GDPR & Webtracking - How should I solve this in a future-proof way?

Reading time: approx. 20 minutes

Google confirmed the upcoming end of third-party cookies in March 2021. Apple and Mozilla have already been limiting the tracking of user behaviour within their Safari and Firefox browsers respectively for some time. Decision-makers in EU authorities are determined to continue strengthening ePrivacy while also national data protection supervisory authorities are increasingly dedicated to the execution of supportive legal frameworks.

Within two years, the world of online marketers and data analysts alike has been turned upside down. The General Data Protection Regulation and the national telecommunication laws with ePrivacy Directive have reshuffled the cards and thereby created major uncertainty in the industry. 

Which practices are legal?
Can I make reliable decisions based on data that is attained only from compliant sources? Which data can I rely on in the first place?

Conventional solutions do not yet promise legally compliant data collection approaches that focus not only on GDPR but also on individual national implementations of the ePrivacy Directive.

So, do I have to learn to live with significant losses of critical data? Or is there still a way to collect reliable and relevant data?
In order to be able to answer this question more precisely, we will provide you with the most important insights below, which we have taken into account during the development of our tracking solution in close cooperation with lawyers.

These insights should act as a sort of guide for you to be prepared better than your competitors in the case of an audit by data protection supervisory authorities.

To gain a better understanding of the current legislation, here is a brief explanation of the applicability of the national ePrivacy Directive and the European General Data Protection Regulation (GDPR).

National implementations of the ePrivacy Directive vs. the European General Data Protection Regulation (GDPR)

Put very simply, all national implementations of the ePrivacy Directive have one thing in common. They determine the influence companies are allowed to take on users' personal devices.
In comparison, the GDPR, which applies to all of Europe and EEA, determines how companies and other organisations - for this purpose "data controllers" - must handle personal data collected from, stored on and redistributed by natural persons - in this sense "data subjects". All data tracking tools must follow both laws.

(c) Jentis GmbH - 2021

Data with objective personal reference 

Anyone in the world or
you as the user of such data are able to
establish a personal reference
based on the collected date.

Data with subjective personal reference 

You as the user of such data are able to
establish a personal reference
based on the collected date.

As a consequence, data such as IP addresses or car license plates are inevitably classified as "data with an objective personal reference".

Ad 2: Why might I use collected data?

Getting Consent - Does Positive Consent Exist?
To use users’ personal data (objective and subjective) for analytics, marketing and other purposes their consent is required in accordance with the GDPR. If you obtain this consent - usually by using a Consent Management Platform (CMP) - you can also prove this consent.

ATTENTION: A detail that is often disregarded is that you may NOT send this data to companies from third countries (such as the USA) without further user consent - even though you have received consent from the user for its usage. This possibility is not allowed by the fact that the PrivacyShield has been dropped. A forwarding to European companies is still no problem for you, of course.

Fulfilment of contract impossible - Other justification than "consent".
One of the two simpler reasons for collecting and using personal data is the fulfilment of a contract (e.g. online purchase). Data for contract performance is really a "no-brainer" in this context.

However, remember that the purpose of data collection must be communicated to the user and connected to the data you collect. Moreover, at any point in time, you may only access this data if it is used for exactly the same purpose.

For example, you may not use data from the contract fulfilment reason "shipping" to create an analysis in which you can see which regions/cities you deliver orders to most frequently.

Legitimate interest - Other justification than "consent".
Data collection for legitimate interest is quite a simple justification on the one hand, but rather difficult to define unfortunately on the other hand.

Your legitimate interest comes into play when your company's interest in using personal data exceeds the user's interest in privacy. But seriously - what can that be, other than, for example, anonymising your user's data before you simply send it out into the world?

In our opinion, the mentioned example is indeed a good reason not to use data illegally.

Sharing data with non-EU countries in a GDPR-compliant way

So how can you escape this dilemma and still keep using all your usual, really good tools? It's rather simple.

  1. As a European company, store your collected data yourself on your servers (firstparty).
  2. Make sure you don't use a cloud operated by a non-EU company.
  3. Pay attention to the GDPR regulations 
  4. Anonymise personal data yourself
  5. Only send your data to tools from insecure third countries after you have anonymised them.

All your tools have an API that you can access after your server-side anonymisation. You only have to decide per API which data you want/need to anonymise before sending.

With these procedures in place you are already prepared for any requests from either self-appointed “data protectionists” or an unexpected, mandatory investigation by your supervisory authority - now you can relax and concentrate on your core business again.

TIP: To be on the safe side, your IT department should keep an eye on possible changes to the APIs in order to make data available within your tools without interruption and with the quality you require.

What is data transfer to third countries important?

In practice, it is usually the case that many of your tools are offered by companies which are owned by a majority by a non-EU entity. Taking the USA as an example, these companies are obliged to make their data accessible to the US government under the US CLOUD Act - an absolute no-go for all European data protectors.

Unfortunately, these tools are thereby completely lacking the required legal justification according to the GDPR. At least since the Schrems EUGH verdicts (Schrems II), popular and helpful tools such as Google Analytics, Facebook and Omniture (Adobe Analytics) are no longer compliant with the GDPR when integrated in the conventional way, because personal data is sent directly to the USA.

If you have received a consent for Google Analytics according to the ePrivacy Directive, you can still NOT send personal data to Google. The following example may clarify this:

  1. The IP address of your user is considered personal data.
  2. Your site sends its IP address to Google to anonymise it using "anonymizeIP=true". 
  3. And there you are, trapped!

It is simply not possible to leave the anonymisation of your data to a company in a third country. In that case, European (or equivalent) law is no longer the only law that applies to the data to be anonymised. In the above case, the US company Google would already be in possession of this information.

To illustrate a complete solution, you can see how JENTIS solves this challenge below.

  1. Consent for personal devices according to ePrivacy regulations is collected
  2. Personal data (such as IP address) is anonymised as an EU company
  3. We use EU cloud servers
  4. Anonymised data is sent “server side” to all other tools, without their ability to access personal devices.

If you want to save time, money and energy, this solution is available as a Plug&Play tool. In that way, you fulfil all requirements of the GDPR and your national ePrivacy regulations for your website and solve related issues easily and permanently.

With the patent-pending twin-server technology, absolutely reliable server-side tracking is possible for the first time, which guarantees client-side tracking according to consent. Data quantity, data quality, data sovereignty, data security, data distribution - all available from one source.

"Feed" all tools in your marketing stack that are dependent on data with JENTIS and become not only compliant but also future-ready in one swoop. If you don't want to solve these challenges alone, we are happy to share more about JENTIS with you.

Disclaimer: The information in this article is to be understood as non-binding advice only. JENTIS does not assume any liability for the accuracy of the information provided here.

👉 Let's talk 👈Back To Top

The ePrivacy Directive regulates the influence that companies are allowed to take on users' personal devices. This can be best described with the following question: Am I placing something (e.g. cookies) on the personal device of the data subject or am I reading information (e.g. device information) from her personal device?

Here are two example questions to make this more tangible: Has the user been on my site before? Does a user use my offer via mobile device or via desktop?

[There, the essential condition for tracking is NOT regulated by the GDPR but rather by the ePrivacy directive!]

The ePrivacy directives state that cookies may only be set without consent if they are technically necessary.

Consequently, data analysis, marketing, personalisation and other related use cases are not justified. Therefore, only with the user's consent are companies allowed to place and store let’s say a cookie on the visitor's computer, tablet or smartphone.
As a result, if you want to use data for the above-mentioned purposes, the user's consent becomes mandatory.

[The actual use of personal data is NOT included in the ePrivacy directive!]

Which brings us to the regulations within the GDPR.

What does the ePrivacy Directive address?

If you have received the above-mentioned consent to locate a technology (e.g cookie) on the user’s device, the GDPR regulates the concrete use of personal data. You need to determine the intended data application for each tool in your marketing stack.

How you can handle this

  1. Check whether data actually has a personal reference
    - Consider objective and subjective personal reference
  2. Check why you are allowed to use this data with personal reference
    - Obtain consent from the user
    - Fulfilment of contract would otherwise be impossible
    - Legitimate interest of your company

Ad 1: Do my collected data points have personal reference?

First of all, be clear about which data actually reflect personal reference. It is important to differentiate between two types of personal data described within the GDPR. Essentially, it is about who is able to establish personal reference.

Where does the General Data Protection Regulation come into play?

How can a solution look in detail