Web analysis tools
January 06, 2021
Under what conditions can web analytics tools such as Matomo be used in a GDPR-compliant manner?
This article is about the use of open source web analytics tools that are hosted locally, i.e. on their own server in Germany, and can be used without setting cookies.
Because the data processing may relate to identifiable persons, the lawfulness of using such web analytics tools is assessed primarily under the General Data Protection Regulation (GDPR) and the EU Directive 2009/136/EC (Cookie Directive). The decisive question is whether personal data are actually processed and whether this can be justified by a "legitimate interest" of the party using the tool (the controller) in the sense of the GDPR, or whether explicit consent of the website visitors must be obtained.
I. Processing of personal data / possibility of creating a user profile
First of all, it is checked whether personal data is processed when using the web analytics tool or whether it is possible to create a movement and usage profile.
1. Cookies
Cookies can be placed on a website for the purpose of tracking website visits and optimising user behaviour in order to store and process user information. They can thus collect and process personal data and allow an inference to at least one identifiable person.
The analysis tool can often be configured so that no tracking cookies are set. However, if these are to be used, it must be taken into account that, according to a ruling of the ECJ of 1.10.2019 (C-673/17), the prior consent of the user is mandatory if the use of the cookies is not required. Accordingly, the use of necessary cookies does not require consent.
2. “Device fingerprinting”
Analysis tools are often able, in addition to or even without cookies, to store certain user information, read it out and combine it in such a way that a "digital fingerprint" can be created ("device fingerprinting"). A specific device can thus be identified relatively precisely, along with the user behaviour controlled by it.
II. Lawfulness of the data processing
Data processing through cookies and device fingerprinting is lawful if it is expressly permitted, corresponds to the legitimate interest of the party using the tool (the controller) pursuant to Art. 6 (1) lit. f GDPR, or consent has been given.
1. Legitimate interest / necessity
What cookies can be considered (still) necessary is a matter of dispute in individual cases. As a rough guideline, one can assume that such cookies that are necessary for the technical operation of the website and the provision of its functionality do not require consent. This includes, for example, cookies that are responsible for digital shopping baskets.
Cookies used for marketing, tracking and analysis purposes are to be understood as non-essential cookies, the use of which must be actively consented to.
Legitimate interest according to Art. 6 (1) lit. f GDPR includes such data processing that corresponds to the legal, factual, idealistic or economic interest of the controller(s) and that does not run counter to the legal order. In addition, the data processing must be necessary for the protection of these legitimate interests and must finally withstand a balancing of interests.
Based on these principles, the ECJ in its judgment of 01.10.2019 (C-673/17) referred to Art. 5 (3) of the EU Directive 2002/58/EC (ePrivacy Directive) and the requirement of necessity. This provision clarifies that technical storage of information should be possible without consent if it is strictly necessary. This includes all technical storage processes, not just the storage of information through cookies.
"Device fingerprinting" is to be classified as a technical storage process. When a website is called up, information is transmitted for technical reasons through the protocols used. The information generated in this way includes, for example, the device type, operating system, device performance, log-in files, resolution and plug-ins. "Device fingerprinting" can thus be used, just like cookies, to process the usage behaviour of website visitors within the meaning of the GDPR. Although the ECJ only explicitly deals with the setting of cookies in its ruling, this includes all technologies that store and read data on the user's device. The scope of the ruling thus extends to many more use cases than the mere setting of cookies.
Insofar as device fingerprinting is not used to provide a service expressly requested by the user, this technical process is not considered necessary.
2. Consent requirement
If the use of cookies or device fingerprinting is not necessary, only explicit consent of the user can make the data processing lawful.
The ECJ also states in a press release that even if cookies do not allow any real reference to a specific person, i.e. they are not personal data in the narrower sense, explicit consent to data processing must be given. The same would then also have to apply to "device fingerprinting", i.e. a consent requirement would be given.
Consent to the use of cookies by means of a pre-set checkbox, which the user must uncheck in order to refuse consent, is not considered valid consent. Consent can be given via a cookie banner or a compliant cookie consent tool. At the same time, a corresponding possibility of revocation (opt-out) must be provided for the future.
III. Risk assessment
There are currently different opinions on the question of whether or not the user must consent to the processing of data using the "device fingerprinting" method. Four opinions are presented here as examples.
1. No consent requirement
1.1 State Commissioner for Data Protection and Information Security Baden-Württemberg
In a "FAQ on cookies and tracking" of 29 April 2019, the State Commissioner for Data Protection and Information Security of Baden-Württemberg has taken a position on the use of web analytics tools. The author gives a clear answer to the question of whether tools for reach analysis may be used without the consent of the user:
"Yes, if the services of external third parties are not used for the reach analysis. Reach analysis also works without providing third parties (such as Google Analytics) with information about the usage behaviour of website visitors. Instead, a log file analysis can be made or locally installed analysis tools can be used [An example of a corresponding analysis tool is the free open source software Matomo, see https://matomo.org/ - but here, too, privacy-friendly default settings must be selected] without merging the usage data across provider boundaries."
1.2 Web analysis tool Matomo
Matomo itself, for example, takes a similar view and states on its own website that the service can be used without consent, see https://matomo.org/privacy/.
2. Consent obligation
2.1 Article 29 Working Party
The Article 29 Working Party already issued an assessment in 2014 and considers the collection of data and the resulting combination possibilities, including the creation of a movement profile and unique user identification, to be riskier for users than the use of cookies. The Working Party is clearly in favour of prior consent (opt-in) by users. Although the Working Party has since been replaced by the European Data Protection Board, and it is unclear what will be done with papers produced in the past, it was an important advisory body. The committee has an important advisory function in all questions of personal data protection at the European level, and its opinions are therefore quite relevant, even if they are only recommendations and do not have the character of law.
2.2 Conference of the independent Federal and state data protection supervisory authorities
The Conference of the Independent Data Protection Authorities of the Federal Government and the States underpins the requirement for consent and states in its "Guidance of the supervisory authorities for telemedia providers":
"Controllers must ensure that consent covers not only the setting of cookies requiring consent, but all processing activities requiring consent, such as procedures for tracking users through tracking pixels or various fingerprinting methods, if these are not permitted on the basis of another legal basis."
3. Assessment
Responsible parties who use local analysis tools could currently refer to the opinion of the State Commissioner for Data Protection and Information Security of Baden-Württemberg, but they run a certain risk in doing so. This is especially true if another supervisory authority is responsible for the respective controller(s).
There is no known case law to date dealing with the issue of "device fingerprinting" and the obligation to consent; how the courts will decide remains to be seen. Until then, the contradictory guidance shown above stands.
IV. Opt-Out
Even if no cookies are set, the user must have the option of opting out of cookieless tracking, as this also involves data processing. A corresponding opt-out option must be provided.
V. Anonymisation of IP addresses
Most web analytics tools store the IP addresses of users in the database by default. IP addresses constitute personal data according to current case law. However, the analysis tools can be configured so that all data is automatically anonymised, and no personal data is processed. Data is considered anonymised when the identification of a data subject is no longer possible due to the removal of the personal reference. Furthermore, the anonymisation must be irreversible. In case of doubt, an anonymisation of 3 bytes should be carried out here in order to meet the strict requirements of the GDPR.
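The 3-byte anonymisation described above can be applied before an address ever reaches the database; the following is an added example, not code from this article or from Matomo. The function names, the sample log lines and the `ipv6_keep_bits` default are assumptions of the example, since the article gives a figure only for IPv4.

```python
import ipaddress

def anonymise_ip(addr, masked_bytes=3, ipv6_keep_bits=32):
    """Irreversibly zero the trailing part of an address before it is stored."""
    if not 0 <= masked_bytes <= 4:
        raise ValueError("masked_bytes must be between 0 and 4")
    ip = ipaddress.ip_address(addr.strip())
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) carries a complete IPv4
    # address, so unwrap it and apply the IPv4 rule.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4:
        keep_bits = 32 - 8 * masked_bytes
    else:
        keep_bits = ipv6_keep_bits  # assumption: the article names no IPv6 figure
    network = ipaddress.ip_network(f"{ip}/{keep_bits}", strict=False)
    return str(network.network_address)

def anonymise_log_line(line, masked_bytes=3):
    """Mask the client field (first token) of an access-log style line."""
    client, sep, rest = line.partition(" ")
    try:
        client = anonymise_ip(client, masked_bytes)
    except ValueError:
        client = "-"  # unparseable field: store nothing rather than raw input
    return client + sep + rest

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 "GET /index.html" 200',
    '198.51.7.200 "GET /contact" 200',
    '::ffff:198.51.100.23 "GET /index.html" 200',
    '2001:db8:abcd:12::1 "GET /index.html" 200',
    'not-an-ip "GET /" 400',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(anonymise_log_line(entry))
```

With three bytes masked, the first three sample visitors become indistinguishable at the address level, which is the effect the anonymisation is meant to achieve.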