Lesson 7

GDPR compliant tracking

For marketing to function properly, user tracking is essential. Here, too, the GDPR brings some changes, which we explain in more detail in this chapter.

Tracking responsibility

With the inception of the GDPR, one thing is clear: If you use a tracking pixel (Google Analytics, Facebook, etc.), this is your sole responsibility. This also applies if you, for example, include this pixel in the backoffice of Digistore24, on the order form, or order confirmation page.

Regarding this use of the Facebook Pixel, the person who is using the pixel is responsible for its use. You can read about this here, on the last page. Consequently, the person responsible must also ensure that it complies with all GDPR requirements.

Unlike with Facebook, tracking with Google Analytics is considered to be less of a problem. This is because, in its default settings, Google Analytics evaluates pseudonymized data, which makes it impossible to draw conclusions from the personal data.

Requirements for GDPR compliant tracking with tracking pixels

  • You must indicate your data protection policy at every step of the tracking. We already discussed how to write legally compliant wording in lesson 3.
  • You also have to give the user the possibility to opt out on every page (website, landing page, order form, etc.) on which you integrate pixels. This is the minimum requirement for normal tracking with the Facebook pixel.
  • If you would also like to have permission to record the email address from Facebook (so-called custom audiences), then an opt-out is no longer enough. For this, you need an additional opt-in, in other words legal consent, beforehand. This means that tracking may only begin when your website visitor actively agrees that his or her data may be used for this purpose.
  • For your own protection, be careful to clearly and transparently inform data subjects about the data processing, in this case through tools such as Facebook. You can certainly justify this well by, for example, telling the customer that you only want to show them relevant websites.
  • Contact the makers of the respective tool for information on how best to obtain consent.
  • Be sure to collect as little data as possible at all times. If possible, only use tools that work anonymously.

Is affiliate tracking still possible under the GDPR?

If you use affiliate links on your website, the IP address is transmitted to Digistore24 with each click. For this reason, you should mention this in your data protection policy. We have created a template text for this.

You can find it via this link: https://www.digistore24.com/en/home/extern/cms/page/frontend/legal/privacy#14-sample-texts-for-vendors-and-affiliates

In addition, a separate directive is currently in the works: the E-privacy policy. It is not yet possible to view it, as the policy is still being written and probably won’t come into effect before 2019.


This is our interpretation of the current legal situation. This can change over time, mainly due to jurisdiction and how it is practically interpreted by lawyers.

Downloads / Learning materials

Checklist Google Analytics GDPR compliant



We would like to expressly point out that this online course in no way replaces legal advice from a specialist lawyer and has no claim to correctness or completeness. 
