GDPR and

What is GDPR?

The General Data Protection Regulation (GDPR) is a new data regulation enacted by the European Union to safeguard the rights of consumers in the EU, superseding the 1995 Data Protection Directive and increasing requirements for data security and privacy beyond the Directive.

The GDPR applies to any business that…

  • Monitors the behavior of individuals in the European Union.
  • Provides services or goods to the EU (including free services), even if based outside the EU. Or…
  • Has an establishment in the EU, regardless of whether it processes personal data of EU citizens.

The GDPR governs the collection, storage, transfer or use of personal data, where “personal data” is defined very broadly to include any information relating to an identified or identifiable individual.

The GDPR gives individuals greater rights and control over personal data about them than under the Directive, by regulating how businesses obtain, handle, store and transfer the personal data they collect. The GDPR also greatly increases fines for breaches and imposes a more rigorous enforcement structure.

Of specific interest for publishers and analytics companies (like are the regulations that deal with the storage, processing, regulation, and grant of consent from users.

Key changes under the GDPR

Here are some of the key changes brought about by the GDPR, compared to current law under the 1995 Data Protection Directive and other privacy-related laws:

  • Expanded rights for individuals: The GDPR provides expanded rights for individuals in the EU by granting them, among other things, the right to be forgotten (“right of erasure”) and the right to request a copy of any personal data stored in their regard (right to “data portability”).
  • Privacy impact assessments and data security: The GDPR requires organizations to conduct privacy impact assessments and implement appropriate data security policies and protocols (“appropriate …to ensure a level of security appropriate to the risk”).
  • Recordkeeping and other compliance obligations: The GDPR requires organizations to keep detailed records on data activities and enter into written agreements with vendors that require vendors to commit to the same compliance obligations as the contracting organizations.
  • Data breach notification: The GDPR requires organizations to report data breaches to data protection authorities within 72 hours of discovery, and in serious cases to the affected individuals.
  • Increased Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred. Also, the GDPR provides a central point of enforcement for organizations with operations in multiple EU member countries.

How did handle GDPR?

underwent a full review of systems and policies in 2017 and early 2018 to achieve GDPR compliance. also published its GDPR-ready terms of service in April, 2018 and its GDPR-ready privacy policy in May, 2018.

Is a “first-party” analytics vendor?

Yes. At, we’ve always taken consumer data privacy and data security seriously since we started operating a large-scale analytics service in 2010.

Although does not rely on the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as a legal basis for transfers of Customer Data in light of the judgment of the European Court of Justice in Case C-311/18, nonetheless we are self-certified under the Privacy Shield, which concerns transfer of data between the EU (and Iceland, Liechtenstein, Norway and Switzerland) and the US and, for as long as we are self-certified to the Privacy Shield, we will process personal data in compliance with the Privacy Shield Principles. We have also worked with several companies in Europe on the privacy requirements to be their first-party analytics vendor of choice.

We avoid storing extraneous data on visitors, only instrumenting sites with collection mechanisms that enhance our first-party reporting capabilities.

All the data that we collect automatically is de-identified. For example, our repeat visitor analytics is based on anonymous, randomized universally unique identifiers (aka UUIDs) that are stored on a per-site basis, and are not linked with any personal identities. We do make use of cookies and IP addresses, as described in our privacy policy and terms of service, but we restrict their use to merely recognizing unique browsers/devices, not as a way to link personal identity or other sensitive personal information.

What changed at under GDPR?

’s Information Security (Infosec) Team performed a full internal audit for compliance with GDPR.

Our Information Security Team evaluated our systems and data storage to ensure GDPR readiness. We designated a dedicated internal team for data protection.

Whether it comes to our own internal data, data prepared and processed for use by our customers, or data collected by visitors to those websites, we now ensure that it meets the appropriate privacy standards set by GDPR.

  • We catalog any Personal Information: We reviewed our systems, products and services to catalog and document the sources, uses, storage and disposal of all internal data, data prepared and processed for use by our customers, or data collected by visitors to those websites. We ensured we have the legal basis for the storage and processing of this information.
  • Enhanced data integrity and security: We adopted security practices that are broadly recognized as industry standard.
  • Consent requirements: We audited for compliance with consent rules for any new data we capture, to ensure we continue to lawfully process personal information that is sent to us by clients, or that we collect ourselves from our own sites and services.
  • Providing visibility and transparency: As a data processor, we must provide our customers (the data controllers) with access to effectively manage and protect their data. We are also exploring product enhancements to provide better transparency, in order to also provide all reasonable assistance to our customers to comply with their own transparency and data rights access obligations.
  • Data Transfers between EU/Switzerland and the US: We previously certified under the EU/Swiss-US Privacy Shield program, which concerns transfers of data between the EU (and Iceland, Liechtenstein and Norway) and Switzerland, on the one hand, and the United States. Although does not rely on the Privacy Shield Framework as a legal basis for transfers of personal data in light of the judgment of the European Court of Justice in Case C-311/18, nonetheless for as long as we are self-certified to the Privacy Shield we will continue to comply with Privacy Shield and other applicable requirements under the GDPR governing data processing involving these types of data transfers.

Security and Privacy

At, we’ve always focused on a privacy-minded implementation of analytics: in many ways, the GDPR’s articles are a welcome codification of practices our engineering teams already follow. But, we used the GDPR to ensure all the details are covered.

One key aspect of this is system security. We made sure that the data we hold is kept in safe and secure hands, and that our security policies and software are up to date with industry standard best practices.

As for privacy, we’ve always been a privacy-first company; we’ve long had additional privacy measures, such as limiting IP Address collection and Third-Party Cookies on customer request, even before it was mandated by any privacy agency. We allow customers to control the data they send to us: a customer’s development team can send along in our tracking pixel only the minimum information necessary to do analytics properly, which makes us an attractive option already for security and privacy-conscious publishers and clients.

Our public stance on analytics and privacy can be found in a piece of writing by our Chief Technology Officer, entitled “Analytics and Privacy Without Compromise.”

Data Protection Team

We created a Data Protection Team which is focused on engineering improvements to our systems, processes and our products to comply with the standards required by the GDPR.

This team focused on organizational changes for handling data protection issues, including compliance with consent and other requirements for how to lawfully collect personal data; improvements to systems and processes to comply with rights of individuals to access, review, correct or delete any personal data that is processed in our systems; ensuring that our own data collection privacy disclosures and data processing agreements are revised, as necessary; and, improving disaster response procedures and notification processes for responding to potential data breaches.

All organizations processing personal data of EU citizens have their own separate compliance obligations. This is true for our customers as much as it is for us, and our customers must look to their own advisers to guide them through these processes.

Nonetheless, in relation to our customers’ use of our systems and services, there are several important things our customers should be doing to meet their own GDPR compliance obligations:

  • Update terms of service and privacy policies: On your websites or apps, these should be updated to communicate to your own customers and other users how you are using our systems (and any other similar services). These disclosure obligations are more important than ever under the GDPR, including the important obligation to be transparent about the third parties (including us) with whom you are sharing personal data of your users.
  • Confirm consent requirements: As the data controller, customers have ultimate control over the data we store and process for our customers’ monitored domains and apps. Customers need to manage their visitor/user experience to make sure they have robust privacy notices and, where necessary, implement compliant consent experiences.
  • Formalize data “processor” relationship: Our customer contracts contain appropriate provisions for the personal information we store, and balance the risks and responsibilities between our customers (the data “controllers”) and us (the data “processor”). If you have an older offline contract with, we ask that you sign or update a contract with us incorporating terms to clearly establish our respective data processing roles, in compliance with the GDPR and other generally acceptable privacy laws. This reflects our role as a data “processor” under the GDPR, processing data on your behalf as the data “controller”. Our standard product terms as of May, 2018 already incorporate this language.

Note on CCPA

In January 2020, also achieved compliance with CCPA, the regulation related to data privacy for the US state of California. We have information about CCPA available here. It is often convenient to achieve legal compliance with GDPR and CCPA at the same time, since both regulations concern personal information/data of internet visitors, including disclosures, access rights, and so on.

Reach out for help

considers it a core operational responsibility to ensure first-party analytics is used responsibly and within the guidelines set by GDPR and other privacy frameworks.

We ask that customers reach out to their account representative if they need the direct help of our Infosec Team or our Data Protection Team.

Last updated: December 02, 2022