GDPR Compliance for Tracker.ly


I’m not a lawyer and everything here is based on my personal understanding of GDPR.

What is GDPR?

The General Data Protection Regulation is a new anti-tracking law that affects all websites that have visitors who are European Union residents, wherever they may be in the world. The gist is that you must obtain informed consent to do any tracking of personally identifying data, you need to provide methods to opt out of that tracking if they do opt in, and you cannot deny services if they opt out. There are many other requirements, like the right to have information retrieved or deleted, and explicitly stating in plain language how you’re using any information you’re collecting.

For example, if you use cookies on your site, perhaps with Google Analytics, a “we use cookies” notice isn’t enough, as you’ve already tracked them without consent. Instead, you need to explain why you’re tracking them, ask permission before you can even load the Google Analytics script, and if they say no, you have to erase all identifying information, not load any analytics, and you still have to show them the content. Where you are based, or your site is hosted, doesn’t matter, unless you’re confident no European citizens will ever access your site, even when traveling out of the EU.

How similar services are handling GDPR:

We have looked at what some other link redirection services with similar advanced tracking features have done to be GDPR compliant, and they are either doing nothing (yet) or letting you optionally show an opt-in message to people with European Union IPs before sending them to the destination, apparently every time they click a link. This does not actually get you fully GDPR compliant because it’s optional and because of the “wherever they may be in the world” part. I think the best solution is to show that opt-in notice to everyone, everywhere, the first time they click a link from your domain, and to provide instructions so they can opt-out at any time later, not just at the moment they clicked a link. This is not ideal.

Does using Tracker.ly violate GDPR rules?

GDPR is only concerned with personally identifying information. The point of Tracker.ly is to track anonymous data of how many people click on links to show which marketing links get the most traction over time. However, it has been using IP data and cookie tracking, as follows:

  1. We recorded visitor IPs to help our clients identify their own testing traffic and fraudulent traffic.
  2. We also used those IPs to let people know where visits are coming from geographically.
  3. We use cookies to provide different options for split-testing, like the option of repeat visitors being sent to the same location as last time, instead of a random location.
  4. We also allow users to inject additional code into links, which is typically used for retargeting people who click on links.

After a lot of reading, we’ve determined that we do violate GDPR in some of these situations.

IP Report and Country report:
In Tracker.ly, the IP is just a random number, not at all associated with a user. It isn’t linked to any other data. So, it’s not really personally identifying information. However, it is the sort of information that could be used in conjunction with other data to personally identify people, even if we don’t currently. Therefore, it cannot be collected without permission and us collecting IP addresses makes Tracker.ly non-compliant. Instead of asking for permission to do so on every link, we’ve made the following changes:

  1. Incoming traffic now has the IP address anonymized by replacing the last section of the IP with 0. For example, an IP such as 123.123.123.123 becomes 123.123.123.0, which makes it no longer a personal identifying object, while still providing more than enough fidelity so that the country report won’t change at all.
  2. We’ve removed the IP tracking list, as anonymous IPs render the IP tracking list pretty useless.
  3. We’ve deleted all previously recorded IP addresses.
  4. We no longer store any IP data and have deleted existing IP data.
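
The masking in step 1, as an added JavaScript example (not Tracker.ly's own code; anonymizeIp and buildClickRecord are hypothetical names). It also accepts the IPv4-mapped form ::ffff:a.b.c.d, which goes beyond the post, and returns null for anything it cannot mask so that an unmasked address never reaches storage.

```javascript
// Added example, not Tracker.ly code. Function names are hypothetical.
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
const MAPPED_PREFIX = /^::ffff:/i;

// Replace the last section of an IPv4 address with 0, as the post describes.
function anonymizeIp(raw) {
  if (typeof raw !== 'string') return null;
  // Servers often report IPv4 clients in the mapped form "::ffff:a.b.c.d".
  const ip = raw.trim().replace(MAPPED_PREFIX, '');
  const m = IPV4.exec(ip);
  if (!m) return null; // fail closed: do not keep what could not be masked
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  octets[3] = 0;
  return octets.join('.');
}

// Build the stored click record from the masked address only, so the full
// address is never written to a database or log by this code path.
function buildClickRecord(linkId, remoteAddress, now = new Date()) {
  return { linkId, ip: anonymizeIp(remoteAddress), at: now.toISOString() };
}
```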

Cookies:
The way we’re using cookies is not for tracking or for identification. When link split-testing is on, all we do is save an ID for the link we sent them to, so if they click the link again, we can send them to the same place, or to the next place in a sequence of links. As I understand it, because it’s not identifying information, GDPR rules do not apply. This leads me to believe that no notice is required to be shown.

Note that this is our best interpretation of unclear rules, so we may have to return to this later. For now, we’re not making any changes to our use of cookies.

Injections and Retargeting:

Injections are a much bigger issue. It appears that when injections are used in a link, we should provide a categorization and clear explanation of each script each user injects and get permission before including the scripts. Since we don’t control what people can inject into their links, this is open-ended, which means that we cannot practically be perfectly compliant as things currently are.

We haven’t made changes to this yet.

Here’s what we’re going to do:

  1. On twe.to/klk.to domains and on custom domains hosted with us, links with injections will display an opt-in message, before redirecting people, if the visitor IP is from one of the 28 European Union countries. You have the choice of turning the opt-in message on only for EU countries, or on for everyone. You will not be able to turn it off for EU countries.
  2. If the domain the link is on is hosted with you, the retargeting code is being pushed out by your server. If you want to take more risk, it’s up to you. You will be able to turn the opt-in message off, on for European Union countries, or on for everyone.
  3. The opt-in message is going to be a generic message that will encompass all types of potential use cases, and allow opting in to all use cases or none.
  4. If the person clicking the link chooses not to opt in, no injections will be loaded on any links from that domain for that user.
  5. We’ll store the choice they make in the browser’s localStorage, so we don’t have to ask the question every time they click one of your links from that domain. Similar to our cookie use, we believe we can store this preference without violating GDPR rules, as it is not personally identifying.
  6. If the redirect link is loading a tracking pixel, and is embedded in a page, the opt-in won’t show. In this case, you are responsible for getting consent, before firing the pixel.
  7. On all domains with Tracker.ly installed, there will be a link added where people can go and opt-out. This link will be displayed in the opt-in message. If you want to link to this page from your privacy statement, you can.
  8. For twe.to and klk.to domains, when a person opts in or out, their choice will apply to all links on both domains, across all Tracker.ly users.
  9. On your privacy statement, you should indicate what you are injecting into links and how you are using whatever data you collect.
  10. Note that if you choose to disable the opt-in (on domains you host) or turn it on only for European visitors (on domains you host or host with us), this is not perfect compliancy. European citizens could be clicking on these links with injections while living or travelling outside of Europe, or while using a proxy server so their IP address is outside of Europe.
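
One way to express items 1, 2, 4 and 5 above as a single decision function, as an added JavaScript example (not Tracker.ly's code). The hosting labels 'hosted' and 'self', the storage key, honoring a stored opt-out in every mode, and treating an unknown country as EU are assumptions; pass window.localStorage as the storage argument in a browser.

```javascript
// Added example, not Tracker.ly code. All names here are hypothetical.
// The 28 EU member states at the time of the post (ISO 3166-1 alpha-2).
const EU_COUNTRIES = new Set(('AT BE BG HR CY CZ DK EE FI FR DE GR HU IE ' +
  'IT LV LT LU MT NL PL PT RO SK SI ES SE GB').split(' '));
const CONSENT_KEY = 'injection_consent'; // hypothetical localStorage key

// Items 1-2: domains hosted with the service cannot switch the prompt off.
// An unrecognized setting falls back to asking everyone.
function effectiveMode(hosting, requested) {
  const mode = ['off', 'eu', 'all'].includes(requested) ? requested : 'all';
  return hosting === 'hosted' && mode === 'off' ? 'eu' : mode;
}

// Item 5: the stored choice is 'in', 'out', or null when never asked.
function readChoice(storage) {
  const v = storage.getItem(CONSENT_KEY);
  return v === 'in' || v === 'out' ? v : null;
}
function saveChoice(storage, optedIn) {
  storage.setItem(CONSENT_KEY, optedIn ? 'in' : 'out');
}

// Decide what one click may do. Item 6 (embedded pixel) is not modelled.
function decide({ hosting, mode, country, hasInjections }, storage) {
  if (!hasInjections) return { showOptIn: false, loadInjections: false };
  const choice = readChoice(storage);
  // Assumption: a stored answer is honored in every mode, including 'off'.
  if (choice) return { showOptIn: false, loadInjections: choice === 'in' };
  const m = effectiveMode(hosting, mode);
  // Assumption: a failed geo lookup (no country) is treated as EU.
  const inEu = !country || EU_COUNTRIES.has(country);
  const mustAsk = m === 'all' || (m === 'eu' && inEu);
  // Item 4: nothing is injected until the visitor has opted in.
  return { showOptIn: mustAsk, loadInjections: !mustAsk };
}
```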

As each link can have a different set of injections added to it, the benefit of this all-or-nothing opt-in approach is that we only have to ask people to opt-in or out once per domain, instead of once per link.

It will take several months to get this set up, and when it’s ready, it will require updating the Tracker.ly code on your self-hosted domains to be compliant.

We’ll let you know when we get this done.

Final thoughts:

Unfortunately, the anti-tracking movement continues to reach more and more ridiculous heights, which is what brought GDPR into being. Personally, I believe that the spirit of GDPR is a great thing and that it will improve the Internet in the long run, but it’s dangerous times we live in.

The way it has been rolled out and explained has been terrible, and it’s nearly impossible to figure out what you need to do unless you have a lot of resources and lawyers trained in GDPR at your disposal. In theory, anyone who gets in the cross-hairs of the GDPR police will be given a period to fix things, but it’s still very expensive to fully comply. Small analytics companies like ours need to comply but cannot possibly be fully compliant unless we were much bigger. Many bigger companies than us have either blocked all European visitors, or simply shut down because it was too expensive to become compliant.

Also, my bet is that the industry is moving further towards getting rid of retargeting, with multiple forces working against it. Many ad blockers block all tracking scripts, including Google Analytics and retargeting pixels. There’s GDPR, which requires multiple levels of consent opt-ins, depending on how you’re doing the retargeting. And there are a lot of increasingly bizarre, yet successful lawsuits against individual companies about tracking their users or even tracking usage within their own apps. I’m waiting for someone to sue Amazon for making recommendations based on previous purchases. As crazy as that may sound, a class action lawsuit is being planned right now, which basically comes down to the same thing. Maybe they are testing the waters with smaller companies and creating precedents before going after bigger ones.

My advice to you is to do everything you can to be compliant with GDPR and to check all the tools you use for GDPR compliancy. Anything that tracks users in any way, like how some refer-a-friend platforms track IP addresses, could put you at risk. If you use software that isn’t compliant, you’re the one who is responsible. The sharks are in the water.
