The findings and conclusions from this review may also be of relevance for other public and private enterprises using analysis tools on their websites.
Why is use of Google Analytics problematic – does it not just entail analysis of impersonal data?
Who is responsible for making sure the analysis tool is in compliance with applicable legislation?
All enterprises using analysis tools on their websites are responsible for making sure such tools are in compliance with regulatory requirements. If an enterprise uses a third party or supplier (processor) to analyse the data collected, the enterprise will still be responsible for ensuring that this processing is in line with the regulatory requirements. If your enterprise uses Google Analytics, for example, Google will be considered the data processor as Google is the party actually processing the information collected. Your enterprise, however, will still be responsible for making sure the personal data is processed in accordance with the applicable legislation.
Which requirements apply for use of web analysis tools?
Enterprises using analysis tools on their websites must make sure all processing of personal data is carried out in accordance with rules and regulations relating to data protection. This entails that:
IP addresses collected must be anonymised or changed to ensure visits to the website cannot be traced to specific hardware and thus to a specific person.
The information collected is only to be processed for statistical purposes. Enterprises are not to collect any information other than what is necessary for this purpose.
Visitors to the website must be informed of which information is collected and processed and how this is done.
Enterprises using another party or supplier, i.e. a data processor, to carry out the analysis on their behalf will still be responsible for how the processing in question is carried out. This means that:
The enterprise must be in control of which information is handled by the processor and how it is handled.
The agreement between the enterprise and the processor must ensure that the processing will be in compliance with the Norwegian legislation relating to data protection. The enterprise cannot accept the processor's own terms and conditions unless these are in compliance with Norwegian law.
What action must be taken by enterprises using Google Analytics or similar tools?
The Data Protection Authority recommends that all users of web analysis tools clarify which information is processed and how. If use of the analysis tool is free of charge, there is good reason to question why this is so and what the enterprise in reality has accepted, on behalf of the visitors to the website, by using the tool in question free of charge. The following issues should also be clarified:
Is the entire IP address of the visitors processed, or just an anonymised or unidentifiable version?
Is the information collected used for purposes other than analysis?
Are the visitors to the website informed of which information relating to them is processed and how this is done?
If personal data is not processed in compliance with the regulatory requirements, the enterprise must demand that the tool and procedures be changed. If this request is not complied with, the enterprise must phase out the use of the web analysis tool in question.
What happens if we continue to use Google Analytics?
Both private and public enterprises are obliged to comply with the legislation relating to data protection. The Data Protection Authority may carry out audits to check whether the regulatory requirements are complied with. Such audits will not, however, take place until after the final decision has been made regarding the audit cases involving the Directorate of Taxes and the State Educational Loan Fund. It may take a few months before the final decision is ready. However, all Norwegian enterprises are already requested to evaluate their continued use of tools such as Google Analytics in its current form.
Which information must be provided to the visitors of our website?
Users are entitled to know which personal data is collected, why and what it is used for. This information must be easily available to users on the enterprise's website.