Some popular services of various kinds (such as for analytics or heat mapping purposes) make the claim that their services do not collect personal data. This means that whenever users navigate a website or use an app that such services are integrated into, their personal data is not collected and processed by that service.
When these claims are usually made in two distinct cases:
- Where these services actually do not collect any personal data at all.
- Where the personal data is anonymized before it’s collected in such a way that it doesn’t allow the user to be identified. This anonymization can be done in various ways, for example, by hashing.
Hashing is a procedure by which given data (such as an e-mail address or an IP address) is processed automatically via an algorithm into a unique sequence of values (numbers and letters). These cryptographic hash functions cannot be reversed: once the hashed output is generated, there is virtually no way to invert the function in order to re-generate the source information. If you’d to know more technical details about this, you can read Opinion 05/2014 on Anonymisation Techniques released by the former Article 29 Data Protection Working Party.
Let’s take a look at how these cases are treated by the GDPR and ePrivacy below.
Furthermore, considering the general principle of transparency (via Articles 5 & 12 of the GDPR), services that do not collect personal data should not be mentioned – as this could mislead users into thinking that those services do collect and process personal data.
With consideration to the above, we’ve adopted a policy of not adding such services to the generator. To clarify, these services can still be added as a custom service if you’d like, but we do not offer them as standard (pre-built) integration.
Which services fall within this category?
Currently, we’ve determined that the following services fall under this policy:
The above reasoning does not equally apply to cookie policies. In this case, EU law requires website or app providers to disclose any cookies or similar tracking technologies, regardless of whether they collect and process personal data or not. This approach has been confirmed most recently by the European Court of Justice in its Planet49 decision.
*Not sure what cookie “similar technologies” are? Read what the UK’s Data Protection Authority has to say about them here.