Web analytics: data privacy when creating a profile

In recent years, web analytics has become an instrument of central importance in the world of online marketing. With an ever-increasing number of website operators relying on tracking tools such as Google Analytics and Piwik, it’s now easy to monitor and respond to user behaviour in real time. Using these tools, websites operators can make their webpages more user-friendly and their businesses more streamlined. It’s now almost impossible for online merchants to imagine a world without web analysis tools, with data privacy activists having expressed concerns about the security of user’s sensitive information. The biggest fear for these groups is that the type of user data extracted by website operators is often unclear or completely undisclosed – and their purposes are often even more ambiguous. The potential for conflict primarily arises from how website operators handle the personal data provided by users when creating profiles. However, it is possible to use web analytics that are data protection compliant with established solutions. This means that certain requirements must be fulfilled, which sometimes can demand changes to the tracking tool’s programing code.

Legal framework for data security

In principle, if the appropriate legal measures have been taken to protect users’ privacy, there should be nothing controversial about monitoring user activities on a website. However, around the world, legislation varies wildly. In the United States, for example, laws are decided at a state level, with many states being comparatively relaxed when it comes to data privacy. Meanwhile, in other parts of the world, data security is a far higher priority. Depending on where your online business is based, you may encounter some difficulties when using certain web analytics tools. This is because, in their standard configuration, most web analytics tools record IP addresses, which, in some countries, counts as sensitive data. Their legal usage would therefore only be possible with the explicit permission of the website visitor. When building an online business, it is essential to check if this is the case in any of the countries and states you operate in. This way, you can avoid unknowingly collecting sensitive data, which will also prevent you from incurring any fines.

The 2011 EU Data Protection Directive, which applies in all European Union member countries (including the United Kingdom), prohibits the collection of sensitive information without users’ explicit consent. All web analytics tools are subject to the EU cookies law, which means that to use Google Analytics and similar tools, the website owner must have approved consent of the user.

The issue of transparency

When tracking technology is used on a website that falls under EU law, website owners are legally obliged to notify visitors that their behaviour is being monitored in the form of user profiles, the extent to which their data is being collected, and the purpose of this data collection. According to data protection authorities, it doesn’t matter whether the recording of user data is anonymous or based on personal data. A comprehensive and transparent privacy statement should be accessible for users at any time and from any page. It’s therefore recommended to include a link to the privacy statement in the website’s navigation bar or in the footer.

Right to object

For your web analytics usage to fall in line with EU cookie laws and certain state laws, website operators are required to give their users the right to refuse the terms and conditions of the privacy policy. The technical implementation of this right to object depends on the tracking tool being used.

Data processing

If a website operator within the EU is using web-tracking tools that save personal user data on external servers, a written contract for data processing is sometimes required. With this, the legislator understands the collection, processing, and use of personal data by an external service provider. In such an agreement, both parties determine which services are involved and which rights and obligations arise. In some circumstances, such as in the case of an anonymous survey, a data processing contract might be necessary, particularly if IP masking is taking place on the provider’s server.

Old data

If your business is also operating within Germany, Austria, and Switzerland, please take note: the tracking of visitors is only permissible when the abovementioned criteria are fulfilled. Any personal visitor data collected in advance must be deleted without exception.

Secure web analytics with Google Analytics, Piwik, and etracker

With the cookie laws that apply across the European Union, as well as legislature that applies to individual countries and regions, varying levels of security are required when running a Europe-based website. While the United Kingdom has uniform legislation across all regions, there are certain areas of Europe, such as the Düsseldorf region in Germany, in which none of the established tacking tools can be used without tweaking the programing. It then becomes the responsibility of the website operator to ensure their web analytics usage complies with local legislation. We recommend using the following checklist for this purpose:

1. Complete contract for order data processing

2. Ensure anonymisation of IP addresses

3. Integrate order data protection including right to objection

4. Delete any old data

Read on to find out how to configure web-tracking software, using Google Analytics, Piwik, and etracker.

Google Analytics

In its standard format, Google Analytics doesn’t legally comply with some countries’ strict privacy laws. While this is not the case in the United Kingdom, for those companies operating within Germany, Austria, and Switzerland, the analytics market leader offers anonymisation code extensions in addition to an opt-out function. These can alter the software to adapt to various requirements.

1. Contract for data processing: as a provider of Google Analytics, Google assumes the position of a contractor, according to German law. Thus, website operators are obliged to initiate a contract for the processing of the order data before using the software. Google therefore has a model contract that complies with German law that is available as a download. To be within the legal guidelines, website operators just need to print, sign and submit the bilingual version of this to Google Ireland Ltd. in Dublin. Google then signs the papers and returns a copy.

2.  Anonymisation of IP addresses: anonymisation of the user IP addresses can be implemented with Google Analytics by the specially provided code extension "anonymizeIp". Website operators must manually enter this into the program code of the tracking software. You can find a technical explanation about anonymisation. Currently there are two variations of the tracking software in use. Depending on whether a website uses traditional analytics or universal analytics, the following code sections are added to the program code:

In traditional analytics, the following extension is added with the _anonymizelp function from the JavaScript library ga.js:

var _gaq = _gaq || [];
_gaq.push (['_setAccount', 'UA-XXXXXXX-YY']);
_gaq.push (['_gat._anonymizeIp']);
_gaq.push (['_trackPageview'])

Universal analytics, on the other hand use the ga('set', 'anonymizeIp', true) function from the JavaScript library, analytics.js:

ga('create', 'UA-XXXXXXX-X', 'beispiel.de');
ga('set', 'anonymizeIp', true);
ga('send', 'pageview');

For both variants, the last octet of an IPv4 address is set to zero. For IPv6 addresses, IP masking includes the last 80 bits of memory.

3. Privacy policy and right of refusal: according to Google Analytics’ terms of use, website operators are obligated to indicate the use of the software in a data protection statement and to disclose the scope of the data collection. This declaration must also give website visitors the option to object to the terms. You can find a link to the Google Analytics browser add-on provided by Google here.

4. Delete old data: any personal user data collected before making the adjustments described here must be deleted without exception, so it is recommended to create a new Google Analytics account for the affected website.


Like Google Analytics, Piwik’s privacy settings must also be adjusted to be used legally anywhere in the world. Unlike Google Analytics, however, the open source software Piwik runs on its own server. This means that sensitive user data is never passed on to third parties; therefore, a contract for order data processing (1.) no longer applies.

1. Anonymisation of IP addresses: there is a special Piwik plugin, AnonymizeIP, which can mask IP addresses. Unlike Google Analytics, this can easily be activated in the program settings under the ‘Plugins’ tab. AnonymizeIP enables users to mask the last one-to-three octets of the IP address. The website operator can define the extent of the anonymisation in the config.ini.php file under the ‘Tracker’ option:

ip_address_mask_length = 2

The code example directs the Piwik program to mask the last two octets.         

2.  Privacy statement and right to object: Piwik’s opt-out iFrame can be used to create an objection option as part of the obligatory privacy statement. The following snippet can be found on the services section on the official project website:

<iframe frameborder="no" width="600" height="200" src="http://beispiel.tld/index.php?module=CoreAdminHome&action=optOut&lang=de"></iframe>

In addition, Piwik respects the ‘Do not track’ request from Web browsers Firefox, Internet Explorer, Chrome, and Opera, unless this feature is disabled.

3.  Delete old data: website operators have to delete previously collected data before making any changes to the Piwik programing. Piwik also offers an automatic function. Find out more here.