Privacy-compliant tracking on websites

Created 23. May 2023

Tracking website visits is important for optimizing websites and online marketing. It provides conclusions about which topics work particularly well on the website and which marketing measures lead to results. We show you how to implement tracking in a privacy-compliant manner.

As we all know, there are two sides to every coin. From the user's point of view, tracking is quite annoying. Why should the website operator be able to know which websites a private person has visited. However, from the website operator's point of view, there is hardly any other way to optimize the website and constantly adapt it to the users' needs. The user's interest in protecting his personal data is therefore in conflict with the website operator's interest in the best possible and, above all, economically successful performance of his website.

When is tracking allowed?

As with any processing activity of personal data, tracking also needs a legal basis, especially if cookies are used to identify the visitor in the process. For some time, the legitimate interest of the site operator according to Art. 6 (1) f DSGVO was considered sufficient for this purpose. Since the Telecommunications Telemedia Data Protection Act, or TTDSG for short, came into force, the user's consent to the storage of a cookie required for tracking is now required, Section 25 (1) sentence 1 TTDSG.

Only for cookies that are technically necessary for the operation of the website, there is an exception. For them, the consent requirement does not apply. Since tracking on a website is not technically necessary, consent of the visitor must always be obtained in principle before processing. Tracking may only be "armed" after consent has been given and cookies may be set accordingly.

Download: Your complete data protection technology guide

E-Book image

How to reliably identify privacy gaps on your customers' websites using free tools.

Download now

Do other regulations apply to fingerprinting?

To circumvent the obligation to consent to cookies, many tracking tools now use canvas fingerprinting to identify the visitor. This involves giving the user's browser a hidden text to display. Based on various parameters, such as the operating system, the browser, the graphics card and installed fonts, the user can be recognized with a very high degree of probability. Although canvas fingerprinting is not a cookie, the same rules apply here. This is because the regulations from the TTDSG are explicitly formulated in an open manner and refer in Section 25 (1) TTDSG to access to information "that is already stored in the terminal equipment". Therefore, consent must also be obtained before canvas fingerprinting.

Is Tracking possible without consent?

In fact, tracking without consent is conceivable. For example, if cookies are not used and fingerprinting is only carried out via the data which the browser supplies anyway with each page call, such as the user agent, the browser language, or the anonymized IP address. Since no cookies are set, the TTDSG is no longer relevant. If there is no personal reference, the provisions of the GDPR no longer must be observed. The Conference of Independent Federal and State Data Protection Authorities (DSK) also follows this opinion.  In addition, the product used for tracking must not process the data in insecure third countries, such as the USA.

What applies to Google Analytics?

In the meantime, many data protection authorities came of the opinion that the use of Google Analytics violates the GDPR, and that processing is not permitted even with consent. The Austrian data protection authority was the pioneer regarding this opinion. In the meantime, the French and Italian data protection authorities have joined this legal opinion. The reasoning is as follows: When Google Analytics is used, data flows to the USA. However, the USA is not considered a safe third country under data protection law. In addition, Google Analytics does not ensure an adequate level of protection within the meaning of Article 44 of the GDPR in the view of the authorities. In particular, the data would only be anonymized in the USA.

In the meantime, however, the situation has changed. With the new Google Analytics version GA4, anonymization no longer takes place in the USA, but on servers in Europe. Google has also adopted the new EU standard contractual clauses in its terms and conditions. This has significantly improved the level of data protection.

Nevertheless, it can be assumed that the data protection authorities will continue to dislike Google Analytics in principle.

Website operators must think carefully about whether they want to oppose this - and use Google Analytics anyway. However, this requires at least the use of GA4, consent to the processing and a transfer impact assessment, i.e, a kind of risk assessment of the intended data transfer. The effort involved is very high and disproportionate to the benefit. The pragmatic solution would therefore be to switch to other tools that comply with the required level of data protection without any problems.

Author: Henning Zander

Henning Zander is a certified external data protection officer (TÜV) and a specialist in issues relating to data protection requirements in the healthcare sector. His clients include, in particular, medical, dental and psychotherapeutic practices as well as pharmacies in northern Germany.

Back to overview