Tracking tools, email services and e-commerce infrastructure become subject to GDPR the moment they collect IP addresses, cookie identifiers, location and personal information. So the practical question is not “what is GDPR” but which obligations the data you collect places on you, and what your systems need to do about it. Any site processing the data of a person residing in the European Union falls within scope, regardless of where its servers are[1][2].
This article covers GDPR’s practical obligations and their system-side equivalents for anyone running a site or application that collects personal data. I covered the measurement impact of consent management earlier in You Added a Consent Banner and Traffic Dropped 30%; the focus here is the compliance framework and what needs to be done.
When Do You Fall Within GDPR Scope
The General Data Protection Regulation (GDPR) is a binding and enforceable regulation established within the European Union to protect the personal data of EU citizens[1]. It has applied across all EU member states since May 25, 2018[3]. Its scope covers individuals residing in EU member states, those residing there as EU nationals, and organizations that have commercial relationships with EU member states. Personal data obtained must be acquired with the individual’s consent in accordance with the regulation, then processed and stored under the same rules. GDPR also applies to historical data: even if it was collected before May 25, 2018, it must be handled within the regulation’s rules[2].
If you market to, or process the personal data of, individuals residing in the EU, including end-users, customers and employees, you must comply with GDPR and obtain their consent in order to continue operating. Data obtained must be stored as set out in the regulation. Individuals have the right to withdraw their consent at any time. Organizations that fail to comply may face serious penalties and legal consequences when a data-related issue arises[2].
What Counts as Personal Data
Under the regulation, the following are considered personal data (data relating to an identifiable data subject):
- Identity information: name, identification number
- Bank account details
- Address (residential, business) and location (geolocation)
- IP address, cookie data and other internet-related data
- Physical appearance descriptors and biometric data
- Ethnic and national origin information
- Political opinions, ideologies
- Medical data (health status, medications used)
Taking these into account, tracking tools, social media and forum sites holding user profiles, e-commerce sites storing address and identity records, content sites offering comment and feedback features (WordPress), profile services (Disqus, Gravatar), sites and apps using various tags for retargeting, and email newsletter services all fall within GDPR scope.
Who Collects Which Data
Many sites assume they “don’t collect data” while in fact falling within scope. The table below shows where each type of data comes from in a typical digital setup and why it counts as personal data.
| Collected data | Typical source | Why it is personal data |
|---|---|---|
| IP address, cookie identifier | Analytics tools, ad tags | Identifies the device and, indirectly, the person |
| Name, ID number, address | E-commerce checkout, signup forms | Direct identity information |
| Location (geolocation) | Mobile app, IP-based detection | Determines the person’s whereabouts |
| Email, open and click history | Email newsletter services | Behavioral data tied to the person |
| Biometric, health, ethnic origin | Special-category forms | Special-category data, requires extra protection |
The Legal Basis for Processing
Whenever personal data is recorded or used, GDPR requires you to clearly state the purpose of collection and processing, the legal basis, the retention period, and whether the data is shared with any third party or outside the European Economic Area (EEA). Data subjects have the right to request a copy of their data or its erasure at any time. If a business faces a breach that adversely affects the confidentiality of personal data (for example, theft of information), it must notify the affected individuals within 72 hours[1][3][2].
Personal data must fall under at least one legal basis; otherwise it cannot be processed. According to Article 6 of the regulation, the valid legal grounds for processing are[1]:
a. The data subject has given consent to the processing of personal data
b. The obligations arising from a contract with the data subject are being fulfilled
c. For the purpose of complying with the data processor’s legal obligations
d. The vital interests of the data subject or another person are at stake
e. The processing is in the public interest or for a task carried out by a public authority
f. For the legitimate interests of a data controller or third party, not overridden by the EU Charter of Fundamental Rights
The User’s 8 Rights and Their System Equivalent
Under GDPR, your visitors, users and customers have 8 rights regarding their personal data[4]. When a request relating to these rights arrives, you must respond within 30 days. The key is to treat each right not as a slogan but as a process with a real system equivalent.
| Right | User request | What the system needs |
|---|---|---|
| Information | What data, for what purpose | Transparent privacy notice and disclosure at collection |
| Access | A copy of my data | A process that exports the data (within 30 days) |
| Rectification | Correct inaccurate or incomplete data | Update flow and accuracy check |
| Erasure (right to be forgotten) | Delete my data entirely | Permanent deletion and consent withdrawal |
| Restriction | Stop processing | Processing flag: store but do not use |
| Portability | Provide it in machine-readable format | Structured export (JSON, CSV) |
| Object | Object to specific processing | Opt-out that halts processing |
| No automated decision-making | Request human intervention | An exit path from automated decisions |
Actions to Take
In the context of monitoring user activity and the use of personal data, the core steps to follow are:
- Inform visitors about your identity, the content of the data you collect, the purpose of collection, how and where it is stored, and with whom it is shared.
- Obtain explicit and clear consent from visitors whenever any data is collected.
- Allow visitors to access and download the data you collect.
- Delete visitors’ data on request. If there is a legal obligation (for example, invoice data), you may refuse the deletion request.
- Notify visitors within 72 hours of any data breach.
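The rights table and the action list above both reduce to a handful of operations a backend must support: gate every use of the data on consent and a restriction flag, export a machine-readable copy, and erase on request while keeping only what a legal obligation (here, invoice data) requires. The following is an added illustration, not code from this article or any named product; the `Subject` record, its field names and the sample values are assumptions made for the example.

```python
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_DEADLINE = timedelta(days=30)  # response window the article gives for a request


@dataclass
class Subject:
    """Hypothetical per-user record; the field names are assumptions for this example."""
    email: str
    consent: dict = field(default_factory=dict)    # purpose -> granted (True/False)
    profile: dict = field(default_factory=dict)    # name, address, other identity data
    invoices: list = field(default_factory=list)   # retained under a legal obligation
    restricted: bool = False                       # "store but do not use"


def response_due(received_iso: str) -> str:
    """Right to access/erasure/etc.: compute the date by which a reply is due."""
    return (date.fromisoformat(received_iso) + RESPONSE_DEADLINE).isoformat()


def export_portable(s: Subject) -> str:
    """Portability: a structured (JSON) copy of everything held on the subject."""
    return json.dumps({"email": s.email, "consent": s.consent,
                       "profile": s.profile, "invoices": s.invoices}, sort_keys=True)


def restrict(s: Subject) -> None:
    """Restriction: keep the record but flag it so no processing touches it."""
    s.restricted = True


def may_process(s: Subject, purpose: str) -> bool:
    """Every processing path (newsletter, analytics, ...) calls this first."""
    return not s.restricted and s.consent.get(purpose, False)


def erase(s: Subject) -> list:
    """Erasure: drop identity data and withdraw all consent; keep only data held
    under a legal obligation. Returns the categories that were retained."""
    s.profile.clear()
    s.consent = {purpose: False for purpose in s.consent}
    return ["invoices"] if s.invoices else []


# Constructed sample record, not real data.
SAMPLE = Subject(email="user@example.invalid",
                 consent={"newsletter": True, "analytics": True},
                 profile={"name": "A. Person", "address": "1 Example St"},
                 invoices=[{"no": "INV-1", "total": 42.0}])
```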
The Cost of Non-Compliance
- All businesses processing the data of EU member-state citizens fall under GDPR, regardless of location.
- Organizations that fail to comply may face fines of up to 20 million euros or up to 4% of annual global turnover, whichever is higher.
- When data is collected, the purpose of storage and processing must be stated in an easily understandable way, and consent withdrawal must be easily accessible.
- Breach notifications are mandatory.
- It must be clearly stated which data is collected, for what purpose, and for how long it is retained.
For a more detailed review, see the text of The General Data Protection Regulation published by the Council of the European Union[3][5]. I also recommend reviewing the article How Do We Manage the GDPR Process? shared by Netsparker.
Footnotes
[1] General Data Protection Regulation
[2] A Detailed Insight Into GDPR (General Data Protection Regulation)
[3] The general data protection regulation. European Council / Council of the European Union
[4] What is GDPR? Rights, Responsibilities, and What Needs to Be Done
[5] Data protection reform. European Council / Council of the European Union
1. GDPR is about data, not tools: any tracking or email service that collects IP, cookie, location or identity data falls within scope
2. Scope follows the data subject, not geography: if you process the data of an EU resident, GDPR applies wherever your servers are
3. Processing must rest on at least one legal basis (Article 6); consent is only one of them, not the only option
4. The user's 8 rights are a system requirement, not a slogan: each needs a process that responds within 30 days
5. Breach notification within 72 hours is mandatory; the penalty ceiling is 20 million euros or 4% of annual global turnover (whichever is higher)
Does GDPR only bind companies based in the European Union?
No. Scope depends on the data subject residing in the EU, not on the company's location. Any organization processing the data of someone living in the EU is subject to GDPR, regardless of where its servers or headquarters are.
Does using tracking tools fall under GDPR?
Yes. IP addresses and cookie identifiers are considered personal data under the regulation. Analytics tools, ad tags, email newsletter services and platforms holding user profiles therefore fall within GDPR scope.
Is obtaining explicit consent enough on its own for GDPR compliance?
No. Consent is only one of the legal bases in Article 6. Compliance also requires transparent disclosure, stating the retention period, processes that satisfy the user's 8 rights, and a breach notification mechanism.
What must you do in the event of a data breach?
If the breach adversely affects the confidentiality of personal data, the affected individuals must be notified within 72 hours. Breach notification is mandatory under the regulation.