General Data Protection Regulation Compliance
The General Data Protection Regulation (GDPR) governs how data on individuals is collected and processed online. It contains specific guidelines designed to strengthen the protection of sensitive data and to make all elements of data collection, storage and processing transparent. The legislation came into effect on May 25, 2018.
Who does the GDPR affect?
All businesses established in the European Economic Area (EEA) and Switzerland must comply with the GDPR when handling data of EEA citizens. Companies from countries outside the EEA that collect data of EEA citizens must also comply or face stringent fines. There are steps that companies themselves can take to become compliant, but compliance with the GDPR depends significantly on how your web analytics system operates.
How does Yandex.Metrica comply with the GDPR?
We have carefully vetted all of Yandex.Metrica’s features to make sure they are fully GDPR-compliant either by default, or through using some additional settings. Here is a list of features and options that make Yandex.Metrica usage GDPR-compliant:

1. Improving site visitors’ privacy
All data processed by Yandex.Metrica has always been anonymous and de-personalized. In Yandex.Metrica reports, you can only see technical and non-sensitive data that cannot in any way be exploited to establish a user’s identity. In addition, we take further steps to exclude even the slightest risk of matching any data to an individual. We have redesigned our Session Replay tool so that it provides GDPR compliance out-of-the-box. The Session Replay tool automatically masks any data in the form fields that can be deemed confidential. Our algorithms analyze the names of form fields – but not the characters that users enter into those fields – and change their content to asterisks, so that no confidential data can potentially appear in Session Replay recordings.

2. Full control of potentially sensitive information
Site owners can further fine-tune the way Session Replay records content. This may be necessary for form fields that are not confidential per se, and therefore are not automatically masked by Yandex.Metrica, but that can still contain data that may be deemed sensitive. Our users can disable recording in all forms altogether using a simple toggle in the Yandex.Metrica interface. Alternatively, they can record the content of only some fields or, vice versa, disable recording only in some fields; this is done with a special CSS class in the site's code. There are also CSS classes available to manage recording of any other element of a site, such as an input field that is not a form field (for example, a date picker), a chatbox, a picture, or any other piece of content.

3. Data collection notice
We offer all our users a ready-to-use solution to ask for a site visitor’s consent to data collection with Yandex.Metrica, and to defer the loading of the code snippet for the Yandex.Metrica tag on site pages. Without the user's consent, the snippet will not load. We provide the sample text for such a notice, which is vetted by Yandex’s legal experts, as well as an example of implementing such a notice in a site’s code. Data is transferred to Yandex.Metrica servers via secure HTTPS channels.

4. Opt-out add-on
Collecting data about individual users can be blocked with the Yandex.Metrica opt-out browser add-on that is available for the most popular desktop browsers.

5. IP masking
All Yandex.Metrica users can request that the full IP addresses of site visitors not be processed or stored on our servers. Even though this may affect the accuracy of visitor location data, we have made this option easily available to all Yandex.Metrica users, regardless of whether or not they need to be GDPR-compliant. All you need to do as a Yandex.Metrica user is check the relevant box in your tag settings.

6. Transparent Data Processing Agreement
We have thoroughly researched the GDPR requirements with the help of legal advisers both within Yandex and outside the company to make sure that our procedures of data collection, storage and processing are communicated fully and transparently. Click here to review our Data Processing Agreement.

7. Simple one-click acceptance of Data Processing Agreement
We have introduced the option to digitally accept the Data Processing Agreement. To do so, check the relevant box when viewing your tag’s settings or when adding a new tag.

What do our customers need to do?
1. Ensure that your site’s Terms of Service or Privacy Policy clearly state how you use Yandex.Metrica and other analytics services.

2. Make sure your Session Replay settings are in compliance with the GDPR. That means that you allow Yandex.Metrica to only record the content of form fields that cannot under any circumstances contain any personal data.

3. Carefully study and accept the Data Processing Agreement with Yandex.Metrica when you receive a notification or see the relevant box to check in the Yandex.Metrica interface. If you have any questions about the Data Processing Agreement, we are here to help. You can contact us using our special feedback form.

Do you have any questions?
Please contact us if you have further questions about collecting data with Yandex.Metrica.