
Blackhat Analytics 4: May the 25th be with you!

1,038 views

Published in: Data & analytics

  1. BlackHat Analytics 4: May the 25th be with you
  2. #MeasureCamp @philpearce. Web Analytics Exchange mentor, 750 GA questions answered, Tracking Protection group (DNT). Welcome Phil Pearce, Analytics Expert & Master of the Dark Arts, Accelerate-Agency.com @philpearce linkedin.com/in/philpearce
  3. Just a quick Leia Disclaimer... #SPWK @philpearce I'm not her!
  4. Ask my brother instead... #SPWK @philpearce Or consult your Leia council
  5. Blackhat Analytics Summary 1. Imbalance: Reason behind GDPR 2. PECR vs GDPR: what's changed? • Fines • PI definitions 3. Jedi Training: Steps to be Compliant • Vendor Settings • Script Settings • CMS plugins • Privacy policy changes • Supplier Contracts 4. Checklist 5. Takeaways #SPWK @philpearce
  6. A long time ago... …or about 6 light years ago to be precise!
  7. Cookie Law in 2012...
  8. now... GDPR
  9. Don't panic… ...I have seen a vision of your future
  10. Generalisation…
  11. 2 Strikes… before a fine. For any new law there will be a grace period to account for accidental non-compliance or to give large enterprises time to adjust their systems
  12. Expect lots of craziness before 25th May!
  13. Before things return to normal
  14. Before things return to normal
  15. Begin craziness…
  16. PECR vs GDPR (PECR / GDPR): IP Address: not personal data / personal data; UserID: not personal data / personal data; TransactionID: not personal data / personal data; Cookie Identifier: not personal data / personal data; Device Signature: not personal data / personal data; Standardisation: different in EU countries / harmonised across EU; Charge for Subject Access Request: £10 / free; Max fine: £500,000 / £17,500,000
  17. £17,500,000 or 4% of global revenue
  18. GDPR in 2 mins bit.ly/gdpr-videos2
  19. Ouch! The privacy police just got handed a giant stick!
  20. How to avoid being fined… Principles… 1. Notify & provide the reason for data collection 2. Allow users to view/edit/delete their data 3. Special categories of data require consent 4. Consent must be a pro-active tickbox 5. Any financial decision based on user data must have consent, such as pricing personalisation
  21. GA settings: "Never Delete" GA Events and PageURLs setting… aka don't expire…
  22. GA settings
  23. Add Address and Contact for the DPO in your organisation
  24. PII safeguards …to prevent GA account deletion!
  25. PII detection Quick Test 1. Email [a-zA-Z0-9_.-]+(@|%40)[\da-zA-Z.-]+\.[a-zA-Z.]{2,6} 2. IP_address ^([0-9]+\.){3}[0-9]+$ Source: www.cardinalpath.com/what-you-need-to-know-about-google-analytics-personally-identifiable-information/
  26. PII prevention filters PP01: TidyURL - Replace email with EMAIL-OBFUSCATED-BY-FILTER@gmail.com URL (.*?)(=|%3D)([a-zA-Z0-9_.+-]+(@|%40)[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)($|&.+) Output URL $A1=EMAIL-OBFUSCATED-BY-FILTER@gmail.com$A5 PP02: Tidy EventLabel - Replace email with EMAIL-OBFUSCATED-BY-FILTER@gmail.com EventLabel (.*?)(=|%3D)([a-zA-Z0-9_.+-]+(@|%40)[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)($|&.+) Output EventLabel $A1=EMAIL-OBFUSCATED-BY-FILTER@gmail.com$A5
  27. Generic PII exclude params email, emailAddress, clientEmailAddress, Username, postCode, mac, oldPassword, password, password_confirmation, regCode, username, username_confirm, signin[username], signin[runas], signin, sign_in, conf, gpid, obem, inf_contact_key, user_id, userId, username1, frmUsername, nickName, qz_user_name, url_mac, Email, email, mail, MAIL, feedback_email, newEmailAddress, newemailaddress, emailAddress, emailaddress, recipientName, recipientEmail, MMDB_ID, mmdb_id, EMAIL_ID, email_id, email[body], email[subject], interaction[email], interaction[name], CVC_M1RSUBNM, CVC_M1RADDR1, CVC_M1RADDR2, CVC_M1RCITY, CVC_M1RSTATE, CVC_M1RCTRYC, CVC_M1RZIP, CVC_M1REMAIL, CVC_M1RTACCT, MSRSUBNM, MSRADDR1, MSRADDR2, WESCITY, WESSTATE, WESZIP, MSREMAIL, Name, selectedAddress, selectedAddres_0, selectedAddres_1, selectedAddres_2, selectedAddres_3, selectedAddres_4, selectedAddresSize, Address1, Address2, City, State, Zip, zipcode, qz_user_country, state, oauth_token, oauth_verifier, rptregcta, rptregcampaign, nickName, selectedAddress, username1, frmUsername, mac_address, username, password, login, firstName, lastName, payerName, street, city, country, zipCode, payerEmail, email, rfemail, rflogin, login, PayerID, user
  28. GTM Accept GDPR: AnonIP; CD20 for consent; CD19 for consentTimeStamp; 2-year cookie reduced to 1.5 years; Remarketing disabled for non-logged-in new users whose IP resolves to the EU
  29. Tick this box: Secure logins
  30. GTM user access audit. See actual audit here.
  31. Conditionally disabled Remarketing via GTM… bit.ly/2IxMKRt
  32. Right to Be forgotten
  33. Right to Be forgotten
  34. Privacy Policy page updates: Opt-out links; Subject Access mailto or deletion request
  35. Adwords Remarketing: cookie durations, CustomerMatch
  36. Facebook Remarketing: cookie durations, CustomerMatch
  37. Email 1. IP match to EU 2. .co.uk et al email extension matched to EU
  38. Breach notification http://en.wikipedia.org/wiki/Data_breach http://www.symantec.com/content/de/de/about/downloads/press/2010_annual_study.pdf PII data sucked out from exposed servers! Companies must notify the DPA within a reasonable amount of time, but are not (currently) obligated to notify the public!
  39. Contracts for Suppliers bit.ly/gdpr-supplier-contract
  40. Mistakes to avoid when implementing 1. Mobile popups 2. Asking for consent on Newsletters 3. Triggering Adwords pop-up on landing page (cpc fine) 4. Asking users in China or USA for consent 5. Excessively confusing pop-ups
  41. Automatic monitoring & enforcement of the system, aka automatic "Health checks"
  42. Example…
  43. Imperial Durnt, durnt, durnt… durnt, dan ner! External Feedback mechanism
  44. Google Adwords privacy cpc tax; SSL as ranking signal; SERP ranking organic bonus; Google "trusted stores" program. Note: See "Privacy as a ranking factor" slides and TrustFactor video.
  45. Training and Checklist
  46. Light Score 1. Do you have a Privacy Policy? +1 2. Do you link to Privacy Policy on global footer (or header)? try.powermapper.com +1 3. HTML links on Privacy Policy: • Do you mention you use cookies OR link to "How Google uses cookie data" www.google.com/policies/privacy/partners/ +0.25 • Do you mention the words "Do Not Track" or DNT on privacy policy +0.25 • Link to GA opt-out plugin OR GA opt-out page +0.25 • Link to DoubleClick remarketing opt-out OR Adchoices link +0.25 4. Has your Privacy Policy been updated within the last 12 months +1 5. If you're using session recording (e.g. ClickTale) have you set sensitive fields to either type=password OR have relevant class: <input id="CreditCardPin" class="tracking-sensitive ClickTaleSensitive -metrika-nokeys" type="text"> +1 6. Is AnonymiseIP enabled for EU Visitors +1 7. Is GTM's 2-stage authentication login setting enabled OR similar TMS setting +1 8. Do you have a GA custom email alert for URLs containing "@" or "@gmail" +1 9. GA exclude traffic from robots setting is enabled +1 10. You have actioned at least one GA healthcheck alert +1 Ref: www.google.com/analytics/terms/us.html [n] / 10
  47. Force Rankings: Make a note of your Light score
  48. Darkness and the Light - scorings. Light: 10 Yoda, 6-8 Luke, 3-5 Leia, 0-2 Chewbacca; 0 Neutral Zone; Dark: -0-2 Darth Maul, -3-5 Count Dooku, -6-8 Darth Vader, -10 Darth Sidious. Light score: -
  49. Dark Score 1. 3rd party cookies are being deployed on your website -1 2. Have not enabled frequency capping on Display network -1 3. UserID tracking is enabled, but not declared to users on privacy page 4. GA's data append via CSV upload (dimension widening) for userID as a customDimension using sensitive data (e.g. financial grouping/status based on user's postcode/address) -1 5. Using Device Signature (Android App only) -1 6. Email address stored in GA URL report -1 7. Storing passwords in GA URL report -1 8. Respawn of user's sessionID cookie after the user tries to clear cookies -1 9. Using any of the techniques mentioned on evercookie -1 10. Using opt-in ClickJacking to install a trojan virus -100 [n] / 10
  50. Force Rankings: Make a note of your Dark score
  51. Darkness and the Light - scorings. Light: 10 Yoda, 6-8 Luke, 3-5 Leia, 0-2 Chewbacca; 0 Neutral Zone; Dark: -0-2 Darth Maul, -3-5 Count Dooku, -6-8 Darth Vader, -10 Darth Sidious. Light score: - Dark score: -
  52. Now: Light Score - Dark Score = Actual score
  53. Darkness and the Light - scorings. Light: 10 Yoda, 6-8 Luke, 3-5 Leia, 0-2 Chewbacca; 0 Neutral Zone; Dark: -0-2 Darth Maul, -3-5 Count Dooku, -6-8 Darth Vader, -10 Darth Sidious. Light score: - Dark score: - Sum of both: -
  54. Overall Score chart: Malintent vs Accidental, Bad vs Good, overall score from -10 to +10
  55. If you got a dark score, join these… "MOA code of conduct" or "DAA code of ethics" will eventually introduce one: www.digitalanalyticsassociation.org/codeofethics www.moaweb.nl/Richtlijnen/internationale-gedragscodes-en-richtlijnen/2012-09-17%20GRBN%20Code%20Comparison.pdf/view
  56. Thanks & Questions #SPWK @philpearce
  57. Links to resources. GDPR video playlist: https://www.youtube.com/watch?v=PMHO2T1p0g8&index=68&list=PL45AABD8BB96D3785&t=0s; CookieLaw video playlist: https://www.youtube.com/playlist?list=PL45AABD8BB96D3785; checklist: https://www.omnisend.com/blog/gdpr-for-ecommerce-definitive-guide-free-gdpr-checklist/; essentials blog post by webguild: https://www.thewebguild.org/news/gdpr-essentials-for-web-developers-and-site-owners; post on GooglePlus: https://plus.google.com/u/0/+StephaneHamel-immeria/posts/YcnrmoQQpT4; GDPR view by a marketer: https://www.portent.com/blog/internet-marketing/gdpr-29-things-marketers-must-know.htm; vendor - HotJar Webinar: https://www.hotjar.com/privacy/gdpr-compliance-with-hotjar-webinar; vendor - WooCommerce: https://woocommerce.com/2017/12/gdpr-compliance-woocommerce/; GDPR supplier template: http://bit.ly/gdpr-supplier-contract
  58. Login security
  59. Watch this video. A link to the video is here.
  60. Install this App
  61. Verify App
  62. Print backup codes 123 999 xxx
  63. Tick this box. Now you can...
  64. Thanks from Phil the Analytics Adventurer
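Slides 25 to 27 describe three layers of PII hygiene for Google Analytics: a quick regex test for email addresses and IP addresses, the PP01/PP02 filters that replace an email with a fixed placeholder, and a block list of query parameter names to exclude. The following JavaScript is an added example, not code from the deck or from Google; it expresses those three layers as functions run over a page path before it is sent, which is also the check slide 46 item 8 asks for (alert on URLs containing "@" or "%40"). The parameter block list is a subset of slide 27's, and the sample hits are constructed.

```javascript
// Added example (not the deck's own code): slide 25 quick test, slide 26
// PP01/PP02 email masking and slide 27 parameter exclusion as functions.

// Slide 26 email pattern (with backslashes restored); global so replace() masks every occurrence.
const EMAIL_RE = /[a-zA-Z0-9_.+-]+(@|%40)[a-zA-Z0-9-]+\.[a-zA-Z0-9.-]+/g;
// Slide 25 IPv4 quick test.
const IPV4_RE = /^([0-9]+\.){3}[0-9]+$/;
// Replacement token used by the deck's GA filters.
const EMAIL_MASK = 'EMAIL-OBFUSCATED-BY-FILTER@gmail.com';

// Subset of slide 27's generic PII parameter names, compared case-insensitively.
const PII_PARAMS = new Set([
  'email', 'emailaddress', 'mail', 'username', 'password', 'password_confirmation',
  'postcode', 'zip', 'zipcode', 'mac', 'mac_address', 'firstname', 'lastname',
  'oauth_token', 'oauth_verifier', 'user_id', 'userid', 'login', 'user',
]);

// decodeURIComponent throws on malformed escapes; fall back to the raw key.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Slide 25 quick test: does the value carry an email address or an IP address?
// Doubles as the trigger for a slide 46 style alert on URLs containing "@" / "%40".
function detectPii(value) {
  const emails = value.match(EMAIL_RE) || [];
  return { hasEmail: emails.length > 0, isIp: IPV4_RE.test(value), emails };
}

// PP01/PP02 equivalent: keep the parameter, replace the address with the mask.
function obfuscateEmails(value) {
  return value.replace(EMAIL_RE, EMAIL_MASK);
}

// Slide 27 equivalent: drop block-listed query parameters from a page path.
function stripPiiParams(url) {
  const q = url.indexOf('?');
  if (q === -1) return url;
  const path = url.slice(0, q);
  const kept = url.slice(q + 1).split('&').filter((pair) => {
    const key = safeDecode(pair.split('=')[0]).toLowerCase();
    return !PII_PARAMS.has(key);
  });
  return kept.length ? `${path}?${kept.join('&')}` : path;
}

// Pipeline: strip known parameters first, then mask any email that survives
// under a parameter name the block list does not know about.
function scrubHit(url) {
  return obfuscateEmails(stripPiiParams(url));
}

// Constructed sample hits, as a page might send them.
const SAMPLE_HITS = [
  '/checkout/thanks?email=jane.doe%40example.com&order=42',
  '/search?q=bob@example.org',
  '/login?username=bob&redirect=/home',
];

for (const hit of SAMPLE_HITS) {
  const found = detectPii(hit);
  console.log(hit, '->', scrubHit(hit), found.hasEmail ? '(email found and masked/removed)' : '');
}
```

Running the block prints each constructed hit beside its scrubbed form. The order of the two steps matters: parameter stripping handles the known names cheaply, and the regex mask is the safety net for addresses that arrive under any other parameter, which is the same reason the deck pairs a filter with an exclusion list rather than relying on either alone.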
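Slides 28 and 31 list the tracker settings that change once GDPR consent is handled: IP anonymisation, custom dimensions 20 and 19 for the consent state and its timestamp, a cookie lifetime cut from 2 years to 1.5 years, and remarketing disabled for non-logged-in new visitors whose IP resolves to the EU. The JavaScript below is an added example, not the deck's GTM container: it computes those analytics.js settings as a pure function and then issues the `ga()` commands. It assumes a cookie named `gdpr_consent` holding `<status>.<unix-ms>`, a placeholder property id `UA-XXXXX-Y`, and that the caller already knows whether the visitor's IP resolves to the EU and whether they are logged in; all three are assumptions, not from the slides.

```javascript
// Added example (not the deck's GTM container): consent-dependent GA settings
// from slides 28 and 31, with the EU-only AnonymizeIP check of slide 46 item 6.

const COOKIE_18_MONTHS_S = 60 * 60 * 24 * 365 * 1.5; // slide 28: 2-year cookie cut to 1.5 years
const PROPERTY_ID = 'UA-XXXXX-Y'; // placeholder, not a real property id

// Parse the assumed gdpr_consent cookie ("granted.<ms>" or "denied.<ms>") out of a cookie string.
function readConsent(cookieString) {
  const m = /(?:^|;\s*)gdpr_consent=(granted|denied)\.(\d+)/.exec(cookieString || '');
  return m ? { status: m[1], timestamp: Number(m[2]) } : null;
}

// Decide the settings. Advertising features (remarketing) stay off for new,
// non-logged-in EU visitors until consent is recorded; non-EU visitors are
// not asked (slide 40, item 4). AnonymizeIP is on for EU visitors.
function buildGaSettings({ consent, isEu, isLoggedIn }) {
  const granted = Boolean(consent && consent.status === 'granted');
  const allowRemarketing = !isEu || isLoggedIn || granted;
  return {
    create: { cookieExpires: COOKIE_18_MONTHS_S },
    set: {
      anonymizeIp: isEu,
      allowAdFeatures: allowRemarketing,
      dimension20: consent ? consent.status : 'unknown',      // CD20: consent
      dimension19: consent ? String(consent.timestamp) : '',   // CD19: consentTimeStamp
    },
  };
}

// Issue the analytics.js commands. `ga` is injected so the function can be
// exercised with a stub; returns the number of commands issued (0 if no tracker).
function applyGaSettings(settings, ga) {
  if (typeof ga !== 'function') return 0;
  let issued = 0;
  ga('create', PROPERTY_ID, 'auto', settings.create); issued++;
  for (const [field, value] of Object.entries(settings.set)) {
    ga('set', field, value); issued++;
  }
  ga('send', 'pageview'); issued++;
  return issued;
}

// Stand-alone demo with a constructed cookie and a recording stub for ga().
const demoCalls = [];
const demoConsent = readConsent('_ga=GA1.2.1; gdpr_consent=denied.1527206400000');
const demoSettings = buildGaSettings({ consent: demoConsent, isEu: true, isLoggedIn: false });
applyGaSettings(demoSettings, (...args) => demoCalls.push(args));
console.log(demoCalls);
```

In a real page the last argument to `applyGaSettings` would be `window.ga`, and the EU flag would come from whatever geo lookup the site already uses; keeping both as inputs rather than reading globals inside the function is what makes the decision logic testable without loading the tracker.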
