The Landscape in the EU and Beyond

Today, basically any business with a website is affected by General Data Protection Regulation (GDPR) and ePrivacy—even if they only access the most basic of audience data. Recent moves by European regulators are shaping the definition and expectations of digital privacy, challenging the status quo and forcing businesses to reevaluate their digital strategy.

Recently, several governments decried that Google Analytics—and by association, every business that used it—was breaking the European Union’s data privacy regulations. GDPR states that data can’t be exported to countries that don’t have an “adequate level of protection”—i.e., the same level of data privacy legislation as the EU. By transferring European user data into the United States to be processed, Google has been deemed non-compliant.

December 2021- Datenschutzbehörde—the Austrian Data Protection Authority—ruling that  a brand’s use of Google Analytics  was breaking the European Union’s GDPR.

February 2022- France’s Commission Nationale de l'Informatique et des Libertés (CNIL) made a similar decision against a different company. 

March 2022- Liechtenstein announced its own ruling following suite.

GDPR and ePrivacy may be European legislation, but—as we’ve already seen—that doesn’t mean it only affects businesses in the EU. The Internet, after all, is border-free. “When GDPR came into force, one of the immediate results was an increase in the number of US websites denying or restricting access to EU visitors,” Timo Rein, co-founder and former CEO of CRM tool Pipedrive, told Forbes soon after GDPR was brought into effect. “[T]his approach isn’t sustainable.” 

The Risk of Non-Compliance

Using data in a way that breaches ePrivacy or GDPR can have consequences. If you’re found noncompliant, you risk a warning, fines, and/or a temporary or permanent ban on processing personal data. You can also be forced to delete all of the data you’ve already collected. 

If that’s not a risk you’re willing to take, creating a thought-out data strategy and finding a digital analytics provider that understands GDPR and ePrivacy—with the expertise on hand to stay on top of legislative requirements—can help.

Finding a Privacy-First Analytics Solution

When searching for a privacy-first digital analytics solution, start by considering the following.

How “Personal Data” Is Defined

GDPR definition of “personal data” is specific. If you want a solution that will remain compliant, you require a provider that employs the same definition—including cookie IDs and IP addresses as personal data, for example. If the tool doesn’t designate personal data in the same way, it risks becoming noncompliant.

How Data Is Used and Stored 

The rulings happening across Europe have revolved largely around where data is stored and how it’s being used. To adhere to GDPR, then, the private data of European users must stay in Europe or countries with the same level of data protection. Also important to look for: whether audience, navigation, and behavior data is pseudonymized, and anonymized and encrypted. 

Consent Exemption 

ePrivacy consent exemption is recognized by data protection agencies such as the CNIL. It allows a website or mobile application publisher to bypass the need to obtain prior consent from a consumer before depositing cookies. Consent exemption is only granted to solutions that maintain a high standard of privacy compliance and meet several conditions, including:

• General compliance with the GDPR
• Collection of data that’s only strictly necessary for the provision of the service requested by the user
• A purpose limited to the strict measurement of the audience

As well as ensuring stricter privacy, consent exemption can also be a sign of better quality data. A solution that meets ePrivacy exemption policies can collect 100% of audience data, as opposed to those that don’t, which will only be able to access approximately 50% of the same data.

In-House Expertise

GDPR and ePrivacy legislations are nuanced and the way we use data is ever-changing. That’s why a privacy-first solution needs to have GDPR and ePrivacy experts on their team, and experience guiding companies through their data privacy needs. Look for customer support as well as data and legal expertise to ensure your provider can keep up with new data privacy legislation and help you stay up to date. 

Putting Data Privacy First

Prioritizing privacy over cost savings means you’ll be confident that your provider remains on top of regulatory changes, and that you won’t find yourself caught in the middle of decisions like those happening across Europe in 2022.

But moving to any new solution means migrating your data—a step that can make your data vulnerable if you don’t take the right approach. So how do you do that safely while respecting your customers’ privacy needs? 

Download Report

To learn more, including what to consider when migrating to a new data analytics platform, download our Putting Privacy First eBook

Piano Analytics (formerly AT Internet’s Analytics Suite Delta) is a digital analytics solution that offers functionality across a range of use cases, with a unified data model that supports real-time queries and 1,400 event parameters. And at Piano, the privacy and security of user data is one of our highest priorities, with measures in place that ensure user data remains private and that data privacy laws are maintained at all times.