etracker analytics – Consent-free in accordance with TTDSG and GDPR

by Katrin Nebermann

The current requirements of the supervisory authorities

In order to be able to use web analytics services in accordance with the current guidance of the German supervisory authorities for telemedia providers in a legally compliant manner without the need for consent, the TTDSG and GDPR require that analytical cookies are not used and that data protection-friendly processing is guaranteed under the overriding legitimate interest of the website operator.

1. consent-free according to TTDSG (cookie-less)

The Telecommunications and Telemedia Data Protection Act (TTDSG) contains regulations on access to the user’s terminal equipment. By default, etracker analytics only uses functional or strictly necessary cookies. There is no active access to the user’s end device. According to the supervisory authorities, the processing of browser and header information on which etracker is based does not require consent:

For session tracking, etracker analytics does not store any data in the user’s end device, but assigns interactions to the respective visits purely on the server side via securely hashed session tokens:

The following technically required accesses to the terminal equipment can be made within the meaning of § 25 para. 2 No. 2 TTDSG:

(a) If users object to data processing for analysis purposes via the data protection notice on the website, the objection is stored in a cookie (_et_oi_v2). If this cookie is set and has the content “NO”, no data will be collected for this user.

(b) The website operator can obtain consent to the use of cookies for analysis purposes at any time by opting in. For this purpose, etracker provides a consent banner and function calls that can be connected to external consent management platforms. Corresponding instructions are available at https://www.etracker.com/docs/integration-setup/consent-management-tools/. If consent is given, a cookie is set to indicate that etracker may set cookies. If you withdraw your consent, the cookie will be deleted.

(c) The scroll depth measurements for the scroll map report are temporarily stored in the session storage so that not every scroll movement leads to a data transfer, but the scroll depth data is sent “bundled” to etracker every few seconds. The use of session storage for scroll depth measurement is a purely technical delay in transmission in order not to negatively affect the user experience due to longer loading times. The scroll depth measurement can also be optionally deactivated or configured so that scroll tracking only takes place with consent.

2. consent-free according to GDPR (overriding legitimate interest)

The General Data Protection Regulation (GDPR) regulates the processing of personal data. Reporting in etracker analytics is based on anonymized and mainly aggregated data. However, anonymization already constitutes a processing operation in accordance with the GDPR, i.e. also the standard automatic and earliest possible shortening of the IP address in the memory of the data acceptance server.

There are two possible legal bases for this (anonymization) processing: consent and overriding legitimate interest. The current guidance confirms that the legal basis of consent is not preferable to legitimate interest under data protection law, i.e. it is not more data protection-friendly:

“The processing of personal data is only lawful if at least one of the conditions of Art. 6 para. 1 GDPR is fulfilled. All of the legal bases mentioned in this standard are of equal rank and value. For the processing of personal data by non-public controllers in the provision of telemedia services, it is generally possible to rely on consent in accordance with Art. 6 para. 1 lit. a) GDPR, on contractual obligations pursuant to Art. 6 para. 1 lit. b) GDPR or on overriding legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR.”

The legal basis of overriding legitimate interest places high demands on processing with regard to data protection friendliness and requires a balancing of interests under the criteria already mentioned by the Data Protection Conference in 2019. These criteria were used as a basis for the independent audit of etracker analytics by ePrivacy Consult and are set out in this model statement of interests.

The result of the audit is:

ePrivacy Consult certifies etracker analytics amongst others:

• Conclusion of the AV contract with the account registration, see https://www.etracker.com/en/dp-agreement/.
• The IP address is shortened as early as possible and automatically (in the server cache) and thus only persisted anonymously.
• Reporting is carried out with anonymized and almost exclusively aggregated data without the possibility of identifying the user.
• Session identifiers for linking individual interactions to visits are limited to a maximum of 24 hours, as a daily time stamp is included in the hash value automatically generated by the server. This excludes the possibility of permanent recognition unless cookies are activated after consent has been given. Browser fingerprinting in accordance with OH Telemedia and the Art. 29 Data Protection Group therefore does not take place.
• The data is processed exclusively on behalf of etracker and is not used for etracker’s own purposes or linked with data from other etracker customers.
• No personal data is passed on to third parties (Google, Facebook & Co.).
• No granular mouse movement recordings are made.
• An objection function is provided for the privacy policy.

If a website operator comes to the conclusion that its legitimate interests do not prevail due to its individual circumstances, such as the possible enrichment of web analysis data or its further processing in third-party systems, the tracking opt-in option can be used.

The complete paper with information on cookie-less session tracking can also be downloaded here.

---

This article does not constitute legal advice and cannot replace individual legal advice. We work closely with lawyers specializing in data protection and are happy to establish direct contact for individual consultations.