What is GDPR?

The General Data Protection Regulation (GDPR) is a new data regulation enacted by the European Union to safeguard the rights of consumers in the EU, superseding the 1995 Data Protection Directive and increasing requirements for data security and privacy beyond the Directive.

The GDPR applies to any business that...

  • Monitors the behavior of individuals in the European Union.
  • Provides services or goods to the EU (including free services), even if based outside the EU. Or...
  • Has an establishment in the EU, regardless of whether processing personal data of EU citizens.

The GDPR governs the collection, storage, transfer or use of personal data, where "personal data" is defined very broadly to include any information relating to an identified or identifiable individual.

The GDPR gives individuals greater rights and control over personal data about them than under the Directive, by regulating how businesses obtain, handle, store and transfer the personal data they collect. The GDPR also greatly increases fines for breaches and imposes a more rigorous enforcement structure.

Of specific interest for publishers and analytics companies (like are the regulations that deal with the storage, processing, regulation, and grant of consent from users.

Key changes under the GDPR

Here are some of the key changes brought about by the GDPR, compared to current law under the 1995 Data Protection Directive and other privacy-related laws:

  • Expanded rights for individuals: The GDPR provides expanded rights for individuals in the EU by granting them, among other things, the right to be forgotten ("right of erasure") and the right to request a copy of any personal data stored in their regard (right to "data portability").

  • Privacy impacts assessments and data security: The GDPR requires organizations to conduct privacy impact assessments, implement appropriate data security policies and protocols ("appropriate ensure a level of security appropriate to the risk").

  • Recordkeeping and other compliance obligations: The GDPR requires organizations to keep detailed records on data activities and enter into written agreements with vendors that require vendors to commit to the same compliance obligations as the contracting organizations.

  • Data breach notification: The GDPR requires organizations to report data breaches to data protection authorities within 72 hours of discovery, and in serious cases to the affected individuals.

  • Increased Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company's annual global revenue, based on the seriousness of the breach and damages incurred. Also, the GDPR provides a central point of enforcement for organizations with operations in multiple EU member countries.

When will be compliant?

Starting in 2017, underwent a full review of systems and policies to ensure GDPR compliance, and will have full GDPR compliance by the May 2018 deadline.

In what ways is already prepared?

At, we've always taken consumer data privacy and data security seriously since we started operating a large-scale analytics service in 2010.

We are self-certified under the EU-US Privacy Shield, which concerns transfer of data between the EU and US. We have also worked with several companies in Europe on the privacy requirements to be their first-party analytics vendor of choice.

We avoid storing extraneous data on visitors, only instrumenting sites with collection mechanisms that enhance our first-party reporting capabilities.

All the data that we do collect is de-identified. For example, our repeat visitor analytics is based on anonymous, randomized universally unique identifiers (aka UUIDs) that are stored on a per-site basis, and are not linked with any personally identifiable information. Further, the automatic collection of some web browser data, such as IP Addresses and Third-Party Cookies, can be explicitly disabled by customers, as described in our Privacy Considerations. Many of our EU customers already disable these two mechanisms to further ensure that web browser data cannot be linked to PII via third party datasets.

What plans does have for compliance?'s Information Security (Infosec) Team is doing a re-evaluation of our compliance with GDPR.

Our Information Security Team is evaluating our systems and data storage to ensure GDPR readiness. We have designated a dedicated internal team to drive our company to meet GDPR requirements. Whether it comes to our own internal data, data prepared and processed for use by our customers, or data collected by visitors to those websites, we will ensure that it meets the appropriate privacy standards set by GDPR.

  • Identifying personal data: We are reviewing our systems, products and services to identify and document the sources, uses, storage and disposal of all internal data, data prepared and processed for use by our customers, or data collected by visitors to those websites.

  • Enhancing data integrity and security: We're also exploring different standardized security practices that are broadly recognized as industry standard to have an easy point of reference for our clients. We will also publicize our security, privacy, and data storage practices for the benefit of our customers.

  • Consent requirements: We are ensuring compliance with consent and other requirements for how to lawfully collect personal data.

  • Providing visibility and transparency: As a data processor, we must provide our customers (the data controllers) with access to effectively manage and protect their data. We are exploring product enhancements to provide better transparency, in order to also provide all reasonable assistance to our customers to comply with their own transparency and data rights access obligations.

  • Data Transfers between EU/Switzerland and the US: We previously certified under the EU/Swiss-US Privacy Shield program, which concerns transfers of data between the EU and Switzerland, on the one hand, and the United States. We will continue to comply with Privacy Shield and other applicable requirements under the GDPR governing data processing involving these types of data transfers.

Here are some of the ways that we're preparing for GDPR compliance by May 2018.

Ensuring security and privacy

At, we've always focused on a privacy-minded implementation of analytics: in many ways, the GDPR's articles are a welcome codification of practices our engineering teams already follow. But, we are using the GDPR to ensure all the details are covered.

One key aspect of this is system security. We're making sure that the data we hold is kept in safe and secure hands, and that our security policies and software are up to date with industry standard best practices.

As for privacy, we've always been a privacy-first company; we've long had additional privacy measures, such as turning off IP address collection and Third-Party Cookies on customer request, even before it was mandated by any privacy agency. We allow customers to control the data they send to us: a customer's development team can send along in our tracking pixel only the minimum information necessary to do analytics properly, which makes us an attractive option already for security and privacy-conscious publishers and clients.

Our public stance on analytics and privacy can be found in a piece of writing by our Chief Technology Officer, entitled "Analytics and Privacy Without Compromise.".

Forming a data protection team

We created a Data Protection Team which is focused on engineering improvements to our systems, processes and our products to comply with the standards required by the GDPR.

This team is focused on organizational changes for handling data protection issues, including compliance with consent and other requirements for how to lawfully collect personal data; improvements to systems and processes to comply with rights of individuals to access, review, correct or delete any personal data that is processed in our systems; ensure that our own data collection privacy disclosures new data processing agreements, as necessary; and, improving disaster response procedures and notification processes for responding to potential data breaches.

What Should Our Customers be Doing (as relates to use of's


Of course, all organizations processing personal data of EU citizens have their own separate compliance obligations. This is true for our customers as much as it for us, and our customers must look to their own advisers to guide them through these processes. Nonetheless, in relation to our customers' use of our systems and services, there are several important things our customers should be doing to meet their own GDPR compliance obligations:

  • Update terms of service and privacy policies: On your websites or apps, these should be updated to communicate to your own customers and other users how you are using our systems (and any other similar services). These disclosure obligations are more important than ever under the GDPR, including the important obligation to be transparent about the third parties (including us) with whom you are sharing personal data of your users.

  • Consent requirements: As the data controller, customers have ultimate control over the data we store and process for our customer's monitored domains and apps. Customers need to manage their visitor/user experience to make sure they have robust privacy notices and, where necessary, implement compliant consent experiences.

  • Data "processor" relationship: Our customer contracts contain appropriate provisions for personal data we store, and balance the risks and responsibilities between our customers (the data "controllers") and us (the data "processor"). If you are in the EU, we ask that you sign or update a contract with us incorporating terms to clearly establish our respective data processing roles, in compliance with the GDPR and other generally acceptable privacy laws. This reflects our role as a data "processor" under the GDPR, processing data on your behalf as the data "controller".

Reach out for help considers it a core operational responsibility to ensure first-party analytics is used responsibly and within the guidelines set by GDPR and other privacy frameworks.

We ask that customers reach out to their account representative if they need the direct help of our Infosec or Data Protection teams.

Do you have an urgent support question?