Choose another country or region to see content specific to your location.

Datenschutz auf dem Vormarsch: Teil 1 – Einführung und Risikoanalyse


Since GDPR came into effect in 2018 in Europe, more and more countries have followed suit. The shift toward consumer data protection across the globe has resulted in CCPA, LGPD, and POPI, among others. According to DLA Piper, the following are already in effect or will be in effect shortly:
GDPR enforces the need for consent management platforms
As such regulations spread worldwide, sooner or later, each and every business will be forced to adhere to data privacy regulations. This will impact anyone who runs a website, too.

Data collection prior to GDPR

Prior to the introduction of the GDPR, data collection was completely hassle-free and did not require user consent.
GDPR creates data gaps
The user opened a web page in a browser on their device, and as soon as the website was downloaded, various scripts (so-called tags) sent data to the corresponding systems – regardless of whether these were web analytics systems or marketing automation platforms. Even the mere inclusion of certain technologies triggered data collection by third parties (e.g., Google Maps or YouTube).

(Some) Requirements to fulfill GDPR

Let’s briefly examine some of the requirements to fulfill GDPR regarding data collection on websites.
compass Datenschutz auf dem Vormarsch: Teil 1 - Einführung und Risikoanalyse Consent on a free-will basis User must be able to provide consent freely, and it must be possible to access the website without consent (i.e., access to view those services. It is not technically necessary to provide the service).
info Datenschutz auf dem Vormarsch: Teil 1 - Einführung und Risikoanalyse Making informed decisions All relevant information (i.e., purpose of processing, processor, etc.) must be available at the point of giving consent.
granular Datenschutz auf dem Vormarsch: Teil 1 - Einführung und Risikoanalyse Granularity The purpose of the data collection must be explained granularly; general consent is not valid.
Datenschutz auf dem Vormarsch: Teil 1 - Einführung und Risikoanalyse Explicitness Consent must be given explicitly, e.g., by clicking or tapping; implicit consent is not considered valid.
clock Datenschutz auf dem Vormarsch: Teil 1 - Einführung und Risikoanalyse Consent prior to data collection Technologies not covered by legitimate interest should only be loaded if consent was given.
stop Datenschutz auf dem Vormarsch: Teil 1 - Einführung und Risikoanalyse (Easy) Opt-out Refusing to consent or revoking a given consent must be as easy as giving consent.
database Datenschutz auf dem Vormarsch: Teil 1 - Einführung und Risikoanalyse Documented consent The website owner must be able to prove that the user’s consent was given and that the consent meets the requirements for valid consent.

How data needs to be collected since GDPR came into effect

GDPR revolutionized the way user behavior data is collected on websites. Such data, which ultimately also serves profiling purposes, may only be collected with the explicit consent of the user. This consent must be voluntary, must be based on informed consent, and must be possible for each technology used. Such requirements created a necessity for consent management systems because, after all, it must be meticulously noted for each user exactly which technology the consent was given for. Thus the idea of the Consent Management Platform, or CMP, was born, which is dedicated to precisely these tasks.
Data Privacy on the rise data collection according to GDPR Datenschutz auf dem Vormarsch: Teil 1 - Einführung und RisikoanalyseAs per GDPR requirements, the user should also be given the opportunity to explicitly consent to the collection of data. This was, and is, mainly achieved with the help of consent banners, which are displayed by the consent management platform (CMP) when the user visits the website for the first time. A CMP ensures that only when the user gives consent to data collection, is the data collected accordingly and passed on to the respective platform.

Data protection regulations cause data gaps

The requirement for explicit consent causes problems when it comes to new customers that were acquired by means of a campaign. Since data per se may only be collected after the user has given consent, information regarding campaigns may be lost when the user is referred to the landing page for the first time and is asked to give consent to data collection. Depending on the campaign, channel, and technology used with regard to consent management, data relating to this user will only be collected from the second interaction on the landing page or with the website. In addition, every user has the right to refuse data collection and profiling on websites. The principle also applies that the user should be able to determine very granularly which technologies are allowed to collect data and which are not. This also applies to other existing and future regulations.
Data Privacy on the rise users explicit decision Datenschutz auf dem Vormarsch: Teil 1 - Einführung und Risikoanalyse
There is, therefore, a significant danger that a data gap can, and will, occur in numerous places.

Well, the remainder are the new 100%..!

After the GDPR was introduced and came into force in Europe, website owners had different experiences regarding data collection with Google Analytics (as well as other technologies). Decreases in data collection of 10% to even 90% could be observed – depending on the website and industry. This repeatedly raised questions about the validity of the remaining data. It was also repeatedly speculated that very specific “customer groups” might want to avoid tracking. One of the most abstruse claims, however, was that there were certain users, who in the past had been responsible for high ecommerce sales numbers, who would now deliberately avoid data collection with Google Analytics in order to falsify the revenue statistics. Of course, a data protection regulation of this magnitude poses a challenge to marketers and website operators. Ultimately, both can only hope that as many website users as possible give their consent to data collection. Nevertheless, a change in mindset is now necessary in order to be able to continue to evaluate and interpret the remaining numbers with confidence. Therefore, as of the introduction of a CMP, the collected data and figures represent the new 100%. A further challenge offered by a marketer’s new worldview is that it makes little sense to compare the data collected with the historical data from this point on. Here at e-CENS, we work to overcome these challenges and will continue to lead the conversation as to how we can best navigate the new Web2 realities.


Next in the series, we consider how a CMP works…
Picture of Holger Tempel

Holger Tempel

Holger is among the first Google Analytics partners worldwide since early 2005. Holger is considered one of the leading experts on digital analytics and is a renowned trainer who can simplify complex ideas into real-world practical examples with actionable insights.

Related resources