The legal and business implications of tracking and analyzing customer data

There’s no going around the usefulness of customer data. It allows for more data-driven decisions, optimised customer journeys, and ultimately it’s an essential part of selling better online.

Customer data, however, can never be discussed without paying special consideration to privacy.

Mathilde Lecomte, expert in IP and data protection, and Josefine Karlsson, expert in data protection, together with Franck Smulter at Columbia Road, a consultancy firm within digital sales, answer the following questions in this article:

  • What do we talk about when we talk about tracking and analytics?

  • What are the legal implications we should take into account when tracking and analysing customer data?

  • What data protection principles should guide the tracking and analytics of customers’ data?

  • How can we manage cookies and consent compliantly in practice?

  • What are the risks companies face when failing to comply with these requirements?

  • What’s coming next in the sphere of data protection?

  • How to get started with what I just learned?

What do we talk about when we talk about tracking and analytics?

In the age of digital sales, data is king. Having personal, behavioural, and demographic data about your customers allows you to make data-driven and customer-centric decisions in your business.

This is where data tracking comes in. By tracking your customers' activities online, you can understand them better, improve the overall customer journey, and measure the impact of your marketing investments. Marketing is typically interested in audience sizes, browsing behaviours, engagement and conversions.

Aggregated customer data can be used, for example, for:

  • Retargeting in your marketing channels

  • Bringing business insights to your organisation

  • Doing marketing channel attribution

  • Personalising web and app experiences

  • Optimising conversions across customer journeys

Cookies are the main technical mechanism we use for tracking customers. They are small snippets of data that websites place on a user's device to remember information about their visit and activity. This allows the website to remember the user's preferences, login status, and other information that can improve the user experience and provide targeted advertising. Cookies can also be used to track users' activities on the website, such as what pages the user visits and what links they click on.

There are also non-cookie options for tracking customers, mainly server-side tracking. It is a method of tracking user activity on a website or app where the data is collected and processed on the server instead of on the user's browser through cookies. With rising privacy concerns, more and more companies are moving in this direction. It allows companies to process data more responsibly and prepare for the looming death of third-party cookies.

Tools used for tracking customer data online tend to rely on third-party cookies. Marketing platforms such as Meta, Google, and TikTok, as well as CRM and experience providers like Salesforce, HubSpot, and Adobe, track behaviours, such as form submissions, conversions, and specific events primarily through third-party cookies.

However, as third-party cookies disappear, it will be more difficult for marketing platforms to do attribution, and their algorithms will have a much harder time deciding which user is most likely to convert, potentially undermining their business models. While workarounds are actively being studied, this will likely have a big impact on the digital marketing industry as a whole.

In tandem with tracking goes analytics. Google Analytics is the most popular web analytics tool, but we have seen the emergence of challengers such as Matomo, Piwik PRO, and Snowplow following the decision of several EU countries to view Google Analytics as non-GDPR compliant.

Fondia, what are the legal implications we should take into account when tracking and analysing customer data?

As stated above, cookies can be a very useful tool when they are used for a legitimate purpose, such as performance or analytics. However, cookies and other similar tracking tools have the potential to seriously intrude on Internet users’ privacy by tracing the activities of the users and collecting information stored on their devices.

Given that using cookies sometimes constitutes an intrusion into users’ private sphere, their use needs to comply with privacy laws. Privacy laws relating to cookies aim to ensure the protection of the fundamental rights and freedoms of the public when they make use of publicly available electronic communication networks. The legal provisions applicable to cookies thus apply to any storage of information on a user’s device, as well as to any access to information already stored on the device, regardless of whether the information stored or accessed contains personal data.

This means that the mere use of cookies or similar tracking tools must be compliant with applicable laws – when the cookies are used to collect information consisting of or containing personal data, the processing of that personal data must, in addition, be compliant with the GDPR.

What data protection principles should guide the tracking and analytics of customers’ data?

One of the main principles of privacy is that you cannot collect more personal data than what is necessary to achieve a specific, predetermined purpose. With this principle in mind, you must ask yourself why you need to process your website’s visitors’ data, which data you need to collect, and how long you need to retain the data. You are not allowed to start processing personal data without first having defined a legitimate purpose. Most of the time, cookies are used for technical, preference, analytical, or marketing purposes.

Another data protection principle is that you also need a lawful basis for subsequently processing the personal data obtained through cookies. This lawful basis is separate from the consent you must obtain from the user for the cookies themselves (that is, for storing information on or accessing information from their device). Most of the time, the subsequent processing will be based either on the website owner’s legitimate interest (for instance, in evaluating the performance of its services and systems for their development, or in advertising its products), which needs to be assessed beforehand on a case-by-case basis, or on the user’s consent. If the lawful basis for the subsequent processing is consent, it can be given at the same moment as the placement of cookies, provided that all the necessary information is provided to visitors of the website.

So, how can we manage cookies and consent compliantly in practice?

Contrary to common belief, the use of cookies itself is not regulated by the GDPR but by the ePrivacy Directive. In fact, the GDPR barely mentions cookies. The subsequent processing of personal data collected through cookies will, however, as seen above, have to be compliant with the GDPR – including having a lawful basis.

The ePrivacy Directive, however, imposes several requirements on the owner of a website or other application who wants to use cookies, including obtaining consent to the use of cookies, regardless of whether the cookies are intended to collect personal data or not.

Users must be provided clear and precise information about the use and purpose of the cookies, and they should have the option to refuse to have a cookie placed on, or information accessed from, their terminal equipment. Having the option to say no to cookies means that the user’s consent is needed before any cookies (except cookies that do not need consent) are placed on or access information from their device, even if no personal data will be collected. The ePrivacy Directive states that the required consent must correspond to consent as defined in the GDPR. The GDPR defines consent as a freely given, specific, informed and unambiguous statement or clear affirmative action.

In practice, this means that:

  • Users must receive the required information about the cookies used as soon as they are asked to make their choice about cookies.

  • It must be as easy to refuse cookies as it is to accept them (there should, for instance, be two buttons, “refuse” and “accept”).

  • Users must be informed of their possibility to withdraw their consent to cookies at any time, and withdrawing it should be as easy as giving it in the first place (for instance, there should be a link to the cookie policy indicating how consent can be withdrawn at the bottom of each page of the website).

  • The consent obtained must be documented and stored.

  • Users must be allowed to access and use the website even if they refuse cookies.

  • Clear and positive action is needed from the user to signal their consent, meaning that a pre-ticked box or stating that continuing scrolling on the page is equivalent to consent is not compliant.

  • Dark patterns should be avoided (for instance, the buttons “accept” and “refuse” should be of the same size).

  • Finally, it is a good practice to ask users to renew their consent regularly, for instance, every 6 months.

There are two exceptions to the consent requirement: if the cookies are strictly necessary for providing a service explicitly required by the user (e.g., for providing a chatbot only when the user actively clicks to open it or keeping track of items placed in a shopping cart), or in case of cookies solely used for carrying out the transmission of a communication over a network (e.g., a cookie whose sole purpose is identifying one of the servers). The French data protection authority has stated in a recommendation that cookies strictly for performance purposes may not require consent as long as they serve to produce anonymous statistical data only, do not track an individual across several domains, and are not transferred by the website owner to any other recipient.
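As an added example that is not part of the article, the consent rules above expressed as browser-side logic in plain JavaScript: strictly necessary cookies are set without consent, every other category waits for an explicit affirmative choice, a missing choice is treated as refusal, consent expires after six months, and withdrawal removes the cookies already set. The cookie names, their categories and the in-memory jar standing in for document.cookie are constructed assumptions.

```javascript
// Constructed example: consent-gated cookie handling per the ePrivacy/GDPR rules above.
// A Map stands in for document.cookie so the logic runs offline (e.g. in Node).

const SIX_MONTHS_MS = 6 * 30 * 24 * 60 * 60 * 1000; // renewal interval suggested above

// Assumed cookie inventory: "necessary" cookies fall under the strictly-necessary
// exception (session, shopping cart); the others need prior consent.
const COOKIE_CATEGORIES = {
  session_id: "necessary",
  cart_items: "necessary",
  _analytics_visit: "analytics",
  ad_audience: "marketing",
};
const CONSENT_CATEGORIES = ["analytics", "marketing"];

// Build a documented consent record from an explicit user action. Anything other than
// an affirmative true (pre-ticked box, scrolling, no choice) is recorded as refusal.
function recordConsent(choices, now = Date.now()) {
  const record = { timestamp: now, choices: {} };
  for (const category of CONSENT_CATEGORIES) {
    record.choices[category] = choices[category] === true;
  }
  return record; // store this server-side as evidence of the consent obtained
}

// Consent must be renewed regularly; null (no record) is never current.
function consentIsCurrent(record, now = Date.now()) {
  return record !== null && now - record.timestamp < SIX_MONTHS_MS;
}

// Decide whether a given cookie may be placed right now.
function mayStoreCookie(name, record, now = Date.now()) {
  const category = COOKIE_CATEGORIES[name];
  if (category === undefined) return false; // unknown cookies are never placed
  if (category === "necessary") return true; // strictly-necessary exception
  if (!consentIsCurrent(record, now)) return false; // no or expired consent
  return record.choices[category] === true;
}

// Place the permitted cookies in the jar; returns the names actually stored.
function setCookies(jar, names, record, now = Date.now()) {
  const stored = [];
  for (const name of names) {
    if (mayStoreCookie(name, record, now)) { jar.set(name, "v"); stored.push(name); }
  }
  return stored;
}

// Withdrawal in one step: drop every non-necessary cookie and return the new (empty) record.
function withdrawConsent(jar) {
  for (const name of [...jar.keys()]) {
    if (COOKIE_CATEGORIES[name] !== "necessary") jar.delete(name);
  }
  return null;
}
```

Run with `const jar = new Map(); setCookies(jar, Object.keys(COOKIE_CATEGORIES), null)` to see that only the two necessary cookies are placed before any choice is made.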

What are the risks companies face when failing to comply with these requirements?

Depending on the violation, a website owner might be in breach of the national law(s) implementing the ePrivacy Directive and/or of the GDPR, if the use of cookies includes processing of personal data. Examples of violations are non-compliant consent collection, lack of compliant information about the use of cookies, lack of compliant information regarding processing of personal data, lack of lawful basis for the processing of personal data.

Owners of websites which have been found to be in breach of privacy provisions face administrative fines. A recent enforcement case concerns TikTok, on which the French data protection authority imposed a EUR 5 million penalty in December 2022 for non-compliant cookie consent. The authority found that it was not as simple to refuse cookies as it was to accept them on the website, as several clicks were required to refuse all cookies, as opposed to just one to accept them.

The European privacy advocacy group NOYB (founded by Max Schrems) has recently lodged 226 complaints across the European Union against websites allegedly presenting deceptive cookie banners. The European Data Protection Board has launched a special taskforce to coordinate the responses of the national authorities that are responsible for the enforcement of national laws applicable to cookies. The result of the taskforce was published in January 2023 and the cases are still pending.

Also, bear in mind that if you deploy cookies provided by a third party on your website, you must be aware of the personal data you are disclosing to those third parties. You may be considered a data controller regarding that personal data and will in that case need a data processing agreement in place with the processor. You remain responsible for obtaining the users’ consent to the use of third-party cookies.

What’s coming next in the sphere of data protection?

As the ePrivacy Directive dates from 2002, the European Commission has proposed a new regulation concerning cookies in order to take into account technological developments and to harmonise the national laws of the Member States, which have implemented the ePrivacy Directive in different ways. The new ePrivacy Regulation was supposed to be adopted in 2018, at the same time as the GDPR, but its adoption has been postponed. The new ePrivacy Regulation will have a broader coverage than the ePrivacy Directive and will, amongst other things, address browser fingerprinting and create stricter protections for metadata.

The Digital Services Act, a European Union regulation adopted in 2022, has created new obligations for online platforms, with an emphasis on very large online platforms having more than 45 million users in the European Union, such as Facebook or Twitter. The Digital Services Act requires, for instance, that platforms ensure certain information is disclosed to users when they are presented with advertisements, including the main parameters used for targeted advertisements based on profiling, such as the main profiling criteria used. The Digital Services Act also requires online platforms to ban advertisements based on profiling when the profiling involves the processing of special categories of personal data, and advertisements based on profiling when the user is a minor.

How to get started?

Understanding customer tracking and analytics is crucial to any company looking to provide stellar experiences and sell efficiently online. Yet, equally as important is taking into account your customers’ privacy.

Fondia’s experienced team within data protection will support you in all data protection and privacy related matters. We can provide legal advice on both EU-level legislation like GDPR and ePrivacy and specific national data protection legislation, related, for example, to work life privacy. 

Columbia Road's experts are ready to help you build and implement a compliant and effective strategy for digital sales.