Follow Piwik PRO – Cloud and Enterprise Analytics on Feedspot

Continue with Google
Continue with Facebook


If you want to know how to construct a lawful data processing agreement, you’re in the right place. In this blog post we’ll walk you through all the important elements of a DPA under GDPR.

GDPR imposes many obligations on companies wanting to collect and use personal data about their clients (we have tackled them in numerous posts on our blog, be sure to check them out). One of the most important obligations is signing DPAs with every other entity that has access to this data.

In case the term doesn’t ring a bell – a data processing agreement (DPA) or commissioned data processing clause is a legally binding document signed between two key data processing actors under GDPR – the controller and the processor. It regulates the particularities of data processing, such as its scope and purpose, as well as the relationship between those actors. In addition, it assigns certain obligations that are required by the Regulation.

When do you need a DPA?

Whenever a data processor carries out any processing on behalf of a data controller (that would be the case with CRMs, CDPs, analytics, and many other types of tools designed to analyze user behavior) you need to have a written contract in place.

The contract is important so that both parties understand their role in handling users’ personal data as well as obligations arising from it. It ensures that the chain of responsibility is clear to each participant in the process.

A Practical Guide to Acquiring Consent in the Age of GDPR

Read our exhaustive guide on collecting, managing, and storing user consents, plus learn the ways GDPR Consent Manager can help you remain privacy compliant

Download FREE Guide

This isn’t really anything new, since signing this kind of document is required by many other data privacy regulations, including the British Data Protection Act and the predecessor to GDPR – Data Protection Directive 95/46/EC.

However, under GDPR, the contract requirements are broader and are no longer confined to just ensuring the security of personal data. They also aim to demonstrate that each party observes the particulars of the regulation.

According to the UK Information Commissioner’s Office:

Contracts between controllers and processors ensure that they both understand their obligations, responsibilities and liabilities. They help them to comply with the GDPR, and help controllers to demonstrate their compliance with the GDPR. The use of contracts by controllers and processors may also increase data subjects’ confidence in the handling of their personal data.

Does a DPA have to be a separate document?

As you can see, this is a significant change in what is required by law, but in practice you already may have included many of those requirements in your existing contracts as good data privacy practices.

For that reason, many companies decide to insert a DPA into existing contracts with their partners. Afterall, there’s no legal restriction stipulating that a DPA can’t be a part of a regular contract between the processor and the controller. However, considering the complexity of the task, it’s advisable to create a separate document or annex to the main contract.

What should be included in a DPA?

GDPR, although its provisions are quite general, provides some guidance on how a DPA should be constructed. Based on the regulation’s text as well as our own experience and expertise, we’ve prepared a list of elements every data processing agreement should have. So, without further ado, let’s review the essential parts of a GDPR-compliant DPA.

This guide aims to provide you with some useful tips on constructing a proper DPA. However, in this case there’s no one-size-fits-all solution. When creating your own version of this document, you should also take into consideration your sectoral regulations and other specific needs of your business.

Typically, the more restrictions your industry has, the more responsibilities will be placed on both the controller and processor.

1) General clauses

In this part of the contract – like in virtually every other type of contract – you specify the definitions of terms used later on in the document. Among other things, you should define:

  • The object of the agreement – typically that would be all activities related to the contractual relationship between partners.
  • The scope, nature, and duration of data processing – the ways personal data is used for (for instance, to analyze user behavior on your website or to personalize user experience) and the party responsible for ensuring that the processed data meets the requirements of GDPR (that liability should rest with the controller).
  • The subjects of data processing – in this part you should define whether the data subjects are children, banking clients, patients, or simply website visitors (or maybe they fall into each of these categories).
  • Type of data you want to process – the categories of data that will be handled using the means of the data processor – for instance, technical characteristics of the browser, behavioral data on website activities, IP addresses, and more. In this point it’s also important to mention that the controller should inform the data processor if the data imported into the system meets the definition of a special data category.

    This is because such information should be processed in a more restricted fashion than regular types of personal data.

    If you want to read more about the categories of personal data, you should read this blog post:
    What Is PII, non-PII, and Personal Data?

  • Data storage – Although GDPR itself doesn’t forbid companies from storing users’ personal data outside the EU, it establishes certain restrictions related to the transfer of data beyond EU borders (see: Chapter 5). That’s why it’s worth including language stating that the data processor has no right to keep controlled data outside of Europe without prior consent.

    If data will be kept abroad, it’s important to describe the steps the data processor has to undertake to ensure a level of security equal to that cultivated within the EU. For instance, regarding data held in the United States, it will be a good idea to follow the Privacy Shield framework (however, this may change because of the most recent controversies surrounding it). Considering the number of details that will need to be addressed, it’s worth including this part in a separate clause or even an annex to the contract.

  • Term of the contract and conditions of contract termination – Here you should include information that all data regarding the controller’s clients should be removed from the processor’s databases after the termination of the contract and enumerate cases in which each party has a right to terminate the agreement (for instance, failing to inform the controller of a data breach or unauthorized changes to data processing procedures.)
A Practical Guide to Acquiring Consent in the Age of GDPR

Read our exhaustive guide on collecting, managing, and storing user consents, plus learn the ways GDPR Consent Manager can help you remain privacy compliant

Download FREE Guide

2) Rights and responsibilities of data controllers

In the next part, you should address the duties of the data controller. Here’s some information you really need to include:

  • Under GDPR, the controller is the entity responsible for establishing a lawful data process and observing the rights of data subjects (including collecting data subject consents and requests).
  • The controller is also responsible for issuing instructions about data processing (including appointing employees to serve as point of contact). It means that the data processor should handle the data exclusively in the manner demanded by the controller.
  • However, if the data processor believes that the instructions issued by the data controller violate the provisions of GDPR, they have to immediately inform the data controller about their concerns.

To learn more about what GDPR has to say about the role of the data controller, here’s a little something to read from Article 24.

3) Responsibilities of data processors

Next it’s time to establish the duties of data processors.

Articles 28-36 of GDPR set out their responsibilities that must be addressed in the data processing agreement. Among other things, the data processor:

  • must have adequate information security in place
  • shouldn’t engage sub-processors without the prior consent of the controller
  • must cooperate with the authorities in the event of an enquiry
  • must report data breaches to the controller as soon as they become aware of them, without undue delay
  • may need to appoint a mandatory data protection officer
  • must give the data controller the opportunity to carry out audits examining their GDPR compliance
  • must keep records of all processing activities
  • must comply with EU transborder data transfer rules (if necessary)
  • must help the controller to comply with data subjects’ rights (including the processing of data subject requests)
  • must assist the data controller in managing the consequences of data breaches
  • must delete or return all personal data at the end of the contract at the choice of the controller, and
  • must inform the controller if the processing instructions infringe GDPR
It’s worth making sure that the text of a DPA doesn’t leave any room for misinterpretation. For example:
  • It’s important to establish the time limits in which the data processor must process data subject requests as well as within which the data processor has to inform the data controller about a data breach.
  • If a data protection officer has been designated, it’s also worth providing their contact details.
  • And if it is stipulated that the data controller has the right to audit the data processor, it should be specified how often this can be done and who will cover the costs of the procedure.

That way you make sure that there are no weak links and the data processor knows exactly what is expected of them.

As in every other case, the provisions of this part of the contract should be adjusted to the specific needs of the organization and industry-relevant requirements.

If you want to study the data processor’s responsibilities in more detail, you should visit this page.

4) Technical and organizational measures

After that, it’s time to delve deeper into the technical requirements the data processor has to meet in order to satisfy the provisions of GDPR. According to Article 32 of the Regulation:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
  • the pseudonymisation and encryption of personal data
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing

In this part of the contract it’s worth including information that the data processor should implement necessary all technical and organizational measures before starting to process users’ personal data.

After all, one of the most important roles of a DPA is ensuring that processors provide sufficient guarantees for the protection of the data transferred to them. Especially since, if a data breach happens – even one on the data processor’s side – it’s the controller who might be held liable.

Due to the complexity of these measures, it’s advisable to include them in a separate annex to the contract (see: Annex 1).

5) Sub-contractual relationships

This section aims to shed some more light on the relationship between the primary data processor and sub-processors. It’s worth including the following information in your agreements:

  • The data processor must obtain the written consent of the data controller to establish any kind of relationship with sub-processors.
  • The contract between the processor and sub-processor should ensure a level of data protection comparable to that provided by a DPA.
  • The data controller should be responsible for verifying sub-processors’ compliance on a regular basis (for instance, at least once every 12 months).

Also, it is a good practice to list the sub-processors in a separate annex to the contract (its content is discussed in the section called Annex 2).

6) Final clauses

This is a standard part of every contract. As always, we should mention there that any changes to the contract must be accepted by both parties. However, in the case of a DPA, it’s worth noting here that such a document supersedes all other agreements between the data processor and data controller.

This will leave no room for misinterpretation in case the provisions of other agreements conflict with the requirements of the DPA.

A Practical Guide to Acquiring Consent in the Age of GDPR

Read our exhaustive guide on collecting, managing, and storing user consents, plus learn the ways GDPR Consent Manager can help you remain privacy compliant

Download FREE Guide
7) Annexes

The DPA would not be complete without the aforementioned annexes. They complement and elaborate contractual arrangements previously agreed. Here’s what you should include in both of them:

Annex 1 – Technical and organizational measures

This annex is complementary to the points of a DPA concerning technical and organizational measures. In this part of the agreement the data processor should prove their ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as well as establish a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing (both quotes are excerpts from Article 32 GDPR).

Below is a list of areas crucial for compliance with the demands of the new law:


This is the point where the data processor should prove their efforts to ensure the full security of the controller’s data. Among other things, they should describe:

  • the structure of the data center where they plan to store personal data
  • information security control protocols
  • physical access to the office and applied security measures
  • remote access to the office
  • access control for applications (software)

This part addresses issues of electronic transmission of input control. The data processor should prove that personal data can’t be read, copied, altered, or removed by any unauthorized party during data transfers.

Availability & resilience

In this section of the annex the processor should present their backup policies, as well as measures used to ensure data redundancy, recoverability, and high availability.

Procedures of periodic review

Here the data processor should detail a framework for periodic evaluation of technical and organizational measures presented in the previous parts of the annex.

Annex 2 – List of sub-processors

Nothing difficult here – this list should include all data sub-processors, as well as the addresses of their seats.

Data processing agreement under GDPR – some conclusions

We hope that this blog post gives you a decent idea of what a data processing agreement should look like. However, we know this is a complex issue and you might still have some unanswered questions.

If so, be sure to check out some additional sources of information about drafting a DPA, including this extremely informative guide provided by the UK Information Commissioner’s Office. Also, feel free to reach out to us anytime! Our team will be happy to help you out.


The post 7 Elements Every DPA (Data Processing Agreement) Should Have appeared first on Piwik PRO.

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

With the beginning of the month we’re glad to announce that Piwik PRO Marketing Suite has been upgraded to version 6.2.0. The official release to our customers was on July 31 this year. The software update brings various new capabilities along with performance improvements, which is the result of numerous meetings, discussions, and significant input from both our customers and staff.

In this post, we’ll give you a run down of all the major changes and fixes so you don’t miss a beat. So, here we go.

What can you expect from the refreshed Tag Manager?

With the latest update to Tag Manager, our product has expanded its library of DoubleClick tag templates with Floodlight Counter and Floodlight Sales to let you more efficiently track conversion activities. The first one enables you to count how many times your users visited your website after they either clicked on or saw one of your ads. Thanks to the second one, you can record how many items users have bought and the value of the whole purchase.

What’s more, our team fixed issues concerning variables and even expanded their functionality. Currently, can now employ refactor variables, covering various types of variables like string, integer, boolean, and objects — depending on usage context.

Next, we made some changes regarding cookies. Namely, the cookie’s default expiry date has been reduced to one year, and that can’t be changed by the user.

What can you expect from the refreshed Consent Manager?

The recent update to Piwik PRO has introduced several new functionalities to Consent Manager. First of all, you can now manage consents with a JavaScript API that enables you:

  • get consent types
  • get new consent types
  • get consent settings
  • send data subject request

All in an easier and more convenient way.

Then, you can get a better view into visitors’ consent decisions with newly included Consent Manager reports. In this way you can see, for instance, if a user viewed the consent form, provided consent or just left the page without submitting any consent decision.

A view of one of the consent manager reports.

Furthermore, we added a new functionality so users with Edit & Publish authorization have the ability to easily manage all consents.

Consent Manager’s visual editor has been upgraded with an HTML elements tree for a better user experience. It enables you with an easy and convenient method to track and visualize changes in your consent. Moreover, with the product update you can easily see the history of all modifications to the copy in the consent form.

Lastly, you’ll be able to ask your visitors for consent again 6 months after their first consent decision was recorded. This can be used to encourage users to provide consent if they didn’t do so the first time, or if they changed their consent decisions at some point in time.

What can you expect from the refreshed Audience Manager?

Another product in our stack that also got a makeover is Audience Manager (Customer Data Platform). One of the most significant features was the addition of two API endpoints. You can now pull lists of created audiences and easily export all profiles into a CSV file from Audience Manager via API. This is particularly useful for automating data transfers from Audience Manager to your other marketing tools, such as your marketing automation platform.

What can you expect from the refreshed Analytics?

Last but not least, our flagship product — Analytics — has got a significant enhancement with row evolution reports for funnel steps. It’s a big asset as you can now take a closer look at each funnel step individually on each row of your report. This will come in handy as you can view how metrics change throughout time, for instance, due to modifications to the site or an increase in traffic. What’s more, you can apply annotations to charts on a particular date to mark the exact moment when a change occurs.

A view of row evolution report for each step of the funnel. To round out

As you can see, our team has introduced a host of improvements with the new update. Some include major changes, while other are small upgrades and with various fixes. We are constantly working on our products so they’ll run smoothly and help you address all your analytics issues on the spot. Naturally, we’ll be releasing more advancements, tweaks, and new features again soon, so stay tuned! If you have any questions or suggestions, we’re here for you so…

Contact us

The post The Updated Piwik PRO Marketing Suite 6.2.0 is here! appeared first on Piwik PRO.

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Combine metrics, dimensions and events in flexible tabular and graphical report templates. Quickly compare results across segments and time periods. You’ll get faster loading times even with very large data sets thanks to a more efficient architecture requiring minimal pre-computing.

We work with a diverse set of clients and have seen over the years how many different ways they approach analytics. As more and more organizations use web and mobile analytics, the possible combinations of metrics and reports will only grow. To address this reality we’ve dug into the guts of our analytics platform to improve our custom reporting in four main areas:

  • Speed – Minimal pre-computing is required to create a report or filter results of an existing one.
  • Ease of use – Drag and drop metrics and dimensions to specify a report and filter the input data. Create a wide variety of reports without database know-how or technical expertise.
  • Flexibility – Select from a handful of tabular and graphical report formats, then add variables such as metrics, dimensions and custom events. Initially we’ll offer bar and line graphs plus flat and nested tables, with more options to be added in future versions.
  • Scalability – You won’t see a performance hit, even for very large datasets.

We’ve rethought many elements to make these improvements, but the biggest change is to the database back end. We changed from the row-oriented MySQL to the column-oriented ClickHouse. This is important because the column-oriented architecture is ideal for quickly aggregating large data sets – exactly what we want out of a modern analytics platform.

We’ve incorporated all the same privacy and security features Piwik PRO is known for as well as integration with our other products such as Consent and Tag Manager. Data privacy, security, regulatory compliance, flexible hosting and full data control were built in from the beginning of the project.

On top of these strong foundations, this update shouldn’t be a disruption to our current users. We’ll offer full data migration and the interface will be familiar to current Piwik PRO users.

Stay tuned for updates about the full release later this summer. Of course if you have any questions or would like a demo of our integrated marketing suite, be sure to get in touch.

Get a Free 1-on-1 Demo

Get a Free 1-on-1 Demo

The post Fast and Powerful Custom Reporting is the Focus of our Redesigned Analytics Engine appeared first on Piwik PRO.

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

It’s hard to overestimate the value of proper analytics configuration. A thoughtful approach will result in detailed insights into the day-to-day behavior of your clients, data-based ideas for improving your business, and many more positive outcomes – things everyone can benefit from.

We’ve written about it in detail about in numerous articles on our blog, including:

However, skillful implementation of analytics is no walk in the park. You have to take many factors into consideration – like your business objectives, the type of data you want to track, and legal restrictions involved in dealing with particular types of information about users. Also, there will be a lot of writing, testing, and double-checking.

Sounds challenging? Don’t worry, we’ve got you covered! In this blog post we’ll walk you through all the stages of analytics implementation.

The tips gathered in this article will benefit both people starting their journey with product analytics and those who want to measure their website’s performance (web analytics).

You’ll also find a useful spreadsheet to help you create your own tracking plan.

So, settle in and let us show you the steps you should take to create a bulletproof analytics implementation plan.

1) Define your business goals and KPIs

The first thing to do is defining what you want to achieve using analytics.

At this stage, you should think about why your website or app exists. What are the primary goals? What subgoals are necessary in order to achieve the desired results?

For example, if you’re a healthcare provider, your main goal might be to sell more medical packages via online channels. And if you’re a bank, you might be aiming for an increase in online mortgage sales.

Setting your business goals might be achieved with the help of customer surveys. The outcome of these surveys will help you spot areas that need immediate improvement. They will also contribute to selecting more informed and customer-focused goals. After all, it’s their satisfaction that translates into increased client retention and higher MRR.

If you want to read more about setting effective business goals, we recommend these blog posts: Track Piwik PRO Goals and Improve Your Online Business: Part 1, Part 2

After you have your business goals in place, it’s time to assign your KPIs.

It’s important to note that your KPIs should help you not only connect the dots between stages of the customer journey, but also between every touchpoint where your clients connect with your brand, like your app or website. Your KPIs should reflect the complexity of this issue.

Here are some examples of appropriate KPIs:

  • Task rate completion
  • Conversion rate
  • Cost of client acquisition (CPA / CPS)
  • Customer retention rate
  • Number of active users
  • Revenue / revenue per user
  • Percent of new / returning users

However, your choice will depend on your own needs and requirements – the industry you’re in, the purpose of your business, etc.

Psst! If you operate in the banking industry, we think this ebook will serve as great inspiration in determining your KPIs: 15 KPIs to track for E-Banking and Mobile Banking.

It’s normal that at the beginning of your journey with analytics your KPIs and goals will be quite high-level. After all, you don’t have a lot of data that would allow you to come up with more in-depth ideas. But don’t worry, you’ll get there in a couple of months.

2) Analyze your website/product/app structure

Next it’s time to investigate the structure of your website, app, or product. At this stage, you should list all its features, then break them down into every action your users perform while using them.

Treat each feature as a separate funnel and make a list of everything your user has to do in order to send a report, create a playlist, photo album, contact your sales representative, etc. Start from the essential features or website areas, then move to the ones you consider less important.

For instance, this is how we described what users tend to do in our Analytics “Email reports” section to complete the task. They:

  • view “Email Reports”
  • click “Create and schedule a report”
  • write a description
  • choose a segment
  • schedule an email
  • send a report at X o’clock
  • send a report via mail/mobile
  • report format
  • send report to…
  • display options
  • select statistics

After they’ve done all those actions, an email report is created.

Also, when it comes to web analytics, it’s advisable to use this step to analyze every section and diligently examine their environment. Seek out any potential hurdles like multi-domain structures, the usage of ajax, frames, Flash, or any other technology that requires the creation of custom analytics scripts. Write it all down – this list will come in handy in the next steps of the implementation.

3) Operationalize your goals and KPIs

Now it’s time to translate your business objectives and KPIs into the things you can do and measure using analytics software.

In the case of product analytics, you’ll have to translate every user action into an event and decide what exactly is going to trigger each of them.

Then you’ll have to choose which events are more important than others and designate them as your goals. Every micro-conversion will also be a valuable source of information, but it’s your goals that will tell you if users have completed vital tasks in your software.

To map your product goals, you have to first translate them into desired user actions (for instance, uploading a picture, playing a song, or completing a meditation session), and then pair them with specific events and triggers.

If you want to learn more about event tracking, we recommend you check out this exhaustive blog post: Ultimate Guide to Piwik PRO Event Tracking.

Psst psst! One of the most popular frameworks for defining Product Analytics metrics and goals is the HEART framework. It was developed by the Google Venture Team and consists of five different categories of metrics:
  • Happiness: measures attitude or satisfaction (typically through some sort of user survey)
  • Engagement: measures the frequency, intensity, and depth of user interactions with a product
  • Adoption: measures how easily, often, and quickly users adapt to the new features of the product
  • Retention: measures how many existing users retain in a certain amount of time
  • Task success: measures the effectiveness and efficiency of the tasks users complete within your application

The main advantage of the HEART framework is that it’s extremely user-centric and allows you to measure the quality of the user experience. What’s more, it’s a very flexible approach. It can be used to evaluate and measure overall advancements made towards the main objectives, or simply to evaluate the performance of each feature separately.

Sounds interesting? You can read more about it here.

With web analytics you’ll have to decide which metrics are best aligned with your business goals and KPIs.

Of course, you can measure virtually anything that happens on your website, but should you really do that? You’d better take another close look at your online business objectives. Make sure that you’re going to track only things that are consistent with your goals and KPIs.

Some of the best ways to track your goals in web analytics:

  • URLs – keep track of specific URLs. Each time someone visits a particular URL, they trigger the goal. These are ideal for thank you pages, confirmation pages, and PDFs.
  • Time (visit duration) – track how many people stay on your site for a certain amount of time.
  • Pages per visit – instead of tracking how much time people spend on your site, this goal tracks the number of pages each visitor sees before they leave.
  • Events – these come handy in multiple places, especially where you can’t really settle for anything else. With Event Tracking you can record clicks on both clickable and non-clickable elements of your website, usage of video and audio players, scrolling down, leaving the page, filling out a form without submitting it, interacting with Flash elements, and downloads from your website. Even though these actions don’t generate changes in the website’s URL, they can be still recorded.
4) Create your tracking plan

After that, it’s time to write down everything you want to measure with your analytics and include it in your tracking plan. You can do this in various ways, but creating a spreadsheet seems to be the most convenient one.

A tracking plan clarifies what events to track and why those events are necessary from a business perspective.
Don’t even think about skipping this step and going straight to tool configuration. This document will serve you for years and you will modify it every time you change your analytics strategy. Without it, you’ll easily forget about your main goals or even overlook some important features whose performance you definitely want to measure.

When creating a tracking plan, consistency is very important – if you don’t develop a unified system, then later you’ll get lost in duplicate and unintuitive names of events, website/products sections, and so on.

So, come up with one naming convention and stick to it when drafting your tracking plan.

The way you organize your documentation will obviously depend on what you want to measure.

Need a Help with That?

Download a Free Product Analytics Tracking Plan

We think that for product analytics implementation one of the best solutions would be to divide it into the following groups:

  • Name of the product section
  • Name of the funnel
  • Name of the event
  • Conditions for firing an event
  • Event properties and values
  • Additional notes

Important tip! When it comes to product analytics, it’s convenient to separate what people are supposed to do in the onboarding phase from the rest of the user’s activities. That way, you’ll be able to distinguish the actions typical for new users and for users who have been with you for a while.

As for web analytics, apart from events you’ll also include every other analytics goal type you want to use to measure website performance, together with the properties and values attached to it.

5) Choose your weapon (tool)

Now when you finally know what you want to track using your analytics, it’s time to find a tool that will meet your expectations.

Of course, there are many more factors you should consider – including data privacy regulations (like GDPR or HIPAA), integration with other systems (like CRM, CDP or call center), and data ownership. We write more about this stuff in another article: 6 Features Every Enterprise Web Analytics Software Should Have. Be sure to check it out!

Important note! Many businesses also face another important issue – analyzing user behavior in the post-login areas of their websites or apps. This is especially tricky, because those places are filled with sensitive data about clients. Using regular web analytics to track this kind of information might not be the best idea. Fortunately, there are some alternatives, like Piwik PRO. You can read more about it here: How to Capture the Whole Customer Journey When Dealing With Secure Member Areas

6) Implement your tool

After you choose the right tool, it’s time to implement it on your website or in your product. This step involves adding tracking code and modifications necessary to track additional things like e-commerce features, contact forms, sending and importing data from CRM or other external tools, and more.

7) Configure the UI of your analytics instance

In this step, you or the person responsible for analytics implementation configures the tool’s interface. This means that they implement all the funnels, goals, and events outlined in the tracking plan. At this stage, it’s also good to exclude internal IPs so you don’t track your employees’ behaviors and actions – this can sometimes skew your data.

8) Create different views with different filters

Next it’s time to configure what you will see when you enter your analytics instance. From our experience, it’s important to create the following views at a minimum:

  • A “clean” view, without any filters, to always have access to the original data
  • Users of mobile devices
  • Desktop users
  • Specific countries (if you run an international business)
  • A view for analyzing paid campaigns
  • All other segments important to your company
  • A test view that allows you to check new ideas without losing your data

That way you’ll make sure that you have all the relevant data at your fingertips.

Important tip! It’s highly advisable to do steps 6 to 8 first in a test environment to avoid unexpected errors causing temporary website issues!

9) Grant proper permissions to new users

In this step you assign permissions to your stakeholders so they can view specific reports and dashboards.

The choice of who has access to particular information should be dictated by several factors, including security considerations and what data is needed in the day-to-day work of a given employee. It’s very likely that marketers will need a completely different data set than people in the UX department or customer success team, right?

10) Create dashboards, segments, and custom reports for each data view

Next it’s time to enrich your views with some additional information about user behavior. Here are some blog posts we’re sure will help you wrap your head around things:

11) Valide reports described in point 10

If everything’s working as it should, that means it’s time to automate reports. This will provide every stakeholder with a dedicated report on a daily basis without needing to log in to the analytics system.

Here’s some advice on automating reports in Piwik PRO: 3 Easy Steps to Manage E-mail Reports in Piwik PRO.

12) Constantly monitor changes to your website/product structure, goals, and KPIs

Your analytics strategy should never be a static document. Rather, it’s a constantly evolving process that changes with every new insight, business goal, a feature of your website or product, or new idea produced by experiments and tests. It is worth reviewing it every once and a while, refreshing goals, metrics, or reports if necessary. This way you will always be sure that your analytics system delivers only fresh and valuable data that is relevant to your business objectives.

A piece of advice: Consider using more than one web analytics tool. That way you’ll be able to spot data discrepancies, which helps you reach safer decisions and conclusions based on the collected data.

Analytics implementation – final remarks

We hope that the steps presented above will make the process of analytics implementation much easier for you.

However, we know that even with all these tips and tricks presented above, you might still have some unanswered questions. Don’t wait to contact us! Our team will be happy to help you with whatever we can.

Also, remember to download our tracking plan – we promise you’ll find it very useful!

Contact us

The post Analytics Implementation in 12 Steps: An Exhaustive Guide (Tracking Plan Included!) appeared first on Piwik PRO.

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

GDPR, which took effect on May 25th, brings many changes to the digital marketing landscape. Processing and handling customer data is trickier than ever. This is true for all tactics and strategies that marketers employ. Among these, one in particular is affected – device fingerprint tracking, which is a controversial matter. Device fingerprinting is gaining ground these days, because it overcomes some of the insufficiencies of other customer-tracking methods like cookies. A study by the Electronic Frontier Foundation (EFF) revealed that, for the majority of browsers, the combination of their various properties is unique and serves as a fingerprint which can help track visitors without the use of cookies.

However, this method stirs a lot of confusion when it comes to privacy regulations and data protection. But what, exactly, is the issue here?

We’ve prepared this post to walk you step-by-step through this minefield and to show you everything you need to know about the hot topic of device fingerprinting. Here we go!

What is device fingerprinting?

As users navigate websites they leave digital traces behind: properties of their computers, smartphones, and tablets. Gathering and stitching them together allows us to identify and then track a particular user.

Though many people can have the same device, each of them has a different configuration. It’s all about types of browsers, plugins, fonts, hardware, and many other aspects. This unique set up and architecture creates what’s known as a device fingerprint.

Why employ device fingerprint tracking?

With the recent explosion in the use of mobile devices, tracking users has become more challenging. Marketers who want to reach their customers at an individual level are stumbling over more and more obstacles. First of all, cookies can’t be transferred from one device to another (for example, from a laptop to a smartphone) or shared between apps. Second of all, users can easily delete cookies, while in incognito mode they reset every time a user closes their browser. Finally, the rise of ad-blocking software and new privacy features, such as Apple’s Intelligent Tracking Prevention, are making cookie tracking much harder.

Enter browser fingerprint tracking. This method has been developed as an alternative to tracking via cookies. It works where cookies can’t. But digital fingerprint data can be used not only for precise tracking.

This method has proven itself as a good solution for security-related issues. In particular, it is commonly applied to fight fraud or credential hijacking. For instance, it allows you to verify if a user who logs into a particular account or site is the legitimate user in the event of a session hijack. In addition, fingerprint tracking supports anti-bot and anti-scraping services.

The ins and outs of device fingerprint tracking

So, what’s the mechanism underlying the whole process? It all comes down to the technology websites use and how they interact with your browser. First, when someone visits a website, the HTTP request automatically sense information regarding the user agent, operating system, and browser version/type to the server. You can also find out if the Do Not Track option is active.

What’s more, with special JavaScript code you can query your browser to identify:

  • IP address
  • browser language
  • installed plugins
  • location & time settings
  • audio settings
  • battery status
  • screen resolution
  • fonts (Flash or JavaScript)
  • and many more details
An example of a browser fingerprint

The technique allows you to determine many more properties of a user’s browser. For instance, you could even check if it supports VLC media player, Acrobat, Real Media, and so on. What’s more, websites can implement canvas or WebGL (Web Graphics Library) fingerprinting techniques that yield insights into how your hardware is configured.

The data on user browsing behavior is stored on the server side. User actions are tracked without the need to employ persistent identifiers kept on the visitor’s device.

All in all, these properties combined with cookies or some other identifiers significantly increase tracking accuracy and improve attribution.

Device Fingerprinting vs GDPR

GDPR doesn’t explicitly mention fingerprinting, as the EU tries to stay neutral in regards to technology. That’s why you won’t find comprehensive lists and examples of specific technologies in the Regulation’s text. Instead, GDPR lays down general rules that should be followed when it comes to tracking users across the Internet, irrespective of methods or techniques used.

PII vs Personal Data (Cheat Sheet INCLUDED!)

Learn how to recognize PII and Personal Data to stay away from privacy issues.

Download FREE Guide

The foundation of the regulation is the definition of personal data. Article 4 defines it as any information relating to an identified or identifiable natural person (‘data subject’). It means that various kinds of online identifiers like:

  • cookie identifier
  • device ID
  • network’s IP address

are personal data. And that’s where the fingerprint technique collides with the regulation, as processing such data can only be performed with the user’s consent. Even less specific information like the combination of browser properties, the foundation of fingerprinting, falls under this data category. The principal is that these bits of information relate to an individual and can be used to identify them, directly or indirectly.

Moreover, in the context of GDPR the user’s identity doesn’t have to be established. It’s enough when an entity that processes data can recognize and identify a user. That can be achieved with personal data, whatever its form.

So it doesn’t matter if advertisers want to identify individuals with this data or not. It’s more important that this data could be used to do so, which is what makes it personal data. A given advertiser might not care about who that person is, but if the data leaks, it would be very easy to do so with all that fingerprinting data. Therefore, such data needs to classified as personal data, no matter what the company’s intentions are.

That said, processing personal data can be legal under certain circumstances. For instance, if it’s based on legitimate interests. That’s one of the legal bases for that purpose and an important point in GDPR compliance. Some people consider it a get out of jail free card to escape the regulation’s limitations. And it could be a good strategy in some cases, but only in some.

Legitimate interests is not like the other lawful bases. If you go down this path, you can expect more twists and challenges. Although it’s more flexible, at the same time you can’t be sure it will be the most appropriate in every case. So how does it differ?

It’s not focused on a particular purpose (for example, executing a contract with the individual user), and it doesn’t process data that a particular person has agreed to. To process data based on legitimate interests you need to make sure that the rights and freedoms of data subjects are not seriously affected. It means you take more responsibility for respecting and protecting people’s rights and interests.

If you’re interested in some specific examples of legitimate interest grounds, then we recommend reading this document prepared by The Centre for Information Policy Leadership (CIPL).

Consent to solve the compliance issue

As you can see, processing based on legitimate interests is a tough path to follow. If you are unsure whether you can process personal data based on legitimate interests, make things simple for your organization and you customers by asking users for consent right away. It’s a win-win situation – you show respect to your users while making sure the company’s compliance is guaranteed. Show that you’re responsible and take your customers’ rights into consideration by informing them of your intentions and giving them a choice.

When a company wants to process personal data, that is, track users actions, match ads with user profiles, or provide targeted advertising across the site, then it needs to obtain that user’s consent. According to the Article 29 Working Party, device fingerprinting, covered by Article 5(3) of the ePrivacy Directive, can be performed with consent:

Parties who wish to process device fingerprints which are generated through the gaining of access to, or the storing of, information on the user’s terminal device must first obtain the valid consent of the user (unless an exemption applies).

GDPR has introduced some major changes to data processing and a uniform definition of consent. It states that it must be:

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

One of the key elements of the concept is that you should clearly state your intentions and let people know what they are agreeing to. Your site’s visitors need to know from the beginning that they are consenting to the processing of their personal data. What’s more, they should be informed of their rights concerning this agreement, that they can withdraw their decision and can correct their data, and so on.

There are a couple of rules that you should follow when asking for consent. The request should be:

  • concise
  • prominent
  • easy to understand
  • written in plain language
  • separate from other terms and conditions

If you want to know more about consent and how you can introduce it into your marketing strategy, then read our post:
How Consent Manager Can Help You Obtain GDPR-Compliant Consents From Your Users

Apply technology for managing consents

The changes introduced by GDPR have a significant impact on your marketing tools, especially those you use for online analytics. Whatever processing of personal data you do, including browser fingerprinting, you need to ensure that your technology is aligned with the Regulation.

There’s a lot of responsibility you need to take to fulfill the long list of requirements regarding consent. It sounds like a tough task, but you can find solutions that help you with this job.

PII vs Personal Data (Cheat Sheet INCLUDED!)

Learn how to recognize PII and Personal Data to stay away from privacy issues.

Download FREE Guide

You can use a tool that enables you to respect your visitors’ rights while at the same time remaining in step with your marketing practices. Going by various names, like Cookie Widget, GDPR Consent Manager, or Cookie Consent Manager, it’s a piece of software that process your customers’ consents and passes this information to your analytics system.

Naturally, these tools vary in their functionalities, UI, and other features. Most importantly, find one that lets you meet all GDPR demands. Some vendors offer privacy by design, and respecting their customers’ rights is the pillar of their organization. For instance, software like Piwik PRO Consent Manager was created to help you with the GDPR requirements for user consent. You can easily collect and handle visitors’ consents for particular types of data processing. Additionally, it lets you manage other requests regarding your customers’ rights.

On the whole, with the right tool your marketing tactics become transparent to your visitors and you meet your obligations under the new regulation. It’s really hard to find this kind of support on the market. And the absence of such practices is what worries people when they hear about device fingerprinting.

Users want to know what’s happening with their data, how it’s being handled, and why it’s being gathered. They must have the choice to decide whether they want to share their data or not. Now, it’s all in your hands. You can either quit tracking (ha!) or use quality consent management software to resolve these issues and address your customers’ needs.

Final thoughts

Device fingerprinting combined with tracking is a complex but effective strategy. It lets you identify unique users to provide them with content that matches their preferences. But you must be aware of the privacy issues related to it. Once you gain an understanding of all the changes on the legal landscape, you need to find a vendor whose software performs within the GDPR framework and offers you reliable tools that respect your users’ rights and freedoms.

We know that in this post we have addressed only a few key issues, so if you have some questions or need guidance, don’t hesitate to get in touch.


The post Device Fingerprint Tracking in the Post-GDPR Era appeared first on Piwik PRO.

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Separate tags by commas
To access this feature, please upgrade your account.
Start your free month
Free Preview