How to make sure your URLs are data compliant

Emma Barnes

I look at Google Analytics a lot. I also report on content performance a lot. Something I have noticed a lot is that many websites have URL structures that are not data compliant.

You’re probably wondering how a URL can’t be data compliant. I’ll get to that.

Before I go further I would like to say that this post is not just for Google Analytics users – it is for anyone who is involved in creating websites or changing URLs.

What is data compliance?

Data compliance is when any stored data (either in a physical file or a digital one) follows the Data Protection Act.

The Data Protection Act states that information about a person must follow these rules:

  • Information is used fairly and lawfully
  • Information is used for limited, specifically stated purposes
  • Information is used in a way that is adequate, relevant and not excessive
  • Information is accurate
  • Information is kept for no longer than is absolutely necessary
  • Information is handled according to people’s data protection rights
  • Information is kept safe and secure
  • Information is not transferred outside the UK without adequate protection

Data protection applies to any personal data that can relate to a living individual who can be identified from the data or by combining that data with other data in the possession of the data controller.

Although “Personal data” most commonly refers to traditional data such as names and addresses, in this example I will be talking about e-mail addresses – although it could still apply to a number of other personal data examples.

How can a URL not be data compliant?

Many websites require the use of an e-mail address for full access to the website, for example:

  • Logging in
  • Placing orders
  • Leaving comments
  • Using contact forms
  • Subscribing to newsletters

And I have seen a few examples whereby a user has either logged into a website or clicked a link from a newsletter and the URL looks something like this:

http://www.ecommercesite.com/category/item?tag=123&email=[email protected]

Herein lies the issue: a person’s e-mail address is clearly visible within the URL. This is not data compliant due to the following:

  • It is unlikely that whenever the user supplied their e-mail address they were told “your e-mail address will be seen in a URL” (not a specifically stated purpose)
  • There is no need for an e-mail address to be seen with a URL (data is not used in a relevant manner)
  • Data from URLs will be stored for as long as any web analytics software that processes URLs (such as Google Analytics and other analytical platforms) is used (data is kept for longer than necessary)
  • People who are not relevant to the handling of e-mail addresses (such as Web Analysts) may be able to access this data (data is not handled in accordance with data protection rights)
  • Anyone with access to web analytics software that processes URLs can access this data (data is not kept safe and secure)
  • Ability to access web analytics software that processes URLs from outside the UK (information can be transferred outside of the UK without adequate protection)

Being unable to comply with the Data Protection Act is a serious offence – for example, fines of up to £500,000 have been issued to companies who do not comply.

How to make sure your URLs are data compliant

If your website currently has an issue like this (you can check by using Google Analytics or other web reporting software that captures URLs), you need to make sure that, wherever your website is capturing e-mail addresses, it either strips the e-mail address from the URL or replaces it with a token.

For example, with the e-mail address stripped:

http://www.ecommercesite.com/category/item?tag=123

Or with the e-mail address replaced by a token:

http://www.ecommercesite.com/category/item?tag=123&email=12345
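
One way to check for and apply both fixes, as an added example (not code from the original post): it flags URLs that carry an e-mail address, including the percent-encoded `%40` form, then either strips the parameter or replaces its value with a token. Using a keyed hash (HMAC) as the token is an assumption of this example, and the function names, sample URLs and key are constructed for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Loose pattern for spotting e-mail addresses in an audit; not a validator.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def contains_email(url):
    """True if the path or query string holds an e-mail address, even as %40."""
    parts = urlsplit(url)
    return bool(EMAIL_RE.search(unquote(parts.path + "?" + parts.query)))


def tokenise(value, key):
    """Keyed hash: stable per address, not reversible or guessable without the key."""
    digest = hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def clean_url(url, key=None):
    """Drop query parameters holding an e-mail address, or tokenise them if key is set."""
    parts = urlsplit(url)
    kept = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if EMAIL_RE.search(value):  # parse_qsl has already decoded %40 to @
            if key is None:
                continue  # strip the parameter entirely
            value = tokenise(value, key)  # replace the whole value with a token
        kept.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(kept)))


# Constructed sample of page URLs, as they might appear in an analytics export.
SAMPLE_URLS = [
    "http://www.ecommercesite.com/category/item?tag=123",
    "http://www.ecommercesite.com/category/item?tag=123&email=jane.doe@example.com",
    "http://www.ecommercesite.com/newsletter?email=jane.doe%40example.com&src=nl",
]
DEMO_KEY = b"constructed-demo-key"  # assumption: a real key stays secret on the server

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        if contains_email(url):
            print("offending:", url)
            print("  stripped:", clean_url(url))
            print("  tokenised:", clean_url(url, DEMO_KEY))
```

`contains_email` also inspects the URL path, but `clean_url` only rewrites the query string, so an address embedded in a path segment is flagged and still needs fixing where the URL is generated.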

What to do if your URLs did not previously comply with the Data Protection Act

Any previously captured data that does not comply with the Data Protection Act needs to be destroyed or secured. This may mean:

  • Deleting the profile in any web analytics software that processes URLs, if these sorts of URLs are appearing.
    • Loss of historical data before data compliant URLs were processed
    • Pull any required reports that do not use these types of URLs and save them elsewhere.
    • A new profile may be set up for use by web analysts once URLs comply with the Data Protection Act
  • Alternatively, if this information is relevant, not excessive and still required, restricting access to web analytics software that processes URLs to the relevant data controllers alone.
    • Historical reports will have to be pulled via this person
    • A new profile may be set up for use by web analysts once URLs comply with the Data Protection Act
  • Deleting any reports created that include URLs with personal data within them
    • Make a copy of the report without this information
  • If these URLs are relevant to the report, make sure they are stored securely
