An association of German data protection authorities has issued a “resolution” on web analytics tools which could significantly impact the use of user profiling techniques in Germany and beyond. Gereon Abendroth and Thao Tran of Osborne Clarke Cologne report.
Topic: On-line advertising
Who: The Dusseldorfer Kreis
When: November 2009
Law stated as at: January 2010
To date, approximately 17 percent of German website operators use web analytics tools to analyze their users’ surfing behaviour (i.e. amount of website visits, number, duration and kind of accessed websites).; ca. 13 percent of them use Google Analytics, ca. 4 percent use other tools based on collection and storage of IP-addresses. All parties agree that website audience measurement through website analytics tools is of high economical importance, especially for websites of social communities with personalised advertisement through IP-targeting or for websites offering location-based services.
In November 2009, the association of data protection authorities (“Düsseldorfer Kreis”) issued a resolution titled “Data Protection Compliance of Web Analytics Tools for Website Audience Measurement”. This resolution has a clear impact on business and contains many risks. The big question is whether the use of web analytics tools as it is today is still compliant with German data protection.
Coming out of this, website operators have to face the following key messages:
- IP-addresses are considered personal data.
- The storage of IP-addresses will be found non-compliant with German data protection.
- The use of web analytics tools based on IP-addresses will be found illegal and can be sanctioned with a fine up to €50.000.
The Düsseldorfer Kreis is an informal association of German Data Protection Authorities for the Private Sector that gather and consult on a regular basis in order to achieve a consistent interpretation of data protection legislations. Their decisions and resolutions, however, are not binding but constitute the basis on which Data Protection Authorities pursue the laws.
In this resolution, the authorities state that website operators, when creating user profiles, must comply with provisions of the German Telemedia Act (Telemediengesetz – “TMG”). According to this, website operators may only create user profiles by using pseudonyms or with user’s consent. In the scope of the TMG, however, the user’s IP-address is not to be considered a “pseudonym”.
Furthermore, the resolution points out that website operators should observe the following requirements:
- website operators shall give the user the right to object to the creation of his profile. The operators have to give prompt effect to any given objections;
- any pseudonymized user data may not be combined with any other information about the user standing behind the pseudonym. As soon as the storage of such data is no longer needed for analyzing purposes, the data in question have to be deleted. The same applies if the user demands deletion;
- in their privacy policies, website operators must inform the user in a clear and unambiguous way about the creation of pseudonymized user profiles and about their right to object;
- without the user’s prior consent, the user’s personal data may only be collected, stored and used to the extent that is necessary to enable the use of the website and for billing purposes. Any usage beyond this scope requires the user’s consent; and
- since IP-addresses are apt to identify the user, analysing the user’s surfing behaviour by using and storing the complete IP-addresses (including any geo localization) is only legitimate with the user’s prior, deliberate and unambiguous consent.
Without such consent, website operators must truncate the IP-address to eliminate the possibility of data being attributed to a specific user.
According to the view of data protection authorities, IP-addresses are personal data and thereby subject to data protection legislations. Based on this interpretation, the use of web tools analytics storing IP-addresses is non-compliant with data protection.
According to provisions of TMG, the collection and storage of personal data is only legitimate if necessary to operate the website. With IP-addresses based web analytics tools, this is not the case. Also, user profiles may only be created by using pseudonyms and may not be combined with personal data. Since web analytics tools usually combine created profiles with the respective IP-address, they fail to fulfil this requirement.
The general use of web analytics tools, however, is not forbidden in total. Web analytics tools that either truncate IP-addresses or refrain from storing them are still compliant with data protection legislations and can still be used.
Risks for Businesses
The risk for businesses is that by illegally using web analytics tools, website operators commit administrative offences that may be sanctioned with a fine up to €50.000. Also, in this context, most of the privacy policies will be wrong as they either do not inform users about the use of the tools or do not grant the user an opportunity to object.
Unlike the resolution, the data protections authorities seem not to have agreed on a common approach with regard to enforcement. Some authorities have publicly announced a willingness to cooperate with business and to find a common solution before issuing fine sanctions. Others say that they will randomly inspect and check. In the longer term, however, the authorities agree to prosecute website operators who keep storing IP-addresses without the user’s consent.
Recommendations for Business
Although the Dusseldorfer Kreis's resolution is not binding, it is nevertheless advisable for German businesses to follow this resolution. In the end, the authorities are authorized to take action against every act that is in their view not compliant with data protection. Since obtaining the user’s prior consent is not a feasible option for website operators, German website operators should observe the following:
- if possible, in their tools, website operators should deactivate the storage of IP-address. Alternatively, and even better, they should only use tools that are not based on IP-addresses or that truncate the latter;
- user profiles should only be created pseudonymized and without the IP-address. In their privacy policies, website operators should clearly and unambiguously inform the user about the creation of user profiles and about their right to object. Any objection should be effectively honoured; and
- to be on the safe side: website operators could refrain from using web analytics tools.
Gereon Abendroth and Thao Tran
Osborne Clarke, Cologne