General Data Protection Regulation (aka GDPR) is a European privacy law that restricts how personal data is collected and handled. It came into force on May 25, 2018, and applies to businesses and organizations that operate in the European Union or process data of EU residents. To be compliant with this law, you need to ask your site’s visitors for consent to data collection and usage.
Here’s what your website should have to comply with the GDPR:
- Purpose of the collected data
- Scope of the collected data (scope in Piwik PRO)
- Cookies (cookies used by Piwik PRO)
- Data location
- Data retention period
- Sub-processors (Company or contractor that may receive collected visitor data.)
Tip: You can use this sample disclousure on your site.
- Form for collecting data requests: Include a form that lets visitors see, change or delete their data. According to the GDPR, these are the rights that visitors have. Read more
- Procedure for responding to data subject rights: You can use the form in Consent Manager, which is linked to the panel where you can manage visitor data requests. Read more
- Method for collecting data: We recommend using Consent Manager that lets you collect all data from visitors who consent and non-sensitive data from visitors who don’t consent (or no data at all from those who opt out). If you don’t want to use Consent Manager, you can turn off a session hash and visitor cookies. This may result in less accurate data, but it can help you comply with privacy laws. Read more
- Form for collecting consents: Before you collect any data, make sure to ask for consent from your website visitors. Clearly state what data you intend to collect and give a reason for doing so. Remember, the consent form should not include any pre-selected checkboxes for cookie categories, except those necessary for your website’s basic functionality. You can use our consent forms found in Consent Manager. Read more
- Consent for using data by third-party services: Make sure the tools and services you use on your website follow GDPR rules. Check how data flows between your site and these services. If you add Google Ads, Facebook Ads or similar tools to your site, include an option for people to agree to remarketing.
- GDPR-compliant data hosting: Make sure that your data is hosted in the EU or GDPR approved countries.
Note: Piwik PRO offers safe hosting on cloud and private cloud in France, Germany, Hong Kong, the Netherlands, Sweden or the USA.
The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Therefore, under the GDPR, this data is treated as personal data:
- Online identifiers: IP addresses, cookie identifiers, account login and other identifiers
- Location data: geolocation of the website visitor
- Other: email address, first name, last name, middle name, postal address and more
Anonymous data is exempt from GDPR unless it can be re-identified.