Updated: May 8, 2018.
Common to all Visiolink solutions is that, no matter the platform, they are linked to Google Analytics, making them subject to the new General Data Protection Regulation (GDPR), which comes into effect May 25, 2018.
Some of our customers have User-ID tracking in their solution, some don’t. Either way, they’re affected by GDPR, because solutions without User-ID tracking still track by Client-ID, which is also considered profiling, cf. Recital 30 in GDPR:
(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
We’ve already been in contact with all our customers regarding the changes that need to be made to their solutions in order to ensure GDPR compliance. Below you can read about the necessary adjustments, which also apply to other products or solutions, as well as how Google will handle the adoption of the new EU regulation.
Users need to be informed about tracking
Explicit information about Google Analytics tracking will have to be presented at the first communication with the user, cf. GDPR Article 21:
(4) At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
This means that the user needs to be informed of tracking when the app opens for the first time. The notice must also tell the user where data tracking can be switched off.
Users must have the possibility to opt out
An opt-out feature is required for Google Analytics both with and without User-ID, cf. Article 21:
(1) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Users have the "right to be forgotten"
If an end-user withdraws his or her consent, they will be allowed to have their tracked data erased, cf. Article 17:
(1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(1b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing.
As of right now, there isn’t a feature that makes it possible to delete specific end-user data in Google Analytics, but we’ve been in contact with Google, who say this will be implemented by May 2018:
“In terms of data deletion, by May 2018 Google Analytics will offer support for customers that wish to delete specific end-user data based on User-ID or Client-ID.” - Oxana from Google Analytics Help Center
In April, Google announced that they had released Google Analytics Data Retention Controls. These controls provide you with the opportunity to set an interval for deleting personal data automatically. Read more and learn how to use the controls here: https://support.google.com/analytics/answer/7667196?hl=en
Data Processing Agreement/Amendment with Google
All of our customers need to sign a Data Processing Agreement (DPA) with Visiolink and this will be communicated directly with each customer. Furthermore, they have to accept a Data Processing Amendment with Google.
UPDATE: Google has now updated their DPA so that it accounts for the General Data Protection Regulation (GDPR).
This isn’t possible for the time being because the current DPA isn’t updated with the terms of the new Data Protection Regulation. According to Google, the new DPA will be released next year:
“The amendment that is currently visible in the GA account settings is not related to GDPR, but rather to previous data protection regulations (further details are available here). GDPR data amendments will be released next year.” - Oxana from Google Analytics Help Center.
In order to accept the DPA, you must go to your Google Analytics Admin and under “Account” press “Account Settings”. There you can review and accept the amendment under “Data Processing Amendment” (See picture below).
Google also has rules
The adoption of GDPR calls for some adjustments, but Google also has some rules you need to be aware of when working with user tracking.
User data may not be stored in plain text in Google Analytics. This means that sending e-mail addresses or names, for instance, in plain text through custom dimensions is not allowed. Google can suspend your account if you breach this rule. Further information on what not to send when tracking in Google Analytics can be found here:
None of Visiolink’s Google Analytics solutions contain tracking of personal information that violates these policies.
If you have any questions about GDPR, Google Analytics or User-ID tracking, feel free to contact me directly at firstname.lastname@example.org
This blog post provides general information on how GDPR is going to affect our customers and should not be taken as legal advice. All our customers are responsible for ensuring their own compliance with GDPR as well as other relevant regulations.