Visitor statistics: What can I do? What can I not do?

Every website operator is interested in obtaining statistics about their visitors, if only because you are a blogger who is happy when you read your own content. For commercial providers, however, it is also relevant to know which and how many visitors consume my content, from which sources these visitors come (apart from probably 90 of the Google search) and also how these visitors feel on their own page. to move.

But is user tracking allowed at all? And what exactly can I save without the consent of the users?

Data processing and the setting of cookies is only required in accordance with Article 6(3). 1 book. f) GDPR permitted without the user’s separate consent if these are necessary for the functionality of the website, i.e. if there is a legitimate interest of the website operator.

It is not permitted without the express consent of the user, and such a data will hardly be possible in the present time as a website operator, to merge the usage data with further data about the individual user or to assign characteristics or characteristics or interests for the purpose of profiling. The data may only be processed for statistical analysis and should not be used by a third party for its own purposes.

In any case, their own users must have an opportunity to object in the form of an opt-out procedure in order to delete personal data.

So can’t I store personal information? Yes. A counter on the website that counts only page views is unproblematic. However, it is also quite pointless if, for example, no distinction can be made between visitors and page views.

So can’t I store personal information? In principle, yes. The only question is whether such data exists at all. The storage of, for example, ip addresses without the consent of the users in the context of a visitor counter or analysis tools is very controversial, because most data protectors consider IP addresses as personal data, which theoretically means that storage and processing is only possible with the prior and express consent of the user. As a normal visitor, there will be hardly any explicit consent. Legally safer are the pure storage of hashes, which do not allow conclusions about an IP address, but can distinguish equal visitors. In theory, however, these can also be regarded as personal data.

The setting of cookies within the framework of analysis tools is almost certainly not permitted without the consent of the users. This for this purpose this report. However, this also applies to alternative ways of detecting devices or other computers.

In last year’s Data Protection Commission position paper, this became quite clear:

In any case, prior consent is required for the use of tracking mechanisms that make the behaviour of data subjects on the Internet comprehensible and when creating user profiles. This means that informed consent in accordance with the GDPR, in the form of a declaration or other clearly confirming act must be obtained before the data processing, i.e. e.g. before cookies are placed or stored on the user’s terminal device. information is collected.

In doing so, it clarifies the european legal situation

This view is in line with the European legal understanding of Article 5(3) of the ePrivacy Directive. In the majority of EU member states, the ePrivacy Directive has been fully transposed into national law or the supervisory authorities already require an “opt-in” in accordance with Article 5 (3) of the Directive.

It is likely that a few more answers will emerge on these questions in the coming months. Until then, you probably have to decide for yourself whether you o’t do a tracking completely or try to make it at least as little personal as possible and thus at least try to comply with the data protection idea. It is not recommended to completely ignore any data protection requirements, such as the use of Google Analytics without IP anonymization and other recommended settings, without a user expressly agreeing to do so.

Of course, a user can also agree to a tracking at any time to use a specific function or, for example, a mobile app. Certain situations can also be seen differently for logged-in users in online shops or on browser games. But more on that in another article in the next few days.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.