
Use of web analysis tools

The Norwegian Data Protection Authority has reviewed the use of the web analysis tool Google Analytics by two public agencies.

The findings and conclusions from this review may also be of relevance for other public and private enterprises using analysis tools on their websites.

Why is use of Google Analytics problematic – does it not just entail analysis of impersonal data?

Google Analytics is an analysis tool which collects information, such as IP addresses, regarding visitors to websites. This is collected to allow analysis of the visitors' behaviour during visits to the websites. In many contexts, IP addresses are regarded as a form of personal data. This is because the IP address may be linked to the hardware used and thus make it possible to trace the person who visited the website. Identification of a person via the IP address may also facilitate compilation of this person's web behaviour across various different websites. In the terms of use for Google Analytics, for example, Google states that the IP addresses collected may be used for provision of other services linked to the activity on the website and use of the Internet. In principle, this means that Google may use IP addresses to compile data on visitors across different services owned by Google, for example in order to customise search results and advertisements.

If an enterprise uses an external supplier (processor) to collect and analyse information, it is very important that this enterprise is in control of and has established guidelines for the actions of the data processor. When a public body or a private business uses Google Analytics, the IP addresses of the users are collected by Google (the processor), which then analyses the behaviour of the visitors to the website. If the enterprise accepts the terms of use established by Google for its services, the enterprise will no longer be in control of the information collected regarding the visitors to the website. 

Who is responsible for making sure the analysis tool is in compliance with applicable legislation?

All enterprises using analysis tools on their websites are responsible for making sure such tools are in compliance with regulatory requirements. If an enterprise uses a third party or supplier (processor) to analyse the data collected, the enterprise will still be responsible for ensuring that this processing is in line with the regulatory requirements. If your enterprise uses Google Analytics, for example, Google will be considered the data processor as Google is the party actually processing the information collected. Your enterprise, however, will still be responsible for making sure the personal data is processed in accordance with the applicable legislation.

Which requirements apply for use of web analysis tools?

Enterprises using analysis tools on their websites must make sure all processing of personal data is carried out in accordance with rules and regulations relating to data protection. This entails that:

  • IP addresses collected must be anonymised or changed to ensure visits to the website cannot be traced to specific hardware and thus to a specific person.
  • The information collected is only to be processed for statistical purposes. Enterprises are not to collect any information other than what is necessary for this purpose.
  • Visitors to the website must be informed of which information is collected and processed and how this is done.

Enterprises using another party or supplier, i.e. a data processor, to carry out the analysis on their behalf, will still be responsible for how the processing in question is carried out. This means that:

  • The enterprise must be in control of which information is handled by the processor and how it is handled.
  • The agreement between the enterprise and the processor must ensure that the processing will be in compliance with the Norwegian legislation relating to data protection. The enterprise cannot accept the processor's own terms and conditions unless these are in compliance with Norwegian law.

What action must be taken by enterprises using Google Analytics or similar tools?

The Data Protection Authority recommends that all users of web analysis tools clarify which information is processed and how. If use of the analysis tool is free of charge, there is good reason to question why this is so and what the enterprise in reality has accepted, on behalf of the visitors to the website, by using the tool in question free of charge. The following issues should also be clarified:

  • Is the entire IP address of the visitors processed, or just an anonymised or unidentifiable version?
  • Is the information collected used for purposes other than analysis?
  • Are the visitors to the website informed of which information relating to them is processed and how this is done?

If personal data is not processed in compliance with the regulatory requirements, the enterprise must demand that the tool and procedures be changed. If this request is not complied with, the enterprise must phase out the use of the web analysis tool in question.

What happens if we continue to use Google Analytics?

Both private and public enterprises are obliged to comply with the legislation relating to data protection. The Data Protection Authority may carry out audits to check whether the regulatory requirements are complied with. Such audits will not, however, take place until after the final decision has been made regarding the audit cases involving the Directorate of Taxes and the State Educational Loan Fund. It may take a few months before the final decision is ready. However, all Norwegian enterprises are already requested to evaluate their continued use of tools such as Google Analytics in its current form.

Which information must be provided to the visitors of our website?

The users are entitled to know which personal data is collected, why and what it is used for. The information to the users must be easily available on the enterprise's website.