A 10-Point Best Practice Privacy Guide for Working With Google Analytics
Google Analytics specific, Privacy and Accuracy February 13th, 2012Last year, privacy became mainstream news when the new EU privacy law came into effect on 26th May 2011 across all EU member states – see my previous posts on this subject. In short, the EU law states that you need to seek your visitor’s permission before you can track them. Exactly what permission is required (implied or explicit consent), and when this needs to be asked for (only when collecting personal information, or even to track visitors anonymously) is still a hot topic of debate in the industry, that I will return to in my next post.
Whatever the impact of the EU Privacy law, the key to any organisation’s privacy strategy is it’s privacy policy document – your communication with your visitors about what you do with their data. I have therefore put down my guidelines for writing a best practice privacy policy that will stand you in good stead if you are using Google Analytics in the UK and elsewhere in the Europe
Three guiding principals for writing a privacy statement
- Put your customers first – not your legal team
Don’t allow your legal team to write your privacy policy. Seriously! Let them review and provide input of course. However, a privacy policy is there to encourage trust between you and your potential new customers. Therefore it needs to be written for them to easily understand and not full of verbose legal jargon. The marketing team is the best place to start with this.
- Keep it simple
Write your privacy policy in plain English (or preferred language). Don’t try to write the Magna Carta! The important points are to be succinct, open and transparent. My privacy policy is less than 600 words – I recommend a hard limit of 1000 as an absolute maximum.
- Don’t mix up anonymous concerns with personal ones
This is a very common mistake. What you do with anonymous data is very different to what you do with personal data. The vast majority of your visitors – typically 97% of them will not be your customers. They are your potential customers. Before they sign up or transact with you, they are simply anonymous visitors. Don’t mix up what you do with such benign information with what you do with customer information that is a small proportion of your traffic.
So with these principals in place, how does this look in practice? Below I have reproduced what I consider my best practice privacy policy with the key points emphasised for a website operating in the UK.
What a best practice privacy policy should look like
A] Firstly, declare that Google Analytics is your tracking tool of choice, though if you also use other tools (e.g. Clicktale, Kampyle, Uservoice etc.) you may wish to add “and associated tools” here. Google Analytics is a well known product and many visitors trust the Google brand with their privacy. Note that for UK websites, stating that Google Analytics is being used is a requirement of the Terms of Service (see section 8.1). Even if you are not based in the UK, which means you do not have to state you use Google Analytics, I still recommend you do so – just for transparency.
B] and C] emphasise that all collected data is anonymous by default. Personal info is only collected if explicitly asked for. That is, nothing sneaky is happening in the background and the visitor always has a choice when asked.
D] Adding a personal commitment form the CxO, Managing Director or Website owner is a nice touch to show how important the organisation takes privacy.
E] Separate out anonymous collected data from collected personal information. These are very different situations – no point scaring the vast majority of your visitors with statements about personal information if it is not relevant to them.
F] Make it easy and clear to understand how people can have their personal information removed if they wish to do so.
G] Google has some excellent documentation on its approach to privacy when Google Analytics is used. The link shown allows visitors to read more information without you getting bogged down in it (definitions of a cookie, data sharing options, opt-out browser add-on etc.) – it is not needed in your privacy policy.
I would love to hear your feedback on this approach to online privacy.
February 13th, 2012 at 1:41 pm
Hi Brian,
This is great. Just talking about this in a class I am giving. Will give them your URL after lunch.
Nikki Rae
February 13th, 2012 at 2:40 pm
Hi Brian,
thanks for the insight. Two suggestions: use the anonymizeIp function. Link directly to the GA opt-out plugin. At least in Germany both is required.
Markus
February 13th, 2012 at 7:25 pm
Nikki: Great timing!
Markus: Yes, German law makers are particularly anal about this and insist on the last 3 digits of the ip address being removed before data is sent to Google. Its a very odd decision by them, as all computers need the full ip address in order to communicate with each other…
February 13th, 2012 at 10:20 pm
Hi Brian, good to read you again. I think it is a great idea to make a clear distinction in your policy between what “just happens” because the visitor is in your site and what submitting a form will involve.
Now, Markus is totally right and the same applies to Spain (plus I doubt the UK can manage to stay less “anal” than the rest for much longer -here we go again, bloody Europeans-
).
Since GA is already discarding a storage of the full IP (indeed part of the HTTP request and also used for geo-segmentation before it’s gone), your paragraphs 2 and 3 would just get shorter and easier to understand by the end user, who I agree should be the first priority.
Last thing I would add is a good distinction between third-party and first-party cookies explaining that you use the latter. Saying it may not take you too far in the EU yet, but doing it could mean a lot under Do Not Track initiatives in the US.
Thanks!
February 14th, 2012 at 7:56 am
Hi Brian,
Thanks for your insight. On the 28 th of january the EU commission launched a proposal for a legislation which will be effective and the same all through Europe. In the meantime we will have to wait and see what is happening with all the different EU privacy laws. Are they going to be on hold, or will they become active until this new regulation will be enforced.
Geddy
February 14th, 2012 at 9:38 am
Hi Brian,
thanks for the helpful article and sharing your insights.
From my own experience I can tell that it is sometimes extremely difficult to go up against your lawyers when you want to push through a user-friendly privacy policy version (obviously law requirements were made to torture real people). A good solution for this conflict is offered by Tim Grimsditch who shares some of his personal experiences on The Kernel (http://www.kernelmag.com/features/building-a-company/668/should-we-worry-about-user-privacy/).
March 19th, 2012 at 1:54 pm
Here is a post that I think shows some of the grey areas around privacy. It talks about three scenarios and whether people think they are legal, comply with Google’s terms of service, and/or are ethical. They then show the survey results in a follow-up blog. I find it interesting how the responses were all over the map. It shows that people really don’t know what to do about privacy.
http://blog.immeria.net/2011/03/web-analytics-ethic-trivia.html#.T2c5f9Vwzng
January 22nd, 2013 at 5:35 pm
Even though most of my websites are targeted to Latin America, last year they approved a law stating that every website must now have a privacy policy (I know just now), we are currently developing several policies and this is probably going to be the foundation on witch they are built.
Thank you for the insight.
Got here from a RT from @danielwaisberg “10-Point Best Practice Privacy Guide for Working With @googleanalytics bit.ly/WRBWKI by @BrianClifton”
January 23rd, 2013 at 9:11 am
@Carlos – Many thanks for the feedback
@DanielWaisberg – thanks for the retweet.