviour on your website, aren’t you?

No? In that case, you first need to go through this article on real-time traffic analysis to understand what you are missing out on.

If yes, then GDPR mandates that your choice of web analytics platform should adhere to its guidelines while collecting, storing, and analysing that data.

In a nutshell, GDPR in web analytics and other operations is no more choice. Because this is a global world, and your online presence is bound to be graced by someone from the European part of the world every now and then.

So it’s better to be safe than sorry.

GDPR in Web Analytics: How They Relate

The primary goal of GDPR is to give individuals more control over their personal data and to simplify the regulatory environment for international business by unifying regulations within the EU.

Some key principles and provisions of GDPR include:

1. Consent Management

It is all about getting the green light from individuals before you start gathering and tinkering with their personal data.

It’s not just a nod of the head; it’s a clear, affirmative “yes” that lets them know exactly what they’re signing up for.

Think of it like the bouncer at the club – no entry without the right ID, and in this case, no data collection without explicit permission.

2. Data Breach Notification

Data breach notification is like sounding the alarm when things go awry in the data world. When there’s a breach, you have a responsibility to blow the whistle to the right authorities and anyone who might’ve been hit by the fallout, like your website users.

It’s not just about fixing the leak; it’s about owning up to it and letting everyone know what’s going on – pronto.

Timing is crucial here; there’s no sitting on your hands when it comes to data breaches.

3. Right to Access

The right to access is like your users having a backstage pass to their own personal data concert. They can ask you, the publisher, for a peek behind the curtain to see what personal data you’re holding onto and how you’re using it.

It’s not just about knowing what’s in the file cabinet; it’s about understanding the whole playlist – from how the data was collected to what it’s being used for.

4. Right to be Forgotten

The right to be forgotten is like your users hitting the reset button on their personal data. Under certain conditions, they can ask you to wipe their personal data clean from their records.

It’s not just about tidying up; it’s about giving them the power to hit refresh on their digital footprint. So, if their data has served its purpose or they are just ready to move on, this right lets them clean house and start fresh.

5. Data Portability

This entitles your users to obtain their personal data in a format that is organised, widely recognized, and easily processed by machines, enabling them to transfer this data to another entity in control.

It is like them packing up their digital suitcase and taking your personal data on a journey. So, whether you’re switching platforms or just want to keep a backup, this right ensures that your data goes wherever you do, hassle-free.

6. Privacy by Design and Default

As a publisher, you are required to implement measures, like data masking techniques such as IP anonymization, to ensure that data protection is built into their products and services from the outset and that only necessary personal data is processed

Now, let’s understand how the above key principles and provisions of GDPR play out in web analytics using a hypothetical scenario that establishes the whole cycle right from when a user lands on your website till they leave.

Understanding Principles and Provisions of GDPR Using a Hypothetical Scenario

1. User Interaction

Imagine a user. Let’s call her Sarah. She lands on your website to shop for clothes.

2. Consent Management

As soon as Sarah visits your website, she sees a banner/pop-up explicitly informing her about the use of cookies for tracking and analytics purposes and all other info that would be collected because of her use of the website, especially when it comes to tracking and storing stuff for browser fingerprints*.

The website requests her consent to proceed with data collection and processing. Sarah provides clear and affirmative consent by clicking on the “Accept” button. To understand more about cookie consent management, read the other article.

*Note: Fingerprinting GDPR is a much-discussed topic. Here, browsers utilise a multitude of APIs to capture diverse aspects of the user, their device, and their interactions, consolidating them into a digital fingerprint, also known as a “hash.”

Read more about browser fingerprint.

3. Data Collection and Processing

While Sarah browses the website, her actions, such as pages visited, products viewed, and items added to the shopping cart, are tracked by your website’s analytics tool.

This helps you collect this data to improve user experience and personalise recommendations for Sarah and users like her.

4. Right to Access

After exploring the website, Sarah decided to review her account settings. She finds an option to access her personal data, including her browsing history and account information.

She exercises her right to access and requests a copy of her data, which your website promptly provides in a structured format.

5. Data Portability

Impressed by the website’s products, Sarah decides to sign up for an account to save her preferences and previous purchases.

As part of the registration process, she is given the option to download her personal data in a machine-readable format.

Sarah chooses to download her data for safekeeping and future reference.

6. Right to be Forgotten

A few months later, Sarah decides to close her account on the website as she no longer shops there regularly.

She submits a request to the website to delete her account and erase all her personal data.

In compliance with GDPR, the website promptly deletes Sarah’s account and removes all associated personal data from its systems.

7. Data Breach Notification

A year later, the website experiences a data breach due to a security vulnerability. As soon as the breach is detected, your security team initiates an investigation.

Upon confirming the breach and identifying affected individuals, including Sarah, your team promptly notifies the relevant data protection authorities and informs Sarah about the breach, providing guidance on steps she can take to protect her information.

In this scenario, we see how GDPR’s key provisions and principles are applied throughout Sarah’s interaction with the website, ensuring transparency, accountability, and respect for her data privacy rights from the moment she lands on the website until she decides to leave.

Will Your Web Analytics Tool Take Care of GDPR Compliance on Your Behalf?

Now we know what GDPR is, its importance, and how GDPR in web analytics works using an example.

Let’s take another scenario. What if you are more than happy to comply with all these guidelines to protect the safety and security of your website user but you can’t say the same about your web analytics provider?

After all, they are the ones holding and processing the data on your behalf, aren’t they?

That’s where a Data Processing Agreement (DPA) comes into the picture.

DPA serves as a contractual arrangement between the data controller (you, the organisation collecting and determining the purpose of data processing) and the data processor (the entity processing data on behalf of the controller, such as your web analytics platform).

The DPA outlines the terms and conditions governing the processing of personal data, ensuring alignment with GDPR principles.

Significance of DPAs

GDPR mandates the establishment of DPAs to ensure that data processing activities are conducted in compliance with the law.

By entering into a DPA, organisations hold their service providers accountable for adhering to GDPR requirements, mitigating risks associated with non-compliance and data breaches.

Key DPA Clauses

When reviewing a DPA, it’s essential that you consider key clauses that address various aspects of data processing. These include:

1. Specific Data Processed

The DPA should clearly define the types of personal data being processed, ensuring transparency and accountability in data handling practices.

Example: A clothing retailer, ABC Apparel, engages an analytics provider to track website visitors’ behaviour for marketing insights.

The DPA clearly outlines that the analytics provider will process personal data such as IP addresses, browsing history, and demographic information, ensuring transparency about the types of data being processed.

2. Purpose of Processing

It’s imperative to articulate the purpose for which personal data is being processed, aligning with GDPR’s requirement for lawful and transparent processing.

Example: The purpose of processing personal data by the analytics provider is to analyse website traffic patterns, user interactions, and product preferences to enhance ABC Apparel’s marketing strategies and improve user experience on its online platform.

This purpose is explicitly stated in the DPA, aligning with GDPR’s requirement for lawful and transparent processing.

3. Security Measures

The DPA should outline the security measures implemented to protect personal data from unauthorised access, disclosure, alteration, or destruction. This includes encryption, ip anonymization, access controls, and regular security assessments.

Example: The DPA specifies that the analytics provider will implement robust security measures to protect personal data from unauthorised access, such as encryption of data in transit and at rest, role-based access controls limiting access to authorised personnel only, and regular security assessments to identify and address potential vulnerabilities.

4. Sub-processors

If the analytics provider engages sub-processors to assist in data processing activities, the DPA should specify the conditions under which sub-processing is permitted and the obligations imposed on sub-processors to maintain GDPR compliance

Example: Sub-processors, in this case, can be cloud hosting services or data storage providers. The DPA stipulates that sub-processing is only permitted with prior written consent from ABC Apparel.

Furthermore, the analytics provider ensures that any sub-processors engaged adhere to GDPR compliance standards and impose contractual obligations on them to maintain data security and confidentiality.

5. Handling of Data Subject Requests

GDPR grants individuals certain rights regarding their personal data, such as the right to access, rectify, or erase their data.

In accordance with GDPR, the DPA outlines the procedures for handling data subject requests.

If a website visitor, such as a customer of ABC Apparel, submits a request to exercise their right to access, rectify, or erase their personal data, the analytics provider promptly notifies ABC Apparel.

ABC Apparel, as the data controller, collaborates with the analytics provider to fulfil the request within the stipulated time frame, ensuring compliance with GDPR requirements.

The DPA should detail the procedures for handling data subject requests and the respective responsibilities of the controller and processor in fulfilling these requests.

So next time you are looking for a web analytics tool that claims to be GDPR-compliant, check for these important clauses in your DPA.


So, here’s the deal: sticking to GDPR rules is a must for any business diving into web analytics, no matter how big or small or where they’re based. Those potential fines for not playing by the GDPR playbook?

They’re no joke. We’re talking serious cash. Keeping tabs on GDPR principles like getting user consent, reporting data breaches, and giving users access to their info is key for any business using web analytics tools.

And don’t forget about those Data Processing Agreements (DPAs) – they’re your best pals for staying on the right side of the law. Bottom line? Making GDPR compliance a priority in your web analytics game is crucial for keeping user data safe and staying out of legal hot water in the digital world.

Try out our privacy focused web analytics tool.