Consent-free and legally compliant
With etracker analytics, companies benefit from the fact that data can be verifiably collected in accordance with TTDSG and GDPR even without consent.
The current requirements of the supervisory authorities
To use web analytics services without consent in a legally compliant manner under the current guidance of the German supervisory authorities for telemedia providers, the TDDDG and GDPR require that no analytical cookies are used and that privacy-friendly processing is guaranteed on the basis of the website operator's overriding legitimate interest.
1. Consent-free according to TTDSG (cookie-less)
The Telecommunications Digital Services Data Protection Act (TDDDG) contains regulations on access to the user’s terminal equipment. By default, etracker analytics only uses functional or strictly necessary cookies. There is no active access to the user’s end device. According to the supervisory authorities, the processing of browser and header information on which etracker is based does not require consent:
“Access requires a targeted transmission of browser information that is not initiated by the end user. If only information, such as browser or header information, is processed, which is transmitted inevitably or due to (browser) settings of the end device when a telemedia service is called up, this is not to be regarded as ‘access to information already stored in the terminal equipment’.” (See https://www.datenschutzkonferenz-online.de/media/oh/20211220_oh_telemedien.pdf, page 8)
For session tracking, etracker analytics does not store any data in the user’s end device, but assigns interactions to the respective visits purely on the server side via securely hashed session tokens.
Examples of information that is transmitted when a telemedia service is accessed are:
- the public IP address of the end device,
- the address of the website accessed (URL),
- the user agent string with browser and operating system version and
- the set language.
If users object to data processing for analysis purposes via the data protection notice on the website, the objection is stored in a technically required cookie within the meaning of Section 25 (2) No. 2 TDDDG.
2. Consent-free according to GDPR (overriding legitimate interest)
The General Data Protection Regulation (GDPR) regulates the processing of personal data. Reporting in etracker analytics is based on anonymized and mainly aggregated data. However, anonymization itself already constitutes a processing operation under the GDPR. This includes the standard, automatic shortening of the IP address at the earliest possible point, in the memory of the data acceptance server.
There are two possible legal bases for this (anonymization) processing: consent and overriding legitimate interest. The current guidance confirms that the legal basis of consent is not preferable to legitimate interest under data protection law, i.e. it is not more data protection-friendly:
“All of the legal bases mentioned in this standard are of equal rank and equal value.”
The legal basis of overriding legitimate interest places high demands on processing with regard to data protection friendliness and requires a balancing of interests under the criteria already mentioned by the Data Protection Conference in 2019. These criteria were used as a basis for the independent audit of etracker analytics by ePrivacy Consult and are set out in this model statement of interests.
The result of the audit is:
“Based on our in-depth review, we believe that data processing by etracker Analytics and etracker Optimiser is also justified with regard to the DSK paper from December 2021 and the ECJ ruling of 01.10.2019 on the legal basis of Art. 6 para. 1 lit. f) GDPR (legitimate interest). In cookie-less mode (standard mode), the use of etracker Analytics is lawful under the GDPR and TDDDG without any consent requirement.”
The results of the audit can be viewed here.
The French supervisory authority CNIL also confirms that etracker analytics can be used without the need for consent: https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies-solutions-pour-les-outils-de-mesure-daudience.
Among other things, ePrivacy Consult certifies the following for etracker analytics:
- The data processing agreement (AV contract) is concluded upon account registration, see https://www.etracker.com/en/dp-agreement/.
- The IP address is shortened as early as possible and automatically (in the server cache) and thus only persisted anonymously.
- Reporting is carried out with anonymized and almost exclusively aggregated data without the possibility of identifying the user.
- Session identifiers for linking individual interactions to visits are limited to a maximum of 24 hours, as a daily time stamp is included in the hash value automatically generated by the server. This excludes the possibility of permanent recognition unless cookies are activated after consent has been given. Browser fingerprinting as defined by OH Telemedia and the Article 29 Data Protection Working Party therefore does not take place.
- The data is processed exclusively on behalf of etracker and is not used for etracker’s own purposes or linked with data from other etracker customers.
- No personal data is passed on to third parties (Google, Facebook & Co.).
- No granular mouse movement recordings are made.
- An objection function is provided for the privacy policy.
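The following added example sketches how a server-side session token with a daily time stamp and an early-shortened IP address can be built so that hits are linkable within one day only. It is not etracker's code: the HMAC-SHA256 construction, the input fields, the /24 and /48 truncation widths, the secret and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timezone

# Assumption: a secret held only by the server, so tokens cannot be recomputed elsewhere.
SERVER_SECRET = b"constructed-demo-secret"

def truncate_ip(ip: str) -> str:
    """Shorten the address in memory before anything is persisted.
    Assumed widths: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

def session_token(ip: str, user_agent: str, language: str,
                  site_id: str, when: datetime) -> str:
    """Keyed hash over transmitted header data plus a daily (UTC) time stamp."""
    day = when.astimezone(timezone.utc).strftime("%Y-%m-%d")
    fields = [site_id, truncate_ip(ip), user_agent, language, day]
    # Length-prefix each field so adjacent fields cannot run into each other.
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def same_visit(a: dict, b: dict) -> bool:
    """Two hits are assigned to one visit only if their tokens match."""
    return hmac.compare_digest(session_token(**a), session_token(**b))

# Constructed sample hits (documentation-range IP, made-up user agent).
HIT_MORNING = dict(ip="203.0.113.77", user_agent="ExampleBrowser/1.0",
                   language="de-DE", site_id="shop",
                   when=datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc))
HIT_EVENING = {**HIT_MORNING, "when": datetime(2024, 5, 1, 21, 30, tzinfo=timezone.utc)}
HIT_NEXT_DAY = {**HIT_MORNING, "when": datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)}

if __name__ == "__main__":
    print("same day linked:", same_visit(HIT_MORNING, HIT_EVENING))
    print("next day linked:", same_visit(HIT_MORNING, HIT_NEXT_DAY))
```

Because the day stamp is part of the hashed input, a visit that runs across midnight UTC is split into two tokens, and visitors sharing a shortened address and identical headers share one token.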
If a website operator comes to the conclusion that its legitimate interests do not prevail due to its individual circumstances, such as the possible enrichment of web analysis data or its further processing in third-party systems, the tracking opt-in option can be used.
Conclusion
When using etracker analytics, only processing operations that are justified on the basis of the website operator’s overriding legitimate interest are carried out. There is no obligation to obtain consent under the TTDSG. If consent is given, etracker cookies can be activated for anonymous recognition and journey measurement. Cookies can be activated via the integrated consent management or third-party CMP services. This enables the best possible data quality, regardless of consent, in harmony with the legal requirements. This is the basis for efficient website and campaign management. The license costs for etracker analytics can thus quickly be more than offset by higher sales and increased marketing success (ROAS).