Why etracker Analytics can legally record all visit data and conversion data without consent
Legal background
The question of the legal conformity of web analysis or tracking on websites is governed by two legal provisions:
- The General Data Protection Regulation (GDPR), which regulates whether consent is required for tracking with regard to the processing of personal data.
- the E-Privacy Directive 2002/58/EC (Cookie Directive), which deals – quite aside from a possible personal reference – with access to the user’s terminal device, also with the consent to cookies and similar technologies.
Tracking consent
According to the Conference of the so called Unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, consent to tracking is necessary in two cases:
1. If a milder, equally effective means is available for the purpose.
It explicitly states: “If the website operator uses an analysis tool for this purpose which passes on data on the usage behaviour of data subjects to third parties (e.g. social networks or external analysis services which merge usage data across the boundary of the website with data from other websites), this is no longer necessary.”
Translated by the author
2. If the processing operations do not meet users’ reasonable expectations.
Definitely requiring consent according to the supervisory authorities are:
a) Mouse tracking or techniques that capture keyboard, mouse and swipe movements on touchscreens.
b) Tracking pixels from advertising networks.
c) The involvement of third parties as service providers via analytics tools that link to their own data or aggregate data from different customers, websites and devices.
Conversely, tracking is possible without consent if it is carried out in a data protection-friendly manner (in the mildest form) within the framework of the reasonable expectations of users.
Cookie consent
According to Art. 5 para. 3 of the E-Privacy_Directive 2002/58/EC (Cookie Directive), consent is required when cookies are set that are not technically essential.
The Directive says: “Member States shall ensure that the use of electronic communications networks to store information or to gainaccess to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC,inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or accessfor the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.“
Consequently, in the BGH ruling of 28 May 2020, Case No. I ZR 7/16, “Cookie Consent II”, it is once again clarified that the consent of the user is required for the use of cookies to create user profiles for the purposes of advertising or market research.
According to Opinion 9/2014 on the application of Directive 2002/58/EC to the use of virtual fingerprinting, the collective term cookies also includes similar technologies that make it possible to pick out, link or infer a user, a user agent or devices over time. According to RFC6973, consent is required for all persistent identifiers and the processing of information elements that enable the identification of a person.
If, on the other hand, the tracking is purely visit-related without the use of cookies or other technologies to recognise visitors, no prior consent of the users is required.
The requirements for consent exemption
Tracking and web analysis without a consent requirement is possible. From the specific conditions for the consent requirement – which precisely do not formulate a blanket requirement for consents – the following requirements for consent-free web analytics can be derived:
1. Conclusion of a contract processing agreement with the processor.
2. No cookies or similar profiling techniques are used.
3. Personal data is processed exclusively in Europe.
4. The processor does not use the data obtained for its own purposes.
5. The processor does not link or enrich the data across different websites
6. An opt-out or revocation option and information on tracking are offered in the privacy policy.
7. IP anonymisation is ensured (without additional configuration, “Privacy by Default”).
8. Do-not-track settings in the browser are automatically taken into account as opt-out/revocation.
9. The website operator can prove compliance with points 1-8.
No consent required for etracker Analytics
etracker fulfils all of the listed criteria. Privacy by design and privacy by default are self-evident, as is a contract for processing data on behalf of the company and the processing of data in the EU. Also, etracker does not lay claim to the data, does not use it for its own purposes and does not make it available to third parties. All other regulatory requirements for the balancing of interests according to Art. 6 (1) f) GDPR are also fulfilled, so that no consent needs to be obtained for tracking with etracker Analytics.
No cookies are set in the standard mode of etracker Analytics. Only website data from web servers is used, as well as certain information that the web browser transmits to the web server for the retrieval of web pages. This information makes it possible to link individual page views and interactions into coherent sessions. Encryption together with a time stamp prevents the creation or linking of user profiles.
Due to the small number of information elements and the explicit time limit, it is impossible to link an individual person and thus identify or make an individual identifiable. Furthermore, the information is not made accessible to third parties and the hash procedure used and the individual information are not disclosed. Also, etracker Analytics is not used for the “purpose of processing for the provision of personalised content and advertising, i.e. for direct communication with a specific person” (translated by the author), but for the aggregated statistical evaluation of website usage.
Optionally, etracker cookies can be activated with consent. For this purpose, suitable function calls and instructions are available for integration into the common consent management solutions.
Independently audited and awarded
In order to enable our customers to meet their accountability obligations under Article 5 (2) GDPR, we have undergone an independent audit and certification by ePrivacy GmbH. As the result, the products etracker Analytics, etracker Optimiser and Signalize were awarded with the ePrivacyseal of quality for data protection. The test result certifies that consent does not have to be obtained for etracker in standard mode – neither for tracking nor for cookies:
“[…] On the basis of our detailed examination, we consider it acceptable to justify data processing by etracker Analytics and etracker Optimiser, also with regard to the DSK paper from March 2019 and the ECJ ruling of 01.10.2019, by the legal basis of Art. 6 Para.1 lit.f) GDPR (legitimate interest). In cookieless mode (standard mode), the use of etracker Analytics is legal without any obligation to give consent.”
Conclusion:
ECJ-, BGH- & GDPR-compliant with and without cookies: etracker Analytics enables consent-independent web analysis without data loss.
This article cannot replace individual legal advice, but represents a professional discussion and summary of the topic.