
Role-playing: which one are you, Google Analytics? Controller or processor?

Posted by: María G. Moriano | Posted on: April 1st, 2014

Once upon a time there was a prosperous Kingdom. Let’s call it the Kingdom of Offline. A King who had two sons governed it. One of them would eventually rule in his father’s place. For the other, the father created the Kingdom of the Internet, full of innovative and courageous people. Unfortunately, activity in the Kingdom of the Internet was blind. There was no way to know if there were people walking into the Kingdom, so the royal magicians created cookies. The situation was reversed and darkness turned into light.


The Kingdom of the Internet was blessed with efficient administration thanks to data driven decision-making: its citizens turned data into useful information thanks to the powerful magic of analytics. Segmentation to optimize, find patterns and outliers quickly became the new mantra at the Kingdom of the Internet.

As more and more citizens moved into the Kingdom, the royal magicians created new crafts to improve its administration. Tag Management Systems and Marketing Automation tools were presented to the King and he was pleased. The management of cookies, which had proliferated as a consequence of the increasing number of citizens arriving in the Kingdom of the Internet looking for fortune, was made easier through the use of Tag Management Systems. Marketing Automation modernized the repetitive tasks that were labor intensive.

Slowly but surely, the Kingdom of the Internet continued to grow. The King demanded more and more crafts from his royal magicians. One of the magicians found a way to turn Tag Management Systems into a way not just to improve cookie management but also to process all that data and provide better information for Marketing Automation.

In the meantime a variety of evolutions were taking place:

  • Many magicians with their crafts rebelled against their servant destinies. Data had brought light and brightness to the Kingdom of the Internet, so they demanded recognition and glory. They started collecting data for themselves as well, not only for the Kingdom. Data had become gold coin currency, so the wizards and their crafts became even more powerful than the King and his Kingdom;
  • Both Kings, the two brothers managing the Offline and the Internet Kingdoms, realized their citizens were actually the same people, just dressed differently: wearing tablets, smartphones, PCs, social media nicks and digital media identities, or simply using their typical offline attire. Both brothers decided to merge the Kingdoms in order to better administer them, starting with a better understanding of their people and properties.

However, the citizens were actually the ones providing the gold coins that were making the wizards and their crafts richer, also indirectly enriching the Kings. When the two Kings realized this, they suddenly remembered that their citizens were visiting their Kingdoms looking for goods, commodities and security.

If a King is not able to provide security, why pay fees to the realm or the King? What for?


This little tale brings us to today’s dilemma: everybody is happy with the advantage of more efficient online services, yet transparency is necessary to feel secure. Lack of transparency makes users feel insecure, while malicious activity aimed at stealing the data is on the rise as the pile of gold coins keeps increasing.

Each character in this little tale has a clearly defined role. Roles are useful, they are like uniforms; they help identify actors in a play as well as roles and responsibilities.

A policeman in uniform confirms he/she is there to help me in case of trouble; I can trust that. On the opposite side of the spectrum, wearing a police uniform is a crime if you are not an officially recognized representative of the law. You are not allowed to dupe citizens into thinking you are. Hence, everybody trusts a policeman in uniform.

The European principles of Controller and Processor follow exactly this same idea of roles. The tool a website uses to measure its traffic and optimize its online presence has a specific role. The tool is the processor; the company using the tool is the controller. If a tool, like Google Analytics, claims both roles, under which conditions can this take place? These questions seem simple but they hold dire consequences for all parties involved!

Controller and Processor roles are indeed European, old continent, concepts. We confess. Yet the need for clearly defined and distinct roles and responsibilities remains universal. These concepts of roles are also embedded into the US privacy jargon, to cite just one country, randomly. Time for truth now: who is who?

The Controller defines what the collected data will be used for. Lawyers call it Purpose. Data are Privacy and technology neutral. After data collection, the obtained information will depend upon the purpose of my process. Thus, the Controller is the one defining how the data will be used.

Simply put, the data is provided to the Controller by the users for certain clearly specified tasks. This can be done through a Processor. However, the Processor can neither process nor save the data for its own purposes. Until recently, this same logic also prevailed for Tag Management Solutions: they just passed on the tags and didn’t collect any data, hence they were not subject to any specific Privacy restrictions. And it makes sense: if the data is just transiting through your pipes, you’re not responsible for it in the first place, except in terms of integrity and security. Privacy plays no direct real role here.

If data is the new oil, the one transporting the oil and delivering it to a refinery shouldn’t be allowed to do something with the crude oil in the first place. Or should he?

The natural way business takes place is for a company to pay a fee to a subcontractor for carrying out certain requested tasks. Simply put, if you pay, you are the client. But if you don’t, you turn into something different, and definitely not a client. Some analytics tools are free for the sites using them, so how do they get paid? Well, they process data to fulfill the service for the website, but they get the data for their own purposes as well. Are they Processors or Controllers? In certain cases, they are suddenly both!

Let’s take the Google Analytics example to show how this works.

A website decides to measure user activity.

The users provide their data to the website, which is in charge of defining the purpose for the use of the collected data. The tool, in this case GA, is a processor as it processes the data to deliver the analytical service requested by the website. Yet it becomes a controller when it is processing data for its own purposes.

So what? I can hear you say.

  • From a legal standpoint, clear roles need to be defined in order to structure the legal conditions ruling the relationships:
      • When GA is acting as a Processor, as a subcontractor, the company using the tool to measure its digital properties needs to fulfill certain conditions. For example, in Europe a website needs to get the consent of the user to get IP addresses and will need to enter into a contract with the processor to fix the limits of the processing. In a few countries, such as Spain, additional information security measures need to be in place, which may vary depending upon the type of data collected (measuring Costco-type websites doesn’t hold the same legal implications as an abortion clinic site, for example).
      • When GA is acting as a Controller, the company using the tool to measure its digital properties will need to comply with the applicable law as well. This means that they will need to get the user’s consent in Europe, for example. They do not have control of the site, so the site acquires the duty of getting the user’s consent and providing the information on behalf of GA. If this is new to you, we suggest you check GA’s Terms & Conditions. More specifically look for “Google and its wholly owned subsidiaries may retain and use, subject to the terms of its privacy policy (located at, information collected in Your use of the Service.”
  • From a business point of view, the company using the tool to measure its digital properties is allowing another party, Google, to get access to a most precious asset: data. Data flows and conditions should be clearly understood and checked because external links to the data chains are being added. Let’s all make sure the quality and the accountability conditions are the proper ones, according to your legislation and that of those you are addressing through your digital communication.

This is just a quick overview related to Google Analytics.

Just imagine what happens when your company uses multiple analytics tools, Tag Management solutions, marketing automation tools, third party cookies for advertising, segmentation services, agencies, etc. etc.

Who is who in your digital ecosystem? Who is doing what with your users’ data? Are they Controllers or Processors? Or both? What is the relationship between them? Are you confident about their information security procedures? Do they have mechanisms in place in case of data breaches?

Yes, it is not easy to draw the data flows and it’s often difficult to understand exactly the relationships between the players involved. Even if it is just a simple analytics tool, the picture will not be the same if you’re in the US, Europe or China, or if you’re using a free or a paying tool.

Obviously the website owner, the initial Controller, decides how to manage her digital properties and which tools to use as, ultimately, this party is responsible in case of trouble. The roles’ definitions should be undertaken prior to any installation or use, just to be sure we are not putting weak links within our trusted data chain.


Similarly, an analytics and/or ad agency, working for a company wishing to collect data, needs to understand the legal implications of the tools they will implement on behalf of their clients. Additionally, we cannot forget the other player in the field: the vendors of analytics tools themselves, who present so many flavors in terms of privacy, security and duties to the sites, according to their business model.

Our advice is: understand your data lifecycles! Once they are known, define your internal security measures to protect your data assets. Check whom you are sharing or disclosing information with.

Nobody ever said Data governance was easy, certainly not in a complex data environment! You have to fight the corporate antibodies and accept being called the Business Prevention Unit (BPU). It requires the will to set up a plan, defining what you want to measure and why, to get to a point where you can govern your data or live with an acceptable risk level.

First step: Risk assessment covering privacy and security that will allow you to define Purpose and clean up your data mess. Do you want to start? We are ready, are you?
