GDPR Practical Guide - AT Internet

How can you ensure compliance with the General Data Protection Regulation (GDPR) when using AT Internet solutions?

Following a quick introduction, which will cover key definitions and scope of application, this practical guide will help you with processes related to the following 5 themes:

  1. Responsibilities between you and AT Internet
  2. Information for your users
  3. Managing consent
  4. Your users’ rights
  5. Your users’ preferences

In each chapter, we’ll highlight GDPR principles and then indicate their consequences on the AT Internet solution, and the actions to take in these cases.

This practical guide will evolve over time based on developments in the Privacy and GDPR sphere. Please don’t hesitate to share your specific questions with us (via the ‘Help’ button at the bottom-right) so that we can keep this guide updated.

 

Introduction

 

The GDPR is neither a revolution nor a ‘Big Bang’.

Since 1978 and the ‘Loi informatique et libertés’ (revised), France has had a legal framework for the protection of personal data, with rules that apply to the Internet landscape as well. The GDPR is meant to create consistency at the European level and reinforce/create certain user rights.

 

The GDPR defines the following:

  • data controller = you, AT Internet customer
  • data processor = us, AT Internet
  • data subjects = users of your sites and mobile apps
  • personal data is any information relating to an identified or identifiable natural person
  • processing is any operation or set of operations... performed on personal data or sets of personal data… such as collection… consultation, use, disclosure by transmission, dissemination…

See definitions in article 4.

 

The GDPR applies to:

  • The processing of personal data, whether automated or not, which form part of a filing system (article 2.: material scope)
  • Processing carried out in the context of the activities of a controller or a processor in the EU, and/or processing related to EU residents (article 3.: territorial scope)

As AT Internet is established in the EU territory and, additionally, we collect information related to EU residents, the GDPR does indeed apply to our processing activities.

 

1. Responsibilities between you and AT Internet

 

The redistribution and clarification of responsibilities regarding the processing of personal data are a key point of the GDPR.

 

What the GDPR says

 

Article 28 says: "Processing by a processor shall be governed by a contract or other legal act... that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller."

 

How it affects AT Internet

 

The Data Processing Agreement

With the goal of enabling compliance with regards to article 28, AT Internet will provide you with a Data Processing Agreement, or DPA.

AT Internet’s DPA defines the following:

  • types and categories of data collected, as well as data subjects
  • the nature, purposes and duration of processing, as well as the conditions of their lawfulness
  • a point of contact to discuss privacy-related issues, data security and the GDPR
  • our responsibilities and yours


Action:

Ask for your DPA (Germany or United Kingdom) to our Support Centre (via the ‘Help’ button at the bottom-right), provide it to your legal department for approval, and return it to us (signed) at dpo@atinternet.com.
By signing the DPA or at least beginning the process as soon as possible, you demonstrate compliance.

 

Interactions with other vendors

Within the framework of your digital analytics activities with AT Internet, you may find yourself working with other vendors, such as:

  • other measurement tools (A/B testing, for example)
  • web agencies
  • integrators
  • ...

 

Action:

For all these vendors, verify whether the GDPR potentially applies to any processing (see the introduction) and proceed, if necessary, with the definition of responsibilities (in the same way as for AT Internet).

 

2. Information for your users

 

Demonstrating transparency on the processing of personal data is a fundamental principle of the GDPR.
In the world of website and app publishers who collect personal data, data controllers must make a certain amount of information available to their users to specify how information is collected and used.

 

What the GDPR says

 

Article 5 says: "Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject"

Article 13 and article 14 detail which types of information must be provided, notably including explanations about the purpose of processing, the duration of data conservation, etc.

This information must be easily accessible and expressed in a clear manner.

 

How it affects AT Internet

 

Article 8 of our Data Processing Agreement (DPA) specifies the obligations of informing users in order to ensure the requirements of GDPR Articles 13 and 14 cited above.

 

You must share the following information with users regarding your use of AT Internet as an audience measurement solution, and do so via an information page ("privacy centre"):

  • Purpose of processing

As data controller, you must be able to explain the purpose of your using an audience measurement solution to your users.

Article 5.2 of our DPA provides a definition of AT Internet’s solution’s processing’s purpose.

  • Type of data collected

AT Internet provides a list of dimensions and metrics detailing which navigational information is collected from Internet users via our solution.

As this is an exhaustive list, we advise you to highlight (in your explanations to users) the information which is most relevant to your particular usage of the solution.  

  • Cookies and mobile IDs

This information can supplement the information given about the types of data collected, in the way that it specifies how collection is done.

AT Internet provides a list of cookies used in the framework of our solution for web.
Regarding identifiers used in the context of mobile apps, you’ll find information on the different mobile IDs available in our tagging guide for iOS and Android.

  • Data transfers

If your processing involves a transfer of data outside the European Union, and additionally to a country that is not recognised by the EU as providing a sufficient level of security, you must inform your users and ensure an adequate level of security (refer to articles 13, 14 and chapter V of the GDPR).

See "Data protection around the world" from the CNIL (France’s data protection authority).

2018-04-11_10h29_45.png

Regarding AT Internet, and as stipulated in article 20 of our DPA, we commit to ensuring that all data is processed and stored in the European Union.

  • Duration of conservation

By default, "raw data" is conserved for 6 months, and "processed data" is conserved for the duration of the contract between you and us.
Should you wish to specify a certain data conservation duration, please send your request to the Support Centre (via the ‘Help’ button at the bottom-right).

However, please be sure to make the distinction with the conservation of data collected during the cookie lifetime, whose duration is mandatorily set to 13 months in France.
A 13-month cookie means that we will not be able to recognise a user on a website beyond this timeframe.

  • Subject access rights

You must be able to respond to Internet users regarding the exercising of their rights, across all the personal data you collect.  

In "Part 4. Your users’ rights" below, we address the means of applying these rights as they pertain to data collected by our solution.

In regards to what information must be given about these rights, you must specify their existence and provide a reminder of the legal context: loi informatique et liberté (on Information Technology, Data Files and Civil Liberties) and starting May 25, 2018, and indicate your points of contact for handling requests.

  • Managing consent and data subject preferences

The means of gathering consent within the framework of our digital analytics solution are specified below in Part 3. Managing consent.

You must provide information about the different options available to an Internet user who wishes to withdraw consent on the processing of his/her personal data.

Regarding digital analytics, the main options are:

  1. Opt-out (enable an ‘exclusion cookie’ to be placed which signals that the user does not want to be tracked)
    On your informational page, you can offer this possibility by sending your users to AT Internet’s opt-out page.
  2. Browser settings (avoid the placement of a ‘web cookie’)
    Your information page should not simply direct users to different browser settings to manage opt-out. While you can indicate this in the general information you provide to users about cookie management, you must also provide an opt-out solution specific to your site. As explained above, and as concerns your web analytics solution, we have made our opt-out page available. Please note that if you are using first-party cookies, complementary methods will enable you to offer a completely exhaustive opt-out. Please contact our Support Centre for additional details.
  3. Location sharing (disable collection of GPS data on mobile apps)
    If your application allows GPS data to be collected, you must inform your users and provide a means for them to disable this service.

 

For more information on this topic:

  • Point 3. Managing consent indicates the practical means of managing consent within the framework of our solution (accounting for opt-out and browser settings)
  • Point 5. Your users’ preferences exposes a range of different options available to users for specifying their preferences (including opt-out, browser settings, and location sharing)

 

Action:

Update (or create) your informational page, generally called "Personal Data" or "Privacy and Cookies", on your sites as well as in the settings and information about your mobile applications, to create a real "privacy centre" that lists all key information regarding your users’ personal data.

This "privacy centre" must be quickly and easily accessible so that users may update their consent preferences.

 

3. Managing consent

 

What the GDPR says

 

Article 6 of the GDPR says: "Processing shall be lawful only if... the data subject has given consent to the processing of his or her personal data for one or more specific purposes;”

Article 7 then specifies that: "The data subject shall have the right to withdraw his or her consent at any time. ... Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent."

We also suggest you review article 8 for specificities involving consent for children.

 

How it affects AT Internet

 

Within the framework of digital analytics, all information related to a visitor is considered as personal data.

In tangible terms, managing consent for standard AT Internet analytics data (refer to the "principal purposes" defined in the DPA described in section 1.) is done by placing a cookie (or not placing it) for the “web” side (see "For websites" below) and via transmitting the mobile ID (or not transmitting it) for the “mobile app” side (see "For mobile apps" below).

We exclusively use the values transmitted via the cookie or the mobile ID to create the Unique Visitor ID, notably available in Data Query and which enables you to link navigational data to an individual.

 

Important: Until the ePrivacy component of the GDPR comes into force, please note that each recommendation from each national authority should be taken into account for managing the placement of cookies.

You can consult this list of European national data protection authorities.

 

For all other personal data transmitted to AT Internet, such as identified visitors or site and page variables, for example (refer to the “ancillary purposes” defined in the DPA described in section 1.), specific consent may be necessary.

 

For websites

 

In addition to the fact that users can completely block cookies at the browser level (see each browser's settings), AT Internet offers a method to not place any cookie before user consent is obtained (see disableCookie) and a method to ensure opt-out.

Please note that in the case of 1st party opt-out, certain browsers (ex.: Safari) require a particular configuration.

Remember that you must provide your users with the possibility of withdrawing their consent at any moment in a simple way.

 

Note: compliance upgrade actions can have consequences on your analytics data, notably potential duplication and potential loss of sources for a portion of your traffic (visits and visitors excluded, then included, in your navigational data after consent/direct traffic on the second visit included).

Please don’t hesitate to contact our Support Centre (via the ‘Help’ button at the bottom-right) for more specific information or additional help with these compliance upgrade configurations.

 

Example of cookie banner and consent management on https://ico.org.uk:

2018-05-16_14h41_01.png

 

Example of cookie banner and consent management on www.cnil.fr/en/home:

2018-05-16_14h43_43.png

2018-05-16_14h44_37.png

 

 

 

2018-05-16_14h44_50.png

 

 

For mobile apps

 

In the case of mobile applications, it’s important to remember that it’s you (the customer) who chooses (via the product/project manager and/or developers) which ID will be used to track your users when you implement our SDK in your application.

The CNIL (French data protection authority) defines mobile app publishers’ obligations.

 

The context of mobile apps means you can (in theory) retrieve the information necessary regarding consent, via app download and installation, from your user ahead of the first screen load.

In France, upon activating the application, you must therefore:

  • Retrieve any potential "Limited Ad Tracking" configuration in the telephone settings
  • Request user consent to use the mobile ID for tracking his/her navigation (see the example below)

Depending on the telephone’s configuration and/or whether you gather consent from your user, you may disable user tracking:

Please note that you must provide your users the possibility to withdraw their consent at any time, in a simple way.

Please don’t hesitate to contact our Support Centre (via the ‘Help’ button at the bottom-right) for more specific information or additional help with these compliance upgrade configurations.  

 

 

Action:

For websites:

  • Display a clear and sufficiently detailed informational banner explaining how you use cookies, and also directly offer 2 alternatives to either accept or refuse cookies (please refer to the example of the CNIL website above)
  • Give your users the possibility to withdraw their consent at any moment, in a simple way

For mobile apps:

  • Display a clear and sufficiently detailed informational screen, upon application launch, for example, which explains how you use the user ID, and also directly offer 2 alternatives to either accept or refuse this usage (please refer to the example above)
  • Give your users the possibility to withdraw their consent at any moment, in a simple way

 

4. Your users’ rights

 

The GDPR reinforces data subjects’ rights regarding their personal data and imposes more transparency on how their preferences regarding consent to data collection are taken into account.

 

What the GDPR says

 

Data subjects’ rights are addressed in the following articles:

 

How it affects AT Internet

 

Article 9 of our DPA specifies responsibilities when data subjects exercise their rights.
This chapter’s objective is to provide you with information about our processes and indicate which steps to take should an Internet user contact you directly to exercise his/her rights.

 

From an analytics point of view, the means of handling these rights are as follows:

  • Right to access and erasure: see the table below
  • Right to limitation of processing and right to object: these rights pertain to the options given to Internet users to limit tracking of their navigation
  • Right to rectification and right to portability: we consider that these possibilities are not applicable.

 

Managing the right to access and the right to erasure within the AT Internet framework:

 

Website
1st and 3rd party cookies

Mobile app

Identification of the Internet user

To access personal data collected from a website, the Internet user must be able to provide his/her cookie ID.

1st party cookie: The user must access the cookie files for each of the sites on which he/she wishes to exercise these rights, and then send us the list of corresponding IDs.
Even if this is possible in theory, it would seem difficult to execute, practically speaking.
Nonetheless, these steps will be explained to the user.

3rd party cookie: The user must retrieve and send us the AT Internet cookie ID (steps to do so will be explained to the user)

To access personal data collected from a mobile app, the Internet user must be able to provide his/her mobile ID.

The app developer/project manager shall determine the mobile ID to use.
The different available options are detailed in our tagging guides for iOS and Android.

For the user, only some of these IDs are available: the IDFA for iOS, and AndroidID + AdvertisingID for Android.
Even if this is possible in theory, it would seem difficult to execute, practically speaking.
Nonetheless, these steps will be explained to the user.

Querying the database

With these IDs, we will be able to replay the algorithm allowing us to generate his/her Unique Visitor ID.

For the right to access, we will provide a .csv file containing the user’s available personal data.

For the right to erasure, we will apply an irreversible anonymisation of his/her data.

Limitations

The available information will therefore be limited to data related to the cookie IDs and mobile IDs that the user is able to provide us, and will also depend on the availability of this data based on the duration for which raw data is conserved (see article 1 of our DPA).

 

Notes:

  • Should an Internet user contact AT Internet directly to exercise his/her rights pertaining to data collected by our solution, and this user does not target his/her request to specific websites in particular, we will handle the request without having to involve our clients.  
  • In the case of identified visitors: Internet users should contact you directly as you are the owner of his/her identified visitor ID.
    Our reporting API allow you to directly answer to the Internet user request.
    You can access to a predefined Template to extract a CSV. file with some identified visitor information on 1 month by clicking here.
    You need to map the #VisitorID# and #SiteID# part with the right value and repeat the call on the wished period and sites.

Please don’t hesitate to contact our Support Centre (via the ‘Help’ button at the bottom-right) for more specific information or additional help with this extract operation.

Action:

Send the request for access and/or erasure to dpo@atinternet.com no later than five (5) business days following its receipt (see article 9 in our DPA).

 

5. Your users’ preferences

 

This section covers the different options available to users to specify their choices regarding the collection and usage of their personal data. For the practical steps to take regarding the AT Internet solution, please see section 3. Managing consent).

 

An overview of the different tools and their scope of application:

  • Opt-out of audience measurement - Websites

Principles: Opting out of audience measurement involves using an "opt-out cookie" (or "exclusion cookie") instead of the normally used audience measurement cookie.
This cookie is anonymised in that it does not contain any ID particular to the Internet user.  Thanks to this cookie, the Internet’s navigational data cannot be analysed by the audience measurement body. While information is indeed transmitted, as the cookie is anonymous, this information does not enable the Internet user to be identified. Within the framework of the AT Internet solution, this data includes a global variable that measures the number of visitors who have chosen to opt out. It is up to the Internet user to specify his/her choice to use an opt-out cookie, rather than an audience measurement cookie.

How to specify your choice: The audience measurement cookie owners are responsible for providing a webpage on which Internet users can easily specify their choices (generally via a tick box). Generally speaking, this opt-out option should be available from your privacy information page.

Scope of application: The Internet user’s choice is taken into account only on the device and browser on which the choice has been specified.

  • Opt-out of audience measurement – Mobile apps

Principles: As with websites, solutions exist allowing mobile app users to specify their preference to not be counted in audience measurement.  

How to specify your choice: From the phone’s general settings, each user can select the option “Limited Ad Tracking” and/or reset his/her advertising ID.

Limitations: This action only affects applications which use "advertising IDs" to recognise visitors (IDFA-type IDs for iOS, ad Advertising ID for Android). In addition, each app publisher can configure Privacy management in the app settings and make an opt-out solution available. In this case, the user will need to open these settings to specify his/her choice.

Scope of application: The Internet user’s choice is taken into account only on the device on which the settings were entered.

  • Do Not Track

Principles: Do Not Track is a feature available in browsers. Once this feature has been enabled, it includes an indication in the http header sent by the browser that the user does not want his/her navigation to be tracked. It is up to the Internet user to specify his/her desire to use this feature. For the moment, there is no legal obligation regarding organisations that collect navigational information to account for this information.

How to specify your choice: Most browsers provide this feature which is available in the options/settings/configuration under the name "Do Not Track".

Scope of application: Mobile apps are not affected, as they do not involve use of a browser. The Internet user’s choice is taken into account only on the device and browser on which the settings were entered.

  • Tracking Protection

Principles: This feature is available in the Firefox browser and allows users to block certain trackers based on a list maintained by the company Disconnect (more details can be found here). It is up to the Internet user to specify his/her desire to use this feature.

How to specify your choice: This feature is available in the “Privacy & Security” options in the Firefox browser.

Scope of application: Mobile apps are not affected, as they do not involve use of a browser. For the moment, only the Firefox browser provides this feature, but Internet users can visit the Disconnect site to apply this list to his/her navigation. The Internet user’s choice is taken into account only on the device and browser on which the choice has been specified.

Note: As of March 2018, AT Internet is present in the Disconnect list under the following domain names: atinternet.com, xiti.com. This means that when the Tracking Protection feature is enabled, AT Internet does not collect data for Internet users who visit websites which use atinternet.com or xiti.com as collection domain names. As a workaround to this issue, we provide a solution to collect data under your own domain name (more details can be found here).

  • Refusing cookie placement / cookie deletion

Principles: At the browser level, an Internet user may delete cookies that have already been placed on his/her device, and he/she may also configure the browser to block cookies (no longer allow them to be placed). Cookie non-placement makes it impossible to identify visitors via this means. It is up to the Internet user to configure his/her choices.

How to specify your choice: This configuration of settings is available at the browser level in the options/configuration/settings.

Scope of application: Mobile apps are not affected, as they do not involve use of a browser. The Internet user’s choice is taken into account only on the device and browser on which the choice has been specified.

  • Private browsing windows in browsers

Principles: Each browser offers the possibility to browse in "private" mode, and the manner can vary depending on the browser: FirefoxOpera, Edge, Chrome, Safari.

How to specify your choice: From your browser’s general menu, click the direct link enabling you to open a private browsing session.

Scope of application: Mobile apps are not affected, as they do not involve use of a browser. The Internet user’s choice is taken into account only on the device and browser on which the choice has been specified, and only for the duration of the session.

  • Limit Ad Tracking

Principle: Limit Ad Tracking and resetting the advertising ID are features made available by operating systems on mobile devices (iOS / Android). These features affect the device IDs that are used for targeted ad operations. By disabling this tracking and resetting the ID, information is no longer sent to advertising bodies. Regarding web analytics, these IDs can be used in the framework of visitor recognition. Users who have configured Limit Ad Tracking will have a de facto "opt out" for apps which use the advertising ID for visitor recognition.

How to specify your choice:
Android (Google settings / enable the options “Opt out of Ads Personalization” and “Reset advertising ID”),
iOS (Privacy settings / access the “Advertising” option / enable "Limit Ad Tracking" and “Reset Advertising Identifier”).

Scope of application:  Only affects mobile apps. The Internet user’s choice is taken into account only on the device on which this choice has been specified (refer to section 3. Managing consent for more specifics regarding AT Internet).

  • Refusing geolocalisation

Principle: Certain mobile aps can save the user’s geographic location in real time using GPS coordinates. The user may choose to not send this information.

How to specify your choice:
Android  (in the general settings),

iOS  (for each application, in the general iOS settings, with two choices: never send the location, or only when the application is active).

Scope of application: Only affects mobile apps. The Internet user’s choice is taken into account only on the device and browser on which this choice has been specified.

  • Adblockers

Principle: On certain browsers, it’s possible to load modules for blocking ads (ex: Adblock Plus). These modules work on the principle of domain name blockage lists. Some of these lists may contain domain names related to web analytics data collection solutions such as AT Internet. In this context, data collection can therefore be affected for users who have activated these ad blocker modules.

How to specify your choice: The main browsers give access to a list of modules that can be downloaded via the browser menu.

Scope of application: The Internet user’s choice is taken into account only on the device and browser on which the choice has been specified, and only for the duration of the session.
As a workaround to this issue, we provide a solution to collect data under your own domain name (more details can be found here). 

Have more questions? Submit a request