Recherche avancée

Sur d’autres sites (5141)

• What is Multi-Touch Attribution ? (And How To Get Started)

  2 février 2023, par Erin — Analytics Tips

  Good marketing thrives on data. Or more precisely — its interpretation. Using modern analytics software, we can determine which marketing actions steer prospects towards the desired action (a conversion event). 

  An attribution model in marketing is a set of rules that determine how various marketing tactics and channels impact the visitor’s progress towards a conversion. 

  Yet, as customer journeys become more complicated and involve multiple “touches”, standard marketing reports no longer tell the full picture. 

  That’s when multi-touch attribution analysis comes to the fore. 

  What is Multi-Touch Attribution ?

  Multi-touch attribution (also known as multi-channel attribution or cross-channel attribution) measures the impact of all touchpoints on the consumer journey on conversion. 

  Unlike single-touch reporting, multi-touch attribution models give credit to each marketing element — a social media ad, an on-site banner, an email link click, etc. By seeing impacts from every touchpoint and channel, marketers can avoid false assumptions or subpar budget allocations.

  To better understand the concept, let’s interpret the same customer journey using a standard single-touch report vs a multi-touch attribution model. 

  Picture this : Jammie is shopping around for a privacy-centred web analytics solution. She saw a recommendation on Twitter and ended up on the Matomo website. After browsing a few product pages and checking comparisons with other web analytics tools, she signs up for a webinar. One week after attending, Jammie is convinced that Matomo is the right tool for her business and goes directly to the Matomo website a starts a free trial. 

  • A standard single-touch report would attribute 100% of the conversion to direct traffic, which doesn’t give an accurate view of the multiple touchpoints that led Jammie to start a free trial. 
  • A multi-channel attribution report would showcase all the channels involved in the free trial conversion — social media, website content, the webinar, and then the direct traffic source.

  In other words : Multi-touch attribution helps you understand how prospects move through the sales funnel and which elements tinder them towards the desired outcome. 

  Types of Attribution Models

  As marketers, we know that multiple factors play into a conversion — channel type, timing, user’s stage on the buyer journey and so on. Various attribution models exist to reflect this variability. 

  

  First Interaction attribution model (otherwise known as first touch) gives all credit for the conversion to the first channel (for example — a referral link) and doesn’t report on all the other interactions a user had with your company (e.g., clicked a newsletter link, engaged with a landing page, or browsed the blog campaign).

  First-touch helps optimise the top of your funnel and establish which channels bring the best leads. However, it doesn’t offer any insight into other factors that persuaded a user to convert. 

  Last Interaction attribution model (also known as last touch) allocates 100% credit to the last channel before conversion — be it direct traffic, paid ad, or an internal product page.

  The data is useful for optimising the bottom-of-the-funnel (BoFU) elements. But you have no visibility into assisted conversions — interactions a user had prior to conversion. 

  Last Non-Direct attribution model model excludes direct traffic and assigns 100% credit for a conversion to the last channel a user interacted with before converting. For instance, a social media post will receive 100% of credit if a shopper buys a product three days later. 

  This model is more telling about the other channels, involved in the sales process. Yet, you’re seeing only one step backwards, which may not be sufficient for companies with longer sales cycles.

  Linear attribution model distributes an equal credit for a conversion between all tracked touchpoints.

  For instance, with a four touchpoint conversion (e.g., an organic visit, then a direct visit, then a social visit, then a visit and conversion from an ad campaign) each touchpoint would receive 25% credit for that single conversion.

  This is the simplest multi-channel attribution modelling technique many tools support. The nuance is that linear models don’t reflect the true impact of various events. After all, a paid ad that introduced your brand to the shopper and a time-sensitive discount code at the checkout page probably did more than the blog content a shopper browsed in between. 

  Position Based attribution model allocates a 40% credit to the first and the last touchpoints and then spreads the remaining 20% across the touchpoints between the first and last. 

  This attribution model comes in handy for optimising conversions across the top and the bottom of the funnel. But it doesn’t provide much insight into the middle, which can skew your decision-making. For instance, you may overlook cases when a shopper landed via a social media post, then was re-engaged via email, and proceeded to checkout after an organic visit. Without email marketing, that sale may not have happened.

  Time decay attribution model adjusts the credit, based on the timing of the interactions. Touchpoints that preceded the conversion get the highest score, while the first ones get less weight (e.g., 5%-5%-10%-15%-25%-30%).

  This multi-channel attribution model works great for tracking the bottom of the funnel, but it underestimates the impact of brand awareness campaigns or assisted conversions at mid-stage. 

  Why Use Multi-Touch Attribution Modelling

  Multi-touch attribution provides you with the full picture of your funnel. With accurate data across all touchpoints, you can employ targeted conversion rate optimisation (CRO) strategies to maximise the impact of each campaign. 

  Most marketers and analysts prefer using multi-touch attribution modelling — and for some good reasons.

  Issues multi-touch attribution solves 

  • Funnel visibility. Understand which tactics play an important role at the top, middle and bottom of your funnel, instead of second-guessing what’s working or not. 
  • Budget allocations. Spend money on channels and tactics that bring a positive return on investment (ROI). 
  • Assisted conversions. Learn how different elements and touchpoints cumulatively contribute to the ultimate goal — a conversion event — to optimise accordingly. 
  • Channel segmentation. Determine which assets drive the most qualified and engaged leads to replicate them at scale.
  • Campaign benchmarking. Compare how different marketing activities from affiliate marketing to social media perform against the same metrics.

  How To Get Started With Multi-Touch Attribution 

  To make multi-touch attribution part of your analytics setup, follow the next steps :

  1. Define Your Marketing Objectives 

  Multi-touch attribution helps you better understand what led people to convert on your site. But to capture that, you need to first map the standard purchase journeys, which include a series of touchpoints — instances, when a prospect forms an opinion about your business.

  Touchpoints include :

  • On-site interactions (e.g., reading a blog post, browsing product pages, using an on-site calculator, etc.)
  • Off-site interactions (e.g., reading a review, clicking a social media link, interacting with an ad, etc.)

  Combined these interactions make up your sales funnel — a designated path you’ve set up to lead people toward the desired action (aka a conversion). 

  Depending on your business model, you can count any of the following as a conversion :

  • Purchase 
  • Account registration 
  • Free trial request 
  • Contact form submission 
  • Online reservation 
  • Demo call request 
  • Newsletter subscription

  So your first task is to create a set of conversion objectives for your business and add them as Goals or Conversions in your web analytics solution. Then brainstorm how various touchpoints contribute to these objectives. 

  Web analytics tools with multi-channel attribution, like Matomo, allow you to obtain an extra dimension of data on touchpoints via Tracked Events. Using Event Tracking, you can analyse how many people started doing a desired action (e.g., typing details into the form) but never completed the task. This way you can quickly identify “leaking” touchpoints in your funnel and fix them. 

  2. Select an Attribution Model 

  Multi-attribution models have inherent tradeoffs. Linear attribution model doesn’t always represent the role and importance of each channel. Position-based attribution model emphasises the role of the last and first channel while diminishing the importance of assisted conversions. Time-decay model, on the contrary, downplays the role awareness-related campaigns played.

  To select the right attribution model for your business consider your objectives. Is it more important for you to understand your best top of funnel channels to optimise customer acquisition costs (CAC) ? Or would you rather maximise your on-site conversion rates ? 

  Your industry and the average cycle length should also guide your choice. Position-based models can work best for eCommerce and SaaS businesses where both CAC and on-site conversion rates play an important role. Manufacturing companies or educational services providers, on the contrary, will benefit more from a time-decay model as it better represents the lengthy sales cycles. 

  3. Collect and Organise Data From All Touchpoints 

  Multi-touch attribution models are based on available funnel data. So to get started, you will need to determine which data sources you have and how to best leverage them for attribution modelling. 

  Types of data you should collect : 

  • General web analytics data : Insights on visitors’ on-site actions — visited pages, clicked links, form submissions and more.
  • Goals (Conversions) : Reports on successful conversions across different types of assets. 
  • Behavioural user data : Some tools also offer advanced features such as heatmaps, session recording and A/B tests. These too provide ample data into user behaviours, which you can use to map and optimise various touchpoints.

  You can also implement extra tracking, for instance for contact form submissions, live chat contacts or email marketing campaigns to identify repeat users in your system. Just remember to stay on the good side of data protection laws and respect your visitors’ privacy. 

  Separately, you can obtain top-of-the-funnel data by analysing referral traffic sources (channel, campaign type, used keyword, etc). A Tag Manager comes in handy as it allows you to zoom in on particular assets (e.g., a newsletter, an affiliate, a social campaign, etc). 

  Combined, these data points can be parsed by an app, supporting multi-touch attribution (or a custom algorithm) and reported back to you as specific findings. 

  Sounds easy, right ? Well, the devil is in the details. Getting ample, accurate data for multi-touch attribution modelling isn’t easy. 

  Marketing analytics has an accuracy problem, mainly for two reasons :

  • Cookie consent banner rejection 
  • Data sampling application

  Please note that we are not able to provide legal advice, so it’s important that you consult with your own DPO to ensure compliance with all relevant laws and regulations.

  If you’re collecting web analytics in the EU, you know that showing a cookie consent banner is a GDPR must-do. But many consumers don’t often rush to accept cookie consent banners. The average consent rate for cookies in 2021 stood at 54% in Italy, 45% in France, and 44% in Germany. The consent rates are likely lower in 2023, as Google was forced to roll out a “reject all” button for cookie tracking in Europe, while privacy organisations lodge complaints against individual businesses for deceptive banners. 

  For marketers, cookie rejection means substantial gaps in analytics data. The good news is that you can fill in those gaps by using a privacy-centred web analytics tool like Matomo. 

  Matomo takes extra safeguards to protect user privacy and supports fully cookieless tracking. Because of that, Matomo is legally exempt from tracking consent in France. Plus, you can configure to use our analytics tool without consent banners in other markets outside of Germany and the UK. This way you get to retain the data you need for audience modelling without breaching any privacy regulations. 

  Data sampling application partially stems from the above. When a web analytics or multi-channel attribution tool cannot secure first-hand data, the “guessing game” begins. Google Analytics, as well as other tools, often rely on synthetic AI-generated data to fill in the reporting gaps. Respectively, your multi-attribution model doesn’t depict the real state of affairs. Instead, it shows AI-produced guesstimates of what transpired whenever not enough real-world evidence is available.

  4. Evaluate and Select an Attribution Tool 

  Google Analytics (GA) offers several multi-touch attribution models for free (linear, time-decay and position-based). The disadvantage of GA multi-touch attribution is its lower accuracy due to cookie rejection and data sampling application.

  At the same time, you cannot create custom credit allocations for the proposed models, unless you have the paid version of GA, Google Analytics 360. This version of GA comes with a custom Attribution Modeling Tool (AMT). The price tag, however, starts at USD $50,000 per year. 

  Matomo Cloud offers multi-channel conversion attribution as a feature and it is available as a plug-in on the marketplace for Matomo On-Premise. We support linear, position-based, first-interaction, last-interaction, last non-direct and time-decay modelling, based fully on first-hand data. You also get more precise insights because cookie consent isn’t an issue with us. 

  Most multi-channel attribution tools, like Google Analytics and Matomo, provide out-of-the-box multi-touch attribution models. But other tools, like Matomo On-Premise, also provide full access to raw data so you can develop your own multi-touch attribution models and do custom attribution analysis. The ability to create custom attribution analysis is particularly beneficial for data analysts or organisations with complex and unique buyer journeys. 

  Conclusion

  Ultimately, multi-channel attribution gives marketers greater visibility into the customer journey. By analysing multiple touchpoints, you can establish how various marketing efforts contribute to conversions. Then use this information to inform your promotional strategy, budget allocations and CRO efforts. 

  The key to benefiting the most from multi-touch attribution is accurate data. If your analytics solution isn’t telling you the full story, your multi-touch model won’t either. 

  Collect accurate visitor data for multi-touch attribution modelling with Matomo. Start your free 21-day trial now. 

• Four Trends Shaping the Future of Analytics in Banking

  27 novembre 2024, par Daniel Crough — Banking and Financial Services

  While retail banking revenues have been growing in recent years, trends like rising financial crimes and capital required for generative AI and ML tech pose significant risks and increase operating costs across the financial industry, according to McKinsey’s State of Retail Banking report.

   

  Today’s financial institutions are focused on harnessing AI and advanced analytics to make their data work for them. To be up to the task, analytics solutions must allow banks to give consumers the convenient, personalised experiences they want while respecting their privacy.

   

  In this article, we’ll explore some of the big trends shaping the future of analytics in banking and finance. We’ll also look at how banks use data and technology to cut costs and personalise customer experiences.
  
  So, let’s get into it.

  

  This doesn’t just represent a security risk, it also impacts the usability for both customers and employees. Does any of the following sound familiar ?

  • Only specific senior employees know how to navigate the software to generate custom reports or use its more advanced features.
  • Customer complaints about your site’s usability or online banking experience are routine.
  • Onboarding employees takes much longer than necessary because of convoluted systems.
  • Teams and departments experience ‘data siloing,’ meaning that not everyone can access the data they need.

  These are warning signs that IT systems are ready for a review. Anyone thinking, “If it’s not broken, why fix it ?” should consider that legacy systems can also present data security risks. As more countries introduce regulations to protect customer privacy, staying ahead of the curve is increasingly important to avoid penalties and litigation.

  And regulations aren’t the only trends impacting the future of financial institutions’ IT and analytics.

  4 trends shaping the future of analytics in banking

  New regulations and new technology have changed the landscape of analytics in banking.

  New privacy regulations impact banks globally

  The first major international example was the advent of GDPR, which went into effect in the EU in 2018. But a lot has happened since. New privacy regulations and restrictions around AI continue to roll out.

  • The European Artificial Intelligence Act (EU AI Act), which was held up as the world’s first comprehensive legislation on AI, took effect on 31 July 2024.
  • In Europe’s federated data initiative, Gaia-X’s planned cloud infrastructure will provide for more secure, transparent, and trustworthy data storage and processing.
  • The revised Payment Services Directive (PSD2) makes payments more secure and strengthens protections for European businesses and consumers, aiming to create a more integrated and efficient payments market.

  But even businesses that don’t have customers in Europe aren’t safe. Consumer privacy is a hot-button issue globally.

  For example, the California Consumer Privacy Act (CCPA), which took effect in January, impacts the financial services industry more than any other. Case in point, 34% of CCPA-related cases filed in 2022 were related to the financial sector.

  California’s privacy regulations were the first in the US, but other states are following closely behind. On 1 July 2024, new privacy laws went into effect in Florida, Oregon, and Texas, giving people more control over their data.

  

  One typical issue for companies in the banking industry is that their privacy measures regarding user data collected from their website are much less lax than those in their online banking system.

  It’s better to proactively invest in a privacy-centric analytics platform before you get tangled up in a lawsuit and have to pay a fine (and are forced to change your system anyway). 

  And regulatory compliance isn’t the only bonus of an ethical analytics solution. The right alternative can unlock key customer insights that can help you improve the user experience.

  The demand for personalised banking services

  At the same time, consumers are expecting a more and more streamlined personal experience from financial institutions. 86% of bank employees say personalisation is a clear priority for the company. But 63% described resources as limited or only available after demonstrating clear business cases.

  McKinsey’s The data and analytics edge in corporate and commercial banking points out how advanced analytics are empowering frontline bank employees to give customers more personalised experiences at every stage :

  • Pre-meeting/meeting prep : Using advanced analytics to assess customer potential, recommend products, and identify prospects who are most likely to convert
  • Meetings/negotiation : Applying advanced models to support price negotiations, what-if scenarios and price multiple products simultaneously
  • Post-meeting/tracking : Using advanced models to identify behaviours that lead to high performance and improve forecast accuracy and sales execution

  Today’s banks must deliver the personalisation that drives customer satisfaction and engagement to outperform their competitors.

  The rise of AI and its role in banking

  With AI and machine learning technologies becoming more powerful and accessible, financial institutions around the world are already reaping the rewards.

  McKinsey estimates that AI in banking could add $200 to 340 billion annually across the global banking sector through productivity gains.

  • Credit card fraud prevention : Algorithms analyse usage to flag and block fraudulent transactions.
  • More accurate forecasting : AI-based tools can analyse a broader spectrum of data points and forecast more accurately.
  • Better risk assessment and modelling : More advanced analytics and predictive models help avoid extending credit to high-risk customers.
  • Predictive analytics : Help spot clients most likely to churn 
  • Gen-AI assistants : Instantly analyse customer profiles and apply predictive models to suggest the next best actions.

  Considering these market trends, let’s discuss how you can move your bank into the future.

  Using analytics to minimise risk and establish a competitive edge 

  With the right approach, you can leverage analytics and AI to help future-proof your bank against changing customer expectations, increased fraud, and new regulations.

  Use machine learning to prevent fraud

  Every year, more consumers are victims of credit and debit card fraud. Debit card skimming cases nearly doubled in the US in 2023. The last thing you want as a bank is to put your customer in a situation where a criminal has spent their money.

  This not only leads to a horrible customer experience but also creates a lot of internal work and additional costs.Thankfully, machine learning can help identify suspicious activity and stop transactions before they go through. For example, Mastercard’s fraud prevention model has improved fraud detection rates by 20–300%.

  

  Implementing a solution like this (or partnering with credit card companies who use it) may be a way to reduce risk and improve customer trust.

  Foresee and avoid future issues with AI-powered risk management

  Regardless of what type of financial products organisations offer, AI can be an enormous tool. Here are just a few ways in which it can mitigate financial risk in the future :

  • Predictive analytics can evaluate risk exposure and allow for more informed decisions about whether to approve commercial loan applications.
  • With better credit risk modelling, banks can avoid extending personal loans to customers most likely to default.
  • Investment banks (or individual traders or financial analysts) can use AI- and ML-based systems to monitor market and trading activity more effectively.

  Those are just a few examples that barely scratch the surface. Many other AI-based applications and analytics use cases exist across all industries and market segments.

  Protect customer privacy while still getting detailed analytics

  New regulations and increasing consumer privacy concerns don’t mean banks and financial institutions should forego website analytics altogether. Its insights into performance and customer behaviour are simply too valuable. And without customer interaction data, you’ll only know something’s wrong if someone complains.

  Fortunately, it doesn’t have to be one or the other. The right financial analytics solution can give you the data and insights needed without compromising privacy while complying with regulations like GDPR and CCPA.

  That way, you can track usage patterns and improve site performance and content quality based on accurate data — without compromising privacy. Reliable, precise analytics are crucial for any bank that’s serious about user experience.

  Use A/B testing and other tools to improve digital customer experiences

  Personalised digital experiences can be key differentiators in banking and finance when done well. But there’s stiff competition. In 2023, 40% of bank customers rated their bank’s online and mobile experience as excellent. 

  Improving digital experiences for users while respecting their privacy means going above and beyond a basic web analytics tool like Google Analytics. Invest in a platform with features like A/B tests and user session analysis for deeper insights into user behaviour.

  

  Behavioural analytics are crucial to understanding customer interactions. By identifying points of friction and drop-off points, you can make digital experiences smoother and more engaging.

  Matomo offers all this and is a great GDPR-compliant alternative to Google Analytics for banks and financial institutions. 

  Of course, this can be challenging. This is why taking an ethical and privacy-centric approach to analytics can be a key competitive edge for banks. Prioritising data security and privacy will attract other like-minded, ethically conscious consumers and boost customer loyalty.

  Get privacy-friendly web analytics suitable for banking & finance with Matomo

  Improving digital experiences for today’s customers requires a solid web analytics platform that prioritises data privacy and accurate analytics. And choosing the wrong one could even mean ending up in legal trouble or scrambling to reconstruct your entire analytics setup.

  Matomo provides privacy-friendly analytics with 100% data accuracy (no sampling), advanced privacy controls and the ability to run A/B tests and user session analysis within the same platform (limiting risk and minimising costs). 

  It’s easy to get started with Matomo. Users can access clear, easy-to-understand metrics and plenty of pre-made reports that deliver valuable insights from day one. Form usage reports can help banks and fintechs identify potential issues with broken links or technical glitches and reveal clues on improving UX in the short term.

  Over one million websites, including some of the world’s top banks and financial institutions, use Matomo for their analytics.

  Start your 21-day free trial to see why, or book a demo with one of our analytics experts.

• GDPR Compliance and Personal Data : The Ultimate Guide

  22 septembre 2023, par Erin — GDPR

  According to the International Data Corporation (IDC), the world generated 109 zettabytes of data in 2022 alone, and that number is on track to nearly triple to 291 zettabytes in 2027. For scale, that’s one trillion gigs or one followed by 21 zeros in bytes.

  A major portion of that data is generated online, and the conditions for securing that digital data can have major real-world consequences. For example, online identifiers that fall into the wrong hands can be used nefariously for cybercrime, identity theft or unwanted targeting. Users also want control over how their actions are tracked online and transparency into how their information is used.

  Therefore, regional and international regulations are necessary to set the terms for respecting users’ privacy and control over personal information. Perhaps the most widely known of these laws is the European Union’s General Data Protection Regulation (GDPR).

  What is personal data under GDPR ?

  Under the General Data Protection Regulation (GDPR), “personal data” refers to information linked to an identifiable natural person. An “identifiable natural person” is someone directly or indirectly recognisable via individually specific descriptors such as physical, genetic, economic, cultural, employment and social details.

  It’s important to note that under GDPR, the definition of personal data is very broad, and it encompasses both information that is commonly considered personal (e.g., names and addresses) and more technical or specialised data (e.g., IP addresses or device IDs) that can be used to identify individuals indirectly.

  Organisations that handle personal data must adhere to strict rules and principles regarding the processing and protection of this data to ensure individuals’ privacy rights are respected and upheld.

  Personal data can include, but is not limited to, the following :

  1. Basic Identity Information : This includes a person’s name, government-issued ID number, social address, phone number, email address or other similar identifiers.
  2. Biographical Information : Details such as date of birth, place of birth, nationality and gender.
  3. Contact Information : Information that allows communication with the individual, such as phone numbers, email addresses or mailing addresses.
  4. Financial Information : Data related to a person’s finances, including credit card numbers, bank account numbers, income records or financial transactions.
  5. Health and Medical Information : Information about a person’s health, medical history or healthcare treatments.
  6. Location Data : Data that can pinpoint a person’s geographical location, such as GPS coordinates or information derived from mobile devices.
  7. Online Identifiers : Information like IP addresses, cookies or other online tracking mechanisms that can be used to identify or track individuals online.
  8. Biometric Data : Unique physical or behavioural characteristics used for identification, such as fingerprints, facial recognition data or voiceprints.

  Sensitive Data

  Sensitive data is a special category of personal data prohibited from processing unless specific conditions are met, including users giving explicit consent. The data must also be necessary to fulfil one or more of a limited set of allowed purposes, such as reasons related to employment, social protections or legal claims.

  Sensitive information includes details about a person’s racial or ethnic origin, sexual orientation, political opinions, religion, trade union membership, biometric data or genetic data.

  What are the 7 main principles of GDPR ?

  The 7 principles of GDPR guide companies in how to properly handle personal data gathered from their users.

  

  The seven principles of GDPR are :

  1. Lawfulness, fairness and transparency

  Lawfulness means having legal grounds for data processing, such as consent, legitimate interests, contract and legal obligation. If you can achieve your objective without processing personal data, the basis is no longer lawful.

  Fairness means you’re processing data reasonably and in line with users’ best interests, and they wouldn’t be shocked if they find out what you’re using it for.

  Transparency means being open regarding when you’re processing user data, what you’re using it for and who you’re collecting it from.

  To get started with this, use our guide on creating a GDPR-compliant privacy policy.

  2. Purpose limitation

  You should only process user data for the original purposes you communicated to users when requesting their explicit consent. If you aim to undertake a new purpose, it must be compatible with the original stated purpose. Otherwise, you’ll need to ask for consent again.

  3. Data minimisation

  You should only collect as much data as you need to accomplish compliant objectives and nothing more, especially not other personally identifiable information (PII).

  Matomo provides several features for extensive data minimisation, including the ability to anonymize IP addresses.

  Data minimisation is well-liked by users. Around 70% of people have taken active steps towards protecting their identity online, so they’ll likely appreciate any principles that help them in this effort.

  

  4. Accuracy

  The user data you process should be accurate and up-to-date where necessary. You should have reasonable systems to catch inaccurate data and correct or delete it. If there are mistakes that you need to store, then you need to label them clearly as mistakes to keep them from being processed as accurate.

  5. Storage limitation

  This principle requires you to eliminate data you’re no longer using for the original purposes. You must implement time limits, after which you’ll delete or anonymize any user data on record. Matomo allows you to configure your system such that logs are automatically deleted after some time.

  6. Integrity and confidentiality

  This requires that data processors have security measures in place to protect data from threats such as hackers, loss and damage. As an open-source web analytics solution, Matomo enables you to verify its security first-hand.

  7. Accountability

  Accountability means you’re responsible for what you do with the data you collect. It’s your duty to maintain compliance and document everything for audits. Matomo tracks a lot of the data you’d need for this, including activity, task and application logs.

  Who does GDPR apply to ?

  The GDPR applies to any company that processes the personal data of EU citizens and residents (regardless of the location of the company). 

  If this is the first time you’ve heard about this, don’t worry ! Matomo provides tools that allow you to determine exactly what kinds of data you’re collecting and how they must be handled for full compliance. 

  Best practices for processing personal data under GDPR

  Companies subject to the GDPR need to be aware of several key principles and best practices to ensure they process personal data in a lawful and responsible manner.

  Here are some essential practices to implement :

  1. Lawful basis for processing : Organisations must have a lawful basis for processing personal data. Common lawful bases include the necessity of processing for compliance with a legal obligation, the performance of a contract, the protection of vital interests and tasks carried out in the public interest. Your organisation’s legitimate interests for processing must not override the individual’s legal rights. 
  2. Data minimisation : Collect and process only the personal data that is necessary for the specific purpose for which it was collected. Matomo’s anonymisation capabilities help you avoid collecting excessive or irrelevant data.
  3. Transparency : Provide clear and concise information to individuals about how their data will be processed. Privacy statements should be clear and accessible to users to allow them to easily understand how their data is used.
  4. Consent : If you are relying on consent as a lawful basis, make sure you design your privacy statements and consent forms to be usable. This lets you ensure that consent is freely given, specific, informed and unambiguous. Also, individuals must be able to withdraw their consent at any time.
  5. Data subject rights : You must have mechanisms in place to uphold the data subject’s individual rights, such as the rights to access, erase, rectify errors and restrict processing. Establish internal processes for handling such requests.
  6. Data protection impact assessments (DPIAs) : Conduct DPIAs for high-risk processing activities, especially when introducing new technologies or processing sensitive data.
  7. Security measures : You must implement appropriate technical security measures to maintain the safety of personal data. This can include ‌security tools such as encryption, firewalls and limited access controls, as well as organisational practices like regular security assessments. 
  8. Data breach response : Develop and maintain a data breach response plan. Notify relevant authorities and affected individuals of data breaches within the required timeframe.
  9. International data transfers : If transferring personal data outside the EU, ensure that appropriate safeguards are in place and consider GDPR provisions. These provisions allow data transfers from the EU to non-EU countries in three main ways :
     1. When the destination country has been deemed by the European Commission to have adequate data protection, making it similar to transferring data within the EU.
     2. Through the use of safeguards like binding corporate rules, approved contractual clauses or adherence to codes of conduct.
     3. In specific situations when none of the above apply, such as when an individual explicitly consents to the transfer after being informed of the associated risks.
  10. Data protection officers (DPOs) : Appoint a data protection officer if required by GDPR. DPOs are responsible for overseeing data protection compliance within the organisation.
  11. Privacy by design and default : Integrate data protection into the design of systems and processes. Default settings should prioritise user privacy, as is the case with something like Matomo’s first-party cookies.
  12. Documentation : Maintain records of data processing activities, including data protection policies, procedures and agreements. Matomo logs and backs up web server access, activity and more, providing a solid audit trail.
  13. Employee training : Employees who handle personal data must be properly trained to uphold data protection principles and GDPR compliance best practices. 
  14. Third-party contracts : If sharing data with third parties, have data processing agreements in place that outline the responsibilities and obligations of each party regarding data protection.
  15. Regular audits and assessments : Conduct periodic audits and assessments of data processing activities to ensure ongoing compliance. As mentioned previously, Matomo tracks and saves several key statistics and metrics that you’d need for a successful audit.
  16. Accountability : Demonstrate accountability by documenting and regularly reviewing compliance efforts. Be prepared to provide evidence of compliance to data protection authorities.
  17. Data protection impact on data analytics and marketing : Understand how GDPR impacts data analytics and marketing activities, including obtaining valid consent for marketing communications.

  Organisations should be on the lookout for GDPR updates, as the regulations may evolve over time. When in doubt, consult legal and privacy professionals to ensure compliance, as non-compliance could potentially result in significant fines, damage to reputation and legal consequences.

  What constitutes a GDPR breach ?

  Security incidents that compromise the confidentiality, integrity and/or availability of personal data are considered a breach under GDPR. This means a breach is not limited to leaks ; if you accidentally lose or delete personal data, its availability is compromised, which is technically considered a breach.

  What are the penalty fines for GDPR non-compliance ?

  The penalty fines for GDPR non-compliance are up to €20 million or up to 4% of the company’s revenue from the previous fiscal year, whichever is higher. This makes it so that small companies can also get fined, no matter how low-profile the breach is.

  In 2022, for instance, a company found to have mishandled user data was fined €2,000, and the webmaster responsible was personally fined €150.

  Is Matomo GDPR compliant ?

  Matomo is fully GDPR compliant and can ensure you achieve compliance, too. Here’s how :

  • Data anonymization and IP anonymization
  • GDPR Manager that helps you identify gaps in your compliance and address them effectively
  • Users can opt-out of all tracking
  • First-party cookies by default
  • Users can view the data collected
  • Capabilities to delete visitor data when requested
  • You own your data and it is not used for any other purposes (like advertising)
  • Visitor logs and profiles can be disabled
  • Data is stored in the EU (Matomo Cloud) or in any country of your choice (Matomo On-Premise)

  Is there a GDPR in the US ?

  There is no GDPR-equivalent law that covers the US as a whole. That said, US-based companies processing data from persons in the EU still need to adhere to GDPR principles.

  While there isn’t a federal data protection law, several states have enacted their own. One notable example is the California Consumer Privacy Act (CCPA), which Matomo is fully compliant with.

  Ready for GDPR-compliant analytics ?

  The GDPR lays out a set of regulations and penalties that govern the collection and processing of personal data from EU citizens and residents. A breach under GDPR attracts a fine of either up to €20 million or 4% of the company’s revenue, and the penalty applies to companies of all sizes.

  Matomo is fully GDPR compliant and provides several features and advanced privacy settings to ensure you ‌are as well, without sacrificing the resources you need for effective analytics. If you’re ready to get started, sign up for a 21-day free trial of Matomo — no credit card required.

  Disclaimer
  We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to GDPR. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.