Other articles (82)

  • MediaSPIP v0.2

    21 June 2013, by

    MediaSPIP 0.2 is the first stable version of MediaSPIP.
    Its official release date is 21 June 2013, and it is announced here.
    The zip file provided here contains only the MediaSPIP sources, in the standalone version.
    As with the previous version, all software dependencies must be installed manually on the server.
    If you want to use this archive for an installation in farm mode, you will also need to make other modifications (...)

  • MediaSPIP version 0.1 Beta

    16 April 2011, by

    MediaSPIP 0.1 beta is the first version of MediaSPIP declared "usable".
    The zip file provided here contains only the MediaSPIP sources, in the standalone version.
    To get a working installation, all software dependencies must be installed manually on the server.
    If you want to use this archive for an installation in farm mode, you will also need to make other modifications (...)

  • Websites made with MediaSPIP

    2 May 2011, by

    This page lists some websites based on MediaSPIP.

On other sites (8871)

  • Server-side tracking vs client-side tracking: What you need to know

    3 July, by Joe

    Today, consumers are more aware of their online privacy rights, leading to an extensive use of ad blockers and stricter cookie policies. Organisations are facing some noteworthy challenges with this trend, including:

    • Limited data collection, which makes it harder to understand user behaviour and deliver personalised ads that resonate with customers.
    • Rising compliance costs as businesses adapt to new regulations, straining resources and budgets.
    • Growing customer scepticism in data practices, affecting brand reputation.
    • Maintaining transparency and fostering trust with customers through clear communication about data practices.

    Server-side tracking can help resolve these problems. This article will cover server-side tracking, how it works, implementation methods and its benefits.

    What is server-side tracking?

    Server-side tracking refers to a method where user data is collected directly by a server rather than through a user’s browser.

    The key advantage of server-side tracking is that data collection, processing, and storage occur directly on the website’s server.

    For example, when a visitor interacts with any website, the server captures that activity through the backend system, allowing for greater data control and security. 

    Client-side tracking vs. server-side tracking 

    There are two methods to collect user data: client-side and server-side.

    Let’s understand their differences. 

    Client-side tracking: Convenience with caveats

    Client-side tracking embeds JavaScript tags, pixels or other scripts directly into a website’s code. When a user interacts with the site, these tags fire, collecting data from their browser. This information might include page views, button clicks, form submissions and other user actions. 

    The collected data is then sent directly to third-party analytics platforms like Google Analytics or Adobe Analytics, or analysed by internal teams.

    This method is relatively easy to implement. That’s because marketers can often deploy these tags without needing extensive developer support, enabling quick adjustments and A/B testing. 

    However, there are some challenges. 

    Ad blockers and browser privacy settings, such as Intelligent Tracking Prevention (ITP), restrict the ability of third-party tags to collect data. 

    This results in data gaps and inaccuracies that skew analytics reports and can lead to misguided business decisions.

    Reliance on numerous JavaScript tags can also negatively impact website performance, slowing down page load times and affecting user experience. This is especially true on mobile devices where processing power and network speeds are often limited.

    Now, let’s see how server-side tracking changes this.

    Server-side tracking: Control and reliability

    Server-side tracking shifts the burden of data collection from the user’s browser to a server controlled by the business. 

    Instead of relying on JavaScript tags firing directly from the user’s device, user interactions are first sent to the business’s own server. Here, the data can be processed, enriched, and analysed. 

    This method provides numerous advantages, including enhanced control over data integrity, improved privacy, and more, which we discuss in the next section.

    Benefits of server-side tracking 

    Server-side tracking offers a compelling alternative to traditional client-side methods, providing numerous business advantages. Let’s take a look at them.

    Improved data accuracy

    This method reduces inaccuracies caused by ad blockers or cookie restrictions by bypassing browser limitations. As a result, the data collected is more reliable, leading to better analytics and marketing attribution.

    Data minimisation

    Data minimisation is a fundamental principle in data protection. It emphasises that organisations should collect only data that is strictly needed for a specific purpose. 

    In server-side tracking, this translates into collecting just the essential data points and discarding anything extra before the data is sent to analytics platforms. It helps organisations avoid accumulating excessive personal information, reducing the risk of data breaches and misuse.

    For example, consider a scenario where a user purchases a product on an e-commerce website. 

    With client-side tracking scripts, the system might inadvertently collect a range of data, including the user’s IP address, browser type, operating system and even details about other websites they have visited. 

    However, for conversions, the organisation only needs to know the purchase amount, product IDs, user IDs, and timestamps.

    Server-side tracking filters unnecessary information. This reduces the privacy impact and simplifies data analysis and storage.

    Cross-device tracking capabilities

    Server-side tracking provides a unified view of customer behaviour regardless of the device they use, allowing for more personalised and targeted marketing campaigns. 

    In-depth event tracking

    Server-side tracking helps businesses track events that occur outside their websites, such as payment confirmations. Companies gain insights into the entire customer journey, from initial interaction to final purchase, optimising every touchpoint. 

    Enhanced privacy compliance

    With increasing regulations like GDPR and CCPA, businesses can better manage user consent and data handling practices through server-side solutions. 

    Server-side setups make honouring user consent easier. If a user opts out, server-side logic can exclude their data from all outgoing analytics calls in one central place. 

    Server-side methods reassure users and regulators that data is collected and secured with minimal risk. 

    In sectors like government and banking, this level of control is often a non-negotiable part of their duty of care. 

    Extended cookie lifetime

    Traditional website tracking faces growing obstacles as modern browsers prioritise user privacy. Initiatives like Safari’s ITP block third-party cookies and also constrain the use of first-party cookies. 

    Other browsers, such as Firefox and Brave, are implementing similar methods, while Chrome is beginning to phase out third-party cookies. Retargeting and cross-site analytics, which rely on these cookies, encounter significant challenges.

    Server-side tracking overcomes this by allowing businesses to collect data over a longer duration. 

    When a website’s server directly sets a cookie, that cookie often lasts longer than cookies created by JavaScript code running inside the browser. This lets websites get around some of the limits browsers put on tracking and allows them to remember a visitor when they return to the site later, which gives better customer insights. Plus, server-side tracking typically classifies cookies as first-party data, which is less susceptible to blocking by browsers and ad blockers.

    Server-side tracking: Responsibilities and considerations

    While server-side tracking delivers powerful capabilities, remember that it also brings increased responsibility. Companies must remain vigilant in upholding privacy regulations and user consent. It’s up to the organisation to make sure the server follows user consent, for example, not sending data if someone has opted out.

    Server-side setups introduce technical complexity, which can potentially lead to data errors that are more difficult to identify and resolve. Therefore, monitoring processes and quality assurance practices are essential for data integrity. 

    How does server-side tracking work?

    When a user interacts with a website (e.g., clicking a button), this action triggers an event. The event could be anything from a page view to a form submission.

    The backend system captures relevant details such as the event type, user ID and timestamp. This information helps in understanding user behaviour and creating meaningful analytics.

    The captured data is processed directly on the organisation’s server, allowing for immediate validation. For example, organisations can add additional context or filter out irrelevant information.

    Instead of sending data to third-party endpoints, the organisation stores everything in its own database or data warehouse. This ensures full control over data privacy and security.

    Organisations can perform their own analysis using tools like SQL or Python. To visualise data, custom dashboards and reports can be created using self-hosted analytics tools. This way, businesses can present complex data in a clear and actionable manner.

    How to implement server-side tracking?

    Server-side tracking can work in four common ways, each offering a different blend of control, flexibility and complexity.

    1. Server-side tag management

    In this method, organisations use platforms like Google Tag Manager Server-Side to manage tracking tags on the server, often using containers to isolate and manage different tagging environments. 

    This approach offers a balance between control and ease of use. It allows for the deployment and management of tags without modifying the application code, which is particularly useful for marketers who want to adjust tracking configurations quickly.

    2. Direct server-to-server tracking via APIs

    This method involves sharing information between two servers without affecting the user’s browser or device. 

    A unique identifier is generated and stored on a server when a user interacts with an ad or webpage. 

    If a user takes some action, like making a purchase, the unique identifier is sent from the advertiser’s server directly to the platform’s server (Google or Facebook) via an API. 

    It requires more development effort but is ideal for organisations needing fine-grained data control.

    3. Using analytics platforms with built-in server SDKs

    Another way is to employ analytics platforms like Matomo that provide SDKs for various programming languages to instrument the server-side code. 

    This eases integration with the platform’s analytics features and is a good choice for organisations that primarily use a single analytics platform and want to use its server-side capabilities.

    4. Hybrid approaches

    Finally, organisations can also combine client- and server-side tracking to capture different data types and maximise accuracy. 

    This method involves client-side scripts for specific interactions (like UI events) and server-side tracking for more sensitive or critical data (like transactions). 

    While these are general approaches, dedicated analytics platforms can also be helpful. Matomo, for example, facilitates server-side tracking through two specific methods.

    Using server logs

    Matomo can import existing web server logs, such as Apache or Nginx, that capture each request. Every page view or resource load becomes a data point. 

    Matomo’s log processing script reads log files, importing millions of hits. This removes the need to add code to the site, making it suitable for basic page analytics (like the URL) without client-side scripts, particularly on security-sensitive sites.

    Using the Matomo tracking API (Server-side SDKs)

    This method integrates application code with calls to Matomo’s API. For example, when a user performs a specific action, the server sends a request to matomo.php, the tracking endpoint, which includes details like the user ID and action.

    Matomo offers SDKs in PHP, Java, C#, and community SDKs to simplify these calls. These allow tracking of not just page views but custom events such as downloads and transactions from the backend, functioning similarly to Google’s Measurement Protocol but sending data to the Matomo instance.
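
    The data-minimisation and central opt-out steps described earlier, combined with a server-side call to matomo.php, as an added example (not code from the article or from Matomo's SDKs). The query parameters are those of Matomo's Tracking HTTP API; the host, site ID, raw event field names and opt-out register are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit

MATOMO_ENDPOINT = "https://analytics.example.org/matomo.php"  # placeholder host (assumption)
SITE_ID = 1                                                   # placeholder site ID (assumption)

# The four data points the article says a conversion needs; nothing else leaves the server.
ALLOWED_FIELDS = ("user_id", "product_ids", "amount", "timestamp")
ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Constructed opt-out register; in a real system this is the consent database.
OPTED_OUT = {"u-2002"}

# Constructed raw event, as a backend might see it, including fields that must not be forwarded.
RAW_EVENT = {
    "user_id": "u-1001",
    "product_ids": ["sku-17", "sku-42"],
    "amount": "59.90",
    "timestamp": "2025-07-03T12:15:00+02:00",
    "ip": "203.0.113.7",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
    "referrer": "https://other-site.example/page",
}


def minimise(raw_event):
    """Return only the allow-listed fields, validated; raise ValueError otherwise."""
    missing = [f for f in ALLOWED_FIELDS if f not in raw_event]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    user_id = str(raw_event["user_id"])
    product_ids = raw_event["product_ids"]
    if not isinstance(product_ids, (list, tuple)) or not product_ids:
        raise ValueError("product_ids must be a non-empty list")
    product_ids = [str(p) for p in product_ids]
    if not all(ID_RE.fullmatch(v) for v in [user_id, *product_ids]):
        raise ValueError("malformed identifier")
    amount = float(raw_event["amount"])
    if not 0 <= amount < 1_000_000:  # also rejects NaN
        raise ValueError("amount out of range")
    when = datetime.fromisoformat(raw_event["timestamp"])
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return {
        "user_id": user_id,
        "product_ids": product_ids,
        "amount": amount,
        "timestamp": when.astimezone(timezone.utc),
    }


def build_tracking_request(raw_event, opted_out=OPTED_OUT):
    """Return the matomo.php URL to call, or None when the user has opted out."""
    if str(raw_event.get("user_id")) in opted_out:
        return None  # central consent gate: nothing is built, nothing is sent
    event = minimise(raw_event)
    params = {
        "idsite": SITE_ID,
        "rec": 1,
        "apiv": 1,
        "uid": event["user_id"],
        "e_c": "Ecommerce",                      # event category
        "e_a": "purchase",                       # event action
        "e_n": ",".join(event["product_ids"]),   # event name
        "e_v": f"{event['amount']:.2f}",         # event value
        "cdt": event["timestamp"].strftime("%Y-%m-%d %H:%M:%S"),  # event time, UTC
    }
    return MATOMO_ENDPOINT + "?" + urlencode(params)


def sent_fields(url):
    """Decode the query string so the outgoing data can be audited."""
    return dict(parse_qsl(urlsplit(url).query))


if __name__ == "__main__":
    url = build_tracking_request(RAW_EVENT)
    print(url)
    print(sent_fields(url))
```

    The request itself can be sent with any HTTP client; because the server makes the call, the visitor's IP address, user agent and referrer reach the analytics instance only if the code adds them deliberately.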

    Data privacy, regulations and Matomo

    As privacy concerns grow and regulations like GDPR and CCPA become more stringent, businesses must adopt data collection methods that respect user consent and data protection rights. 

    Server-side tracking allows organisations to collect first-party data directly from their servers, which is generally considered more compliant with privacy regulations.

    Matomo is a popular open-source web analytics platform that is committed to privacy. It gives organisations 100% data ownership and control, and no data is sent to third parties by default.

    Matomo is a full-featured analytics platform with dashboards and segmentation comparable to Google Analytics. It can self-host and provides DoNotTrack settings and the ability to anonymise IP addresses.

    Governments and organisations requiring data sovereignty, such as the EU Commission and the Swiss government, choose Matomo for web analytics due to its strong compliance posture.

    Balancing data collection and user privacy

    Ad blockers and other restrictions prevent data from being accurate. Server-side tracking helps get data on the server and makes it more reliable while respecting user privacy. Matomo supports server-side tracking, and over one million websites use Matomo to optimise their data strategies. 

    Get started today by trying Matomo for free for 21 days, no credit card required.

  • What Is Data Misuse & How to Prevent It? (With Examples)

    13 May 2024, by Erin

    Your data is everywhere. Every time you sign up for an email list, log in to Facebook or download a free app onto your smartphone, your data is being taken.

    This can scare customers and users who fear their data will be misused.

    While data can be a powerful asset for your business, it’s important you manage it well, or you could be in over your head.

    In this guide, we break down what data misuse is, what the different types are, some examples of major data misuse and how you can prevent it so you can grow your brand sustainably.

    What is data misuse?

    Data is a good thing.

    It helps analysts and marketers understand their customers better so they can serve them relevant information, products and services to improve their lives.

    But it can quickly become a bad thing for both the customers and business owners when it’s mishandled and misused.

    Data misuse is when a business uses data outside of the agreed-upon terms. When companies collect data, they need to legally communicate how that data is being used. 

    Who or what determines when data is being misused?

    Several bodies:

    • User agreements
    • Data privacy laws
    • Corporate policies
    • Industry regulations

    There are certain laws and regulations around how you can collect and use data. Failure to comply with these guidelines and rules can result in several consequences, including legal action.

    Keep reading to discover the different types of data misuse and how to prevent it.

    3 types of data misuse

    There are a few different types of data misuse.

    If you fail to understand them, you could face penalties, legal trouble and a poor brand reputation.

    1. Commingling

    When you collect data, you need to ensure you’re using it for the right purpose. Commingling is when an organisation collects data from a specific audience for a specific reason but then uses the data for another purpose.

    One example of commingling is if a company shares sensitive customer data with another company. In many cases, sister companies will share data even if the terms of the data collection didn’t include that clause.

    Another example is if someone collects data for academic purposes like research but then uses the data later on for marketing purposes to drive business growth in a for-profit company.

    In either case, the company went wrong by not being clear on what the data would be used for. You must communicate with your audience exactly how the data will be used.

    2. Personal benefit

    The second common way data is misused in the workplace is through “personal benefit.” This is when someone with access to data abuses it for their own gain.

    The most common example of personal benefit data misuse is when an employee misuses internal data.

    While this may sound like each instance of data misuse is caused by malicious intent, that’s not always the case. Data misuse can still exist even if an employee didn’t have any harmful intent behind their actions. 

    One of the most common examples is when an employee mistakenly moves data from a company device to personal devices for easier access.

    3. Ambiguity

    As mentioned above in the discussion of commingling, a company must use data only in the way it said it would when collecting it.

    A company can misuse data when they’re unclear on how the data is used. Ambiguity is when a company fails to disclose how user data is being collected and used.

    This means communicating poorly on how the data will be used can be wrong and lead to misuse.

    One of the most common ways this happens is when a company doesn’t know how to use the data, so they can’t give a specific reason. However, this is still considered misuse, as companies need to disclose exactly how they will use the data they collect from their customers.

    Laws on data misuse you need to follow

    Data misuse can lead to poor reputations and penalties from big tech companies. For example, if you step outside social media platforms’ guidelines, you could be suspended, banned or shadowbanned.

    But what’s even more important is that certain types of data misuse could mean you’re breaking laws worldwide. Here are some laws on data misuse you need to follow to avoid legal trouble:

    General Data Protection Regulation (GDPR)

    The GDPR, or General Data Protection Regulation, is a law within the European Union (EU) that went into effect in 2018.

    The GDPR was implemented to set a standard and improve data protection in Europe. It was also established to increase accountability and transparency for data breaches within businesses and organisations.

    The purpose of the GDPR is to protect residents within the European Union.

    The penalties for breaking GDPR laws are fines up to 20 million Euros or 4% of global revenues (whichever is higher).

    The GDPR doesn’t just affect companies in Europe. You can break the GDPR’s laws regardless of where your organisation is located worldwide. As long as your company collects, processes or uses the personal data of any EU resident, you’re subject to the GDPR’s rules.

    If you want to track user data to grow your business, you need to ensure you’re following international data laws. Tools like Matomo—the world’s leading privacy-friendly web analytics solution—can help you achieve GDPR compliance and maintain it.

    With Matomo, you can confidently enhance your website’s performance, knowing that you’re adhering to data protection laws. 

    California Consumer Privacy Act (CCPA)

    The California Consumer Privacy Act (CCPA) is another important data law companies worldwide must follow.

    Like GDPR, the CCPA is a data privacy law established to protect residents of a certain region — in this case, residents of California in the United States.

    The CCPA was implemented in 2020, and businesses worldwide can be penalised for breaking the regulations. For example, if you’re found violating the CCPA, you could be fined $7,500 for each intentional violation.

    If you have unintentional violations, you could still be fined, but at a lesser fee of $2,500.

    The Gramm-Leach-Bliley Act (GLBA)

    If your business is located within the United States, then you’re subject to a federal law implemented in 1999 called The Gramm-Leach-Bliley Act (GLB Act or GLBA).

    The GLBA is also known as the Financial Modernization Act of 1999. Its purpose is to control the way American financial institutions handle consumer data. 

    In the GLBA, there are three sections:

    1. The Financial Privacy Rule: Regulates the collection and disclosure of private financial data.
    2. Safeguards Rule: Financial institutions must establish security programs to protect financial data.
    3. Pretexting Provisions: Prohibits accessing private data using false pretences.

    The GLBA also requires financial institutions in the U.S. to give their customers written privacy policy communications that explain their data-sharing practices.

    4 examples of data misuse in real life

    If you want to see what data misuse looks like in real life, look no further.

    Big tech is central to some of the biggest data misuses and scandals.

    Here are a few examples of data misuse in real life you should take note of to avoid a similar scenario:

    1. Facebook election interference

    One of history’s most famous examples of data misuse is the Facebook and Cambridge Analytica scandal in 2018.

    During the 2018 U.S. midterm elections, Cambridge Analytica, a political consulting firm, acquired personal data from Facebook users that was said to have been collected for academic research.

    Instead, Cambridge Analytica used data from roughly 87 million Facebook users. 

    This is a prime example of commingling.

    The result? Cambridge Analytica was left bankrupt and dissolved, and Facebook was fined $5 billion by the Federal Trade Commission (FTC).

    2. Uber “God View” tracking

    Another big tech company, Uber, was caught misusing data a decade ago. 

    Why?

    Uber implemented a new feature for its employees in 2014 called “God View.”

    The tool enabled Uber employees to track riders using their app. The problem was that they were watching them without the users’ permission. “God View” lets Uber spy on their riders to see their movements and locations.

    The FTC ended up slapping them with a major lawsuit, and as part of their settlement agreement, Uber agreed to have an outside firm audit their privacy practices between 2014 and 2034.

    3. Twitter targeted ads overstep

    In 2019, Twitter was found guilty of allowing advertisers to access its users’ personal data to improve advertisement targeting.

    Advertisers were given access to user email addresses and phone numbers without explicit permission from the users. The result was that Twitter ad buyers could use this contact information to cross-reference with Twitter’s data to serve ads to them.

    Twitter stated that the data leak was an internal error. 

    4. Google location tracking

    In 2020, Google was found guilty of not explicitly disclosing how it’s using its users’ personal data, which is an example of ambiguity.

    The result?

    The French data protection authority fined Google $57 million.

    8 ways to prevent data misuse in your company

    Now that you know the dangers of data misuse and its associated penalties, it’s time to understand how you can prevent it in your company.

    Here are eight ways you can prevent data misuse:

    1. Track data with an ethical web analytics solution

    You can’t get by in today’s business world without tracking data. The question is whether you’re tracking it safely or not.

    If you want to ensure you aren’t getting into legal trouble with data misuse, then you need to use an ethical web analytics solution like Matomo.

    With it, you can track and improve your website performance while remaining GDPR-compliant and respecting user privacy. Unlike other web analytics solutions that monetise your data and auction it off to advertisers, with Matomo, you own your data.

    2. Don’t share data with big tech

    As the data misuse examples above show, big tech companies often violate data privacy laws.

    And while most of these companies, like Google, appear to be convenient, they’re often inconvenient (and much worse), especially regarding data leaks, privacy breaches and the sale of your data to advertisers.

    Have you ever heard the phrase “You are the product”? When it comes to big tech, chances are if you’re getting it for free, you (and your data) are the products they’re selling.

    The best way to stop sharing data with big tech is to stop using platforms like Google. For more ideas on different Google product alternatives, check out this list of Google alternatives.

    3. Identity verification 

    Data misuse typically isn’t a company-wide ploy. Often, it’s the lack of security structure and systems within your company. 

    An important place to start is to ensure proper identity verification for anyone with access to your data.

    4. Access management

    After establishing identity verification, you should ensure you have proper access management set up. For example, you should only give specific access to specific roles in your company to prevent data misuse.

    5. Activity logs and monitoring

    One way to track data misuse or breaches is by setting up activity logs to ensure you can see who is accessing certain types of data and when they’re accessing it.

    You should ensure you have a team dedicated to continuously monitoring these logs to catch anything quickly.

    6. Behaviour alerts 

    While manually monitoring data is important, it’s also good to set up automatic alerts if there is unusual activity around your data centres. You should set up behaviour alerts and notifications in case threats or compromising events occur.

    7. Onboarding, training, education

    One way to ensure quality data management is to keep your employees up to speed on data security. You should ensure data security is a part of your employee onboarding. Also, you should have regular training and education to keep people informed on protecting company and customer data.

    8. Create data protocols and processes 

    To ensure long-term data security, you should establish data protocols and processes. 

    To protect your user data, set up rules and systems within your organisation that people can reference and follow continuously to prevent data misuse.
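
    Steps 4 to 6 above (access management, activity logs, behaviour alerts) applied to a data-access audit log, as an added example that is not part of the original article. The log format, role policy, thresholds and sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed role-to-dataset policy (step 4, access management).
ROLE_DATASETS = {
    "support": {"tickets"},
    "analyst": {"tickets", "orders"},
    "billing": {"orders", "payments"},
}
BULK_RECORDS_PER_HOUR = 500    # assumed alert threshold per user per hour
WORK_HOURS_UTC = range(7, 19)  # assumed working hours, 07:00 to 18:59 UTC

# Assumed activity-log line format (step 5): who touched which data, and when.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) role=(?P<role>\w+) "
    r"action=(?P<action>read|export) dataset=(?P<dataset>\w+) records=(?P<records>\d+)$"
)

# Constructed sample log.
SAMPLE_LOG = """\
2024-05-13T09:02:11Z user=alice role=support action=read dataset=tickets records=3
2024-05-13T09:05:40Z user=alice role=support action=read dataset=payments records=1
2024-05-13T10:00:05Z user=bob role=analyst action=read dataset=orders records=300
2024-05-13T10:40:12Z user=bob role=analyst action=read dataset=orders records=250
2024-05-13T23:17:54Z user=carol role=billing action=export dataset=payments records=40
2024-05-13T11:00:00Z user=dave role=analyst action=delete dataset=orders
"""


def detect(log_text):
    """Return behaviour alerts (step 6) as (rule, user, detail) tuples, in log order."""
    alerts = []
    volume = defaultdict(int)  # (user, hour bucket) -> records accessed
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ") if m else None
        except ValueError:
            ts = None
        if ts is None:
            # A line the parser cannot read is itself worth a look, not a silent skip.
            alerts.append(("unparsed_line", None, f"line {n}"))
            continue
        user, role, dataset = m["user"], m["role"], m["dataset"]

        # Rule 1: dataset outside the role's policy (unknown roles are allowed nothing).
        if dataset not in ROLE_DATASETS.get(role, set()):
            alerts.append(("out_of_role", user, dataset))

        # Rule 2: exports outside working hours.
        if m["action"] == "export" and ts.hour not in WORK_HOURS_UTC:
            alerts.append(("off_hours_export", user, dataset))

        # Rule 3: volume per user per clock hour; alert once when the threshold is crossed.
        bucket = (user, ts.strftime("%Y-%m-%d %H:00"))
        before = volume[bucket]
        volume[bucket] += int(m["records"])
        if before <= BULK_RECORDS_PER_HOUR < volume[bucket]:
            alerts.append(("bulk_access", user, bucket[1]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```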

    Leverage data ethically with Matomo

    Data is everything in business.

    But it’s not something to be taken lightly. Mishandling user data can break customer trust, lead to penalties from organisations and even create legal trouble and massive fines.

    You should only use privacy-first tools to ensure you’re handling data responsibly.

    Matomo is a privacy-friendly web analytics tool that collects, stores and tracks data across your website without breaking privacy laws.

    With over 1 million websites using Matomo, you can track and improve website performance with:

    • Accurate data (no data sampling)
    • Privacy-friendly and compliant with privacy regulations like GDPR, CCPA and more
    • Advanced features like heatmaps, session recordings, A/B testing and more

    Try Matomo free for 21 days. No credit card required.

  • Protecting consumer privacy: How to ensure CCPA compliance

    18 August 2023, by Erin — CCPA, Privacy

    The California Consumer Privacy Act (CCPA) is a state law that enhances privacy rights and consumer protection for residents of California. 

    It grants consumers six rights, like the right to know what personal information is being collected about them by businesses and others. 

    CCPA also requires businesses to provide notice of data collection practices. Consumers can choose to opt out of the sale of their data. 

    In this article, we’ll learn more about the scope of CCPA, the penalties for non-compliance and how our web analytics tool, Matomo, can help you create a CCPA-compliant framework.

    What is the CCPA?

    CCPA was implemented on January 1, 2020. It ensures that businesses securely handle individuals’ personal information and respect their privacy in the digital ecosystem. 

    CCPA addresses the growing concerns over privacy and data protection; 40% of US consumers share that they’re worried about digital privacy. With the increasing amount of personal information being collected and shared by businesses, there was a need to establish regulations to provide individuals with more control and transparency over their data.

    CCPA aims to protect consumer privacy rights and promote greater accountability from businesses when handling personal information.

    Scope of CCPA 

    The scope of CCPA includes for-profit businesses that collect personal information from California residents, regardless of where you run the business from.

    It defines three thresholds that determine the inclusion criteria for businesses subject to CCPA regulations. 

    Businesses need to abide by CCPA if they meet any of the three options:

    1. Revenue threshold: Have an annual gross revenue of over $25 million.
    2. Consumer threshold: Businesses that purchase, sell or distribute the personal information of 100,000 or more consumers, households or devices.
    3. Data threshold: Businesses that earn at least half of their revenue annually from selling the personal information of California residents.

    What are the six consumer rights under the CCPA?

    Here’s a short description of the six consumer rights. 

    1. Right to know: Under this right, you can ask a business to disclose specific personal information they collect about you and the categories of sources of the information. You can also know the purpose of collection and to which third-party the business will disclose this info. This allows consumers to understand what information is being held and how it is used. You can request this info for free twice a year.
    2. Right to delete: Consumers can request the deletion of their personal information. Companies must comply with some exceptions.
    3. Right to opt-out: Consumers can deny the sale of their personal information. Companies must provide a link on their homepage for users to exercise this right. After you choose this, companies can’t sell your data unless you authorise them to do so later.
    4. Right to non-discrimination: Consumers cannot be discriminated against for exercising their CCPA rights. For instance, a company cannot charge different prices, provide a different quality of service or deny services.
    5. Right to correct: Consumers can request to correct inaccurate personal information.
    6. Right to limit use: Consumers can specify how they want the businesses to use their sensitive personal information. This includes social security numbers, financial account details, precise geolocation data or genetic data. Consumers can direct businesses to use this sensitive information only for specific purposes, such as providing the requested services.

    Penalties for CCPA non-compliance 

    52% of organisations have yet to adopt CCPA principles as of 2022. Non-compliance can attract penalties.

    Section 1798.155 of the CCPA states that any business that doesn't comply with CCPA's terms can face penalties based on the consumer's private right of action. Consumers can take the company to civil court directly, without a prosecutor's intervention.

    Businesses get 30 days to make amends for their actions.

    If that’s also not possible, the business may receive a civil penalty of up to $2,500 per violation. Violations can be of any kind, even accidental. An intentional violation can attract a fine of $7,500. 

    Consumers can also initiate private lawsuits to claim damages that range from $100 to $750, or actual damages (whichever is higher), for each occurrence of their unredacted and unencrypted data being breached on a business’s server.

    CCPA vs. GDPR 

    Both CCPA and GDPR aim to enhance individuals’ control over their personal information and provide transparency about how their data is collected, used and shared. The comparison between the CCPA and GDPR is crucial in understanding the regulatory framework of data protection laws.

    Here's how CCPA and GDPR differ:

    Scope

    • CCPA is for businesses that meet specific criteria and collect personal information from California residents. 
    • GDPR (General Data Protection Regulation) applies to businesses that process the personal data of citizens and residents of the European Union.

    Definition of personal information

    • CCPA defines personal information broadly, including identifiers such as IP addresses and households. Examples include name, email ID, location and browsing history. However, it excludes HIPAA-protected medical data, clinical trial data and other personal information from government records.
    • GDPR covers any personal data relating to an identified or identifiable individual, excluding households. Examples include the phone number, email address and personal identification number. It excludes anonymous data and the data of deceased persons.

    Consent

    • Under the CCPA, consumers can opt out of the sale of their personal information.
    • GDPR states that organisations should obtain explicit consent from individuals for processing their personal data.

    Rights

    • CCPA grants the right to know what personal information is being collected and the right to request deletion of their personal information.
    • GDPR also gives individuals various rights, such as the right to access and rectify their personal data, the right to erasure (also known as the right to be forgotten) and also the right to data portability. 

    Enforcement

    • For CCPA, businesses may have to pay $7,500 for each violation. 
    • GDPR has stricter penalties for non-compliance, with fines of up to 4% of the global annual revenue of a company or €20 million, whichever is higher.

    A 5-step CCPA compliance framework 

    Here’s a simple framework you can follow to ensure compliance with CCPA. Alongside this, we’ll also share how Matomo can help. 

    Matomo is an open-source web analytics platform trusted by organisations like the United Nations, NASA and more. It provides valuable insights into website traffic, visitor behaviour and marketing effectiveness. More than 1 million websites and apps (approximately 1% of the internet!) use our solution, and it's available in 50+ languages. Below, we'll share how you can use Matomo to be CCPA compliant.

    1. Assess data

    First, familiarise yourself with the California Consumer Privacy Act and check your eligibility for CCPA compliance. 

    For example, as mentioned earlier, one threshold is purchasing, receiving or selling the personal data of 100,000 or more individuals or households.

    But how do you know if you have crossed 100K? With Matomo!

    Go to last year’s calendar, select visitors, then go to locations and under the “Region” option, check for California. If you’ve crossed 100K visitors, you know you have to become CCPA compliant.

    View geolocation traffic details in Matomo

    Identify and assess the personal information you collect with Matomo.

    2. Evaluate privacy practices

    Review the current state of your privacy policies and practices. Conduct a thorough assessment of data sharing and third-party agreements. Then, update policies and procedures to align with CCPA requirements.

    For example, you can anonymise IP addresses with Matomo to ensure that user data collected for web analytics purposes cannot be used to trace back to specific individuals.

    Using Matomo to anonymize visitors' IP addresses

    If you have a consent management solution to honour user requests for data privacy, you can also integrate Matomo with it. 

    3. Communicate 

    Inform consumers about their CCPA rights and how you handle their data.

    Establish procedures for handling consumer requests and obtaining consent. For example, you can add an opt-out form on your website with Matomo. You can also use Matomo to disable cookies on your website.

    Screenshot of a command line disabling cookies

    Documenting your compliance efforts, including consumer requests and how you responded to them, is a good idea. Finally, educate staff on CCPA compliance and their responsibilities to work collaboratively.

    4. Review vendor contracts

    Assessing vendor contracts allows you to determine if they include necessary data processing agreements. You can also identify if vendors are sharing personal information with third parties, which could pose a compliance risk. Verify if vendors have adequate security measures in place to protect the personal data they handle.

    Review and update agreements so that they include provisions for data protection, privacy and CCPA requirements.

    Establish procedures to monitor and review vendor compliance with CCPA regularly. This may include conducting audits, requesting certifications and implementing controls to mitigate risks associated with vendors handling personal data.

    5. Engage legal counsel

    Consider consulting with legal counsel to ensure complete understanding and compliance with CCPA regulations.

    Finally, stay updated on any changes or developments related to CCPA and adjust your compliance efforts accordingly.

    Matomo and CCPA compliance 

    There’s an increasing emphasis on privacy regulations like CCPA. Matomo offers a robust solution that allows businesses to be CCPA-compliant without sacrificing the ability to track and analyse crucial data.

    You can gain in-depth insights into user behaviour and website performance — all while prioritising data protection and privacy. 

    Request a demo or sign up for a free 21-day trial to get started with our powerful CCPA-compliant web analytics platform — no credit card required. 

    Disclaimer

    We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to CCPA. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.