FouAnalytics is a GDPR-Compliant Alternative to Google Analytics
TL;DR
- no PII ever
- no cookies ever
- in EU we discard IP addresses, no data transfer out of EU
- data not used for any other purpose outside of FouAnalytics
- clients may ask to delete data at any time
GDPR Experts Reviewed FouAnalytics
Many thanks to Allen Woods, Pia Tesdorf, Johnny Ryan, Hessie Jones, Jana Krahforst, and other data protection officers and GDPR practitioners for your guidance, discussions and recommendations over the years regarding privacy and data protection. I consider myself a privacy advocate. Since the very beginning of the development of FouAnalytics in 2012, I made the commitment to protect privacy. This took the form of 1) never collecting any PII ("personally identifiable information"), 2) only collecting anonymous JavaScript parameters from browsers, 3) never setting cookies, and 4) never using the collected data for any purpose other than determining "bot or not." These decisions were made well before GDPR. Now, 10 years later, FouAnalytics is in a strong position, given the passage of the General Data Protection Regulation ("GDPR") and the beginnings of its enforcement around the world.
Source documents:
Allen Woods pointed me to the three key source documents above. I will focus my comments below on the Danish finding that "use of Google Analytics... involves transfers of personal data of website visitors to Google in the US in non-compliance with data protection law" and how FouAnalytics addresses the key points plus others.
How FouAnalytics Complies with Privacy Regulations
Let me start this section by inviting other GDPR practitioners, privacy professionals, and data protection officers to chime in and challenge my assumptions and assertions below. I very well may have missed something and I am willing to learn and make adjustments.
For European Union customers, FouAnalytics is served from our datacenter in Frankfurt, Germany. The anonymous JavaScript parameters collected from browsers are written to that datacenter. No data leaves the EU; specifically, no raw data is transferred to the U.S. All the data is processed locally in the Frankfurt datacenter.
For EU users, FouAnalytics discards the IP address entirely, which is considered PII under the German interpretation of GDPR. The IP address is not merely anonymized or truncated for pseudonymization purposes; it is discarded entirely. FouAnalytics discards the HTTP_USER_AGENT as well. Neither the IP address nor the HTTP_USER_AGENT is critical to the primary function of FouAnalytics, which is to label a visit "bot or not." In fact, bots can convincingly spoof the user agent, and bots can disguise the origin of their traffic (IP address) by routing it through residential proxy services. Both HTTP_USER_AGENT and IP address are unreliable signals for fraud detection.
As stated above, no PII is ever collected or needed for fraud detection or to label a visit "bot or not." None of the data is pseudonymized, because it is entirely anonymous to begin with. It is collected from the browser at the moment the JavaScript code executes and is not derived from any other previously collected dataset.
The company that operates FouAnalytics does not have other lines of business, like ad targeting, ad exchanges, data selling, etc. The data will not be used for any purpose other than labeling a visit "bot or not." The data will not be permitted to be combined with other data sets, to prevent any possibility of re-identification of users. The data lacks key-value pairs that would be necessary for any re-identification.
As stated above, FouAnalytics does not set cookies for cross-session tracking. Cross-session tracking is not used or needed for determining "bot or not." You can use urlscan.io to check for yourself (screenshot below).
All data is protected in transit and at rest. When data is written back to the server -- in transit -- it is encoded with a custom-built, continuously rotating encoding (every visit is encoded differently), in addition to being protected by standard HTTPS. When the data is stored -- at rest -- it is protected by standard database and server security.
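To make the collection design described above concrete, here is an added Python illustration of the data-minimization pattern (IP address, HTTP_USER_AGENT and cookies are discarded unread, only an allow-list of anonymous browser parameters is kept, and the beacon reply sets no cookie). It is not FouAnalytics's own code; the beacon parameter names and the WSGI-style request shape are assumptions made for this example.

```python
from urllib.parse import parse_qs

# Anonymous browser parameters the beacon may carry (names assumed for this example):
# screen width/height, timezone offset, navigator.webdriver flag, language, plugin count.
ALLOWED_FIELDS = frozenset({"sw", "sh", "tz", "wd", "lang", "pl"})

# WSGI/CGI variables that identify the visitor; read for nothing and never stored.
IDENTIFYING_VARS = ("REMOTE_ADDR", "HTTP_X_FORWARDED_FOR", "HTTP_USER_AGENT", "HTTP_COOKIE")


def minimize_beacon(environ):
    """Build the record that would be written to the datacenter.

    Only allow-listed query parameters survive; the IP address, user agent and
    cookies are discarded outright rather than truncated or hashed, so nothing
    stored can be joined back to a person. Returns (record, dropped) so that
    what was discarded is auditable."""
    params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    record = {k: v[0] for k, v in params.items() if k in ALLOWED_FIELDS}
    dropped = sorted(k for k in params if k not in ALLOWED_FIELDS)
    dropped += [v for v in IDENTIFYING_VARS if v in environ]
    return record, dropped


def beacon_response():
    """Headers for the beacon reply: no Set-Cookie, and the reply is not cached."""
    return [("Content-Type", "text/plain"), ("Cache-Control", "no-store")]


def sets_cookie(headers):
    """True if a response would set a cookie; usable on any analytics endpoint's reply."""
    return any(name.lower() == "set-cookie" for name, _ in headers)


# Constructed sample request: a visitor's beacon plus the identifying server variables.
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_USER_AGENT": "Mozilla/5.0 (constructed)",
    "HTTP_COOKIE": "sid=abc123",
    "QUERY_STRING": "sw=1920&sh=1080&tz=-60&wd=0&lang=de-DE&email=a%40b.example&uid=42",
}

if __name__ == "__main__":
    rec, gone = minimize_beacon(SAMPLE_ENVIRON)
    print(rec)   # {'sw': '1920', 'sh': '1080', 'tz': '-60', 'wd': '0', 'lang': 'de-DE'}
    print(gone)  # ['email', 'uid', 'REMOTE_ADDR', 'HTTP_USER_AGENT', 'HTTP_COOKIE']
    print(sets_cookie(beacon_response()))  # False
```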
Because FouAnalytics does not collect any PII from users and is an essential tool for the site owner to assess whether visitors are "bot or not," I believe that FouAnalytics can be run on a site without gathering consent from visitors.
FouAnalytics is a GDPR-Compliant Alternative to Google Analytics?
In the course of 2022, several decisions have been issued in Austria, France, Denmark, and Italy in cases concerning the use of Google Analytics. If, in the future, Google Analytics is deemed illegal and must be removed, I believe that FouAnalytics could serve as a GDPR-compliant alternative. After reading the above, what do you think?
Privacy-practitioners, please challenge me on any or all of the above.
PageXray versus FouAnalytics for Sites and Digital Media
Since some of you raised this question: the above mainly deals with FouAnalytics, the analytics product for websites and digital ads. Privacy professionals may be familiar with PageXray by FouAnalytics, which is a different tool.
PageXray analyzes a webpage by loading it in a headless Chrome browser. All of the JavaScript is allowed to execute so we can see what is loaded into the page by JavaScript. These are the ads and trackers that you cannot see when you "view source," because their code is not installed directly on the page itself.
FouAnalytics is the analytics platform for websites and digital ads. See the following two articles for screenshots and examples of how advertisers and publishers use FouAnalytics.
How Site-Owners Use FouAnalytics to Troubleshoot Bot Traffic
How to use FouAnalytics to Scrutinize Clicks from Programmatic Campaigns
As Tash Whitaker pointed out, you should not talk about PII but about personal data under GDPR, which has a different scope. I have been using your great tool for a long time. Allen Woods used to be convinced websites could not function without cookies. Now cookies are not all. Tracking will be diverted towards JavaScript, I guess. ePrivacy concerns any tracking device. Waiting to see what the new Brave's promise will be. I so hate cookies.
Founder & CEO at Com Olho | Crowdsourced security that never sleeps
2 years
We should leave this race, and build our own system.
FouAnalytics - "see Fou yourself" with better analytics
2 years
Note that bots give consent, because they want to cause the ads to load. Alexander Hanff, is it OK for FouAnalytics to measure bots (software programs) that give consent to tracking and ads? I assume so.
FouAnalytics - "see Fou yourself" with better analytics
2 years
How Site-Owners Use FouAnalytics to Troubleshoot Bot Traffic https://www.dhirubhai.net/pulse/how-site-owners-use-fouanalytics-troubleshoot-bot-dr-augustine