Statcounter and the GDPR
NOTE: This article is for informational purposes only. This article is not, nor is it intended to be, legal advice and should not be considered as such.
Statcounter is an anonymous web tracking service. We don't attempt to identify an individual person . Our focus is on what visitors to your website do, not who that visitor is.
The GDPR deals with the regulation of personal data. If you are not storing personal data then much of the GDPR will not apply.
We have identified two areas where users may be storing personal data and need to modify behaviour.
IP Labels and Custom Tags
We will no longer allow any personal data to be stored in our IP labels or custom tags.
GDPR and IP addresses
The GDPR makes it clear that an ip address and other cookie identifiers may be considered personal data.
(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.
However, for an IP address and other identifiers to be considered personal information, a user must be able to identify the person behind the IP address. As a regular user of Statcounter is not able to do that, an IP address should not be treated as personal data. There is legal precedent for this in the Irish High Court. They made the eminently sensible ruling that in the hands of an ISP (who controls that ip address range) that should be considered personal data, however in the hands of a record company who can't identify the individual behind the ip address it should not be considered personal data.
Irish High Court Ruling in EMI Records & Ors -v- Eircom Ltd
If an IP address were to be treated as personally identifiable information for all users it would have a number of bad effects.
a) The internet cannot work under GDPR if an ip address is always considered personal data. Under GDPR you can only store personal data with the permission of the user. You can't connect to a website without giving your IP address to the web server. If the web server can't store the IP address without first getting permission, then the initial connection to the website cannot happen.
b) If ip addresses were treated as personal data it would make defending your website and advertising budget from bot networks and click fraud rings extremely difficult. The IP address is the crucial piece of information required to detect, investigate and defend against many kinds of attacks, and a bot network is not going to give you permission to store its IP address.
We would strongly support the argument that in the hands of an ISP who control that ip address range, that is personal data but in the hands of anybody else who cannot relate that IP address back to a person it should not.
If for your organisation, an IP address does constitute personal data, then you can turn on the "mask ip address" setting available in project settings. This will remove the last octet of the ip address. e.g. 184.108.40.206 would become 203.102.102.*
Answers to other GDPR questions
How do I set the length of time that my visitor data is stored with you?
This can be set at https://statcounter.com/log-quota/.
Please see this article.