Other articles (7)

  • Other interesting software

    12 April 2011, by

    We don’t claim to be the only ones doing what we do ... and we certainly don’t claim to be the best either ... We just try to do what we do well, and better and better...
    The following list covers software that more or less tends to do what MediaSPIP does, or that MediaSPIP more or less tries to do the same as, whichever ...
    We don’t know them and we haven’t tried them, but you may want to take a look.
    Videopress
    Website: (...)

  • Other interesting software

    13 April 2011, by

    We don’t claim to be the only ones doing what we do ... and we especially don’t claim to be the best either ... What we do, we just try to do well, and better all the time ...
    The following list covers software that tends to do more or less what MediaSPIP does, or that MediaSPIP more or less tries to do the same as, whatever ...
    We don’t know them and we haven’t tried them, but you can take a peek.
    Videopress
    Website: http://videopress.com/
    License: GNU/GPL v2
    Source code: (...)

  • Authorizations overridden by plugins

    27 April 2010, by

    Mediaspip core
    autoriser_auteur_modifier() so that visitors are able to edit their information on the authors page

On other sites (2458)

  • GA360 vs GA4: Key Differences and Challenges

    20 May 2024, by Erin

    While the standard Universal Analytics (UA) was sunset for free users in July 2023, Google Analytics 360 (GA360) users could postpone the switch to GA4 for another 12 months. But time is running out. As July is rapidly approaching, GA360 customers need to prepare for the switch to Google Analytics 4 (GA4) or another solution. 

    This comparison post will help you understand the differences between GA360 vs. GA4. We’ll dive beneath the surface, examining each solution’s privacy implications and their usability, features, new metrics and measurement methods.

    What is Google Analytics 4 (Standard)?

    GA4 is the latest version of Google Analytics, succeeding Universal Analytics. It was designed to address privacy issues with Universal Analytics, which made compliance with privacy regulations like GDPR difficult.

    It completely replaced Universal Analytics for free users in July 2023. GA4 Standard features many differences from the original UA, including:

    • Tracking and analysis are now events-based.
    • Insights are primarily powered by machine learning. (There are fewer reports and manual analysis tools).
    • Many users find the user interface to be too complex compared to Universal Analytics.

    The new tracking, reports and metrics already make GA4 feel like a completely different web analytics platform. The user interface itself also includes notable changes in navigation and implementation. These changes make the transition hard for experienced analysts and digital marketers alike. 

    For a more in-depth look at the differences, read our comparison of Google Analytics 4 and Universal Analytics.

    What is Google Analytics 360

    Google Analytics 360 is a paid version of Google Analytics, mostly aimed at enterprises that need to analyse a large amount of data.

    It significantly increases standard limits on data collection, sampling and processing. It also improves data granularity with more custom events and dimensions.

    Transitioning from Universal Analytics 360 to GA4 360

    You may still use the Universal Analytics tag and interface if you’ve been a Google Analytics 360 customer for multiple years. However, access to Universal Analytics 360 will be discontinued on July 1, 2024. Unlike the initial UA sunset (free version), you won’t be able to access the interface or your data after that, so it will be deleted.

    That means you will have to adapt to the new GA4 user interface, reports and metrics before the sunset or find an alternative solution.

    What is the difference between GA4 360 and free GA4?

    The key differences between GA4 360 and free GA4 are higher data limits, enterprise support, uptime guarantees and more robust administrative controls.

    Diagram of the key differences between GA360 and GA4

    GA4 offers most of the same features across the paid and free versions, but there are certain limits on data sampling, data processing and integrations. With the free version, you also can’t define as detailed events using event parameters as you can with GA4 360.

    Higher data collection, accuracy, storage and processing limits

    The biggest difference that GA4 360 brings to the table is more oomph in data collection, accuracy and analysis.

    You can collect more specific data (with 100 event parameters instead of 25 for custom metrics). GA4 360 lets you divide users using more custom dimensions based on events or user characteristics. Instead of 50 per property, you get up to 125 per property.

    And with up to 400 custom audiences, 360 is better for companies that heavily segment their users. More audiences, events and metrics per property mean more detailed insights.

    Sampling limits are also of a completely different scale. The max sample size in GA4 360 is 100x the free version of GA4, with up to 1 billion events per query. This makes analysis a lot more accurate for high-volume users. A slice of 10 million events is hardly representative if you have 200 million monthly events.

    Finally, GA4 360 lets you store all of that data for longer (up to 50 months vs up to 14 months). While new privacy regulations demand that you store user data only for the shortest time possible, website analytics data is often used for year-over-year analysis.

    Enterprise-grade support and uptime guarantees

    Because GA360 users are generally enterprises, Google offers service-level agreements for uptime and technical support response times.

    • Tracking: 99.9% uptime guarantee
    • Reporting: 99% uptime guarantee
    • Data processing: within 4 hours at a 98% uptime guarantee

    The free version of GA4 includes no such guarantees and limited access to professional support in the first place.

    Integrations

    GA4 360 increases limits for BigQuery and Google Ads Manager exports.

    Table showing integration differences between GA4 and Analytics 360

    The standard limits in the free version are 1 million events per day to BigQuery. In GA4 360, this is increased to billions of events per day. You also get up to 400 audiences for Search Ads 360 instead of the 100 limit in standard GA4.

    Roll-up analytics for agencies and enterprises

    If you manage a wide range of digital properties, checking each one separately isn’t very effective. You can export the data into a tool like Looker Studio (formerly Google Data Studio), but this requires extra work.

    With GA360, you can create “roll-up properties” to analyse data from multiple properties in the same space. It’s the best way to analyse larger trends and patterns across sites and apps.

    Administration and user access controls

    Beyond roll-up reporting, the other unique “advanced features” found in GA360 are related to administration and user access controls.

    Table Showing administrative feature differences between GA4 and Analytics 360

    First, GA360 lets you create custom user roles, giving different access levels to different properties. Sub-properties and roll-up properties are also useful tools for data governance purposes. They make it easier to limit access for specific analysts to the area they’re directly working on.

    You can also design custom reports for specific roles and employees based on their access levels.

    Pricing 

    While GA4 is free, Google Analytics 360 is priced based on your traffic volume. 

    With the introduction of GA4, Google implemented a revised pricing model. For GA4 360, pricing typically begins at USD $50,000/year which covers up to 25 million events per month. Beyond this limit, costs increase based on data usage, scaling accordingly.

    What’s not different: the interface, metrics, reports and basic features

    GA4 360 is the same analytics tool as the free version of GA4, with higher usage limits and a few enterprise features. You get more advanced tracking capabilities and more accurate analysis in the same GA4 packaging.

    If you already use and love GA4 but need to process more data, that’s great news. But if you’re using UA 360 and are hesitant to switch to the new interface, not so much. 

    Making the transition from UA to GA4 isn’t easy. Transferring the data means you need to figure out how to work with the API or use Google BigQuery.

    Plus, you have to deal with new metrics, reports and a new interface. For example, you don’t get to keep your custom funnel reports. You need to use “funnel explorations.”

    Going from UA to GA4 can feel like starting from scratch in a completely new web analytics tool.

    Which version of Google Analytics 4 is right for you?

    Standard GA4 is a cost-effective web analytics option, but it’s not without its problems:

    • If you’re used to the UA interface, it feels clunky and difficult to analyse.
    • Data sampling is prevalent in the free version, leading to inaccuracies that can negatively affect decision-making and performance.

    And that’s just scratching the surface of common GA4 issues.

    Google Analytics 4 360 is a more reliable web analytics solution for enterprises. However, it suffers from many issues that made the GA4 transition painful for many free UA users last year.

    • You need to rebuild reports and adjust to the new complex interface.
    • To transfer historical data, you must use spreadsheets, the API, or BigQuery.

    You will still lose some of the data due to changes to the metrics and reporting.

    What if neither option is right for you? Key considerations for choosing a Google Analytics alternative

    Despite what Google would like you to think, GA4 isn’t the only option for website analytics in 2024 — far from it. For companies that are used to UA 360, the right alternative can offer unique benefits to your company.

    Privacy regulations and future-proofing your analytics and marketing

    Although less flagrant than UA, GA4 is still in murky waters regarding compliance with GDPR and other privacy regulations. 

    And the issue isn’t just that you can get fined (which is bad enough). As part of a ruling, you may be ordered to change your analytics platform and protocol, which can completely disrupt your marketing workflow.

    When most marketing teams rely on web analytics to judge the ROI of their campaigns, this can be catastrophic. You may even have to pause campaigns as your team makes the adjustments.

    Avoid this risk completely by going with a privacy-friendly alternative.

    Features beyond basic web analytics

    To understand your users, you need to look at more than just events and conversions.

    That’s why some web analytics solutions have built-in behavioural analytics tools. Features like heatmaps (a visual pattern of popular clicks, scrolling and cursor movement) can help you understand how users interact with specific pages.

    Matomo's heatmaps feature

    Matomo allows you to consolidate behavioural analytics and regular web analytics into a single platform. You don’t need separate tools and subscriptions for heatmaps, session recordings, form analytics, media analytics and A/B testing. You can do all of this with Matomo.

    With insights about visits, sales, conversions, and usability in the same place, it’s a lot easier to improve your website.

    Try Matomo for Free

    Get the web insights you need, without compromising data accuracy.

    No credit card required

    Usability and familiar metrics

    The move to event tracking means new metrics, reports and tools. So, if you’re used to Universal Analytics, it can be tricky to transition to GA4. 

    But there’s no need to start from zero, learning to work with a brand-new interface. Many competing web analytics platforms offer familiar reports and metrics — ones your team has gotten used to. This will help you speed up the time to value with a shorter learning curve.

    Why Matomo is a better option than GA4 360 for UA 360 users

    Matomo offers privacy-friendly tracking, built from the ground up to comply with regulations — including IP anonymisation and DoNotTrack settings. You also get 100% ownership of the data, which means we will never use your data for our own profit (unlike Google and other data giants).

    This is a big deal, as breaking GDPR rules can lead to fines of up to 4% of your annual revenue. At the same time, you’ll also future-proof your marketing workflow by choosing a web analytics provider built with privacy regulations in mind.

    Plus, for legacy UA 360 users, the Matomo interface will also feel a lot more intuitive and familiar. Matomo also provides marketing attribution models you know, like first click, which GA4 has removed.

    Finally, you can access various behavioural analytics tools in a single platform — heatmaps, session recordings, form analytics, A/B testing and more. That means you don’t need to pay for separate solutions for conversion rate optimisation efforts.

    And the transition is smooth. Matomo lets you import Universal Analytics data and offers ready-made Google Ads integration and Looker Studio Connector.

    Join over 1 million websites that choose Matomo as their web analytics solution. Try it free for 21 days. No credit card required.

  • What Is Data Misuse & How to Prevent It? (With Examples)

    13 May 2024, by Erin

    Your data is everywhere. Every time you sign up for an email list, log in to Facebook or download a free app onto your smartphone, your data is being taken.

    This can scare customers and users who fear their data will be misused.

    While data can be a powerful asset for your business, it’s important you manage it well, or you could be in over your head.

    In this guide, we break down what data misuse is, what the different types are, some examples of major data misuse and how you can prevent it so you can grow your brand sustainably.

    What is data misuse?

    Data is a good thing.

    It helps analysts and marketers understand their customers better so they can serve them relevant information, products and services to improve their lives.

    But it can quickly become a bad thing for both the customers and business owners when it’s mishandled and misused.

    Data misuse is when a business uses data outside of the agreed-upon terms. When companies collect data, they need to legally communicate how that data is being used. 

    Who or what determines when data is being misused?

    Several bodies:

    • User agreements
    • Data privacy laws
    • Corporate policies
    • Industry regulations

    There are certain laws and regulations around how you can collect and use data. Failure to comply with these guidelines and rules can result in several consequences, including legal action.

    Keep reading to discover the different types of data misuse and how to prevent it.

    3 types of data misuse

    There are a few different types of data misuse.

    If you fail to understand them, you could face penalties, legal trouble and a poor brand reputation.

    1. Commingling

    When you collect data, you need to ensure you’re using it for the right purpose. Commingling is when an organisation collects data from a specific audience for a specific reason but then uses the data for another purpose.

    One example of commingling is if a company shares sensitive customer data with another company. In many cases, sister companies will share data even if the terms of the data collection didn’t include that clause.

    Another example is if someone collects data for academic purposes like research but then uses the data later on for marketing purposes to drive business growth in a for-profit company.

    In either case, the company went wrong by not being clear on what the data would be used for. You must communicate with your audience exactly how the data will be used.

    2. Personal benefit

    The second common way data is misused in the workplace is through “personal benefit.” This is when someone with access to data abuses it for their own gain.

    The most common example of personal benefit data misuse is when an employee misuses internal data.

    While this may sound like each instance of data misuse is caused by malicious intent, that’s not always the case. Data misuse can still exist even if an employee didn’t have any harmful intent behind their actions. 

    One of the most common examples is when an employee mistakenly moves data from a company device to personal devices for easier access.

    3. Ambiguity

    As mentioned above, when discussing commingling, a company must only use data how they say they will use it when they collect it.

    A company can misuse data when they’re unclear on how the data is used. Ambiguity is when a company fails to disclose how user data is being collected and used.

    This means communicating poorly on how the data will be used can be wrong and lead to misuse.

    One of the most common ways this happens is when a company doesn’t know how to use the data, so they can’t give a specific reason. However, this is still considered misuse, as companies need to disclose exactly how they will use the data they collect from their customers.

    Laws on data misuse you need to follow

    Data misuse can lead to poor reputations and penalties from big tech companies. For example, if you step outside social media platforms’ guidelines, you could be suspended, banned or shadowbanned.

    But what’s even more important is certain types of data misuse could mean you’re breaking laws worldwide. Here are some laws on data misuse you need to follow to avoid legal trouble:

    General Data Protection Regulation (GDPR)

    The GDPR, or General Data Protection Regulation, is a law within the European Union (EU) that went into effect in 2018.

    The GDPR was implemented to set a standard and improve data protection in Europe. It was also established to increase accountability and transparency for data breaches within businesses and organisations.

    The purpose of the GDPR is to protect residents within the European Union.

    The penalties for breaking GDPR laws are fines up to 20 million Euros or 4% of global revenues (whatever the higher amount is).

    The GDPR doesn’t just affect companies in Europe. You can break the GDPR’s laws regardless of where your organisation is located worldwide. As long as your company collects, processes or uses the personal data of any EU resident, you’re subject to the GDPR’s rules.

    If you want to track user data to grow your business, you need to ensure you’re following international data laws. Tools like Matomo—the world’s leading privacy-friendly web analytics solution—can help you achieve GDPR compliance and maintain it.

    With Matomo, you can confidently enhance your website’s performance, knowing that you’re adhering to data protection laws. 

    California Consumer Privacy Act (CCPA)

    The California Consumer Privacy Act (CCPA) is another important data law companies worldwide must follow.

    Like GDPR, the CCPA is a data privacy law established to protect residents of a certain region — in this case, residents of California in the United States.

    The CCPA was implemented in 2020, and businesses worldwide can be penalised for breaking the regulations. For example, if you’re found violating the CCPA, you could be fined $7,500 for each intentional violation.

    If you have unintentional violations, you could still be fined, but at a lesser fee of $2,500.

    The Gramm-Leach-Bliley Act (GLBA)

    If your business is located within the United States, then you’re subject to a federal law implemented in 1999 called The Gramm-Leach-Bliley Act (GLB Act or GLBA).

    The GLBA is also known as the Financial Modernization Act of 1999. Its purpose is to control the way American financial institutions handle consumer data. 

    In the GLBA, there are three sections:

    1. The Financial Privacy Rule: regulates the collection and disclosure of private financial data.
    2. Safeguards Rule: Financial institutions must establish security programs to protect financial data.
    3. Pretexting Provisions: Prohibits accessing private data using false pretences.

    The GLBA also requires financial institutions in the U.S. to give their customers written privacy policy communications that explain their data-sharing practices.

    4 examples of data misuse in real life

    If you want to see what data misuse looks like in real life, look no further.

    Big tech is central to some of the biggest data misuses and scandals.

    Here are a few examples of data misuse in real life you should take note of to avoid a similar scenario:

    1. Facebook election interference

    One of history’s most famous examples of data misuse is the Facebook and Cambridge Analytica scandal in 2018.

    During the 2018 U.S. midterm elections, Cambridge Analytica, a political consulting firm, acquired personal data from Facebook users that was said to have been collected for academic research.

    Instead, Cambridge Analytica used data from roughly 87 million Facebook users. 

    This is a prime example of commingling.

    The result? Cambridge Analytica was left bankrupt and dissolved, and Facebook was fined $5 billion by the Federal Trade Commission (FTC).

    2. Uber “God View” tracking

    Another big tech company, Uber, was caught misusing data a decade ago. 

    Why?

    Uber implemented a new feature for its employees in 2014 called “God View.”

    The tool enabled Uber employees to track riders using their app. The problem was that they were watching them without the users’ permission. “God View” lets Uber spy on their riders to see their movements and locations.

    The FTC ended up slapping them with a major lawsuit, and as part of their settlement agreement, Uber agreed to have an outside firm audit their privacy practices between 2014 and 2034.

    3. Twitter targeted ads overstep

    In 2019, Twitter was found guilty of allowing advertisers to access its users’ personal data to improve advertisement targeting.

    Advertisers were given access to user email addresses and phone numbers without explicit permission from the users. The result was that Twitter ad buyers could use this contact information to cross-reference with Twitter’s data to serve ads to them.

    Twitter stated that the data leak was an internal error. 

    4. Google location tracking

    In 2020, Google was found guilty of not explicitly disclosing how it’s using its users’ personal data, which is an example of ambiguity.

    The result?

    The French data protection authority fined Google $57 million.

    8 ways to prevent data misuse in your company

    Now that you know the dangers of data misuse and its associated penalties, it’s time to understand how you can prevent it in your company.

    Here are eight ways you can prevent data misuse:

    1. Track data with an ethical web analytics solution

    You can’t get by in today’s business world without tracking data. The question is whether you’re tracking it safely or not.

    If you want to ensure you aren’t getting into legal trouble with data misuse, then you need to use an ethical web analytics solution like Matomo.

    With it, you can track and improve your website performance while remaining GDPR-compliant and respecting user privacy. Unlike other web analytics solutions that monetise your data and auction it off to advertisers, with Matomo, you own your data.

    2. Don’t share data with big tech

    As the data misuse examples above show, big tech companies often violate data privacy laws.

    And while most of these companies, like Google, appear to be convenient, they’re often inconvenient (and much worse), especially regarding data leaks, privacy breaches and the sale of your data to advertisers.

    Have you ever heard the phrase: “You are the product?” When it comes to big tech, chances are if you’re getting it for free, you (and your data) are the products they’re selling.

    The best way to stop sharing data with big tech is to stop using platforms like Google. For more ideas on different Google product alternatives, check out this list of Google alternatives.

    3. Identity verification 

    Data misuse typically isn’t a company-wide ploy. Often, it’s the lack of security structure and systems within your company. 

    An important place to start is to ensure proper identity verification for anyone with access to your data.

    4. Access management

    After establishing identity verification, you should ensure you have proper access management set up. For example, you should only give specific access to specific roles in your company to prevent data misuse.

    5. Activity logs and monitoring

    One way to track data misuse or breaches is by setting up activity logs to ensure you can see who is accessing certain types of data and when they’re accessing it.

    You should ensure you have a team dedicated to continuously monitoring these logs to catch anything quickly.

    6. Behaviour alerts 

    While manually monitoring data is important, it’s also good to set up automatic alerts if there is unusual activity around your data centres. You should set up behaviour alerts and notifications in case threats or compromising events occur.

    7. Onboarding, training, education

    One way to ensure quality data management is to keep your employees up to speed on data security. You should ensure data security is a part of your employee onboarding. Also, you should have regular training and education to keep people informed on protecting company and customer data.

    8. Create data protocols and processes 

    To ensure long-term data security, you should establish data protocols and processes. 

    To protect your user data, set up rules and systems within your organisation that people can reference and follow continuously to prevent data misuse.

    Leverage data ethically with Matomo

    Data is everything in business.

    But it’s not something to be taken lightly. Mishandling user data can break customer trust, lead to penalties from organisations and even create legal trouble and massive fines.

    You should only use privacy-first tools to ensure you’re handling data responsibly.

    Matomo is a privacy-friendly web analytics tool that collects, stores and tracks data across your website without breaking privacy laws.

    With over 1 million websites using Matomo, you can track and improve website performance with:

    • Accurate data (no data sampling)
    • Privacy-friendly and compliant with privacy regulations like GDPR, CCPA and more
    • Advanced features like heatmaps, session recordings, A/B testing and more

    Try Matomo free for 21 days. No credit card required.

  • A Guide to GDPR Sensitive Personal Data

    13 May 2024, by Erin

    The General Data Protection Regulation (GDPR) is one of the world’s most stringent data protection laws. It provides a legal framework for collection and processing of the personal data of EU individuals.

    The GDPR distinguishes between “special categories of personal data” (also referred to as “sensitive”) and other personal data and imposes stricter requirements on collection and processing of sensitive data. Understanding these differences will help your company comply with the requirements and avoid heavy penalties.

    In this article, we’ll explain what personal data is considered “sensitive” according to the GDPR. We’ll also examine how a web analytics solution like Matomo can help you maintain compliance.

    What is sensitive personal data?

    The following categories of data are treated as sensitive:

      1. Personal data revealing:
        • Racial or ethnic origin;
        • Political opinions;
        • Religious or philosophical beliefs;
        • Trade union membership;
      2. Genetic and biometric data;
      3. Data concerning a person’s:
        • Health; or
        • Sex life or sexual orientation.
    Examples of GDPR Sensitive Personal Data

    Sensitive vs. non-sensitive personal data: What’s the difference?

    While both categories include information about an individual, sensitive data is seen as more private, or requiring a greater protection. 

    Sensitive data often carries a higher degree of risk and harm to the data subject, if the data is exposed. For example, a data breach exposing health records could lead to discrimination for the individuals involved. An insurance company could use the information to increase premiums or deny coverage. 

    In contrast, personal data like name or gender is considered less sensitive because it doesn’t carry the same degree of harm as sensitive data. 

    Unauthorised access to someone’s name alone is less likely to harm them or infringe on their fundamental rights and freedoms than an unauthorised access to their health records or biometric data. Note that financial information (e.g. credit card details) does not fall into the special categories of data.

    Table displaying different sensitive data vs non-sensitive data

    Legality of processing

    Under the GDPR, both sensitive and non-sensitive personal data are protected. However, the rules and conditions for processing sensitive data are more stringent.

    Article 6 deals with processing of non-sensitive data and it states that processing is lawful if one of the six lawful bases for processing applies. 

    In contrast, Art. 9 of the GDPR states that processing of sensitive data is prohibited as a rule, but provides ten exceptions. 

    It is important to note that the lawful bases in Art. 6 are not the same as exceptions in Art. 9. For example, while performance of a contract or legitimate interest of the controller are a lawful basis for processing non-sensitive personal data, they are not included as an exception in Art. 9. What follows is that controllers are not permitted to process sensitive data on the basis of contract or legitimate interest. 

    The exceptions where processing of sensitive personal data is permitted (subject to additional requirements) are:

    • Explicit consent: The individual has given explicit consent to processing their sensitive personal data for specified purpose(s), except where an EU member state prohibits such consent. See below for more information about explicit consent.
    • Employment, social security or social protection: Processing sensitive data is necessary to perform tasks under employment, social security or social protection law.
    • Vital interests: Processing sensitive data is necessary to protect the interests of a data subject or if the individual is physically or legally incapable of consenting.
    • Not-for-profit bodies: Foundations, associations or nonprofits with a political, philosophical, religious or trade union aim may process the sensitive data of their members or those they are in regular contact with, in connection with their purposes (and no disclosure of the data is permitted outside the organisation, without the data subject’s consent).
    • Made public: In some cases, it may be permissible to process the sensitive data of a data subject if the individual has already made it public and accessible.
    • Legal claims: Processing sensitive data is necessary to establish, exercise or defend legal claims, including legal or in court proceedings.
    • Public interest: Processing is necessary for reasons of substantial public interest, like preventing unlawful acts or protecting the public.
    • Health or social care: Processing special category data is necessary for: preventative or occupational medicine, providing health and social care, medical diagnosis or managing healthcare systems.
    • Public health: It is permissible to process sensitive data for public health reasons, like protecting against cross-border threats to health or ensuring the safety of medicinal products or medical devices.
    • Archiving, research and statistics: You may process sensitive data if it’s done for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

    In addition, you must adhere to all data handling requirements set by the GDPR.

    Important: For any data you are processing, you always need to identify a lawful basis under Art. 6. In addition, if that data contains sensitive data, you must comply with Art. 9.

    Explicit consent

    While consent is a valid lawful basis for processing non-sensitive personal data, controllers are permitted to process sensitive data only with the “explicit consent” of the data subject.

    The GDPR does not define “explicit” consent, but it is accepted that it must meet all Art. 7 conditions for consent, at a higher threshold. To be “explicit”, consent requires a clear statement (oral or written) from the data subject. Consent inferred from the data subject’s actions does not meet the threshold.

    The controller must retain records of the explicit consent and provide an appropriate consent withdrawal method to allow the data subject to exercise their rights.

    Examples of compliant and non-compliant sensitive data processing

    Here are examples of when you can and can’t process sensitive data:

    • When you can process sensitive data: A doctor logs sensitive data about a patient, including their name, symptoms and medicine prescribed. The hospital can process this data to provide appropriate medical care to their patients. An IoT device and software manufacturer processes their customers’ health data based on explicit consent of each customer.
    • When you can’t process sensitive data: One example is when you don’t have explicit consent from a data subject. Another is when there’s no lawful basis for processing it or you are collecting personal data you simply do not need. For example, you don’t need your customer’s ethnic origin to fulfil an online order.

    Other implications of processing sensitive data

    If you process sensitive data, especially on a large scale, the GDPR imposes additional requirements, such as carrying out Data Privacy Impact Assessments, appointing Data Protection Officers and, if you are a controller based outside the EU, appointing EU Representatives.

    Penalties for GDPR non-compliance

    Mishandling sensitive data (or processing it when you’re not allowed to) can result in huge penalties. There are two tiers of GDPR fines:

    • €10 million or 2% of a company’s annual revenue for less severe infringements
    • €20 million or 4% of a company’s annual revenue for more severe infringements

    In the first half of 2023 alone, fines imposed in the EU due to GDPR violations exceeded €1.6 billion, up from €73 million in 2019.

    Examples of high-profile violations in the last few years include:

    • Amazon: The Luxembourg National Commission hit the retail giant with a massive $887 million fine in 2021 for not processing personal data per the GDPR.
    • Google: The National Data Protection Commission (CNIL) fined Google €50 million for not getting proper consent to display personalised ads.
    • H&M: The Hamburg Commissioner for Data Protection and Freedom of Information hit the multinational clothing company with a €35.3 million fine in 2020 for unlawfully gathering and storing employees’ data in its service centre.

    One of the criteria that affects the severity of a fine is “data category” — the type of personal data being processed. Companies need to take extra precautions with sensitive data, or they risk receiving more severe penalties.

    What’s more, GDPR violations can negatively affect your brand’s reputation and cause you to lose business opportunities from consumers concerned about your data practices. 76% of consumers indicated they wouldn’t buy from companies they don’t trust with their personal data.

    Organisations should lay out their data practices in simple terms and make this information easily accessible so customers know how their data is being handled.

    Get started with GDPR-compliant web analytics

    The GDPR offers a framework for securing and protecting personal data. But it also distinguishes between sensitive and non-sensitive data. Understanding these differences and applying the lawful basis for processing this data type will help ensure compliance.

    Looking for a GDPR-compliant web analytics solution?

    At Matomo, we take data privacy seriously. 

    Our platform ensures 100% data ownership, putting you in complete control of your data. Unlike other web analytics solutions, your data remains solely yours and isn’t sold or auctioned off to advertisers. 

    Additionally, with Matomo, you can be confident in the accuracy of the insights you receive, as we provide reliable, unsampled data.

    Matomo also fully complies with GDPR and other data privacy laws like CCPA, LGPD and more.

    Start your 21-day free trial today; no credit card required.

    Disclaimer

    We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to GDPR. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.