meta-analytics-privacy

Analytics Privacy and Data Governance

Sources: Raaz (c.2023) Web Analytics Blueprint; Hanlon and Tuten (2022) The SAGE Handbook of Digital Marketing

Use when

  • Privacy-by-design analytics setup for clients operating under Uganda's Data Protection and Privacy Act 2019, Kenya's Data Protection Act 2019, and international frameworks (GDPR, CCPA). Covers cookie consent implementation, GA4 privacy configuration, data minimisation, and WhatsApp data governance. Invoke when setting up GA4 for a new client, configuring cookie consent banners, advising on analytics data governance, or when a client asks about data protection compliance for their digital channels. Does not replace legal counsel — flags compliance requirements and provides implementation guidance.
  • Use this skill when it is the closest match to the requested deliverable or workflow.

Do not use when

  • Do not use this skill for graphic design, video production, software development, or legal advice beyond the repository's stated scope.
  • Do not use it when another skill in this repository is clearly more specific to the requested deliverable.

Workflow

  1. Collect the required inputs or source material before drafting, unless this skill explicitly generates the intake itself.
  2. Follow the section order and decision rules in this SKILL.md; do not skip mandatory steps or required fields.
  3. Review the draft against the quality criteria, then deliver the final output in markdown unless the skill specifies another format.

Anti-Patterns

  • Do not invent client facts, performance data, budgets, or approvals that were not provided or clearly inferred from evidence.
  • Do not skip required inputs, mandatory sections, or quality checks just to make the output shorter.
  • Do not drift into out-of-scope work such as code implementation, design production, or unsupported legal conclusions.

Outputs

  • A structured audit, report, model, or analytical framework in markdown, with decisions and recommendations tied to evidence.

References

  • Use the inline instructions in this skill now. If a references/ directory is added later, treat its files as the deeper source material and keep this SKILL.md execution-focused.

Required Inputs

Ask for the following before generating any deliverable:
  1. Client business name
  2. Industry
  3. Country / city (defaults to Uganda / East Africa)
  4. Primary goal (e.g. achieve DPPA compliance, configure GA4 privacy settings, set up cookie consent)
  5. Website platform (WordPress, Wix, Squarespace, custom-built — affects consent banner implementation)
  6. Audience geography (Uganda only; Uganda + Kenya; Uganda + international including EU — determines which frameworks apply)
  7. GA4 access level (Admin required for privacy configuration changes)
  8. Data currently collected (list all tracking pixels, analytics tools, and third-party tags active on the website)

Why Analytics Privacy Matters in EA

Uganda's Data Protection and Privacy Act 2019 (DPPA) and Kenya's Data Protection Act 2019 (DPA) both require informed consent before collecting personal data — including analytics data linked to individual users. Non-compliance carries financial penalties and significant reputational risk.
For clients with international audiences (e-commerce, NGOs, professional services exporting to EU markets), GDPR (EU, 2018) and CCPA (California, USA) may additionally apply.
This skill provides implementation guidance only. For specific legal advice, data protection impact assessments, or drafting of a privacy policy, refer the client to a qualified data protection lawyer in their jurisdiction.

Regulatory Framework Summary

| Framework | Applies when | Key requirement |
| --- | --- | --- |
| Uganda DPPA 2019 | Client operates in Uganda or processes data of Ugandan residents | Informed consent before data collection; right to access and deletion |
| Kenya DPA 2019 | Client operates in Kenya or processes data of Kenyan residents | Consent; data minimisation; right to erasure |
| GDPR (EU) | Client offers goods/services to EU residents OR monitors EU user behaviour | Explicit opt-in consent; right to be forgotten; Data Protection Officer for large-scale processing |
| CCPA (California) | Client has 50,000+ California consumers/year, or earns 25%+ revenue from California data | Right to opt-out of data sale; disclosure of data collection practices |

GDPR applicability test: Does the client's website accept payments or enquiries from EU residents? If yes, GDPR applies — escalate to a data protection lawyer before proceeding.

Cookie Consent Implementation

All websites collecting analytics data must display a cookie consent banner that:
  1. Appears before any tracking cookies are set — not after the page loads with cookies already active
  2. Explains what data is collected and why — in plain language, not legal boilerplate
  3. Provides a genuine opt-out — a real "Reject all" button, not a dark pattern that buries the opt-out
  4. Remembers the user's choice — for a minimum of 12 months
  5. Distinguishes cookie categories — at minimum: Necessary (no consent required) vs. Analytics (consent required) vs. Marketing (consent required)
Recommended tools for EA clients:
  • CookieYes — free tier available; integrates with WordPress, Wix, and custom sites; generates a consent log
  • Usercentrics — more robust for GDPR requirements; paid but affordable
  • Custom implementation — acceptable if the client has a developer and the implementation meets all five requirements above
Dark patterns to avoid: Pre-ticked "Accept" boxes; hiding the "Reject" option in small text; making "Accept all" one click and "Manage preferences" three clicks. Dark patterns are explicitly prohibited under GDPR and are increasingly scrutinised under DPPA.

GA4 Privacy Configuration

Complete these steps in order. All require Admin access in GA4.

Step 1 — Data Retention
Admin → Data Settings → Data Retention
Set to 14 months maximum. This reduces the volume of personal data retained and is the minimum recommended setting for DPPA/GDPR alignment.

Step 2 — Google Signals
Admin → Data Settings → Data Collection → Google Signals
Disable Google Signals unless the client has a specific, documented need for cross-device tracking. Google Signals links analytics data to Google Account profiles — this is personal data linkage that requires explicit consent.

Step 3 — IP Anonymisation
Admin → Data Streams → [select stream] → Configure tag settings → Show all → Redact visitor IP addresses
Enable this setting. It masks the user's location to city level only — the user's precise IP address is not stored. This is recommended for all clients regardless of regulatory framework.

Step 4 — Consent Mode Configuration
Configure GA4 consent mode so the tag fires in "consent pending" state by default and only collects full analytics data after the user grants consent via the cookie banner. This requires integration between the consent management platform (CookieYes or equivalent) and the GA4 tag via Google Tag Manager.

Step 5 — Data Deletion Requests
Admin → Data Deletion
Document the process for responding to a user's right-to-erasure request. Under DPPA 2019, the client must be able to delete an individual user's data within a reasonable timeframe. In GA4, use the Data Deletion tool to remove data associated with a specific user identifier.
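
The five cookie consent requirements and Step 4 above rest on one mechanism: no analytics or advertising storage until a recorded choice exists. The JavaScript below is an added example of that mechanism for the "custom implementation" option; it is not code from this SKILL.md, from CookieYes or from Google. It shows the stored consent record (12-month lifetime, no pre-ticked category, a real reject path), the Consent Mode default-denied call followed by the update, and GA4 loaded only after analytics consent. The cookie name site_consent, the GA4 measurement ID placeholder G-XXXXXXXXXX and the banner callback names are assumptions.

```javascript
// Added example, not code from the SKILL.md, CookieYes or Google. Assumed names:
// cookie "site_consent", categories analytics/marketing, GA4 ID placeholder below.
const CONSENT_COOKIE = 'site_consent';            // the record itself is a "necessary" cookie
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000; // requirement 4: remember the choice 12 months
const CATEGORIES = ['analytics', 'marketing'];    // requirement 5; "necessary" needs no consent
const GA4_ID = 'G-XXXXXXXXXX';                    // placeholder, replace with the client's stream ID

// Standard gtag shim: shares window.dataLayer in a browser, a local array elsewhere (tests).
const dataLayer = typeof window !== 'undefined' ? (window.dataLayer = window.dataLayer || []) : [];
function gtag() { dataLayer.push(arguments); }

// Step 4: Consent Mode defaults to "denied" for every storage type before any tag runs,
// so no analytics or advertising cookie can be written ahead of the banner (requirement 1).
function setConsentDefaults() {
  gtag('consent', 'default', {
    analytics_storage: 'denied',
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    wait_for_update: 500, // Google tags wait up to 500 ms for an update before firing
  });
}

// The record the banner stores. Every category defaults to false, so "Reject all" is
// simply buildRecord({}) and nothing is ever pre-ticked (requirement 3).
function buildRecord(choices, now = Date.now()) {
  const record = { v: 1, ts: now };
  for (const c of CATEGORIES) record[c] = choices[c] === true;
  return record;
}
function rejectAll(now = Date.now()) { return buildRecord({}, now); }

// Cookie value encoding. A record older than 12 months is treated as absent, so the
// banner is shown again instead of consent being renewed silently.
function serialiseRecord(record) { return encodeURIComponent(JSON.stringify(record)); }
function parseRecord(raw, now = Date.now()) {
  if (!raw) return null;
  try {
    const record = JSON.parse(decodeURIComponent(raw));
    if (record.v !== 1 || typeof record.ts !== 'number') return null;
    if (now - record.ts > CONSENT_TTL_MS) return null;
    return buildRecord(record, record.ts); // re-normalise: only known categories survive
  } catch (e) {
    return null;
  }
}

// Map banner categories onto Consent Mode signals: analytics drives analytics_storage
// only; the three advertising signals follow the marketing category.
function consentModeUpdate(record) {
  const ads = record.marketing ? 'granted' : 'denied';
  return {
    analytics_storage: record.analytics ? 'granted' : 'denied',
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  };
}

// gtag.js is injected only once analytics consent exists ("basic" consent mode), so
// until then no Google script runs and no _ga cookie can appear.
function loadGa4() {
  if (typeof document === 'undefined' || document.getElementById('ga4-tag')) return;
  const s = document.createElement('script');
  s.id = 'ga4-tag';
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(GA4_ID);
  document.head.appendChild(s);
  gtag('js', new Date());
  gtag('config', GA4_ID);
}

// Persist the choice (12-month Max-Age, Secure so it is only written over HTTPS) and
// push the Consent Mode update.
function applyConsent(record) {
  if (typeof document !== 'undefined') {
    document.cookie = CONSENT_COOKIE + '=' + serialiseRecord(record) +
      '; Max-Age=' + Math.floor(CONSENT_TTL_MS / 1000) + '; Path=/; SameSite=Lax; Secure';
  }
  gtag('consent', 'update', consentModeUpdate(record));
  if (record.analytics) loadGa4();
  return record;
}

// Page boot: defaults first, then honour a stored choice or hand control to the banner
// UI, whose "Accept all" and "Reject all" buttons must be equally prominent.
function readStoredConsent(now = Date.now()) {
  if (typeof document === 'undefined') return null;
  const m = document.cookie.match(new RegExp('(?:^|; )' + CONSENT_COOKIE + '=([^;]*)'));
  return parseRecord(m ? m[1] : null, now);
}
function boot(showBanner) {
  setConsentDefaults();
  const stored = readStoredConsent();
  if (stored) return applyConsent(stored);
  showBanner({
    acceptAll: () => applyConsent(buildRecord({ analytics: true, marketing: true })),
    rejectAll: () => applyConsent(rejectAll()),
    save: (choices) => applyConsent(buildRecord(choices)),
  });
  return null; // no stored choice: nothing is collected until the banner calls back
}
```

Include this script before any tag script and call boot() with the function that renders the banner; the banner's buttons call the acceptAll, rejectAll or save callbacks and nothing else touches gtag. The defaults call must precede the update for Consent Mode to hold the tag, which is why boot() never reads the cookie first.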

Data Minimisation Principle

Collect only the data necessary for the stated analytics purpose. Before adding any tracking pixel, custom dimension, or third-party tag to a client's website, document:
  1. What data this collects — list every data point captured
  2. Why it is needed — the specific analytics or business purpose it serves
  3. How long it will be retained — the retention period before deletion or anonymisation
  4. Who has access — which internal and external parties can view this data
This documentation is both an ethical and legal requirement under DPPA 2019. Maintain it in a simple data register (a Google Sheet is sufficient for most EA clients).
Audit prompt: Review all active tags in Google Tag Manager. Remove any tag that has not been used in the past 90 days or whose purpose cannot be clearly stated.
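
As an added example of the register and audit prompt above (not tooling from this SKILL.md or from Google Tag Manager), the JavaScript below checks each register row for the four documentation points, the 14-month retention ceiling from GA4 Step 1 and the 90-day unused rule, and renders the result as markdown rows for the deliverable. The register format (one object per tag) and the three sample rows are constructed.

```javascript
// Added example, not tooling from the SKILL.md or Google Tag Manager. The register
// format and the sample rows are constructed for illustration.
const UNUSED_DAYS = 90;          // audit prompt: not used in the past 90 days means remove
const MAX_RETENTION_MONTHS = 14; // ceiling set in GA4 Step 1 (Data Retention)
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed sample register; a real one would live in the client's Google Sheet.
const sampleRegister = [
  { tag: 'GA4 configuration', category: 'analytics',
    collects: ['page_view', 'client_id', 'city-level location'],
    purpose: 'Site traffic reporting for the monthly client report',
    retentionMonths: 14, access: ['agency analyst', 'client marketing lead'],
    lastUsed: '2024-05-02' },
  { tag: 'Meta Pixel', category: 'marketing',
    collects: ['page_view', '_fbp cookie'],
    purpose: '', // nobody could say why it is still on the site
    retentionMonths: 24, access: ['agency paid media'],
    lastUsed: '2024-04-28' },
  { tag: 'Session recording tool', category: 'analytics',
    collects: ['session recordings', 'heatmaps'],
    purpose: 'Checkout UX review (Q1 project, finished)',
    retentionMonths: 12, access: ['agency UX'],
    lastUsed: '2023-12-20' },
];

function daysBetween(earlierMs, laterMs) {
  return Math.floor((laterMs - earlierMs) / MS_PER_DAY);
}

// One finding per failed rule; an empty list means the tag is documented and in use.
function auditTag(row, todayMs) {
  const findings = [];
  if (!Array.isArray(row.collects) || row.collects.length === 0) findings.push('data points not listed');
  if (!row.purpose || row.purpose.trim() === '') findings.push('purpose not stated');
  if (!(row.retentionMonths > 0)) findings.push('retention period missing');
  else if (row.retentionMonths > MAX_RETENTION_MONTHS) findings.push('retention exceeds 14 months');
  if (!Array.isArray(row.access) || row.access.length === 0) findings.push('access list missing');
  const last = Date.parse(row.lastUsed);
  if (Number.isNaN(last)) findings.push('last-used date missing');
  else if (daysBetween(last, todayMs) > UNUSED_DAYS) findings.push('unused for ' + daysBetween(last, todayMs) + ' days');
  return { tag: row.tag, action: findings.length === 0 ? 'keep' : 'remove or fix', findings };
}

function auditRegister(register, todayMs = Date.now()) {
  return register.map((row) => auditTag(row, todayMs));
}

// Markdown rows for the deliverable, since this skill outputs markdown.
function toMarkdown(results) {
  const lines = ['| Tag | Action | Findings |', '| --- | --- | --- |'];
  for (const r of results) {
    lines.push('| ' + r.tag + ' | ' + r.action + ' | ' + (r.findings.join('; ') || 'none') + ' |');
  }
  return lines.join('\n');
}
```

Run auditRegister over the exported register with the audit date, and paste toMarkdown's output into the report; a tag whose only finding is an empty purpose is a candidate for removal rather than for a purpose invented after the fact.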

WhatsApp and Social Media Data Governance

WhatsApp Business does not provide personal analytics data about individual users. However, client-side records — broadcast lists, contact databases, conversation histories — constitute personal data under DPPA 2019.
Advise clients to:
  1. Document the data: Maintain a record of all WhatsApp contacts — name, number, source of contact, consent basis, date added
  2. Honour opt-out requests within 48 hours: If a contact asks to be removed from a broadcast list, remove them immediately and confirm removal
  3. Do not share contact data with third parties without documented consent from each individual contact
  4. Store contact data securely: WhatsApp contact lists exported to spreadsheets must be stored in access-controlled files (Google Drive with restricted sharing), not in unsecured email attachments
Social media data note: Facebook, Instagram, and TikTok analytics dashboards provide aggregate data only — they do not expose individual user personal data to page administrators. No additional consent is required for using native platform analytics. However, installing the Meta Pixel on a website does constitute personal data collection and requires cookie consent.
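
The four WhatsApp points above translate into a small contact register with two governance checks. The JavaScript below is an added example of such a register; it is not tooling from this SKILL.md or from WhatsApp Business. It enforces the five record fields on entry, models opt-out as a two-stage flow (request logged the moment it arrives, removal from every broadcast list when honoured) so that requests left longer than 48 hours can be listed, and limits any third-party export to contacts with a documented third-party consent date. The field names, the two-stage flow and the sample contacts and numbers are constructed.

```javascript
// Added example, not tooling from the SKILL.md or WhatsApp Business. Field names,
// the two-stage opt-out flow and the sample contacts are assumptions.
const OPT_OUT_SLA_MS = 48 * 60 * 60 * 1000; // point 2: opt-outs honoured within 48 hours

function createRegister() {
  return { contacts: [], lists: {}, optOuts: [] };
}

// Point 1: every contact carries name, number, source, consent basis and date added.
function addContact(reg, c) {
  for (const f of ['name', 'number', 'source', 'consentBasis', 'addedOn']) {
    if (!c[f]) throw new Error('missing required field: ' + f);
  }
  reg.contacts.push({ ...c, thirdPartyConsentOn: c.thirdPartyConsentOn || null, status: 'active' });
}

// Only active contacts may be placed on a broadcast list.
function addToList(reg, listName, number) {
  const c = reg.contacts.find((x) => x.number === number);
  if (!c || c.status !== 'active') return false;
  (reg.lists[listName] = reg.lists[listName] || new Set()).add(number);
  return true;
}

// Point 2, stage one: log the request as soon as it arrives so the 48-hour clock starts.
function recordOptOutRequest(reg, number, requestedAtMs) {
  const c = reg.contacts.find((x) => x.number === number);
  if (!c) return null;
  const entry = { number, requestedAt: requestedAtMs, honouredAt: null, confirmed: false };
  reg.optOuts.push(entry);
  return entry;
}

// Point 2, stage two: remove from every list, mark the contact, record the confirmation.
function honourOptOut(reg, number, honouredAtMs) {
  const entry = reg.optOuts.find((o) => o.number === number && o.honouredAt === null);
  if (!entry) return false;
  for (const list of Object.values(reg.lists)) list.delete(number);
  reg.contacts.find((x) => x.number === number).status = 'opted_out';
  entry.honouredAt = honouredAtMs;
  entry.confirmed = true; // confirmation message to the contact is sent here (not modelled)
  return true;
}

// Governance check: requests older than 48 hours that nobody has actioned.
function overdueOptOuts(reg, nowMs) {
  return reg.optOuts.filter((o) => o.honouredAt === null && nowMs - o.requestedAt > OPT_OUT_SLA_MS);
}

// Point 3: only contacts with documented third-party consent may be shared, with only the
// fields needed; opted-out contacts are never exported.
function exportForThirdParty(reg) {
  return reg.contacts
    .filter((c) => c.status === 'active' && c.thirdPartyConsentOn)
    .map((c) => ({ name: c.name, number: c.number, consentBasis: c.consentBasis,
                   thirdPartyConsentOn: c.thirdPartyConsentOn }));
}

// Constructed walk-through: two contacts, one opt-out honoured within an hour, one left open.
function demoRegister() {
  const reg = createRegister();
  const t0 = Date.parse('2024-06-01T09:00:00Z');
  addContact(reg, { name: 'Contact A', number: '+256-70-000-0001', source: 'Trade fair sign-up sheet',
    consentBasis: 'Written opt-in (form dated 2024-05-20)', addedOn: '2024-05-21', thirdPartyConsentOn: '2024-05-20' });
  addContact(reg, { name: 'Contact B', number: '+256-70-000-0002', source: 'Website enquiry form',
    consentBasis: 'Form tick-box opt-in', addedOn: '2024-05-25' });
  addToList(reg, 'June promo', '+256-70-000-0001');
  addToList(reg, 'June promo', '+256-70-000-0002');
  recordOptOutRequest(reg, '+256-70-000-0001', t0);
  honourOptOut(reg, '+256-70-000-0001', t0 + 60 * 60 * 1000);
  recordOptOutRequest(reg, '+256-70-000-0002', t0);
  return { reg, t0 };
}
```

Point 4 (storage) is outside what code can enforce here: the register object, or the spreadsheet it is exported to, belongs in an access-controlled location, and overdueOptOuts() is the check to run at the start of each working day.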

International Framework Escalation

If any of the following conditions apply, pause implementation and refer the client to a qualified data protection lawyer before proceeding:
  • The client's website serves EU residents and currently has no GDPR-compliant consent mechanism
  • The client collects and stores health, financial, or biometric data of any kind
  • The client is a public institution or processes data on behalf of government bodies
  • The client has experienced a data breach in the past 12 months
  • The client operates in multiple East African jurisdictions with different regulatory frameworks

Quality Criteria

Output meets the standard for this skill if:
  • The applicable regulatory frameworks (DPPA, DPA, GDPR, CCPA) are identified based on the client's audience geography before any implementation guidance is given
  • All five GA4 privacy configuration steps are included and sequenced correctly
  • Cookie consent implementation meets the five requirements: pre-load, plain language, genuine opt-out, remembered choice, and category distinction
  • The data minimisation principle is applied — a documentation requirement is included, not just a configuration checklist
  • WhatsApp contact data is addressed as personal data subject to DPPA 2019
  • Legal referral triggers are clearly stated — the skill does not overreach into legal advice
  • Language is British English throughout; imperative in all instructional sections