I look at Google Analytics a lot. I also report on content performance a lot. Something I have noticed a lot is that many websites have URL structures that are not data compliant.
You’re probably wondering how a URL can’t be data compliant. I’ll get to that.
Before I go further I would like to say that this post is not just for Google Analytics users – it is for anyone who is involved in creating websites or changing URLs.
What is data compliance?
Data compliance is when any stored data (either in a physical file or a digital one) follows the Data Protection Act.
The Data Protection Act states that information about a person must follow these rules:
- Information is used fairly and lawfully
- Information is used for limited, specifically stated purposes
- Information is used in a way that is adequate, relevant and not excessive
- Information is accurate
- Information is kept for no longer than is absolutely necessary
- Information is handled according to people’s data protection rights
- Information is kept safe and secure
- Information not transferred outside the UK without adequate protection
Data protection applies to any personal data that can relate to a living individual who can be identified from the data or by combining that data with other data in the possession of the data controller.
Although “Personal data” most commonly refers to traditional data such as names and addresses, in this example I will be talking about e-mail addresses – although it could still apply to a number of other personal data examples.
How can a URL not be Data compliant?
Many websites require the use of an e-mail address for full access to the website for example:
- Logging in
- Placing orders
- Leaving comments
- Using contact Forms
- Subscribing to newsletters
And I have seen a few examples whereby a user has either logged into a website or clicked a link from a newsletter and the URL looks something like this:
http://www.ecommercesite.com/category/item?tag=123&email=first.last@domain.com
Herein lies the issue: a person’s e-mail address is clearly visible within the URL. This is not data compliant due to the following:
- It is unlikely that whenever the user supplied their e-mail address they were told “your e-mail address will be seen in a URL” (not a specifically stated purpose)
- There is no need for an e-mail address to be seen with a URL (data is not used in a relevant manner)
- Data from URLs will be stored as long as any web analytics software that processes URLs (such as Google Analytics and other analytical platforms) are used (data is kept for longer than necessary)
- People who are not relevant to the handling of e-mail addresses (such as Web Analysts) may be able to access this data (data is not handled in accordance to data protection rights)
- Anyone with access to web analytics software that processes URLs can access this data (data is not kept safe and secure)
- Ability to access web analytics software that processes URLs from outside the UK (information can be transferred outside of the UK without adequate protection)
Being unable to comply with the Data Protection Act is a serious offence – for example, fines of up to £500,000 have been issued to companies who do not comply.
How to make sure your URLs are data compliant
If your website currently has an issue like this (You can check by using Google Analytics or other web reporting software that capture URLs) you need to make sure that where your website is capturing e-mail addresses, it either strips the URL of the e-mail address or replaces it with a token.
For example:
http://www.ecommercesite.com/category/item?tag=123
http://www.ecommercesite.com/category/item?tag=123&email=12345
What to do if your URLs did not previously comply with the Data Protection Act
For any data that was previous captured that does not comply with data compliance needs to be destroyed or secured. This may mean:
- Deleting profile on a web analytics software that processes URLs if these sorts of URLs are appearing.
- Loss of historical data before data compliant URLs were processed
- Pull any required reports that do not use these types of URLs and save them elsewhere.
- A new profile may be set up for use by web analysts once URLs comply with the Data Protection Act
- Alternately, if this information is relevant, not excessive and still required, making access to web analytics software that process URLs restricted to the relevant data controllers alone.
- Historical reports will have to be pulled via this person
- A new profile may be set up for use by web analysts once URLs comply with the Data Protection Act
- Deleting any reports created that include URLs with personal data within them
- Make a copy of the report without this information
- If these URLs are relevant to the report, make sure they are stored securely