Website tracking and data collection: How do I protect customer data and still collect data about website usage?
Website tracking is a crucial aspect of a company’s digital presence. It provides insights into visitor behavior and helps improve the user experience. In this article, we will explore the different types of data that are collected, specifically personally identifiable information (PII), and how to ensure that this collection is legally compliant and customer friendly.
Before we go into depth, let’s first look at the two main types of data collected through website tracking: Web page meta-data and personally identifiable information (PII). First, we’ll take a look at “website meta-data” and explain it, then follow up with a discussion of the special importance of PII data.
In the following section, we will take a closer look at the General Data Protection Regulation (GDPR) and highlight how it should be considered in connection with website tracking. We will then turn our attention to data storage.
1. meta data of the website:
Web page tracking also captures meta-data, which can include information such as the page template (default or blog), the page ID, and possibly information from the CRM.
Meta data provides important information about the structure and content of the web page. This includes information about the type of page (standard or blog) and possibly unique identifiers such as page IDs. In some cases, information can also come from customer relationship management (CRM), captured to provide a comprehensive view of customer interactions.
1.1 Customer-related data also referred to as PII:
1.1.2 What are PII?
Personally Identifiable Information (PII) includes data that directly identifies an individual, such as full name, home address, email address, and telephone number.
Such information is extremely sensitive, as it provides a direct link to an individual person. Protecting this data is critical to maintaining user privacy.
1.1.3 Where can PII occur / in website tracking:
During website tracking, PII can be captured at various touchpoints, including contact forms, purchase transactions, logins, and other interactions.
The security and legally compliant handling of this data is critical. Therefore, it is important to ensure that the information collected is handled in accordance with applicable data protection laws, whether collected through contact forms, registrations, purchases, or newsletter sign-ups.
The General Data Protection Regulation (GDPR) is a European regulation that came into force on May 25, 2018. It sets strict rules for the protection of personal data and affects companies that operate in the EU or process personal data of EU citizens. GDPR compliance is critical to ensure that data collection is legally compliant and respects user privacy. Below, we will discuss measures that help ensure GDPR compliance in website tracking.
Note tracking ninja
2. GDPR compliance:
The General Data Protection Regulation (GDPR) is a crucial set of rules that ensures the protection of personal data in the European Union. In the context of website tracking, there are specific measures that must be taken to ensure GDPR compliance. This section covers important steps, starting with the implementation of a cookie banner and ending with the verification and safe removal of personally identifiable information (PII) in tracking data. Every measure is aimed at respecting the privacy of users and ensuring the security of their data. Here are the details of each step
2.1 Cookie banner:
Implement a cookie banner that informs users about the use of cookies and asks for their consent before tracking starts.
Implementing a cookie banner is an important step in obtaining user consent for website tracking. This banner informs visitors what types of cookies are used and allows them to give or refuse their consent.
2.2 Start tracking only after approval:
Make sure that tracking is enabled only after the user has given consent.
It is crucial that website tracking does not start until the user has given explicit consent. This ensures that data collection complies with the law and respects the privacy of users.
2.3 Filtering PII in GA4 (Google Analytics 4):
The use of personally identifiable information (PII) identification and filtering features in Google Analytics 4 (GA4) is critical to ensure privacy compliance.
Google Analytics 4 provides powerful features to detect and filter out PII. This ensures that no sensitive information is captured. This is a key protection mechanism that respects and preserves the privacy of users.
Below are some examples of PII filtering in GA4:
- Filtering by email addresses (checking strings with an @ symbol)
- Filtering by phone numbers (investigating whether unintentional number sequences are stored in web tracking and identifying the nature of these number sequences).
For detailed instructions and specific examples, we recommend the official article in the Google Analytics 4 documentation: Detect and Filter PII Data in Google Analytics 4.
2.4 Verification of PII in tracking data:
Regular audits are critical to ensure there is no PII in the tracking data.
It is advisable to conduct periodic audits to ensure that there is no PII in the tracking data. This ensures that data protection regulations are complied with and that customer data is secure.
2.5 Removal of PII:
If PII is discovered, it must be removed immediately to ensure the security of customer data.
If it is determined during audits that PII was captured after all, it is critical to remove it immediately. This ensures the security and privacy of users.
3. conscious collection of data:
It is equally important to know what data should not be collected in order to respect the privacy of users. Here are some examples:
- Avoid collecting sensitive information such as gender, social security number, and customer status. While this information may be collected, it should not be stored in Google Analytics or Matomo tracking and therefore does not belong there.
- Limiting data collection to the minimum necessary for analysis. It is advisable to expand tracking gradually, as needed.
4. data storage:
4.1 Why store data only to a limited extent:
Limit the storage of data to the minimum necessary to increase security.
It is advisable to limit the storage of data to the absolute minimum in order to increase security. The less data is stored, the lower the risk of a data breach.
Google Analytics 4 offers a data retention solution. Here you can find more information: Data Retention in Google Analytics.
4.2 Masking, encrypting or deleting data:
After a certain period of time, data should be masked, encrypted or deleted, especially sensitive information such as transaction data and customer addresses.
Sensitive information such as transaction data and customer addresses should either be masked, encrypted or deleted after a certain period of time. This is an important protection mechanism to ensure the security of the data.
4.3 Secure offline storage:
For secure offline storage of data, it is recommended to use contemporary encryption algorithms in combination with a unique “SALT”. The term “SALT” here refers to a randomly generated data sequence that is integrated into the encryption of passwords. This additional security measure provides significant protection against unauthorized access to stored data.
There are several options for offline storage, depending on individual requirements and circumstances. For example, data can be stored on physical media such as external hard drives or USB sticks.
The durability of offline storage depends on several factors, including the type of storage medium and environmental conditions. For large amounts of data, it is advisable to use robust and reliable storage solutions that ensure long-term data security.
GDPR Basics and Best Practices:
Follow the basic principles and best practices of the General Data Protection Regulation to ensure the integrity of customer data. This includes the transparent provision of information and secure data processing.
You can find more information about the GDPR here: EU General Data Protection Regulation.
6. consult data protection officer:
In complex cases or where there is uncertainty about data protection, it is advisable to consult a data protection officer. This expert can provide specific guidance and recommendations to ensure compliance with privacy regulations.
In conclusion:
Effective website tracking is critical to the success of a digital presence. It not only provides in-depth insights, but also a customer-friendly experience. If you have any questions or need support in the area of website tracking, Trackingninja will be happy to help.