Hamburg Data Protection Authority: Data protection-conforming use of Google Analytics
Article by Dr. Sebastian Kraska (attorney at law, external Data Protection Officer).
The Hamburg Data Protection Authority arrived at an agreement with Google on the data protection-conforming use of Google Analytics. This agreement had been expected, according to related statements. A protracted dispute about the use of Google Analytics appears to be resolved. In the following, read about what website operators will soon have take into account.
Background
Data protection authorities passed a resolution at the end of November 2009 that makes the analysis of user behavior, based on the personal linkage of these data by using their full IP address, only permissible with the user’s deliberate and explicit consent. Thus, the use of Google Analytics in practice had to be discouraged in most cases until Google could subsequently present the first adaptation options that conform to data protection.
Finalized proposed resolution
The Hamburg Data Protection Authority has now come to a finalized resolution with Google and recommends implementing the following measures for an unimpeachable operation of Google Analytics:
- Conclude Data Processing Agreement: Website operators must enter into the Google-issued Data Processing Agreement in writing. It should be noted here that the website operator is formally the Principal, and Google is merely acting in accordance with instructions regarding the processing of personal data. The processing of personal data on order entails certain control obligations, and Google will support website operators by presenting the corresponding back-up documentation.
- Enhance the Privacy Policy: In the Privacy Policy, the website operator must explain the processing of personal data as part of Google Analytics to the user of the website, and point to the user’s ability to opt-out of the tracking by Google Analytics. A corresponding draft text can be found at the end of this article.
- Adjust tracking code: The website operator must instruct Google to abbreviate the IP addresses through the corresponding settings in the Google Analytics program code. To do so, each Internet site with analytics integration of the tracking code must be modified using the function “_anonymizeIp()”.
The Hamburg Data Protection Authority furthermore indicates that any aged data retrieved through Google Analytics to date must be deleted. Based on the information from the Hamburg-based regulatory agency, Google offers the only means to do so: shut down the existing Google Analytics profile and then initialize a new one. Please note that you will potentially obtain a different tracking code or another web property ID (UA-XXXXX-YY) and have to adapt your websites accordingly.
Guidelines for Data Privacy Policy
We have expanded the text from Google Analytics by a few lines (red font). We make no warranty as to completeness or accuracy.
“This website uses Google Analytics, a web analysis service provided by Google Inc. (‘Google’).Google Analytics uses ‘cookies,’ which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website will be transmitted to and stored by Google on servers in the United States. In the event IP anonymization is activated on this website, your IP address will be shortened beforehand by Google within member states of the European Union or in other signatory states of the Treaty on the European Economic Area. The full IP address will be transmitted to a Google Server in the USA and shortened there only on an exceptional basis. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators, and providing other services to website operators relating to website activity and Internet usage. Google will not associate the IP address transmitted under Google Analytics by your browser with other data held by Google. You may prevent the storage of cookies by selecting the appropriate settings on your browser software; however, we must advise you that in this case, you might not be able to use all functions of this website to the full extent. You may prevent Google from recording the data generated by the cookie and pertaining to your use of the website (including your IP address), or processing these data by downloading and installing the following browser plug-in available through the following link [insert link here; the current link is http://tools.google.com/dlpage/gaoptout?hl=en]. In view of the discussion on the use of analysis tools with complete IP addresses, we wish to advise you that this website uses Google Analytics with the expansion ‘_anonymizeIp()’; therefore, only abbreviated IP addresses will be further processed, so that a direct connection to the individual user is eliminated. For browsers on mobile devices, please click this link [please link with <a href="javascript:gaOptout()">Link</a>] to, in future, prevent anonymous tracking by Google Analytics on this website.”