Data Strategy for Web Analysis - Part 3

Keeping your data strategy compliant

Stay inside the law

One downer when it comes to website analysis is that you are no longer allowed to collect everything you can about your visitors without asking for permission. (Of course, the exact rules and regulations are different around the world.) However, the fact that it was easier before doesn't mean it was ethical. The lack of regulations on the internet meant that lines were crossed before governments could catch up. Remember the information leaked by Snowden? Or Cambridge Analytica? There are reasons why you shouldn't be able to collect every piece of information about someone on the internet.


What is GDPR?

GDPR (General Data Protection Regulation) was implemented by the European Union in 2018, and limits what information can be collected and how. The purpose is to protect the privacy of European citizens. Before, companies such as Facebook and Google could make a lot of money selling personal data to advertisers, because they knew where you lived, what websites you visited, what companies you liked, how old you were, and all the things advertisers want to know. And advertisers really liked this, because the more data they have, the more successful the ads would be. But internet users never signed up for this invasion of their privacy.

One of the changes after GDPR was introduced is that websites now must explain what data they collect about the visitor and give the visitor the option to opt out if they don't want to share this information. You are also not allowed to collect personal data that you don't need, and any personal data you no longer need should be deleted. The regulation applies not only to companies within the union, but to all companies collecting personal data about EU citizens. That means that American companies with Swedish visitors need to comply with GDPR.

But what if you just ignore GDPR...?

Well, it may be fun in the moment to be able to do whatever you want, but it's less fun when you're found out. The fine for not complying with GDPR can be up to 4% of your annual global turnover or €20 million, whichever is higher.

Here are some examples of companies that have been fined:

  • Amazon was fined €746 million by the DPA in Luxembourg in 2021. The reason given was failure to process personal data in compliance with the GDPR.
  • Meta was fined €1.2 billion by the Irish DPA in 2023. The reason given was insufficient legal basis for data processing.
  • Uber was fined €290 million by the Dutch DPA in 2024. The reason given was transferring personal data of European drivers to the USA without sufficient privacy safeguards.

These are just some examples in a long list of companies. The GDPR Enforcement Tracker currently has 2,664 entries.

How does GDPR affect website analysis?

Since you can't collect everything about everyone anymore, you can't track all your visitors regardless of tool (and cookieless tracking has its own limitations). Only those accepting cookies for an analytics tool will be included in your analytics data. And only those accepting cookies for a survey will be able to participate. As for how many visitors reject cookies, there are no exact numbers to give, but you can assume that about 25-50% reject cookies. Possibly even more in some cases. You should be able to get an accurate number from your cookie manager.

Being able to track 75% of your visitors is still good, and should be representative of your visitors at large. However, it cannot be said if those rejecting cookies tend to behave differently from those accepting cookies, since we don't have any data about those who rejected cookies. Even so, assuming that the remaining 75% represent all visitors is good enough.

How does GDPR affect which tools you can use?

Besides limiting what data you can collect, GDPR also affects where and how the data is stored, to ensure safe storage. All EU companies storing data within the EU must comply with GDPR, and are therefore trustworthy companies to work with for your web analysis. It becomes more tricky when the company (or its headquarters) is located outside of the EU, even if the server is located in the EU, as they have different rules to follow, and possibly less strict and less safe ones.

By using tools by non-EU companies, you risk the personal data not being handled in accordance with GDPR, which could then lead to your company being fined. GDPR should therefore be a factor when you select tools for your data analysis.

There are some non-EEA countries that are "pre-approved", meaning that the European Commission has adopted adequacy decisions for them. Some examples are Canada, Japan, the United Kingdom, and the United States. However, when it comes to the US, there are some big warning signs.

Can you really send data to the US?

Well, yes, for now. There has been a lot of back and forth, and at times, Google Analytics has been banned in some European countries.

To back up a bit, in 2013, Snowden revealed that the US routinely spied on other countries. Back then, US intelligence services were allowed to access any data they claimed to need for national security. In 2016, the European Commission passed the Privacy Shield, which allowed for data transfers to the US or US-controlled servers. In 2020, the EU Court of Justice ruled, in the decision known as Schrems II, that the Privacy Shield couldn't sufficiently protect personal data. The reason was that the US intelligence services could still access the data, which was the problem in the first place.

Following Schrems II, several European countries banned Google Analytics. However, this was only the first step towards banning all American companies. Neither party wanted this. In 2022, US President Biden signed an executive order that limited access to personal data by the US intelligence services. In 2023, the European Commission introduced the Data Privacy Framework, which again allowed for transfers of personal data to the US.

However, the story doesn't end there. The new framework is reviewed periodically by the European Data Protection Board. In 2024, they concluded that the US did not fully comply and listed several concerns. noyb, the organisation behind Schrems II, has also announced that it is planning to challenge the new framework too. With a new president in the White House, the executive order that paved the way for the Data Privacy Framework could easily be revoked, allowing the US intelligence services full access to EU citizens' personal data again.

For short-term use, there is no problem with using American companies for your web analysis. However, if you are planning your data strategy for the next few years, it may be a good idea to look for alternatives - of which there are many.

Check your cookie settings

Even if you use GDPR-compliant tools, you need to make sure you don't collect any data about your visitors before they have accepted cookies. This is a mistake we have seen many times, and a mistake that could be costly if it results in a fine.
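To make the check above concrete, here is an added example (not code from the article or from any consent-manager vendor) of two things: a small consent gate that keeps analytics from loading or sending events until the visitor accepts the analytics category, and an audit helper that scans a request log, such as a HAR export from the browser's developer tools, for analytics requests that fired before consent was given. The hostnames, cookie names, tag URL and the request log are constructed placeholders, not real services.

```javascript
// Added example, not from the article. Placeholder hostnames and cookie names
// stand in for whatever analytics tool and cookie manager a site actually uses.
const ANALYTICS_HOSTS = ["analytics.example", "stats.example"];
const ANALYTICS_COOKIES = ["_an_id", "_an_session"];
const ANALYTICS_TAG_URL = "https://analytics.example/tag.js"; // placeholder

// Consent gate: nothing is loaded or sent until the visitor accepts analytics
// cookies. `cookieJar` is a plain object standing in for document.cookie and
// `loadScript` is the function that would inject the vendor's tag.
function createConsentGate(cookieJar, loadScript) {
  const state = { decided: false, analytics: false, loaded: false, sent: [] };
  return {
    // Called by the cookie banner once the visitor makes a choice.
    decide(accepted) {
      state.decided = true;
      state.analytics = accepted;
      if (accepted && !state.loaded) {
        loadScript(ANALYTICS_TAG_URL); // the tag is only ever loaded after acceptance
        state.loaded = true;
      }
      if (!accepted) {
        // On rejection, remove any analytics cookies that may already exist,
        // so nothing identifies the visitor afterwards.
        for (const name of ANALYTICS_COOKIES) delete cookieJar[name];
      }
    },
    // Tracking calls made anywhere on the page go through here.
    track(eventName, props = {}) {
      if (!state.analytics) return "blocked"; // before a decision, or after rejection
      state.sent.push({ eventName, props });
      return "sent";
    },
    state,
  };
}

// Audit helper: return the analytics requests that started before the visitor
// accepted. `consentAtMs` is null when the visitor never accepted, in which
// case every analytics request is a finding.
function auditPreConsentRequests(requests, consentAtMs) {
  return requests.filter((r) => {
    const host = new URL(r.url).hostname;
    if (!ANALYTICS_HOSTS.includes(host)) return false;
    return consentAtMs === null || r.startedMs < consentAtMs;
  });
}

// Constructed sample request log (times in ms since navigation start).
const SAMPLE_REQUESTS = [
  { url: "https://www.example/", startedMs: 0 },
  { url: "https://analytics.example/collect?ev=pageview", startedMs: 120 }, // before consent
  { url: "https://www.example/banner.js", startedMs: 150 },
  { url: "https://analytics.example/collect?ev=click", startedMs: 4200 }, // after consent
];
const SAMPLE_CONSENT_AT_MS = 3000; // constructed: visitor accepted at 3 s

function runSampleAudit() {
  return auditPreConsentRequests(SAMPLE_REQUESTS, SAMPLE_CONSENT_AT_MS);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runSampleAudit()) {
    console.log(`pre-consent analytics request at ${r.startedMs} ms: ${r.url}`);
  }
}
```

In a real deployment the gate's `decide` is wired to the cookie manager's callback and `track` replaces direct calls to the vendor's tag; the audit is the part to run periodically against a fresh HAR capture of a first visit, because the mistake usually comes from a tag that is loaded unconditionally in the page template rather than from the analytics tool itself.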

In conclusion

If your data strategy involves website visitors from the EU, you need to comply with GDPR. The purpose is to protect the privacy of these individuals. If you do not comply, you risk a hefty fine. Although you can currently use American companies, if you want to future-proof your strategy, you should probably think twice before selecting an American company. Another option is to exclude EU citizens from your data collection.

If you want to read more about data strategy for website analysis, you can click here.

Or you can read about the different tools for website analysis here.