How do you collect data while protecting the privacy of EU citizens?

Balancing data collection and privacy protection

Thomas Craenen
Technical Web Analyst
31 May 2023

The world of web analytics is constantly changing due to technological and legal developments. One significant event in the field of technical web analytics is the introduction of server-side tagging, which allows companies to have full control over their data flows.

Thomas co-wrote this article with Bram Ooms and Ben van de Burgt, Technical Web Analysts at Digital Power.

Disclaimer: The subject matter discussed in this blog may change. The blog is based on the situation in May 2023. Please contact us if you have any doubts about the situation at the time you read this blog!


On the legal front, we have seen an increase in laws and regulations in the European Union, and more recently, increased tensions between the EU and the US regarding the transfer of consumer data. Both developments go hand in hand when it comes to the subject of this blog: compliance with EU laws by removing personally identifiable information through server-side tagging.

What has happened?

In 2016, the EU and the US reached an agreement on the exchange of personal data for commercial purposes. This made it legal for companies conducting web analytics to store data with US companies. However, in 2020, the European Court of Justice ruled that this agreement was not sufficient to protect the privacy of EU citizens. This created opportunities for national data protection authorities to intervene in the transfer of personal data between EU websites and US companies (e.g., Google Analytics).

A concrete example of this is France, where the use of Google Analytics (GA) has been declared illegal since February 10, 2022, by the French data protection authority (CNIL). If your company operates in France and has a French domain name, you must remove tracking from your website. In other countries (Austria, Italy, and Denmark), data protection authorities followed CNIL's example and issued their own bans.

At Digital Power, we believe that any legislation created to enhance consumer privacy is good, even if it means making web analytics more complex. We understand the critical perspective that data protection authorities have on data storage. On the other hand, we also believe that companies should be able to collect certain data to improve their services.

What is the impact on my activities?

If your company operates in Europe, you can no longer use Google Analytics in the usual way. This is because the tracking script communicates directly with Google Analytics through the visitor's browser, which is in violation of the law. If you do so, you may receive a fine, which can be quite high in some cases.

To comply with the previous GDPR legislation, you may have already taken measures to anonymise user data before sending it to Google Analytics. However, these measures do not meet the requirements of all data protection authorities in the EU. This is because Google Analytics still has the ability to set tracking cookies in the visitor's browser and receive the IP address of incoming network requests, for example.

Is there a way to maintain my current tracking implementation without breaking the law?

An alternative method of collecting data without violating the law has been developed by CNIL in France. This method applies only to anonymised and aggregated data that has been stripped of all tracking before being collected by Google Analytics. This means that you no longer have the ability to track individual visitors, and no personally identifiable information can be shared outside the EU.

In practice, this will result in Google Analytics dimensions such as 'device category' or 'session source/medium' no longer being functional. By using server-side tagging as a proxy, analysts can collect aggregated and anonymised performance data from websites in Google Analytics.

Privacy-friendly measurement using server-side tagging: how it works

Server-side tagging can be a viable alternative if a complete cessation of web/app data collection is not acceptable for your company. You need to set up a tag server that acts as a proxy between your website visitors and Google Analytics.

On the server, you make various changes to the data stream. This ensures compliance with national data protection requirements.

Does the legislation only apply to Google Analytics?

For the readability of this article, Google Analytics has been used as an example. However, Google can easily be replaced by any American company processing incoming data in the United States. For instance, the Austrian Data Protection Authority (DSB) has ruled that the Facebook tracking pixel violates the GDPR. Google Analytics is the most commonly used external provider with tracking capabilities in the EU and therefore receives the most attention from local authorities.

Guide for setting up server-side tagging

From a technical perspective, managing a tagging server is considerably more complex than managing a web container in a tag management system like Google Tag Manager. The latter only requires a JavaScript code snippet on your website that needs to be implemented by a developer. All communication between the browser and Google Analytics is handled by Google itself. Now, you have to take over from Google and run your own server environment that receives, analyses, and sends network traffic to Google Analytics.

The requirements for properly and cost-effectively setting up a tagging server are complex for an Online Marketer or Web Analyst to manage. Depending on the technologies you want to use, Data Engineers and Developers are needed to set up your server environment.

It is important to note that the default solution provided by Google Cloud Platform's App Engine Instances is insufficient to meet CNIL's requirements. This service uses servers located in the United States by default, which does not achieve the purpose of implementing a server proxy.

Below are the five steps we recommend for setting up the server proxy based on CNIL guidelines:

1. Consult your company's legal team

When moving your website from a web to a server tag environment, end users can no longer see which third parties receive their browsing data. This is because all web streams lead to your own server. Therefore, you need to adapt your website's privacy policy to this new reality.

If you are using Google Analytics, it is also important to consider which data needs to be removed before it is transmitted. CNIL has compiled a list of data that needs to be removed. The data listed below is included in the list, among others. The complete overview can be found here.

  1. IP address
  2. Geographic location
  3. User agent (device fingerprinting)
  4. Referrals
  5. UTM parameters
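
As an added illustration (not code from this article, from CNIL or from Google), the sketch below shows how a tagging server could strip the listed fields before forwarding a hit. The parameter names (`dl`, `dr`, `uip`, `ua`, `geo`), the header names and the `/collect` endpoint are assumptions made up for the example.

```javascript
// Added example: parameter and header names are assumptions; headers are assumed lowercase.
const PAGE_URL_PARAM = 'dl'; // assumed name of the page-URL parameter
const DROPPED_PARAMS = new Set(['dr', 'uip', 'ua', 'geo']); // referrer, IP, user agent, location
const FORWARDED_HEADERS = ['content-type']; // allowlist: every other header stays on the proxy

// Remove utm_* campaign parameters from a page URL; return null if it cannot be parsed.
function stripCampaignParams(pageUrl) {
  let u;
  try { u = new URL(pageUrl); } catch { return null; }
  for (const key of [...u.searchParams.keys()]) {
    if (key.toLowerCase().startsWith('utm_')) u.searchParams.delete(key);
  }
  return u.toString();
}

// Build the outgoing hit from scratch so nothing from the browser is forwarded by accident.
function sanitizeHit(incoming) {
  const query = new URLSearchParams();
  for (const [key, value] of new URL(incoming.url).searchParams) {
    if (DROPPED_PARAMS.has(key)) continue;
    if (key === PAGE_URL_PARAM) {
      const cleaned = stripCampaignParams(value);
      if (cleaned !== null) query.append(key, cleaned); // fail closed on unparseable URLs
      continue;
    }
    query.append(key, value);
  }
  const headers = {};
  for (const name of FORWARDED_HEADERS) {
    if (incoming.headers[name] !== undefined) headers[name] = incoming.headers[name];
  }
  return { query: query.toString(), headers };
}

// Constructed sample hit, as the tagging server might receive it from a browser.
const SAMPLE_HIT = {
  url: 'https://tags.example.com/collect?en=page_view'
    + '&dl=' + encodeURIComponent('https://shop.example/product?id=42&utm_source=newsletter&utm_medium=email')
    + '&dr=' + encodeURIComponent('https://search.example/?q=shoes')
    + '&uip=203.0.113.7',
  headers: {
    'content-type': 'text/plain', 'user-agent': 'Mozilla/5.0 (constructed)',
    'referer': 'https://shop.example/product?id=42&utm_source=newsletter',
    'x-forwarded-for': '203.0.113.7', 'x-geo-country': 'FR',
  },
};

console.log(sanitizeHit(SAMPLE_HIT));
```

Because the outgoing request is opened by the tagging server itself and no `x-forwarded-for` header is copied, the receiving party sees the server's IP address rather than the visitor's.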

2. Check if your Key Performance Indicators (KPI) framework needs to be updated

Some KPIs of your company for web and app may be affected by the legislation. Ensure that internal stakeholders are aware of the data collected server-side and have them agree to the updated KPI framework.

3. Assemble a task force consisting of Developers, Technical Web Analysts, Analysts, and legal staff

As mentioned earlier, the process of setting up a tagging server is complex and requires the cooperation of various stakeholders. Look for team members willing to be involved in this project. Once the legal obstacles have been overcome and the name for your server-side endpoint has been determined, the Engineers and Developers need to get to work to set up the tagging server. The key question here will be where the server should be hosted. Since the central theme of this blog is privacy, it is recommended to use (cloud) servers owned and managed by your company. Some of our clients use Azure App Services or Azure Kubernetes Services for this purpose.

Next, the Technical Web Analysts can migrate the existing tagging to the new tagging server. They ensure that the implementation meets the legal requirements. Finally, the Data Analysts can verify the incoming server-side data stream and create dashboards displaying the company's KPIs.

4. Implement a test tagging server

Running a tagging server costs money as you pay for the data storage you use. Make sure to first deploy the implementation in a test or acceptance environment before rolling it out to the production environment. This way, you can avoid unpleasant bills. We have both Data Engineers and Technical Web Analysts who can collaborate with you as a multidisciplinary team.

5. Assign roles for maintaining the production server environment

The tagging server becomes an integral part of your company's data architecture. This means that work on the server is never done. After the implementation work is completed and the data flows through it, the server needs to be maintained and monitored. It's important to pay attention to scalability and downtime detection. Individual stakeholders should take responsibility for performing these tasks. If no one is accountable, issues are likely to remain unresolved.


Could you use assistance in ensuring the privacy of end users while also complying with the legislation? Contact us, and we'll be happy to help! We understand that analysing data in a privacy-friendly manner is crucial for improving your services.

This is an article by Thomas Craenen

Thomas has been working at Digital Power as a Technical Web Analyst since 2019 and has specialised in working with Google tools in recent years.
