Understanding the role of anonymization and pseudo-anonymization in GDPR compliance – Snowplow

If you visit the European Union homepage for GDPR, one of the first things you’ll notice is a timer (assuming you read this before enforcement begins). Clearly displayed down to the second, at any given time you can check to see how much time you have left. Considering all of the complexities that come with compliance, problems that must be solved at the technological, procedural, and governance levels, there are many of us who will need to use as much of the remaining days and hours as possible to prepare our organizations for this new set of data protection regulations.

This is a companion discussion topic for the original entry at https://snowplowanalytics.com/blog/2018/03/02/understanding-the-role-of-anonymization-and-pseudo-anonymization-in-gdpr/

Hi. If I were to setup Snowplow for fully anonymous funnel tracking and never combined it with other data or sold the data, would I be correct in my understanding that no consent to track would be required and we could track all actions from all visitors from ad impressions through to conversions?

What about cookies that identify only what variation of a split-test page a user saw. That is non-identifying, correct? So, no consent is required?

Thank you!

Hi John, that’s a really good question. Unfortunately, I’m not a lawyer so I can’t say either way for sure. GDPR is complex in that manner: certain data types might not be able to identify a user on their own, but in the broader context of your user data may end up being considered PII. Cookies, for example, that only signify what variation of a split-test a user saw might not be considered personal data in isolation, but in some settings that extra piece can be enough to turn anonymous data into something that points to a specific individual. That’s an extreme example (and kind of improbable) but the point is that it can happen.

Even though you’re not combining your anonymous funnel tracking data with anything like user ID’s, email addresses, etc, you’re still collecting data on your users. Again, I can’t say what’s legally permissible, but based on my understanding of GDPR I really can’t advocate for any type of data collection that’s not disclosed. Keep in mind, this is my personal opinion.

If you’re concerned about needing certain types of data for your business to function, and that people will opt out if given the option to consent, it will probably help to become familiar with the lawful bases for data processing (I wrote about that a bit in this post). Most web-based businesses will probably collect and process data under the auspices of #1, data collected with consent of the users, or #6, data collected for legitimate interest.

Your two examples (which are both awesome, by the way!) sound like they would fall under #6, that you’re collecting data for legitimate interests. While this is the most flexible lawful basis for processing, it also requires the most work from your end to ensure that you’re being compliant.

From the Information Commissioner’s Office in the UK:

If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests

In short, GDPR is complicated and understanding consent is hard.