Brian McKeiver's Blog

Handle 3rd Party Analytics Scripts in a GDPR World with Kentico EMS


With the May 25th 2018 GDPR deadline looming it seems like every third email in my inbox is about either a privacy policy change, or a client asking for information about how to handle GDPR on their Kentico website. More than one of those emails has asked me how to handle GDPR compliance when it comes to analytics tracking scripts like Google Tag Manager, Universal Analytics, or Marketo. This is a bit of a sticky situation in my mind because the personal data is not exactly stored in the Kentico website, but the website definitely serves the JavaScript code that starts to track the person. As far as I can tell, this is still very much a GDPR issue that you can't just ignore if you want to stay in compliance.


GDPR Deadline is May 25 2018


Now, Kentico 11 has a great new Data Protection app that makes it easy to handle GDPR compliance compared to most CMSs. However, the fully built-in features are targeted mostly at Kentico functionality like Kentico E-Commerce, Kentico Analytics, and Kentico Activity Tracking. So I thought I would try out the new Data Protection functionality of tracking and applying consents on third party services instead.


Kentico 11's Data Protection App

Since last year, Kentico has spent a ton of resources on understanding and supporting GDPR in Kentico CMS. The main feature that was added as of Kentico 11 was the new Data Protection application. This application serves as the primary tool in Kentico that gives website administrators the ability to generate and track Consents, handle the governance of Data Portability, and handle the Right to Access and Right to be Forgotten features that a GDPR compliant website requires. In my opinion, these features are best in class when it comes to supporting the request from a Data Subject who wants to see everything that the website knows about their personal information and/or erase that personal information.


Kentico 11 Data Protection App


I'm not going to cover all of these features in this blog post, because it would be way too big of a job. However, one thing to be aware of is that these features are mostly geared towards the Kentico Portal Engine development methodology from the "front-end" perspective. What I mean here is that using the tools of the Data Protection app means using Kentico Web parts and Kentico Macros, which doesn't help the MVC "story". Using Kentico's Data Protection features is something that you could achieve in the preferred MVC model, however you will have more work to do. It's not the end of the world for MVC developers though, as the good news is that the API and admin screens are all still there for you to leverage.



The Setup

Next, I will illustrate how you can use parts of the system to achieve compliance with serving third party scripts. To do this you must meet the baseline requirements of having Kentico 11 EMS installed and licensed, using the Portal Engine on your site, and having Online Marketing enabled the correct way. Once you have that you will also need to have the third party script code that you want to load on your site. For the remainder of this example blog post I am going to use the excellent Siteimprove Analytics tracking code.

Pro Tip: Haven't heard of Siteimprove? Or do you currently use Siteimprove? Then you should check out my team's Siteimprove for Kentico extension. It's a free add-on to Kentico that bridges the gap between Kentico and Siteimprove.


The first step that most people take to add custom analytics code is to use the Head Html web part on the Master page template of their Kentico site. This web part simply adds whatever HTML you want into the head section of every page of the site. It's very easy to do this. Simply edit your site's Master page, and click the add web part button in any web part zone on the Master page. Choose the Head Html web part and click OK to add it. When the web part's property dialog is open, paste your tracking code into the Head Html code property box.


Kentico 11 Html Head Web Part


Click the Save & Close button to commit the change to the template. You now have the tracking code rendering on every page of your site that uses this Master page, to every visitor who comes across your site. Back before GDPR compliance this was good enough, but not now.

The second step is to set up a way to make sure the tracking code is only rendered to visitors who have given their consent to be tracked. Now we must open the Data Protection app from the Kentico menu and navigate to the Consents tab. This is where we can set up a unique consent that is specific to managing our users' consent to having activities tracked via the Siteimprove code. Click on the New Consent button and give it a unique display name and code name. Remember the code name, we will need that later.


Kentico11 New Consent


After that you can edit the Consent to have a short description and long description. The two description texts can be used to identify the details of the consent on, say, your privacy policy page, or even contain the full legal disclosure of the consent. It's up to you (and your legal team). Basically, the new Consent you created is the way Kentico relates each visitor's acknowledgement of opting in to giving permission to be tracked. You can add as many or as few of these Consents as you need. Just remember that each one needs to be explicit to the purpose for which you are using the personal information. You cannot have one single consent that covers every single feature of the site and every single possible way that personal information will be used. That would violate the GDPR's principles of purpose limitation and data minimization.


Kentico 11 Edit Consent Text


The third step is to now go back to your Head Html web part and change the Enabled condition. Go back and edit the web part, and click the small black arrow next to the Enabled property. That should open up the Macro editor and let you copy in this macro:

{% (OnlineMarketingContext.CurrentContact.AgreedWithConsent("SiteimproveAnalyticsConsent")) #%}


Click on Save & Close and move to the next step. It should look like:


Kentico 11 Head Html Enabled Condition


The last part of the solution is to use the newly rebuilt Cookie law and tracking consent web part that ships with version 11. This web part is what ties together the ability that Kentico has to gather and manage consent for each Online Marketing Contact that visits the site. Just like the Head Html web part, go ahead and add one of these to your Master page as well.


Kentico 11 Cookie Law Consent Web Part


Once that is placed, the properties dialog should again appear and present you with a few options (few being a ton of them!). For the most part, if you want a simple scenario like the one we are trying to achieve, you can leave many of the properties alone. To get the simple behavior of asking for consent from people who have not agreed to the terms, and hiding the message if they have, I configured the properties as the screenshots below show. Remember the most important thing is to tie the correct Consent that you created in the second step above to the Tracking consent web part property.


Kentico 11 Cookie Law Consent Web Part Properties


This is the web part that really handles the Consent text at the top or bottom of your website notification area. This was originally slightly misleading to me because I thought that was the actual Consent short description text field, but it turned out it is the web part's Exact level behavior -> Text property instead. Save and close that web part and now it is time to start testing the solution out. 



The Results

It is somewhat easy to test the solution. When you load the live site, a message will appear asking visitors for consent to track their activities based on the text you have configured. Note this is the Dancing Goat starter site that has some CSS and HTML already created to show the messages at the top of the screen. You may have to add this to your site as well (the look and feel part).


Kentico 11 Sample Header


While viewing the source we can confirm that the Siteimprove analytics script is not being loaded, like so:


Kentico 11 Source Code No Script


After the user clicks on the allow cookies button the message can optionally change to show the tracking is enabled:


Kentico 11 Sample Header Consent Given


And again viewing the source of the page now shows that the script is being correctly rendered to the page. 


Kentico 11 Source Code With Script


With this solution in place we are now properly asking for and receiving consent before any personal information is being collected and sent to the third party service.
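
The view-source check above can be automated. The following is an added example (not code from the original post or from Kentico) that scans page source for tracker hosts both in script src attributes and inside inline loader snippets, which is how the Siteimprove code is injected. The host list, the two sample pages and the account id are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed audit list of third-party tracker hosts; extend it for your site.
TRACKER_HOSTS = ("siteimproveanalytics.com", "googletagmanager.com",
                 "google-analytics.com", "munchkin.marketo.net")

class TrackerScan(HTMLParser):
    """Record tracker hosts seen in <script src> and in inline script text."""
    def __init__(self):
        super().__init__()
        self.hits = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        # urlparse also handles protocol-relative URLs such as //host/path.
        host = (urlparse(dict(attrs).get("src") or "").hostname or "").lower()
        for tracker in TRACKER_HOSTS:
            if host == tracker or host.endswith("." + tracker):
                self.hits.add(("src", tracker))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Loader snippets inject the script at runtime: no src attribute to find.
        if self._in_script:
            for tracker in TRACKER_HOSTS:
                if tracker in data.lower():
                    self.hits.add(("inline", tracker))

def find_trackers(html):
    """Return a sorted list of (where, host) tracker references in the page."""
    scan = TrackerScan()
    scan.feed(html)
    scan.close()
    return sorted(scan.hits)

# Constructed page sources: what a visitor gets before and after agreeing.
BEFORE_CONSENT = '<html><head><script src="/Scripts/site.js"></script></head></html>'
AFTER_CONSENT = BEFORE_CONSENT.replace("</head>", """<script>(function() {
  var sz = document.createElement('script'); sz.async = true;
  sz.src = '//siteimproveanalytics.com/js/siteanalyze_0000000.js';  // placeholder id
  document.head.appendChild(sz); })();</script></head>""")

if __name__ == "__main__":
    print(find_trackers(BEFORE_CONSENT), find_trackers(AFTER_CONSENT))
```

Run against the HTML your site returns to a fresh session, find_trackers should come back empty until the consent has been given.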



There you have it. This is one approach you can use to handle third party JavaScript tracking code for your Kentico site. There are other ways as well. For example, with Google Universal Analytics (GA) you can turn on IP Anonymization. This requires a code change to enable in GA. If you use Google Tag Manager, adjust your tag or GA Settings variable from inside of the GA website by clicking into More Settings -> Fields to Set and then add a new field named "anonymizeIp" with a value of "true". If you are not using GTM then what the heck? The ability to include GTM was another great feature that was added in Kentico 11 as well. Maybe it's time to upgrade?

However, to be clear, I am not a lawyer and this is not official legal advice. I'd recommend you do your own due diligence on making sure your GDPR compliance is up to par. But at least with Kentico 11 you have a few tools in your toolbox to get the job done efficiently. So don't let the May 25th deadline get you down.

That's all for now.