FEATURE3 December 2009

The new rules of web analytics in Germany


German authorities declared last week that the use of web analytics tools such as Google Analytics is illegal without the consent of the person being tracked. We speak to Marit Hansen, head of data protection in Schleswig-Holstein, about what it means.

The statement from the authorities said web users must be told they are being tracked and given the chance to opt out, and that IP addresses cannot be collected without the user’s permission because they constitute personally identifiable information.

Research spoke to Marit Hansen (pictured), acting head of data protection for Schleswig-Holstein, and a member of the association of regional and federal authorities that issued last week’s ruling, about how the decision came about and what it means for the software companies and publishers.

Research: It’s somewhat surprising to hear that these very common web analytics tools seem to be illegal.

Hansen: They’re certainly not in accordance with the rules set out by law, which in this case means German media law and data protection principles. So it’s up to the people who develop and use these tools to make sure that their products are designed and configured in full compliance with the law. These are not new requirements – these laws have been in place for a number of years.

Research: The analytics tools have also been around for a number of years – why are we only addressing this now?

Hansen: The discussion hasn’t just begun – since November this year the Duesseldorfer Kreis, which is an association of all the German data protection authorities, has been building on, interpreting and refining what is laid out in law. Prior to this there have been discussions with some suppliers, including Google, to try to get them to configure their products in a way that’s compliant with the law, which hasn’t happened. We informed them in August 2008, I believe, that these things were not compliant with the law.

Research: What sort of relationship do the data proteection organisations have with these companies?

Hansen: Google Germany, for example, is based in Hamburg, as is Etracker, and they have been in regular contact with our colleagues in Hamburg for years – in 2006, and also in 2008 and 2009. In some cases some of these tracking firms have got in touch themselves to ask, how do we make sure we’re doing this properly? So there are those who say, we might be doing something wrong, we want to find out – and not just those who wait to be asked about it by the authorities.

Hansen: Also, not everyone from these data protection bodies deals with internet issues every day, so I think it’s good that over the past year we’ve been working with the specialists, and asking the suppliers, how does all this work in detail, is it all down to the IP address, what role do cookies play, where and how is the data managed, and so on.

Research: So there are companies that manage to conduct online tracking in line with the law?

Hansen: That’s right.

Research: What’s the next step? How will the rules be enforced?

Hansen: I expect that Google and others will set out their position, and either say yes, this is how we do it, or propose things they might change and discuss how they might comply, for example with the opt-out requirement. That will eventually be decided in consultation with the authorities.

It would also be possible to use fines against those publishers who are using these tools on a large scale. I don’t believe that any of the authorities are going to do that while we are in a phase like this where it all seems very new to a lot of people. But it’s not ruled out. Another approach that might be adopted is warnings, as you see in some other industries, for companies that are not in compliance.

Of course, we have other areas to focus on, so enforcing this isn’t our top priority, but fines are a possibility, and I think after a certain period of transition we’ll see that happen more. But, as you know, there are thousands of website managers who don’t even know all this yet, so there’s probably going to be an information campaign first of all. We’re very hopeful that companies open themselves up and that the discussion really focuses on the technical mechanisms and the details, and that they ask, how do we make this compliant with the law?


15 years ago

I see the same old "reversed logic" still seems to be the mode the advertisers prefer BUT that does NOT comply with the Law! How can any Web User be asked to OPT_OUT BEFORE they have agreed to be OPTED_IN? :( Asking permission from Web Users to OPT_IN is NO more more difficult that asking the Web User to OPT_OUT, this is a case of GOOD WEBSITE DESIGN! I now automatically BLOCK EVERYTHING & only grant permission to those who properly ask!

Like Report

15 years ago

I find it somewhat Ironic that a story that says web tracking is against the law in Germany is using two web tracking scripts of its own. Google Analytics AddThis The whole tracking thing is getting crazy with some sites hosting several trackers. Well done Germany

Like Report

15 years ago

Use a script blocker. Firefox add-in. Thankfully this page does not use google analytics..

Like Report

15 years ago

Are you kidding? I think that the Germans have gone a bit overboard with their data protection act. This is big Government sticking their nose in to other's business. That only breeds higher costs for the end user. Web site owners who use tools like these, use them to determine the demographics of their users. This in turn lowers advertising costs. Lower costs to the business equates to lower costs to the end user...

Like Report