Privacy & Compliance Overview
Understanding the global privacy landscape and its impact on analytics implementation.
The Privacy Landscape
Major Regulations

| Regulation | Region | Key Requirements | Effective |
|------------|--------|------------------|-----------|
| GDPR | European Union | Consent, data rights, DPO | May 2018 |
| CCPA/CPRA | California | Opt-out, data deletion | Jan 2020/2023 |
| ePrivacy | EU | Cookie consent | Pending |
| LGPD | Brazil | Similar to GDPR | Sep 2020 |
| POPIA | South Africa | Consent, data protection | Jul 2020 |
| PDPA | Singapore | Consent, data transfer | Jan 2013 |

Impact on Analytics
Privacy regulations fundamentally change how we collect and process data:
```
Traditional Tracking        Privacy-First Tracking
─────────────────────       ─────────────────────
Collect everything      →   Minimal data collection
Third-party cookies     →   First-party data
Implicit consent        →   Explicit consent
Unlimited retention     →   Purpose-limited retention
Vendor freedom          →   Data processor agreements
```
Consent Framework
Types of Consent

| Type | Description | When Required |
|------|-------------|---------------|
| Necessary | Essential for site function | Never (exempt) |
| Analytics | Performance/behavior tracking | Most jurisdictions |
| Marketing | Advertising and retargeting | All jurisdictions |
| Personalization | Content customization | Varies |

Consent Requirements by Region

| Region | Standard | Marketing | Analytics |
|--------|----------|-----------|-----------|
| EU/EEA | Opt-in | Required | Required |
| UK | Opt-in | Required | Required |
| California | Opt-out | Right to opt-out | Notification |
| Canada | Opt-in | Required | Implied OK |
| Rest of World | Varies | Check local laws | Check local laws |

Data Subject Rights
Under GDPR and similar regulations, users have:
Right to Access
Users can request all data you hold about them.
Implementation:
- Maintain data inventories
- Build export functionality
- Respond within 30 days
Right to Deletion
Users can request erasure of their data.
Implementation:
- Delete from all systems
- Notify third parties
- Maintain deletion logs
Right to Portability
Users can request data in a machine-readable format.
Implementation:
- JSON/CSV export capability
- Include all personal data
- Standardized format
Right to Object
Users can object to certain processing.
Implementation:
- Easy opt-out mechanism
- Honor objections promptly
- Document all requests
Analytics Privacy Framework
Privacy-First Architecture
```
┌─────────────────────────────────────────────────────────┐
│                      Consent Layer                      │
│               (CMP: Cookiebot, OneTrust)                │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  User Consent: None   │ Analytics    │ Marketing        │
│  ─────────────────────────────────────────────────────  │
│  • Basic pageviews    │ • GA4 w/o    │ • Full           │
│  • No cookies         │   user ID    │   tracking       │
│  • Aggregated stats   │ • Limited    │ • Retargeting    │
│                       │   cookies    │ • Attribution    │
│                                                         │
└─────────────────────────────────────────────────────────┘
```
Data Minimization Principles
- Collect only what's needed - Define clear purposes
- Anonymize when possible - Remove identifiers
- Limit retention - Set expiration dates
- Restrict access - Need-to-know basis
- Document everything - Maintain processing records
Google Consent Mode
What It Is
Google Consent Mode allows Google tags to adapt based on user consent:

| Consent State | Behavior |
|---------------|----------|
| Granted | Full functionality |
| Denied | Cookieless pings, no persistent storage |

Key Parameters

| Parameter | Purpose |
|-----------|---------|
| ad_storage | Google Ads cookies |
| analytics_storage | GA4 cookies |
| ad_user_data | User data for ads |
| ad_personalization | Personalized ads |

Implementation Overview
```javascript
// Set default consent (before GTM loads)
gtag('consent', 'default', {
  'ad_storage': 'denied',
  'analytics_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'wait_for_update': 500
});

// Update after user grants consent
gtag('consent', 'update', {
  'ad_storage': 'granted',
  'analytics_storage': 'granted',
  'ad_user_data': 'granted',
  'ad_personalization': 'granted'
});
```
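
One way to translate a consent banner's choices into the Consent Mode parameters listed above, as an added example that is not part of the original page or Google's own code. The category names `analytics` and `marketing`, the grouping of parameters under them, and the function names are assumptions; the logic fails closed, so only an explicit boolean `true` grants a parameter and a withdrawal sends an update that sets it back to `denied`.

```javascript
// Added example, not from the original page. Category names and the
// category-to-parameter grouping are assumptions for illustration.
const CATEGORY_PARAMS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Every parameter denied: the state to send as the default.
function defaultConsent() {
  const state = {};
  for (const params of Object.values(CATEGORY_PARAMS)) {
    for (const p of params) state[p] = 'denied';
  }
  return state;
}

// Convert CMP choices such as { analytics: true } into a Consent Mode state.
// Only an own property holding the boolean true grants; missing keys,
// "true", 1, inherited properties and unknown categories stay denied.
function buildConsentState(choices) {
  const state = defaultConsent();
  if (choices === null || typeof choices !== 'object') return state;
  for (const [category, params] of Object.entries(CATEGORY_PARAMS)) {
    const own = Object.prototype.hasOwnProperty.call(choices, category);
    if (own && choices[category] === true) {
      for (const p of params) state[p] = 'granted';
    }
  }
  return state;
}

// Send the state through the gtag function passed in and return it, so the
// caller can store exactly what was sent in its consent record.
function applyConsent(gtagFn, choices) {
  const state = buildConsentState(choices);
  gtagFn('consent', 'update', state);
  return state;
}

// Constructed sample: a visitor accepts analytics only, then withdraws.
const calls = [];
const recordingGtag = (...args) => calls.push(args);
applyConsent(recordingGtag, { analytics: true, marketing: false });
applyConsent(recordingGtag, {});
console.log(JSON.stringify(calls, null, 2));
```

On a real page, pass the page's own `gtag` function as the first argument and persist the returned state alongside a timestamp as the retained consent record.
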
Compliance Checklist
Website Requirements
- [ ] Privacy policy published and accessible
- [ ] Cookie banner/CMP implemented
- [ ] Consent before non-essential tracking
- [ ] Easy consent withdrawal mechanism
- [ ] Data processing records maintained
Analytics Setup
- [ ] Consent Mode implemented
- [ ] IP anonymization enabled
- [ ] Data retention configured
- [ ] PII filters in place
- [ ] User deletion capability
Documentation
- [ ] Data processing register
- [ ] Vendor data processing agreements
- [ ] Privacy impact assessments
- [ ] Consent records retained
Vendor Responsibilities
Data Processor Agreements
Required with all analytics/marketing vendors:

| Vendor | DPA Location |
|--------|--------------|
| Google | Google DPA |
| Meta | Facebook Terms |
| Adobe | Adobe DPA |
| HubSpot | HubSpot DPA |

Key DPA Elements
- Data processing scope
- Security measures
- Sub-processor list
- Data transfer mechanisms
- Audit rights
Risk Assessment
Compliance Risk Matrix

| Risk | Likelihood | Impact | Priority |
|------|------------|--------|----------|
| Missing consent | High | Very High | Critical |
| Unauthorized tracking | Medium | High | High |
| Data breach | Low | Very High | High |
| Rights request failure | Medium | Medium | Medium |

Penalties

| Regulation | Maximum Fine |
|------------|--------------|
| GDPR | €20M or 4% global revenue |
| CCPA | $7,500 per intentional violation |
| LGPD | 2% of revenue (max R$50M) |
