EUGDPR Home Page
The EUGDPR regulation begins enforcement among software providers starting May 25, 2018.
ConversionRuler is committed to supporting and providing tools to enable our customers to adhere to the EUGDPR regulations.
To read more about the regulations, please review the Official EUGDPR website.
Review the Market Ruler EUGDPR Privacy Statement, suitable for inclusion in your site's privacy statement.
Contents
Market Ruler and EUGDPR
How EUGDPR regulations will affect analytics providers is to be seen, but the law itself is largely targeted at those providers who have a presence in the European Union (specifically Social Media providers) and would be subject to sanctions for non-compliance.
Market Ruler, LLC is based in the United States; and we do wish to support the law in the most comprehensive way possible.
The ConversionRuler data we collect ultimately belongs to our customers; we currently do not harvest, manipulate, collate, or publish it in any way.
Unfortunately, the burden on each individual analytics provider is fairly great. Requiring each analytics provider to receive opt-in consent when visiting a web page would ultimately make the user experience terrible; as well it would require more intensive compute resources if providers were to deliver one type of tracking for EU visitors and another type of tracking for non-EU visitors.
From a technical perspective, the only "personally identifiable" information ConversionRuler collects by default (aside from form or action data which you may submit to us) is the IP address, which, oddly, must be disclosed first to any website before consent to use it is granted.
The determination of the IP address as personal data is still being settled in the European courts and has only be determined to be personal data when paired with actual personal data such as an email address or full name.
So we push this burden onto each individual website and assume that your site will only track personal data using ConversionRuler Tracking Snippets in adherence with the EU regulations and requiring consent from all parties who visit your site before tracking personal data using ConversionRuler.
Personally-identifiable Data
The EUGDPR is focused on what is known as Personally Identifiable Data, that is, data which can identify an individual. Unfortunately, the law is still not clear on whether they consider IP addresses as personally-identifiable (see this news article on WhiteCase.com from December 2016. What that court case does identify, however, is that IP addresses in conjunction with personally-identifiable data (such as name, email addresses and phone numbers) is considered personally identifiable.
That said, ConversionRuler's focus for EUGDPR data will be on:
Understanding the EUGDPR
The EUGDPR law, explained section-by-section, with how Market Ruler supports or is planning to support the new law.
Lawful basis of processing
- What it means: Sites need to have a legal reason to use visitor data: Via consent (see next section), notification, performance of a contract, or legitimate interests (e.g. visitor is a customer).
- How Market Ruler supports this aspect of the law: We do not support the determination of the lawful basis for processing, but leave this to customers to do prior to sending personal data to Market Ruler's systems. There are many tools which can be used to gather consent. Our code supports installation and opt-in-only versions which only track visitors who have granted consent to be tracked.
- Status: Implementation is left to individual customers.
Consent
- What it means: As outlined above, a lawful basis to process personal data is with the visitor's consent. In order for a visitor to grant consent, they must be notified and told what they are consenting to; and consent must be, by default, opt-out. In addition, consent must be granular such that a visitor can consent to receive emails, but not phone calls.
- Businesses must log evidence of what notice was given, what was consented to, and when consent was given.
- How Market Ruler supports this aspect of the law: Given the determination of the lawful basis above, ConversionRuler supports tracking only after consent is given and can also support the third-party logging of the consent using a special action once consent is given.
- Status: Currently available by following our guides.
Withdrawal of consent
- What it means: Visitors should be able to withdraw their consent at any time. Withdrawing consent needs to be as easy as giving consent.
- How Market Ruler supports this aspect of the law: ConversionRuler suggests that individual providers link to ConversionRuler EUGDPR Management pages for their sites to enable visitors to withdraw consent and optionally anonymize or remove their personal data. These links will be available from the site's Snippet Installation page if the EUGDPR Setting is configured for your tracking site.
- Status: MarketRuler Privacy Application enables visitors to request deletion of their data or opt-out of all future tracking.
Using Cookies
- What it means: Visitors need to be given notice that cookies are used to track them, in their native language. Consent is also required here.
- How Market Ruler supports this aspect of the law: Business providers should optionally load the Tracking Snippets until consent has been given. See the implementation guide.
- Status: Currently available by following our guides.
Right of access
- What it means: Visitors have the right to request what personally identifiable data is stored in business databases.
- How Market Ruler supports this aspect of the law: ConversionRuler suggests that individual providers link to ConversionRuler EUGDPR Management pages which will allow for the download of data in both human and machine-readable formats.
- Status: MarketRuler Privacy Application enables visitors to review and retrieve all data associated with their browser.
Right of deletion
- What it means: Visitors have the right to request the deletion of their data from records stored in business databases. In most cases, requests must be responded to within 30 days. The right to deletion is not absolute and can depend on many factors.
- How Market Ruler supports this aspect of the law: ConversionRuler suggests that individual providers link to ConversionRuler EUGDPR Management pages which will allow for requests for data deletion or conversion of the data to non-personally identifiable data (e.g. Anonymization)
- Status: MarketRuler Privacy Application enables visitors to request deletion of their data.
Right of modification
- What it means: Visitors have the right to request the modification or correction of their data stored in business databases.
- How Market Ruler supports this aspect of the law: ConversionRuler currently supports the searching and modification of Action Data via the Browse Actions aspect of the management tool.
- Status: Currently supported.
Security Requirements
- What it means: The GDPR requires a variety of data protection safeguards, from encryption of personal data when stored in databases, as well as access controls to data, and data anonymization.
- How Market Ruler supports this aspect of the law: For EU website which are already adhering the the GDPR laws - ConversionRuler already transmits user information securely to our server using best security practices.
- In addition, ConversionRuler will be enhancing our security measures and the security of our data tracking as well as the security of our administrative interface.
- These changes will be made in the coming year.
- Status: Currently supported.
Supporting the EUGDPR via Anonymization
Businesses may opt to skip support for the EUGDPR by:
- Only tracking using ConversionRuler when consent is given by (or other lawful basis exists for) visitors
- Anonymizing data prior to sending to ConversionRuler
If these steps are taken, then no personally-identifiable data is ever sent to ConversionRuler and therefore, no issues arise with access, deletion, or other records.