CNIL confirms Server-Side Tracking

We could hardly believe it when we at JENTIS read the two new articles from the French data protection authority CNIL. A whisper went through the office “Are they writing about us?” – of course not, not yet. The French data protection authority had published two groundbreaking articles on 07 June 2022.

The first of the two articles, published exclusively in French, answers 14 frequently asked questions about the use or prohibition of Google Analytics. The second article outlines a way to use Google Analytics in a 100% GDPR-compliant manner. It is the first time that a data protection authority in Europe has come to the same conclusion that prompted the founders of JENTIS back in 2016 to work on a new technology that online marketers now know as server side tracking.

Simply changing the tool settings is not enough

The first article answers a very exciting question with a new term: the proxy server
QUESTION: “Are there sufficient additional safeguards to continue using the Google Analytics tool on its own?”
ANSWER: “None of the additional safeguards submitted to the CNIL in the context of the request would prevent or render ineffective the access of US intelligence services to the personal data of European users when using the Google tool alone. However, it is possible to envisage a solution that would allow a proxy server (or ” proxy “) to be included in order to avoid any direct contact between the Internet user’s terminal device and the servers of the measurement tool. It is necessary to ensure that this server meets a number of criteria in order to conclude that this additional measure is in line with what the EDPS envisaged in its recommendations of June 18, 2021.”

The answer from CNIL is clearer than ever before: the authority unsurprisingly confirms the notices it had already issued previously this year. None of the measures offered by Google itself can be sufficient to provide guarantees that would ensure the same level of data protection at Google as would be expected within the EU. A possible way out is, as the French authority calls it, a proxy solution. A separate article has been written on this approach, which we will examine in more detail below.

One possible solution: proxying

CNIL: “In light of the criteria above, one possible solution is to use a proxy server (or ” proxy”) to avoid any direct contact between the Internet user’s terminal equipment and the servers of the measurement tool (i.e. Google in this case). However, it is necessary to ensure that this server meets a number of criteria in order to conclude that this additional measure is in line with what the EDPS envisaged in its recommendations of June 18, 2021. Such a mechanism would indeed comply with the use of pseudonymisation prior to the export of data.”
Three points are striking here:

• The CNIL consistently refers to the recommendations of the European Data Protection Board. This is therefore not a French interpretation but a coordinated European approach.
• “… Pseudonymisation before the data export …” Thus, 2 facts were stated once again. 1) Pseudonymisation is sufficient to establish an appropriate level of data protection and 2) Pseudonymisation must take place before the data export.
• “… that this server meets a number of criteria …” – These are precisely the criteria we have been putting through their paces at JENTIS over the last few days.

We will go through them step by step in the following section:

Criterion 1: The lack of transmission of the IP address to the servers of the measurement tool.

The missing transmission of the IP address to the servers of the measurement tool.
This measure is implemented by default at JENTIS. Visitors’ IP addresses are shortened in the European legal area in such a way that it is no longer possible for Google to assign them to an end-user.

Criterion 2: Replacing the user ID with the proxy server

All IDs that Google could use for personal identification can be pseudonymised at JENTIS. This means that the original IDs are still stored at JENTIS, but are not passed on to external parties such as Google. Instead of the original IDs, new IDs are randomly generated that comply with all formal requirements.

This graphic is intended to illustrate the interruption of the ID cycle. While the young lady in front of the laptop with the ID “AB12” could still be identified, Google can no longer trace the ID “XY45” generated by JENTIS back to the person. JENTIS also ensures that the user always receives the same ID so that all data arrives at Google Analytics as desired. This means that all analyses can be carried out as usual without any loss of quality. (Therefore, this is a pseudonymisation and not an anonymisation).

Criterion 3:The deletion of the referring site information (or referrer).

Personal data may already be in the referrer. The referrer is the URL of the previous page, in the case of Google, for example, a search page. This referrer can be changed at JENTIS so that the referrer only allows conclusions to be drawn about the marketing channel, but no longer contains any personal data.

Criterion 4: The deletion of all parameters contained in the collected URLs.

We all know the Google ClickID (gclid). This is the ID that is passed on to the shop in the URL as a parameter if the user clicks on an Adwords ad. This and similar IDs can be consistently filtered or pseudonymised by JENTIS.

Criterion 5: The re-processing of information that may be involved in the generation of a fingerprint.

Fingerprinting is a technology that JENTIS has rejected from the beginning. Thus, it is only logical that JENTIS can screen out all the information that could allow Google to draw conclusions about the user based on his meta information.
JENTIS goes even one step further here, because the timestamp can also be used for such fingerprinting. Therefore, JENTIS has created a new procedure called “smart time framing”. Hits are collected from a certain number of users until they are forwarded to Google in such a timely manner that Google can no longer use the timestamp to infer the user.

Criterion 6: The absence of any collection of identifiers between sites (cross-site) or deterministic.

Own IDs, e.g. from the CRM, which are transferred to JENTIS (e.g. for raw data analysis or for other European tools), can of course be pseudonymised as well before the transfer to Google.

Criterion 7: Deletion of all other data that may lead to re-identification.

Every data point that is collected must first be checked to see if it can lead to an identification of the person. JENTIS offers the possibility to mark such variables as PII. This makes it easy to keep track and make the right settings in your tag manager.

Criterion 8: The terms and conditions for proxy hosting must be appropriate too.

At JENTIS, you are spoilt for choice when it comes to cloud providers. We are particularly proud that we have been able to offer a 100% intra-European cloud since last year: Exoscale, a 100% subsidiary of Austrian Telekom, guarantees full DSGVO compliance for data storage and transit.
Of course, the server location is also decisive here, which at JENTIS is always within the EU. But the correct server location alone is not enough. The question is: Who operates the server? Because if the company operating the server is bound by the relevant US laws, it is irrelevant where the server is located. US authorities can and will demand access to the data.

Profitability

Our development team was particularly amused by a paragraph in the article about economic efficiencies. This reflects the hard work, sweat and many, many person-years that have already gone into JENTIS since 2016:

“Implementing the measures described below can be costly and complex and does not always meet the operational needs of professionals. To avoid these difficulties, professionals can also use a solution that does not transfer personal data outside the European Union.”
Such a solution can only be operated economically as a product. Apart from the development effort, which is enormous in and of itself, the operation of such a system is also a challenge and not feasible for most companies. For example, none of us wants to wait until Monday morning if the tracking fails on Saturday morning. An emergency team of technicians is therefore only one of the requirements for operating such a tracking system.

With JENTIS, a mature and fully managed product is on the market, where the customer does not have to worry about the infrastructure, operation or servicing. Thanks to continuous development, one can be sure of always having cutting edge tracking technology.

Are you curious? Then simply take a look at our guided product demos. There, the motto is: Just sit back and let everything be explained to you at your leisure. Register for the demo now!

BOOK A TIMESLOT

Last but not least, here are the two links to the original articles of the French data protection authority CNIL. At the moment, they are only available in French. Simply use the browser translation options.

https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/questions-reponses-sur-les-mises-en-demeure-de-la-cnil-concernant-lutilisation-de-google-analytics
https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/google-analytics-et-transferts-de-donnees-comment-mettre-son-outil-de-mesure-daudience-en-conformite