German authorities declared last week that the use of web analytics tools such as Google Analytics is illegal without the consent of the person being tracked. We speak to Marit Hansen, head of data protection in Schleswig-Holstein, about what it means.

The statement from the authorities said web users must be told they are being tracked and given the chance to opt out, and that IP addresses cannot be collected without the user’s permission because they constitute personally identifiable information.

Research spoke to Marit Hansen, acting head of data protection for Schleswig-Holstein, and a member of the association of regional and federal authorities that issued last week’s ruling, about how the decision came about and what it means for the software companies and publishers.



Research: It’s somewhat surprising to hear that these very common web analytics tools seem to be illegal.

Hansen: They’re certainly not in accordance with the rules set out by law, which in this case means German media law and data protection principles. So it’s up to the people who develop and use these tools to make sure that their products are designed and configured in full compliance with the law. These are not new requirements – these laws have been in place for a number of years.

Research: The analytics tools have also been around for a number of years – why are we only addressing this now?

Hansen: The discussion hasn’t just begun – since November this year the Duesseldorfer Kreis, which is an association of all the German data protection authorities, has been building on, interpreting and refining what is laid out in law. Prior to this there have been discussions with some suppliers, including Google, to try to get them to configure their products in a way that’s compliant with the law, which hasn’t happened. We informed them in August 2008, I believe, that these things were not compliant with the law.

Research: What sort of relationship do the data protection organisations have with these companies?

Hansen: Google Germany, for example, is based in Hamburg, as is Etracker, and they have been in regular contact with our colleagues in Hamburg for years – in 2006, and also in 2008 and 2009. In some cases some of these tracking firms have got in touch themselves to ask, how do we make sure we’re doing this properly? So there are those who say, we might be doing something wrong, we want to find out – and not just those who wait to be asked about it by the authorities.

Hansen: Also, not everyone from these data protection bodies deals with internet issues every day, so I think it’s good that over the past year we’ve been working with the specialists, and asking the suppliers, how does all this work in detail, is it all down to the IP address, what role do cookies play, where and how is the data managed, and so on.

Research: So there are companies that manage to conduct online tracking in line with the law?

Hansen: That’s right.

Research: What’s the next step? How will the rules be enforced?

Hansen: I expect that Google and others will set out their position, and either say yes, this is how we do it, or propose things they might change and discuss how they might comply, for example with the opt-out requirement. That will eventually be decided in consultation with the authorities.

It would also be possible to use fines against those publishers who are using these tools on a large scale. I don’t believe that any of the authorities are going to do that while we are in a phase like this where it all seems very new to a lot of people. But it’s not ruled out. Another approach that might be adopted is warnings, as you see in some other industries, for companies that are not in compliance.

Of course, we have other areas to focus on, so enforcing this isn’t our top priority, but fines are a possibility, and I think after a certain period of transition we’ll see that happen more. But, as you know, there are thousands of website managers who don’t even know all this yet, so there’s probably going to be an information campaign first of all. We’re very hopeful that companies open themselves up and that the discussion really focuses on the technical mechanisms and the details, and that they ask, how do we make this compliant with the law?