Recherche avancée

Sur d’autres sites (9912)

• Unveiling GA4 Issues : 8 Questions from a Marketer That GA4 Can’t Answer

  8 janvier 2024, par Alex

  It’s hard to believe, but Universal Analytics had a lifespan of 11 years, from its announcement in March 2012. Despite occasional criticism, this service established standards for the entire web analytics industry. Many metrics and reports became benchmarks for a whole generation of marketers. It truly was an era.

  For instance, a lot of marketers got used to starting each workday by inspecting dashboards and standard traffic reports in the Universal Analytics web interface. There were so, so many of those days. They became so accustomed to Universal Analytics that they would enter reports, manipulate numbers, and play with metrics almost on autopilot, without much thought.

  However, six months have passed since the sunset of Universal Analytics – precisely on July 1, 2023, when Google stopped processing requests for resources using the previous version of Google Analytics. The time when data about visitors and their interactions with the website were more clearly structured within the UA paradigm is now in the past. GA4 has brought a plethora of opportunities to marketers, but along with those opportunities came a series of complexities.

  GA4 issues

  Since its initial announcement in 2020, GA4 has been plagued with errors and inconsistencies. It still has poor and sometimes illogical documentation, numerous restrictions, and peculiar interface solutions. But more importantly, the barrier to entry into web analytics has significantly increased.

  If you diligently follow GA4 updates, read the documentation, and possess skills in working with data (SQL and basic statistics), you probably won’t feel any problems – you know how to set up a convenient and efficient environment for your product and marketing data. But what if you’re not that proficient ? That’s when issues arise.

  In this article, we try to address a series of straightforward questions that less experienced users – marketers, project managers, SEO specialists, and others – want answers to. They have no time to delve into the intricacies of GA4 but seek access to the fundamentals crucial for their functionality.

  Previously, in Universal Analytics, they could quickly and conveniently address their issues. Now, the situation has become, to put it mildly, more complex. We’ve identified 8 such questions for which the current version of GA4 either fails to provide answers or implies that answers would require significant enhancements. So, let’s dive into them one by one.

  Question 1 : What are the most popular traffic sources on my website ?

  Seemingly a straightforward question. What does GA4 tell us ? It responds with a question : “Which traffic source parameter are you interested in ?”

  

  Wait, what ?

  People just want to know which resources bring them the most traffic. Is that really an issue ?

  Unfortunately, yes. In GA4, there are not one, not two, but three traffic source parameters :

  1. Session source.
  2. First User Source – the source of the first session for each user.
  3. Just the source – determined at the event or conversion level.

  If you wanted to open a report and draw conclusions quickly, we have bad news for you. Before you start ranking your traffic sources by popularity, you need to do some mental work on which parameter and in what context you will look. And even when you decide, you’ll need to make a choice in the selection of standard reports : work with the User Acquisition Report or Traffic Acquisition.

  Yes, there is a difference between them : the first uses the First User Source parameter, and the second uses the session source. And you need to figure that out too.

  Question 2 : What is my conversion rate ?

  This question concerns everyone, and it should be simple, implying a straightforward answer. But no.

  

  In GA4, there are three conversion metrics (yes, three) :

  1. Session conversion – the percentage of sessions with a conversion.
  2. User conversion – the percentage of users who completed a conversion.
  3. First-time Purchaser Conversion – the share of active users who made their first purchase.

  If the last metric doesn’t interest us much, GA4 users can still choose something from the remaining two. But what’s next ? Which parameters to use for comparison ? Session source or user source ? What if you want to see the conversion rate for a specific event ? And how do you do this in analyses rather than in standard reports ?

  In the end, instead of an answer to a simple question, marketers get a bunch of new questions.

  Question 3. Can I trust user and session metrics ?

  Unfortunately, no. This may boggle the mind of those not well-versed in the mechanics of calculating user and session metrics, but it’s the plain truth : the numbers in GA4 and those in reality may and will differ.

  

  The reason is that GA4 uses the HyperLogLog++ statistical algorithm to count unique values. Without delving into details, it’s a mechanism for approximate estimation of a metric with a certain level of error.

  This error level is quite well-documented. For instance, for the Total Users metric, the error level is 1.63% (for a 95% confidence interval). In simple terms, this means that 100,000 users in the GA4 interface equate to 100,000 1.63% in reality.

  Furthermore – but this is no surprise to anyone – GA4 samples data. This means that with too large a sample size or when using a large number of parameters, the application will assess your metrics based on a partial sample – let’s say 5, 10, or 30% of the entire population.

  It’s a reasonable assumption, but it can (and probably will) surprise marketers – the metrics will deviate from reality. All end-users can do (excluding delving into raw data methodologies) is to take this error level into account in their conclusions.

  Question 4. How do I calculate First Click attribution ?

  You can’t. Unfortunately, as of late, GA4 offers only three attribution models available in the Attribution tab : Last Click, Last Click For Google Ads, and Data Driven. First Click attribution is essential for understanding where and when demand is generated. In the previous version of Google Analytics (and until recently, in the current one), users could quickly apply First Click and other attribution models, compare them, and gain insights. Now, this capability is gone.

  

  Certainly, you can look at the conversion distribution considering the First User Source parameter – this will be some proxy for First Click attribution. However, comparing it with others in the Model Comparison tab won’t be possible. In the context of the GA4 interface, it makes sense to forget about non-standard attribution models.

  Question 5. How do I account for intra-session traffic ?

  Intra-session traffic essentially refers to a change in traffic sources within a session. Imagine a scenario where a user comes to your site organically from Google and, within a minute, comes from an email campaign. In the previous version of Google Analytics, a new session with the traffic source “e-mail” would be created in such a case. But now, the situation has changed.

  A session now only ends in the case of a timeout – say, 30 minutes without interaction. This means a session will always have a source from which it started. If a user changes the source within a session (clicks on an ad, from email campaigns, and so on), you won’t know anything about it until they convert. This is a significant blow to intra-session traffic since their contribution to traffic remains virtually unnoticed. 

  Question 6. How can I account for users who have not consented to the use of third-party cookies ?
  

  You can’t. Google Consent Mode settings imply several options when a user rejects the use of 3rd party cookies. In GA4 and BigQuery, depersonalized cookieless pings will be sent. These pings do not contain specific client_id, session_id, or other custom dimensions. As a result, you won’t be able to consider them as users or link the actions of such users together.

  Question 7. How can I compare data in explorations with the previous year ?

  The maximum data retention period for a free GA4 account is 14 months. This means that if the date range is wider, you can only use standard reports. You won’t be able to compare or view cohorts or funnels for periods more than 14 months ago. This makes the product functionality less rich because various report formats in explorations are very convenient for comparing specific metrics in easily digestible reports.

  

  Of course, you always have the option to connect BigQuery and store raw data without limitations, but this process usually requires the involvement of an advanced analyst. And precisely this option is unavailable to most marketers in small teams.

  Question 8. Is the data for yesterday accurate ?

  Unknown. Google declares that data processing in GA4 takes up to 48 hours. And although this process is faster, most users still have room for frustration. And they can be understood.

  

  What does “data processing takes 24-48 hours” mean ? When will the data in reports be complete ? For yesterday ? Or the day before yesterday ? Or for all days that were more than two days ago ? Unclear. What should marketers tell their managers when they were asked if all the data is in this report ? Well, probably all of it… or maybe not… Let’s wait for 48 hours…

  Undoubtedly, computational resources and time are needed for data preprocessing and aggregation. It’s okay that data for today will not be up-to-date. And probably not for yesterday either. But people just want to know when they can trust their data. Are they asking for too much : just a note that this report contains all the data sent and processed by Google Analytics ?

  What should you do ?

  Credit should be given to the Google team – they have done a lot to enable users to answer these questions in one form or another. For example, you can use data streaming in BigQuery and work with raw data. The entry threshold for this functionality has been significantly lowered. In fact, if you are dissatisfied with the GA4 interface, you can organize your export to BigQuery and create your own reports without (almost) any restrictions.

  Another strong option is the widespread launch of GTM Server Side. This allows you to quite freely modify the event model and essentially enrich each hit with various parameters, doing this in a first-party context. This, of course, reduces the harmful impact of most of the limitations described in this text.

  But this is not a solution.

  The users in question – marketers, managers, developers – they do not want or do not have the time for a deep dive into the issue. And they want simple answers to simple (it seemed) questions. And for now, unfortunately, GA4 is more of a professional tool for analysts than a convenient instrument for generating insights for not very advanced users.

  Why is this such a serious issue ?

  The thing is – and this is crucial – over the past 10 years, Google has managed to create a sort of GA-bubble for marketers. Many of them have become so accustomed to Google Analytics that when faced with another issue, they don’t venture to explore alternative solutions but attempt to solve it on their own. And almost always, this turns out to be expensive and inconvenient.

  However, with the latest updates to GA4, it is becoming increasingly evident that this application is struggling to address even the most basic questions from users. And these questions are not fantastically complex. Much of what was described in this article is not an unsolvable mystery and is successfully addressed by other analytics services.

  Let’s try to answer some of the questions described from the perspective of Matomo.

  Question 1 : What are the most popular traffic sources ? [Solved]

  In the Acquisition panel, you will find at least three easily identifiable reports – for traffic channels (All Channels), sources (Websites), and campaigns (Campaigns). 

  

  With these, you can quickly and easily answer the question about the most popular traffic sources, and if needed, delve into more detailed information, such as landing pages.

  Question 2 : What is my conversion rate ? [Solved]

  Under Goals in Matomo, you’ll easily find the overall conversion rate for your site. Below that you’ll have access to the conversion rate of each goal you’ve set in your Matomo instance.

  

  Question 3 : Can I trust user and session metrics ? [Solved]

  Yes. With Matomo, you’re guaranteed 100% accurate data. Matomo does not apply sampling, does not employ specific statistical algorithms, or any analogs of threshold values. Yes, it is possible, and it’s perfectly normal. If you see a metric in the visits or users field, it accurately represents reality by 100%.

  Try Matomo for Free

  Get the web insights you need, without compromising data accuracy.

  Start for free

  No credit card required

  Question 4 : How do I calculate First Click attribution ? [Solved]
  
  You can do this in the same section where the other 5 attribution models, available in Matomo, are calculated – in the Multi Attribution section.

  

  You can choose a specific conversion and, in a few clicks, calculate and compare up to 3 marketing attribution models. This means you don’t have to spend several days digging through documentation trying to understand how a particular model is calculated. Have a question – get an answer.

  Question 5 : How do I account for intra-session traffic ? [Solved]

  Matomo creates a new visit when a user changes a campaign. This means that you will accurately capture all relevant traffic if it is adequately tagged. No campaigns will be lost within a visit, as they will have a new utm_campaign parameter.

  This is a crucial point because when the Referrer changes, a new visit is not created, but the key lies in something else – accounting for all available traffic becomes your responsibility and depends on how you tag it.

  Try Matomo for Free

  Get the web insights you need, without compromising data accuracy.

  Start for free

  No credit card required

  Question 6 : How can I account for users who have not consented to the use of third-party cookies ? [Solved]

  Google Analytics requires users to accept a cookie consent banner with “analytics_storage=granted” to track them. If users reject cookie consent banners, however, then Google Analytics can’t track these visitors at all. They simply won’t show up in your traffic reports. 

  Matomo doesn’t require cookie consent banners (apart from in the United Kingdom and Germany) and can therefore continue to track visitors even after they have rejected a cookie consent screen. This is achieved through a config_id variable (the user identifier equivalent which is updating once a day). 

  

  This means that virtually all of your website traffic will be tracked regardless of whether users accept a cookie consent banner or not.

  Question 7 : How can I compare data in explorations with the previous year ? [Solved]
  

  There is no limitation on data retention for your aggregated reports in Matomo. The essence of Matomo experience lies in the reporting data, and consequently, retaining reports indefinitely is a viable option. So you can compare data for any timeframe. 7

  

• My SBC Collection

  31 décembre 2023, par Multimedia Mike — General

  Like many computer nerds in the last decade, I have accumulated more than a few single-board computers, or “SBCs”, which are small computers based around a system-on-a-chip (SoC) that nearly always features an ARM CPU at its core. Surprisingly few of these units are Raspberry Pi units, though that brand has come to exemplify and dominate the product category.

  Also, as is the case for many computer nerds, most of these SBCs lay fallow for years at a time. Equipped with an inexpensive lightbox that I procured in the last year, I decided I could at least create glamour shots of various units and catalog them in a blog post.

  While Raspberry Pi still enjoys the most mindshare far and away, and while I do have a few Raspberry Pi units in my inventory, I have always been a bigger fan of the ODROID brand, which works with convenient importers around the world (in the USA, I can vouch for Ameridroid, to whom I’ve forked over a fair amount of cash for these computing toys).

  As mentioned, Raspberry Pi undisputedly has the most mindshare of all these SBC brands and I often wonder why… and then I immediately remind myself that it has the biggest ecosystem, and has a variety of turnkey projects and applications (such as Pi-hole and PiVPN) that promise a lower barrier to entry — as well as a slightly lower price point — than some of these other options. ODROID had a decent ecosystem for awhile, especially considering the monthly ODROID Magazine, though that ceased publication in July 2020. The Raspberry Pi and its variants were famously difficult to come by due to the global chip shortage from 2021-2023. Meanwhile, I had no trouble procuring these boards during the same timeframe.

  So let’s delve into the collection…
  

  Cubieboard
  The Raspberry Pi came out in 2012 and by 2013 I was somewhat coveting one to hack on. Finally ! An accessible ARM platform to play with. I had heard of the BeagleBoard for years but never tried to get my hands on one. I was thinking about taking the plunge on a new Raspberry Pi, but a colleague told me I should skip that and go with this new hotness called the Cubieboard, based on an Allwinner SoC. The big value-add that this board had vs. a Raspberry Pi was that it had a SATA adapter. Although now that it has been a decade, it only now occurs to me to quander whether it was true SATA or a USB-to-SATA bridge. Looking it up now, I’m led to believe that the SoC supported the functionality natively.

  Anyway, I did get it up and running but never did much with it, thus setting the tone for future SBC endeavors. No photos because I gave it to another tech enthusiast years ago, whose SBC collection dwarfs my own.

  ODROID-XU4
  I can’t recall exactly when or how I first encountered the ODROID brand. I probably read about it on some enthusiast page or another circa 2014 and decided to try one out. I eventually acquired a total of 3 of these ODROID-XU4 units, each with a different case, 1 with a fan and 2 passively-cooled :

  

  Collection of ODROID-XU4 SBCs

  This is based on the Samsung Exynos 5422 SoC, the same series as was used in their Note 3 phone released in 2013. It has been a fun chip to play with. The XU4 was also my first introduction to the eMMC storage solution that is commonly supported on the ODROID SBCs (alongside micro-SD). eMMC offers many benefits over SD in terms of read/write speed as well as well as longevity/write cycles. That’s getting less relevant these days, however, as more and more SBCs are being released with direct NVMe SSD support.

  I had initially wanted to make a retro-gaming device built on this platform (see the handheld section later for more meditations on that). In support of this common hobbyist goal, there is this nifty case XU4 case which apes the aesthetic of the Nintendo N64 :

  

  ODROID-XU4 N64-style case

  It even has a cool programmable LCD screen. Maybe one day I’ll find a use for it.

  For awhile, one of these XU4 units (likely the noisy, fan-cooled one) was contributing results to the FFmpeg FATE system.

  While it features gigabit ethernet and a USB3 port, I once tried to see if I could get 2 Gbps throughput with the unit using a USB3-gigabit dongle. I had curious results in that the total amount of traffic throughput could never exceed 1 Gbps across both interfaces. I.e., if 1 interface was dealing with 1 Gbps and the other interface tried to run at 1 Gbps, they would both only run at 500 Mbps. That remains a mystery to me since I don’t see that limitation with Intel chips.

  Still, the XU4 has been useful for a variety of projects and prototyping over the years.

  ODROID-HC2 NAS
  I find that a lot of my fellow nerds massively overengineer their homelab NAS setups. I’ll explore this in a future post. For my part, people tend to find my homelab NAS solution slightly underengineered. This is the ODROID-HC2 (the “HC” stands for “Home Cloud”) :

  

  ODROID-HC2 NAS

  It has the same guts as the ODROID-XU4 except no video output and the USB3 function is leveraged for a SATA bridge. This allows you to plug a SATA hard drive directly into the unit :

  

  ODROID-HC2 NAS uncovered

  Believe it or not, this has been my home NAS solution for something like 6 or 7 years now– I don’t clearly remember when I purchased it and put it into service.

  But isn’t this sort of irresponsible ? What about a failure of the main drive ? That’s why I have an external drive connected for backing up the most important data via rsync :

  

  ODROID-HC2 NAS backup enclosure

  The power consumption can’t be beat– Profiling for a few weeks of average usage worked out to 4.5 kWh for the ODROID-HC2… per month.

  ODROID-C2
  I was on a kick of ordering more SBCs at one point. This is the ODROID-C2, equipped with a 64-bit Amlogic SoC :

  

  ODROID-C2

  I had this on the FATE farm for awhile, performing 64-bit ARM builds (vs. the XU4’s 32-bit builds). As memory serves, it was unreliable and would occasionally freeze up.

  Here is a view of the eMMC storage through the bottom of the translucent case :

  

  Bottom of ODROID-C2 with view of eMMC storage

  ODROID-N2+
  Out of all my ODROID SBCs, this is the unit that I long to “get back to” the most– the ODROID-N2+ :

  

  ODROID-N2+

  Very capable unit that makes a great little desktop. I have some projects I want to develop using it so that it will force me to have a focused development environment.

  Raspberry Pi
  Eventually, I did break down and get a Raspberry Pi. I had a specific purpose in mind and, much to my surprise, I have stuck to it :

  

  Original Raspberry Pi

  I was using one of the ODROID-XU4 units as a VPN gateway. Eventually, I wanted to convert the XU4 to something else and I decided to run the VPN gateway as an appliance on the simplest device I could. So I procured this complete hand-me-down unit from eBay and went to work. This was also the first time I discovered the DietPi distribution and this box has been in service running Wireguard via PiVPN for many years.

  I also have a Raspberry Pi 3B+ kicking around somewhere. I used it as a Steam Link device for awhile.

  SOPINE + Baseboard
  Also procured when I was on this “let’s buy random SBCs” kick. The Pine64 SOPINE is actually a compute module that comes in the form factor of a memory module.

  

  Pine64 SOPINE Compute Module

  Back to using Allwinner SoCs. In order to make this thing useful, you need to place it in something. It’s possible to get a mini-ITX form factor board that can accommodate 7 of these modules. Before going to that extreme, there is this much simpler baseboard which can also use eMMC for storage.

  

  Baseboard with SOPINE, eMMC, and heat sinks

  I really need to find an appropriate case for this one as it currently performs its duty while sitting on an anti-static bag.

  NanoPi NEO3
  I enjoy running the DietPi distribution on many of these SBCs (as it’s developed not just for Raspberry Pi). I have also found their website to be a useful resource for discovering new SBCs. That’s how I found the NanoPi series and zeroed in on this NEO3 unit, sporting a Rockchip SoC, and photographed here with some American currency in order to illustrate its relative size :

  

  NanoPi NEO3

  I often forget about this computer because it’s off in another room, just quietly performing its assigned duty.

  MangoPi MQ-Pro
  So far, I’ve heard of these fruits prepending the Greek letter pi for naming small computing products :

  • Raspberry – the O.G.
  • Banana – seems to be popular for hobbyist router/switches
  • Orange
  • Atomic
  • Nano
  • Mango

  Okay, so the AtomicPi and NanoPi names don’t really make sense considering the fruit convention.

  Anyway, the newest entry is the MangoPi. These showed up on Ameridroid a few months ago. There are 2 variants : the MQ-Pro and the MQ-Quad. I picked one and rolled with it.

  

  MangoPi MQ-Pro pieces arrive

  When it arrived, I unpacked it, assembled the pieces, downloaded a distro, tossed that on a micro-SD card, connected a monitor and keyboard to it via its USB-C port, got the distro up and running, configured the wireless networking with a static IP address and installed sshd, and it was ready to go as a headless server for an edge application.

  

  MangoPi MQ-Pro components, ready for assembly

  The unit came with no instructions that I can recall. After I got it set up, I remember thinking, “What is wrong with me ? Why is it that I just know how to do all of this without any documentation ?”

  

  MangoPi MQ-Pro in first test

  Only after I got it up and running and poked around a bit did I realize that this SBC doesn’t have an ARM SoC– it’s a RISC-V SoC. It uses the Allwinner D1, so it looks like I came full circle back to Allwinner.

  

  MangoPi MQ-Pro with more US coinage for scale

  So I now have my first piece of RISC-V hobbyist kit, although I learned recently from Kostya that it’s not that great for multimedia.

  Handheld Gaming Units
  The folks at Hardkernel have also produced a series of handheld retro-gaming devices called ODROID-GO. The first one resembled the original Nintendo Game Boy, came as a kit to be assembled, and emulated 5 classic consoles. It also had some hackability to it. Quite a cool little device, and inexpensive too. I have since passed it along to another gaming enthusiast.

  Later came the ODROID-GO Advance, also a kit, but emulating more devices. I was extremely eager to get my hands on this since it could emulate SNES in addition to NES. It also features a headphone jack, unlike the earlier model. True to form, after I received mine, it took me about 13 months before I got around to assembling it. After that, the biggest challenge I had was trying to find an appropriate case for it.

  

  ODROID-GO Advance with case and headphones

  Even though it may try to copy the general aesthetic and form factor of the Game Boy Advance, cases for the GBA don’t fit this correctly.

  Further, Hardkernel have also released the ODROID-GO Super and Ultra models that do more and more. The Advance, Super, and Ultra models have powerful SoCs and feature much more hackability than the first ODROID-GO model.

  I know that the guts of the Advance have been used in other products as well. The same is likely true for the Super and Ultra.

  Ultimately, the ODROID-GO Advance was just another project I assembled and then set aside since I like the idea of playing old games much more than actually doing it. Plus, the fact has finally crystalized in my mind over the past few years that I have never enjoyed handheld gaming and likely will never enjoy handheld gaming, even after I started wearing glasses. Not that I’m averse to old Game Boy / Color / Advance games, but if I’m going to play them, I’d rather emulate them on a large display.

  The Future
  In some of my weaker moments, I consider ordering up certain Banana Pi products (like the Banana Pi BPI-R2) with a case and doing my own router tricks using some open source router/firewall solution. And then I remind myself that my existing prosumer-type home router is doing just fine. But maybe one day…

  The post My SBC Collection first appeared on Breaking Eggs And Making Omelettes.

• Understanding Data Processing Agreements and How They Affect GDPR Compliance

  9 octobre 2023, par Erin — GDPR

  The General Data Protection Regulation (GDPR) impacts international organisations that conduct business or handle personal data in the European Union (EU), and they must know how to stay compliant.

  One way of ensuring GDPR compliance is through implementing a data processing agreement (DPA). Most businesses overlook DPAs when considering ways of maintaining user data security. So, what exactly is a DPA’s role in ensuring GDPR compliance ?

  In this article, we’ll discuss DPAs, their advantages, which data protection laws require them and the clauses that make up a DPA. We’ll also discuss the consequences of non-compliance and how you can maintain GDPR compliance using Matomo.

  What is a data processing agreement ?

  A data processing agreement, data protection agreement or data processing addendum is a contractual agreement between a data controller (a company) and a data processor (a third-party service provider.) It defines each party’s rights and obligations regarding data protection.

  A DPA also defines the responsibilities of the controller and the processor and sets out the terms they’ll use for data processing. For instance, when MHP/Team SI sought the services of Matomo (a data processor) to get reliable and compliant web analytics, a DPA helped to outline their responsibilities and liabilities.

  A DPA is one of the basic requirements for GDPR compliance. The GDPR is an EU regulation concerning personal data protection and security. The GDPR is binding on any company that actively collects data from EU residents or citizens, regardless of their location.

  As a business, you need to know what goes into a DPA to identify possible liabilities that may arise if you don’t comply with European data protection laws. For example, having a recurrent security incident can lead to data breaches as you process customer personal data.

  The average data breach cost for 2023 is $4.45 million. This amount includes regulatory fines, containment costs and business losses. As such, a DPA can help you assess the organisational security measures of your data processing methods and define the protocol for reporting a data breach.

  Why is a DPA essential for your business ?

  If your company processes personal data from your customers, such as contact details, you need a DPA to ensure compliance with data security laws like GDPR. You’ll also need a DPA to hire a third party to process your data, e.g., through web analytics or cloud storage.

  But what are the benefits of having a DPA in place ?

  

  A key benefit of signing a DPA is it outlines business terms with a third-party data processor and guarantees compliance with the relevant data privacy laws. A DPA also helps to create an accountability framework between you and your data processor by establishing contractual obligations.

  Additionally, a DPA helps to minimise the risk of unauthorised access to sensitive data. A DPA defines organisational measures that help protect the rights of individuals and safeguard personal data against unauthorised disclosure. Overall, before choosing a data processor, having a DPA ensures that they are capable, compliant and qualified.

  More than 120 countries have already adopted some form of international data protection laws to protect their citizens and their data better. Hence, knowing which laws require a DPA and how you can better ensure compliance is important.

  Which data protection laws require a DPA ?

  Regulatory bodies enact data protection laws to grant consumers greater control over their data and how businesses use it. These laws ensure transparency in data processing and compliance for businesses.

  

  The following are some of the relevant data privacy laws that require you to have a DPA :

  • UK GDPR
  • Brazil LGPD
  • EU GDPR
  • Dubai PDPA
  • Colorado CPA
  • California CCPA/CPRA
  • Virginia VCDPA
  • Connecticut DPA
  • South African POPIA
  • Thailand PDPA

  Companies that don’t adhere to these data protection obligations usually face liabilities such as fines and penalties. With a DPA, you can set clear expectations regarding data processing between you and your customers.

  Review and update any DPAs with third-party processors to ensure compliance with GDPR and the laws we mentioned above. Additionally, confirm that all the relevant clauses are present for compliance with relevant data privacy laws. 

  So, what key data processing clauses should you have in your DPA ? Let’s take a closer look in the next section.

  Key clauses in a data processing agreement

  GDPR provides some general recommendations for what you should state in a DPA.

  

  Here are the elements you should include :

  Data processing specifications

  Your DPA should address the specific business purposes for data processing, the duration of processing and the categories of data under processing. It should also clearly state the party responsible for maintaining GDPR compliance and who the data subjects are, including their location and nationality.

  Your DPA should also address the data processor and controller’s responsibilities concerning data deletion and contract termination.

  Role of processor

  Your DPA should clearly state what your data processor is responsible for and liable for. Some key responsibilities include record keeping, reporting breaches and maintaining data security.

  Other roles of your data processor include providing you with audit opportunities and cooperating with data protection authorities during inquiries. If you decide to end your contract, the data processor is responsible for deleting or returning data, depending on your agreement.

  Role of controller

  Your DPA should inform the responsibilities of the data controller, which typically include issuing processing instructions to the data processor and directing them on how to handle data processing.

  Your DPA should let you define the lawful data processes the data processor should follow and how you’ll uphold the data protection rights of individuals’ sensitive data.

  Organisational and technical specifications

  Your DPA should define specifications such as how third-party processors encrypt, access and test personal data. It should also include specifications on how the data processor and controller will maintain ongoing data security through various factors such as :

  • State of the technology : Do ‌third-party processors have reliable technology, and can they ensure data security within their systems ?
  • Costs of implementation : Does the data controller’s budget allow them to seek third-party services from industry-leading providers who can guarantee a certain level of security ?
  • Variances in users’ personal freedom : Are there privacy policies and opt-out forms for users to express how they want companies to use their sensitive data ?

  Moreover, your DPA should define how you and your data processor will ensure the confidentiality, availability and integrity of data processing services and systems.

  What are the penalties for DPA GDPR non-compliance ?

  Regulators use GDPR’s stiff fines to encourage data controllers and third-party processors to follow‌ best data security practices. One way of maintaining compliance is through drafting up a DPA with your data processor.

  The DPA should clearly outline the necessary legal requirements and include all the relevant clauses mentioned above. Understand what goes into this agreement since data protection authorities can hold your business accountable for a breach — even if a processor’s error caused it.

  Data protection authorities can issue penalties now that the GDPR is in place. For example, according to Article 83 of the GDPR, penalties for data or privacy breaches or non-compliance can amount to up to €20 million or 4% of your annual revenue.

  There are two tiers of fines : tier one and tier two. Violations related to data processors typically attract fines on the tier-one level. Tier one fines can cost your business €10 million or 2% of your company’s global revenue.

  Tier-two fines result from infringement of the right to forget and the right to privacy of your consumer. Tier-two fines can cost your business up to €20 million or 4% of your company’s global revenue.

  GDPR fines make non-compliance an expensive mistake for businesses of all sizes. As such, signing a DPA with any party that acts as a data processor for your business can help you remain GDPR-compliant.

  How a DPA can help your business remain GDPR compliant

  A DPA can help your business define and adhere to lawful data processes.

  

  So, in what other ways can a DPA help you to remain compliant with GDPR ? Let’s take a look !

  1. Assess data processor’s compliance

  Having a DPA helps ensure that the data processor you are working with is GDPR-compliant. You should check if they have a DPA and confirm the processor’s terms of service and legal basis.

  For example, if you want an alternative to Google Analytics that’s GDPR compliant, then you can opt for Matomo. Matomo features a DPA, which you can agree to when you sign up for web analytics services or later.

  2. Establish lawful data processes

  A DPA can also help you review your data processes to ensure they’re GDPR compliant. For example, by defining lawful data processes, you better understand personally identifiable information (PII) and how it relates to data privacy.

  Further, you can allow users to opt out of sharing their data. As such, Matomo can help you to enable Do Not Track preferences on your website.

  

  With this feature, users are given the option to opt in or out of tracking via a toggle in their respective browsers.

  Indeed, establishing lawful data processes helps you define the specific business purposes for collecting and processing personal data. By doing so, you get to notify your users why you need their data and get their consent to process it by including a GDPR-compliant privacy policy on your website.

  3. Anonymise your data

  Global privacy laws like GDPR and ePrivacy mandate companies to display cookie banners or seek consent before tracking visitors’ data. You can either include a cookie consent banner on your site or stop tracking cookies to follow the applicable regulations.

  Further, you can enable cookie-less tracking or easily let users opt out. For example, you can use Matomo without a cookie consent banner, exempting it from many countries’ privacy rules.

  Additionally, through a DPA, you can define organisational measures that define how you’ll anonymise all your users’ data. Matomo can help you anonymise IP addresses, and we recommend that you at least anonymise the last two bytes.

  

  As one of the few web analytics tools you can use to collect data without tracking consent, Matomo also has the French Data Protection Authority (CNIL) approval.

  4. Assess the processor’s bandwidth

  Having a DPA can help you implement data retention policies that show clear retention periods. Such policies are useful when ending a contract with a third-party service provider and determining how they should handle your data.

  A DPA also helps you ensure the processor has the necessary technology to store personal data securely. You can conduct an audit to understand possible vulnerabilities and your data processor’s technological capacity.

  5. Obtain legal counsel

  When drafting a DPA, it’s important to get a consultation on what is needed to ensure complete compliance. Obtaining legal counsel points you in the right direction so you don’t make any mistakes that may lead to non-compliance.

  Conclusion

  Businesses that process users’ data are subject to several DPA contract requirements under GDPR. One of the most important is having DPAs with every third-party provider that helps them perform data processing.

  It’s important to stay updated on GDPR requirements for compliance. As such, Matomo can help you maintain lawful data processes. Matomo gives you complete control over your data and complies with GDPR requirements.

  To get started with Matomo, you can sign up for a 21-day free trial. No credit card required.

  Disclaimer

  We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to GDPR. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.