How do you collect privacy-friendly website statistics?

December 6, 2018

Many Dutch websites have not set up Google Analytics in a privacy-friendly way and therefore violate the law by tracking users without consent. This is evident from a quick inspection that I have done on cookies on 11,309 Dutch websites. This shows that 3,186 websites with Google Analytics have linked these cookies to the Google Doubleclick advertising network. As a result, website visitors can receive targeted advertisements outside of the website. And that is only allowed if the visitors have given separate consent for this.

No consent required for statistics

It is not necessary to ask visitors for consent to collect website statistics if the owner of the website ensures that the collected personal data are only used for the statistics of that website.

Tracking visitors across multiple websites requires separate consent. However, by concluding a processor agreement, the website owner can determine that the supplier of the statistics package may only use the collected personal data for that particular website. The website owner can also choose to install his own statistics package on the server, such as Matomo (formerly Piwik).

Google Analytics manual

Many Dutch websites use Google Analytics to keep track of statistics Almost half of the surveyed websites (5.550 websites) use Google Analytics. According to the Dutch Telecommunication Act (the implementation of the ePrivacy Directive) websites are allowed to use the Google Analytics cookies without asking for separate consent if the cookies are set in such a privacy-friendly manner that there are no or very few risks to the privacy of the website visitors.

The Dutch Data Protection Authority has published a good manual [pdf, in Dutch only] with which Google Analytics can be set up in a privacy-friendly way. This manual explains how a website owner can enter into a processor agreement with Google, and additionally, how the different privacy-promoting options can be switched on. This survey shows that there are still many websites that have not fully followed this advice.

Survey Privacy Company

I conducted the survey to get a general picture of the use of online tracking techniques in the Netherlands, not to name and shame individual websites for violations I started with a generic list of 1 million popular domain names. I have visited all (11,309) domain names ending in ".nl" with a normal web browser. All network traffic was stored in a database so that I could search for patterns efficiently. Of course I did not visit the websites manually. I have made scripts both for visiting and analysing the websites.

Tips for website owners

Do you use Google Analytics? Then look at your own website traffic if you accidentally encounter DoubleClick traffic. Maybe you have used incorrect settings for Google Analytics. To get a first impression of the cookies set by your website, you can enter the URL of your site in the cookie tool of the Swedish NGO Dataskydd,

Look beyond cookies. Techniques to track users are making increasing use of alternatives to cookies such as browser fingerprinting. Websites are complex and problems can occur in unexpected places or moments. For example, it is possible that a cookie is only set during the first visit and is therefore no longer noticed during subsequent visits.