Legitimate interest as a legal basis for the use of etracker Analytics in standard cookie-less mode.
The question arises whether the cookie-less mode of etracker Analytics provided by default can be legitimized by Art. 6 (1) lit. f GDPR. According to this provision, the processing of personal data is lawful “if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”.
Article 6(1) of the GDPR is supplemented by recital 47:
“The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.
Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks.
The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
The starting point of any balancing of interests within the framework of Art. 6 (1) f GDPR is, on the one hand, the personal right of the data subject and the effects that processing the data in question will have on him, and on the other hand, the interests of the controller or third parties. As part of the balancing process, the circumstances that the data subject can reasonably assume when visiting a website must also be taken into account. This means that as long as the data processing carried out by etracker on behalf of the data controller is within the scope of these expectations, it is reasonable to base the permissibility of the corresponding data processing on Art. 6 (1) lit. f GDPR.
In this respect, the balancing of interests must take into account that the persons affected by the web analysis have a comprehensive right to object at any time (Art. 21 (2) GDPR), of which they must be expressly informed in the website’s data protection notices (Art. 21 (4) GDPR). According to Article 21 (3) of the GDPR, the objection has the consequence that personal data may no longer be processed, in particular used, for statistical purposes.
If the above considerations are applied to the facts to be assessed here, the following can be stated:
1. Existence of a legitimate interest of the data controller or a third party.
For example, the German data protection authorities explicitly list as legitimate interests of website operators, among other things, audience measurement and statistical analyses as well as the optimization of the respective web presence and personalization/individualization of the content tailored to the respective users.
2. Necessity of data processing to safeguard legitimate interests
According to the above-mentioned guidance, the processing must be suitable to achieve the interest of the controller in the statistical analysis and optimization of the website, whereby no milder, equally effective means may be available. When using etracker Analytics, the processing is limited to the necessary extent. The collection of significantly less personal data is not technically possible, as a reduction to the technically necessary level is already achieved through the TCP/IP protocol. Personal data is not transmitted to third parties by etracker.
3. Balancing with the interests, fundamental rights and freedoms of the data subject in the specific individual case
a) Reasonable expectation of the data subjects and foreseeability.
When using websites and apps, a user does not usually expect that user data will be processed by third parties for their own purposes, that extensive profiles will be formed across different websites or that granular recordings of individual sessions will be made (so-called session recordings).
With etracker Analytics, user data is processed exclusively on behalf of the service provider and not also for the service provider’s own purposes with the aim of creating personal advertising, without linking it to personal data obtained from other contexts and without passing it on to third parties.
b) Possibilities of intervention by the data subjects (transparency & possibility of objection)
The statutory standardized right of objection of Art. 21 (2) GDPR is effectively guaranteed. It is possible at any time for a visitor to a website on which etracker’s technology is used to object to the processing of his or her data. The associated transparency obligations can be complied with in every respect in accordance with the requirements of Art. 13 and 14 GDPR. For this purpose, etracker provides pre-formulated sample texts and opt-out sliders.
c) Linking of data
By default, there is no linking or enrichment of data sets. The transfer of cross-device identifiers is optional and requires a separate impact assessment.
Actual data processing is done exclusively and quite deliberately on a pseudonymized basis (probably even an anonymized basis). Pseudonymization is an effective means of reducing interference with the rights of the data subject. The shortening of the IP address is automated at the earliest possible point in the processing and does not require any adjustment of the settings or the tracking code. This fulfills the requirements of Art. 5 GDPR and its technical-organizational implementation according to Art. 25 GDPR, in particular Art. 25 para. 2 GDPR (privacy by default). “Information with which the personal data can be assigned to a specific data subject” (Art. 4 No. 5 GDPR) is not stored by default in the web analytics system. Nor are identifiers provided that would allow conclusions to be drawn about the person of the visitor.
d) Actors involved
As a processor, etracker operates as a separate, independent company from a company headquarters and data center in Hamburg. In particular, there are no social relationships with companies outside the EU or in unsafe third countries, which would make it more difficult to protect the rights of data subjects.
e) Duration of the observation
The duration of the observation is limited to a maximum of one day, since all visit identifiers are automatically linked to the respective date, so that recognition of visitors on subsequent days is excluded in standard mode.
f) Group of persons affected (e.g. persons requiring special protection)
Even when used on websites that are aimed at particularly vulnerable persons such as children or provide content on sensitive topics, this does not result in the interests, fundamental rights and freedoms of the data subjects being given a higher weighting. This is because there is no profiling or risk of exploitation of particular vulnerabilities.
g) Categories of data
The interference with the rights of the data subjects is minimal and has no legal effect on the data subjects. In contrast to what would be the case, for example, with a credit rating by a bank, the use at hand here is solely about the analysis of pseudonymous, if not anonymous, data, as a rule in aggregated form, for an improved web presence.
h) Scope of data processing
It can be stated that no particularly extensive data sets or even sensitive data are processed. The depth of intervention is therefore low.
In cookie-less mode, all interactions on the website can be recorded in the same form as with the cookie-based method. However, it is impossible for user profiles to be created and visitors to be tracked over time (identification or re-identification is ruled out in both methods, as the IP address is truncated by default at the earliest possible time and thus anonymized).
In cookie-less standard mode, the following data is collected and made available for analysis:
- Information on the end device used, operating system and browser;
- geo-information up to a maximum of city level;
- the URL called up with the associated page title and optional information on the page content;
- the website from which the accessed individual page was reached (referrer site including assignment to search engines and social media sites as well as readout of campaign parameters);
- the subsequent pages that were called up from the called-up website within a single website in the session;
- the length of time spent on the website;
- other interactions (clicks) on the website such as search terms entered, files downloaded, external link views, videos watched, registrations, inquiries, items ordered, etc.
It is not possible to show unique visitor values, the frequency distribution of sessions per visitor over the period, or the chaining of visits into customer journeys or conversion paths that occur over multiple visits over periods longer than 24 hours or across multiple devices.
Legal basis consent versus legitimate interest
In a recent ruling, the Administrative Court of Mainz (ruling of 20.02.2020 – 1 K 467/19.MZ, BeckRS 2020, 5397) states:
“Finally, the admissibility elements contained in Article 6 (1) of the GDPR are equivalent in terms of their legal function and apply alongside each other, without it being necessary to assume a tiered relationship. It cannot be concluded from the enumeration of the various permissible elements that consent pursuant to Art. 6 (1) sentence 1 lit. a of the GDPR is a priority element and that the general weighing of interests pursuant to Art. 6 (1) sentence 1 lit. f of the GDPR is to be understood as ultima ratio. In this respect, the statutory elements of permission take into account not only the data protection interest of the data subjects, but also the creditable interests of the controller in exceptionally permissible data processing.”
Consent, which is equally possible, is therefore not “better” or more privacy-friendly than processing based on legitimate interests. Rather, consent brings with it a host of additional requirements to be valid as truly active, voluntary, and informed. One could even argue that it is more in the interest of users to be able to assume that processing is privacy-friendly than to be asked for consent to suboptimal data processing. Only in very few cases are users, when confronted with such dialogs, aware of the extent and risks of the data processing involved, nor are they likely to be able to reasonably assess the implications without significant effort, research and expertise.
The legal basis of the legitimate interest thus corresponds to the principle of Privacy by Design or Privacy by Default if the etracker technology is not misused.
Please note: We have written this article after extensive research, discussions with lawyers specializing in data protection law, as well as the external review of etracker solutions and award of the ePrivacyseal. This article does not constitute legal advice. Please also note the associated information on data protection in accordance with our General Terms and Conditions and the Data Processing Agreement.