Recherche avancée

Sur d’autres sites (2940)

• Meta Receives a Record GDPR Fine from The Irish Data Protection Commission

  29 mai 2023, par Erin — GDPR

  The Irish Data Protection Commission (the DPC) issued a €1.2 billion fine to Meta on May, 22nd 2023 for violating the General Data Protection Regulation (GDPR). 

  The regulator ruled that Meta was unlawfully transferring European users’ data to its US-based servers and taking no sufficient measures for ensuring users’ privacy. 

  Meta must now suspend data transfer within five months and delete EU/EEA users’ personal data that was illegally transferred across the border. Or they risk facing another round of repercussions. 

  Meta continued to transfer personal user data to the USA following an earlier ruling of The Court of Justice of the European Union (CJEU), which already address problematic EU-U.S. data flows. Meta continued those transfers on the basis of the updated Standard Contractual Clauses (“SCCs”), adopted by the European Commission in 2021. 

  The Irish regulator successfully proved that these arrangements had not sufficiently addressed the “fundamental rights and freedoms” of the European data subjects, outlined in the CJEU ruling. Meta was not doing enough to protect EU users’ data against possible surveillance and unconsented usage by US authorities or other authorised entities.

  Why European Regulators Are After The US Big Tech Firms ? 

  GDPR regulations have been a sore area of compliance for US-based big tech companies. 

  Effectively, they had to adopt a host of new measures for collecting user consent, ensuring compliant data storage and the right to request data removal for a substantial part of their user bases. 

  The wrinkle, however, is that companies like Google and Meta among others, don’t have separate data processing infrastructure for different markets. Instead, all the user data gets commingled on the companies’ servers, which are located in the US. 

  Data storage facilities’ location is an issue. In 2020, the CJEU made a historical ruling, called the invalidation of the Privacy Shield. Originally, international companies were allowed to transfer data between the EU and the US if they adhered to seven data protection principles. This arrangement was called the Privacy Shield. 

  However, the continuous investigation found that the Privacy Shield scheme was not GDPR compliant and therefore companies could no longer use it to justify cross-border data transfers.

  The invalidation of the Privacy Shield gave ground for further investigations of the big tech companies’ compliance statuses. 

  In March 2022, the Irish DPC issued the first €17 million fine to Meta for “insufficient technical and organisational measures to ensure information security of European users”. In September 2022, Meta was again hit with a €405 million fine for Instagram breaching GDPR principles. 

  2023 began with another series of rulings, with the DPC concluding that Meta had breaches of the GDPR relating to its Facebook service (€210 million fine) and breaches related to Instagram (€180 million fine). 

  Clearly, Meta already knew they weren’t doing enough for GDPR compliance and yet they refused to take privacy-focused action. 

  Is Google GDPR Compliant ?

  Google has a similar “track record” as Meta when it comes to ensuring full compliance with the GDPR. Although Google has said to provide users with more controls for managing their data privacy, the proposed solutions are just scratching the surface. 

  In the background, Google continues to leverage its ample reserves of user browsing, behavioural and device data in product development and advertising. 

  In 2022, the Irish Council for Civil Liberties (ICCL) found that Google used web users’ information in its real-time bidding ad system without their knowledge or consent. The French data regulator (CNIL), in turn, fined Google for €150 million because of poor cookie consent banners the same year. 

  Google Analytics GDPR compliance status is, however, the bigger concern.

  Neither Google Univeral Analytics (UA) nor Google Analytics 4 are GDPR compliant, following the Privacy Shield framework invalidation in 2020. 

  Fines from individual regulators in Sweden, France, Austria, Italy, Denmark, Finland and Norway ruled that Google Analytics is non-GDPR compliant and is therefore illegal to use. 

  The regulatory rulings not just affect Google, but also GA users. Because the product is in breach of European privacy laws, people using it are complacent. Privacy groups like noyb, for example, are exercising their right to sue individual websites, using Google Analytics.

  How to Stay GDPR Compliant With Website Analytics 

  To avoid any potential risk exposure, selectively investigate each website analytics provider’s data storage and management practices. 

  Inquire about the company’s data storage locations among the first things. For example, Matomo Cloud keeps all the data in the EU, while Matomo On-Premise edition gives you the option to store data in any country of your choice. 

  Secondly, ask about their process for consent tracking and subsequent data analysis. Our website analytics product is fully GDPR compliant as we have first-party cookies enabled by default, offer a convenient option of tracking out-outs, provide a data removal mechanism and practice safe data storage. In fact, Matomo was approved by the French Data Protection Authority (CNIL) as one of the few web analytics apps that can be used to collect data without tracking consent. 

  Using an in-built GDPR Manager, Matomo users can implement the right set of controls for their market and their industry. For example, you can implement extra data or IP anonymization ; disable visitor logs and profiles. 

  Thanks to our privacy-by-design architecture and native controls, users can make their Matomo analytics compliant even with the strictest privacy laws like HIPAA, CCPA, LGPD and PECR. 

  Learn more about GDPR-friendly website analytics.

  Final Thoughts

  Since the GDPR came into effect in 2018, over 1,400 fines have been given to various companies in breach of the regulations. Meta and Google have been initially lax in response to European regulatory demands. But as new fines follow and the consumer pressure mounts, Big Tech companies are forced to take more proactive measures : add opt-outs for personalised ads and introduce an alternative mechanism to third-party cookies. 

  Companies, using non-GDPR-compliant tools risk finding themselves in the crossfire of consumer angst and regulatory criticism. To operate an ethical, compliant business consider privacy-focused alternatives to Google products, especially in the area of website analytics. 

• Google Analytics 4 (GA4) vs Matomo

  7 avril 2022, par Erin

  Google announced that Universal Analytics’ days are numbered. Universal Analytics will be replaced by Google Analytics 4 (or GA4) on the 1st of July 2023. 

  If Google Analytics users want to compare year-on-year data, they have until July 2022 to get set up and start collecting data before the sun sets on Universal Analytics (or UA).

  But is upgrading to Google Analytics 4 the right move ? There’s a lot to consider, and many organisations are looking for an alternative to Google Analytics. So in this blog, we’ll compare GA4 to Matomo – the leading Google Analytics alternative. 

  In this blog, we’ll look at :

  What is Matomo ?

  Matomo is a powerful privacy-first web analytics platform that gives you 100% data ownership. First launched in 2007, Matomo is now the world’s leading open-source web analytics platform and is used by more than 1 million websites. 

  Matomo’s core values are based on ethical data collection and processing. Consistently more businesses and organisations from around the globe are adopting data-privacy-compliant web analytics solutions like Matomo. 

  Matomo offers both Cloud and On-Premise solutions (and a five-star rated WordPress plugin), making for an adaptable and flexible solution. 

  What is Google Analytics 4 ?

  Google Analytics 4 is the latest version of Google Analytics and represents a completely new approach to data-modelling than its predecessor, Universal Analytics. For an in-depth look at how GA4 and UA compare, check out this Google Analytics 4 vs Universal Analytics comparison. 

  Google Analytics 4 will soon be the only available version of analytics software from Google. So what’s the issue ? Surely, in 2022, Google makes it easy to migrate to their newest (and only) analytics platform ? Not quite.

  Google Analytics 4 vs Matomo

  Whilst the core purpose of GA4 and Matomo is similar (providing web analytics that help to optimise your website and grow your business), there are several key differences that organisations should consider before making the switch.

  Importing Historical Data from Universal Analytics

  Google Analytics 4

  Users assuming that historical data from Universal Analytics could be imported into Google Analytics 4 were faced with swift disappointment. Unfortunately, Google Analytics 4 does not have an option to import data from its predecessor, Universal Analytics. This means that businesses won’t be able to import and compare data from previous years.

  Matomo

  If you don’t want to start from scratch with your web analytics data, then Matomo is an ideal solution for data continuity. Matomo offers users the ability to import their historical Universal Analytics data. So you can keep all that valuable historical data you’ve collected over the years.

  

  User Interface

  Google Analytics 4

  GA4’s new user interface has been met with mixed reviews. Many claim that it’s overly complex and difficult to navigate. Some have even suggested that the tool has been designed specifically for enterprises with specialised analytics teams. 

  

  Matomo

  Matomo, on the other hand, is recognised for an easy to use interface, with a rating of 4.5 out of 5 stars for ease of use on Capterra. Matomo perfectly balances powerful features with a user-friendly interface so valuable insights are only a click away. There’s a reason why over 1 million websites are using Matomo. 

  

  Advanced Behavioural Analytics Features 

  Google Analytics 4

  While Google Analytics is undoubtedly robust in some areas (machine learning, for instance), what it really lacks is advanced behavioural analytics. Heatmaps, session recordings and other advanced tools can give you valuable insights into how users are engaging with your site. Well beyond pageviews and other metrics.

  Unfortunately, with this new generation of GA, Google still hasn’t introduced these features. So users have to manage subscriptions and tracking in third-party behavioural analytics tools like Hotjar or Lucky Orange, for example. This is inefficient, costly and time-consuming to manage. 

  

  Matomo 

  Meanwhile, Matomo is a one-stop shop for all of your web analytics needs. Not only do you get access to the metrics you’ve grown accustomed to with Universal Analytics, but you also get built-in behavioural analytics features like Heatmaps, Scroll Depth, Session Recordings and more. 

  Want to know if visitors are reaching your call to action at the bottom of the page ? Scroll Depth will answer that.

  Want to know why visitors aren’t clicking through to the next page ? Heatmaps will give you the insights you need.

  You get the picture – the full picture, that is. 

  

  Data Accuracy

  Google Analytics 4

  GA4 aims to make web and app analytics more privacy-centric by reducing the reliance on cookies to record certain events across platforms and devices. 

  However, when site and application visitors opt-out of cookie tracking, GA4 instead relies on machine learning to fill in the gaps. Data sampling could mean that your business is making business decisions based on inaccurate reports. 

  Matomo

  Data is the backbone of web analytics, so why make critical business decisions on sampled data ? With Matomo, you’re guaranteed 100% unsampled accurate data. So you can rest assured that any decisions you make are based on actual facts. 

  Compliance with Privacy Laws (GDPR, CCPA, etc.) 

  Google Analytics 4

  Google is making changes in an attempt to become compliant with privacy laws. However, even with GA4, users are still transferring data to the US. For this reason, both Austrian and French governments have ruled Google Analytics illegal under GDPR.

  The only possible workaround is “Privacy Shield 2.0”, but GDPR experts are still sceptical of this one. 

  Matomo

  If compliance with global privacy laws is a concern (and it should be), then Matomo is the clear winner here. 

  As an EU hosted web analytics tool, your data is stored in Europe, and no data is transferred to the US. On the other hand, if you choose to self-host, the data is stored in your country of choice.

  In addition, with cookieless tracking enabled, you can say goodbye to those pesky cookie consent screens. 

  Also, remember that under GDPR, and many other data privacy laws like CCPA and LGPD, end users have a legal right to access, amend and/or erase the personal data collected about them. 

  With Matomo you get 100% ownership of your web analytics data. This means that we don’t on-sell to third parties ; can’t claim ownership of the data ; and you can export your data at any time.

  

  Wrap up

  At the end of the day, the worst thing an organisation can do is nothing. Waiting until July 2023 to migrate to GA4 or another web analytics platform would be very disruptive and costly. Organisations need to consider their options now and start migrating in the next few months. 

  With all that said, moving to Google Analytics 4 could prove to be a costly and time-consuming operation. The global trend towards increased data privacy is a threat to platforms like Google Analytics which uses data for advertising and transfers data across borders.

  With Matomo, you get an easy to use all-in-one web analytics platform and keep your historical Universal Analytics data. Plus, you can future-proof your business by being compliant with global privacy laws and get access to advanced behavioural analytics features. 

  There’s a lot to weigh up here but fortunately, getting started with Matomo is easy. Try it free for 21-days (no credit card required) and see for yourself why over 1 million websites choose Matomo. 

  While this is the end of the road for Universal Analytics, it’s also an opportune time for organisations to find a better fit web analytics tool. 

  21 day free trial. No credit card required.

  Your email address
  

  Your website address
  

  Your Analytics subdomain will be .matomo.cloud (change)

  Choose your analytics subdomain
  

  .matomo.cloud

  I hereby accept the terms and conditions and the data processing agreeement (DPA).

  
  Your information will be used to create an account on our cloud service. For more information please consult our privacy policy.
  
  

  » Start improving your websites now

  

• How to not process any personal data with Matomo and what it means for you

  22 avril 2018, par InnoCraft

  Disclaimer : this blog post has been written by digital analysts, not lawyers. The purpose of this article is to explain how to not process any personal data with Matomo in order to avoid going through the GDPR compliance process with Matomo analytics. This work comes from our interpretation of different sources : the official GDPR text and the UK privacy commission : ICO resources. It cannot be considered as a professional legal advice. So as GDPR, this information is subject to change. GDPR may be also known as RGPD in French, Spanish, Portuguese, Datenschutz-Grundverordnung, DS-GVO in German, Algemene verordening gegevensbescherming in Dutch, Regolamento generale sulla protezione dei dati in Italian.

  Are you looking for a way to not process any personal data with Matomo ? If the answer is yes, you are at the right place. From our understanding, if you are not processing personal data, then you shouldn’t be concerned about GDPR. Our inspiration came from this official reference :

  “The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.“

  In this blog post we are going to see how you can configure Matomo in order to not process any personal data and what the consequences are.

  Which data is considered as personal according to GDPR ?

  From : eur-lex.europa.eu

  (1) “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’) ; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person ;”

  (30) “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

  So according to your Matomo configuration, it may leave some traces within the following data :

  1. IP addresses
  2. Cookies identifiers
  3. Page URL or page titles
  4. User ID and Custom “personal” data
  5. Ecommerce order IDs
  6. Location
  7. Heatmaps & Session Recordings

  Let’s see each of them in more detail.

  1. IP addresses

  IP addresses can indirectly identify an individual. It can also give a good approximation of an individual’s location.

  IP addresses are therefore considered as personal data which means you need to anonymize them. To do so, a feature is available within Matomo, where you can anonymize the IP. We recommend you to anonymize at least the last two bytes :

  

  See our configuration guide for more information

  What are the consequences of using this feature ?

  When applying IP anonymization on two bytes, you will no longer be able to see the full IP in the UI.

  Moreover, there is a small chance that 2 different visitors with the same device and software configuration will be identified as the same visitor if the anonymised IP address is the same for both.

  2. Cookies

  It is not clear for us yet if all cookies are considered equal under GDPR. At this stage it is too early to make a definite decision.

  Did you know ? Matomo lets you optionally disable the creation of cookies by adding an extra line of code to your tracking code see below.

  

  See our configuration guide for more information

  What are the consequences of using this feature ?

  Matomo is using a few first party cookies, and the following cookies may hold personal data :

  • _pk_id : contains a visitor id used to identify unique visitors
  • _pk_ref : to identify from where they came from

  If Matomo cannot set cookies, it will use a technique called Fingerprint. It is based on several metadata such as the operating system, browser, browser plugins, IP address, browser language ; just to name a few to identify a unique visitor. As this feature is less accurate than the one using cookies, the number of visitors and visits will be affected.

  3. Page URLs and page titles

  URLs are not mentioned within the official GDPR text. However, we know that according to the different CMS you use, some of them may have URLs including personal identifiers.

  For example :

  

  As a result, you need to find a way to anonymize this data.

  There are several ways you can perform this action according to your website. If your website is adding the personal data through query parameters, you can define a rule to exclude them from Matomo.

  If the personal data are not included within query parameters, you can use the “setCustomURL” feature and write your code as follow :

  

  See our developer documentation for more information

  If you are also processing personal data within the title tag, you can use the following function : “setDocumentTitle”.

  What are the consequences of using this feature ?

  By anonymizing the URLs containing personal data, some of your  URLs will be grouped together.

  4. User ID and custom personal data

  User ID is a feature (a tracking code needs to be added) which allows you to identify the same user across different devices.

  A User ID needs a corresponding database in order to link a user across different devices, it can be an email, a username, a name, a random number… All those data are either direct or non direct online identifiers and are therefore under the scope of GDPR.

  It will be the same situation if you are using custom variables and/or custom dimensions in order to push personal data to the system.

  To continue using the User ID feature but not recording personal data, you can consider using a hash function which will anonymize/convert your actual User ID into something like “3jrj3j34434834urj33j3”.

  Alternatively, you can enable the feature “Anonymise User IDs”. This feature will be available starting in Matomo 3.5.0 :

  

  What are the consequences of using this feature ?

  Under GDPR, User ID is personal data. Anonymizing the User ID using a hash function or our built-in functionality make the User Id pseudo-anonymous, which means it can’t be easily identified to a specific user. As a result, you will still get accurate visits and unique visitors metrics, and the Visitor Profile, but without tracking the original User ID which is personal data.

  5. Ecommerce order IDs

  Order IDs are the reference number assigned to the products/services bought by your customers. As this information can be crossed with your internal database, it is considered as an online identifier and is therefore under the scope of GDPR. As for User ID, you can anonymize order IDs using our built-in functionality to Anonymise Order IDs (see section 4. about User Id).

  What are the consequences of anonymizing order ID ?

  It really depends on your former use of order IDs. If you were not using them in the past then you should not see any difference.

  6. Location

  Based on the IP address of a visitor, Matomo can detect the visitors location. Location data is problematic for privacy as this technology has become quite accurate and can detect not only the city a visitor is from, but sometimes an even more precise position of a visitor.

  

  In order to not leave any accurate traces, we strongly recommend you to enable the IP anonymization feature. Next, you need to enable the setting “Also use the anonymized IP address when enriching visits”. You find this setting directly below the IP anonymization. This is important as otherwise the full IP address will be used to geolocate a visitor.

  

  What are the consequences of anonymizing location data ?

  The more bytes you anonymize from the IP, the more anonymized your location will be. When you remove two bytes as suggested, the city and region location reports will not be as accurate. In some cases even the country may not be detected correctly anymore.

  7. Heatmaps & Session Recordings

  Heatmaps & Session Recording is a premium feature in Matomo allowing you to see where users click, hover, type and scroll. With session recordings you can then replay their actions in a video.

  Heatmaps & Session Recordings are under the scope of GDPR as they can disclose in some specific cases (for example : filling a contact form) personal data :

  

  To avoid this, Matomo will anonymize all keystrokes which a user enters into a form field unless you specifically whitelist a field. Many fields that could contain personal data, such as a credit card, phone number, email address, password, social security number, and more are always anonymized and not recorded.

  See our configuration guide for more information

  Note that a page may still show personal information within the page as part of regular content (not a form element). For example an address, or the profile page of a forum user. We have added a feature which allows you to set an HTML attribute “data-matomo-mask” to anonymize any personal content shown in the UI.

  What are the consequences of using this feature ?

  Mainly, you will not be able to see in plain text what people are entering into your forms.

  What should you do with past data ?

  Once more, we have to say that we are not lawyers. So do not take our answers as legal advice. From : ec.europa.eu/newsroom/article29/document.cfm ?doc_id=50053

  “For example, as the GDPR requires that a controller must be able to demonstrate that valid consent was obtained, all presumed consents of which no references are kept will automatically be below the consent standard of the GDPR and will need to be renewed.”

  Our interpretation is that, if you were previously relying on consent, unless you can demonstrate that valid consent was obtained, you need to get the consent back (which is almost impossible) or you need to anonymize or remove that data.

  To anonymize previously tracked data, we are actively working on a feature to do just that directly within Matomo. Alternatively, you may also set up the deletion of logs after a certain amount of time.

  We really hope you enjoyed reading this article. GDPR is still on the go and we are pretty sure you have a lot of questions about it. You probably would like to share our vision about it. So do not hesitate to ask us through our contact form to see how we are interpreting GDPR at Matomo and InnoCraft.

  The post How to not process any personal data with Matomo and what it means for you appeared first on Analytics Platform - Matomo.