AU collected student data for Google Analytics without consent for almost two years: "It’s very unfortunate"

After a test period of the Brightspace learning platform in 2021, AU forgot to remove a plugin that placed Google Analytics cookies in the students’ browsers. As a result, Brightspace sent unauthorised data about the students’ use of the platform to Google Analytics for almost two years.

"The plugin remained in place by mistake," explains division manager Anders Hyldig. Photo: Lars Kruse/AU Foto

From when AU started using Brightspace in 2021 until September 2022, the platform was placing unauthorised Google Analytics cookies in the students’ browsers.

AU installed the Google Analytics plugin in Brightspace when it tested the platform in early 2021, before it launched the platform for all students in Autumn of the same year. During this pilot period, Brightspace used the plugin with the students’ and teachers’ consent in order to collect data to help improve the user-friendliness of the system.

But this plugin was not removed once the pilot period was over – something that the Centre for Educational Development (CED) at AU, the system owner of Brightspace, describes as a regrettable error. As a result, student data continued to be collected, and, from Autumn 2021, this included data from all Brightspace users across AU – none of whom were aware that the plugin was installed.

Anders Hyldig, division manager at CED, confirms that this error occurred:

“The plugin remained in place by mistake once the pilot period was over. This means that it continued to collect aggregate usage data after the pilot period, but this data has not been used for anything, and the first thing we did when we discovered the error was of course to stop collecting data and to get all the data deleted. Immediately. It was a human error,” says Anders Hyldig, who continues:

“It’s very unfortunate, and it shows that there are some processes we can tighten up. Once we have completed a pilot test, we need to make sure we deliver the system in proper working order. We have learned from this,” he says.

Data protection officer criticises CED

According to data protection laws – for example, the ePrivacy Directive – a website needs the permission of the website user if it wishes to use cookies. Once a cookie is in place, it collects data about the user’s behaviour on a website – in this case, it sent the data to the web analytics tool Google Analytics. For almost two years, Google Analytics cookies were in place in Brightspace without students being asked for their consent.

Anders Hyldig explains that CED became aware of the plugin in late September 2022. In September, the Danish Data Protection Agency took a position on Google Analytics and concluded that “it would be illegal to simply continue using the tool”. The only way to carry on using Google Analytics, according to the agency, was to “make a plan to legalise its use by putting supplementary measures in place”. The Danish Data Protection Agency had already expressed concern about the legality of using Google Analytics in January 2022, when its Austrian counterpart concluded that a company could not legally use the tool.

In September the same year, students from the critical data course at AU contacted AU’s data protection unit when they became aware – via their lecturer, assistant professor Midas Nouwens – that Brightspace was using precisely these cookies. In their enquiry, which also concerned their surprise that Brightspace was allowing teachers to view student behaviour on the platform, they requested to know the legal basis for processing the data and why the data was being collected in the first place.

In his response to the enquiry from the students, AU Data Protection Officer Søren Broberg Nielsen criticised CED for its unauthorised use of Google Analytics cookies. However, he also notes that the plugin has now been removed, that the data has not been used, and that a request has been made to delete the data from Google.

Assistant Professor Midas Nouwens, who conducts research on digital rights and data protection and who – to our knowledge – was the first person to detect the plugin, believes that the error has been dealt with correctly.

“This clearly shouldn’t have happened, but, at the same time, the mistake has been handled satisfactorily,” says Midas Nouwens.

It was Victor Nørgaard, a fourth-semester student on the information studies programme, who contacted AU’s data protection unit on behalf of the students on the data studies course, and he is happy that the plugin has now been removed.

“It’s great that the plugin has gone and that they acknowledged their mistake,” says Victor Nørgaard.