Are your site’s tracking technologies breaking the law?

Two irresistible yet conflicting forces are creating a real risk for businesses that operate on the web, which is every business that exists in 2022. Those forces are tracking technologies and data privacy regulations.

Plugins that enhance the amount of information companies collect about the visitors to their site help fuel a business environment where every speck of customer data is collected because it could be monetized someday.

However, three pharmacies in Sweden recently reported themselves to the Privacy Protection Authority for deploying the ubiquitous Facebook “tracking pixel” on their site and sharing consumers’ personal data the pixel collected with the world’s largest social network. Other sites may be unintentionally collecting data illegally through well-intentioned “telemetry” designed to help debug the pages or measure engagement.

The European Union’s General Data Protection Regulation (GDPR) and other regulations require companies to take a close look at their tracking technologies – or potentially face the wrath of regulators. But for businesses that care about their customers’ privacy, this close look shouldn’t be seen as just another bureaucratic box to check.

The risks that come from overly collecting and poorly protecting personal information are real. And the time to address these risks is before you’re facing a fine or some other significant consequence.

Think about what you should collect, not what you could collect

Data collection should start by considering a basic fact: Any piece of information you collect is both an asset and a liability.

The GDPR defines personal data as “any information that relates to an identified or identifiable living individual.” It’s hard to think of much information that could be collected that doesn’t fit into that label. Lawmakers purposely made this distinction broad because personal data is always a potential target for attackers, especially when that data could be used for monetary gain. This includes (but is not limited to) information that relates to financial accounts, and a broad variety of information, including personal data related to health care.

The terrifying case of Vastaamo – a Finnish psychotherapy practice that went out of business after criminals attempted to extort patients with hacked treatment files – shows how even medical data can be monetized by ruthless attackers. But criminals don’t need extensive notes from therapy sessions to take advantage of stolen data.

When threat actors gain access to a large set of data, they will attempt to correlate that data. Even if the collected information doesn’t include obvious identifiers such as a name or phone number, the data can be used to create connections between users and their information.

When seemingly innocuous data can easily be connected to extremely sensitive medical data, you can see why regulators with customers’ privacy in mind have every incentive to be proactive in taking on companies that are not following the law.

But we’re just trying to serve you better!

Telemetry in the context of eCommerce is universally used to describe information that is automated to be collected to either improve site performance or user engagement.

The whole point of telemetry and other technologies used to improve diagnostics or site usability is that users don’t realize it’s happening. Psychologically, you’re more likely to behave differently if you know you’re being watched. So informed consent would seem counterproductive to your objectives. And given that the entire point of this kind of data collection and analysis is to create generalized optimizations that work for a maximum number of potential customers, there’s little chance that companies will use telemetry to track or target individual users.

However, even this sort of tracking can potentially violate the law.

One of the cornerstones of the GDPR as it is enforced by European countries is informed consent—if data is being collected, both the GDPR and the California Consumer Privacy Act (CCPA) require that users must be told *before* collection begins so they can decide if they want that personal information in someone else’s hands.

And regulators have clearly stated that “Personal data that has been de-identified, encrypted or pseudonymized but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.” Your business could always make the argument that the data collected could not be used to “re-identify” a person, but that’s more a speculative argument than a technical one.

Pixels are cookies on steroids

Tracking pixels from Facebook collect HTTP headers that include IP addresses, which can be used to identify the user. And unlike traditional cookies, these pixels can potentially track your users wherever they go after they leave your site.

Even if Facebook does not share that information with the owner of the site, this creates potential privacy and regulatory risks for any company that uses this technology or shares this information with the online advertising giant.

Meta, Facebook’s parent company, says that businesses that “…advertise with the Facebook companies can continue to use Facebook platforms and solutions in the same way they do today.” However, the company then immediately notes that “Each company is responsible for ensuring their own compliance with the GDPR, just as they are responsible for compliance with the laws that apply to them today.”

Notably, Google Analytics’ pixel does not collect IP addresses as of version 4. But this hasn’t stopped Italy from becoming the third country to have banned the service, saying it violates the GDPR.

Chances are that Facebook and Google have employed more lawyers to consider these questions than your business ever will. So, when these entities that are worth the good part of a trillion-dollar feel the need to carefully displace responsibility on to the sites they work with as they feel the scrutiny of regulators closing in, you would be wise to consider auditing your own data collection principles – or you could face grave consequences of your own.

What should you do?

The guiding principles of data collection are simple:

1. Only collect what you absolutely need

If your company is audited or forced to deal with the aftermath of a breach, regulators will consider exactly how much data you collected from visitors. If you consciously tried to “only collect what you absolutely need”, that could be the deciding factor in assessing any penalties that might be assessed to you.

2. Always get permission

Get your visitors’ consent for any kind of data collection, sharing, diagnostics, or telemetry you do or may do. However, everyone knows the biggest lie on the internet is the box you click to say you’re read a site or app’s terms and conditions. So, while you’ve checked a key box with mandatory consent requirement, you shouldn’t assume that you’re home free when it comes to regulations or proper treatment of consumers’ privacy.

3. Stick to your agreement

Once you have users’ data, you must remember that a core principle of the GDPR is that data still belongs to those users—it’s not yours. It cannot be shared or utilized in any way that wasn’t explicitly part of the original consent.

Constantly assessing and minimizing the data you collect helps you follow both the letter and the spirit of law. Tracking pixels and telemetry are powerful technologies, but if they benefit other companies more than yours or cannot provide explicit benefits, it might be better to skip using them.

That way you may protect your customers—and your business.