A 10-Point Best Practice Privacy Guide for Working With Google Analytics

Last year, privacy became mainstream news when the new EU privacy law came into effect on 26th May 2011 across all EU member states – see my previous posts on this subject. In short, the EU law states that you need to seek your visitor’s permission before you can track them. Exactly what permission is required (implied or explicit consent), and when this needs to be asked for (only when collecting personal information, or even to track visitors anonymously) is still a hot topic of debate in the industry, that I will return to in my next post.

Whatever the impact of the EU Privacy law, the key to any organisation’s privacy strategy is it’s privacy policy document – your communication with your visitors about what you do with their data. I have therefore put down my guidelines for writing a best practice privacy policy that will stand you in good stead if you are using Google Analytics in the UK and elsewhere in the Europe

Three guiding principals for writing a privacy statement

  • Put your customers first – not your legal team
    Don’t allow your legal team to write your privacy policy. Seriously! Let them review and provide input of course. However, a privacy policy is there to encourage trust between you and your potential new customers. Therefore it needs to be written for them to easily understand and not full of verbose legal jargon. The marketing team is the best place to start with this.
  • Keep it simple
    Write your privacy policy in plain English (or preferred language). Don’t try to write the Magna Carta! The important points are to be succinct, open and transparent. My privacy policy is less than 600 words – I recommend a hard limit of 1000 as an absolute maximum.
  • Don’t mix up anonymous concerns with personal ones
    This is a very common mistake. What you do with anonymous data is very different to what you do with personal data. The vast majority of your visitors – typically 97% of them will not be your customers or subscribers. They are your potential customers. Before they sign up or transact with you, they are simply anonymous visitors. Don’t mix up what you do with such benign information with what you do with customer information that is a small proportion of your traffic.

So with these principals in place, how does this look in practice? Below I have reproduced what I consider my best practice privacy policy with the key points emphasised for a website operating in the UK.

What a best practice privacy policy should look like

The screenshot of my privacy policy is shown below. You can also go straight to the text of my privacy policy (new window).

A] Firstly, declare that Google Analytics is your tracking tool of choice, though if you also use other tools (e.g. Clicktale, Kampyle, Uservoice etc.) you may wish to add “and associated tools” here. Google Analytics is a well known product and many visitors trust the Google brand with their privacy. Note that for UK websites, stating that Google Analytics is being used is a requirement of the Terms of Service (see section 8.1). Even if you are not based in the UK, which means you do not have to state you use Google Analytics, I still recommend you do so – just for transparency.

B] and C] emphasise that all collected data is anonymous by default. Personal info is only collected if explicitly asked for. That is, nothing sneaky is happening in the background and the visitor always has a choice when asked.

D] Adding a personal commitment form the CxO, Managing Director or Website owner is a nice touch to show how important the organisation takes privacy.

E] Separate out anonymous collected data from collected personal information of subscriptions/transactions. These are very different situations – no point scaring the vast majority of your visitors with statements about personal information if it is not relevant to them.

F] Make it easy and clear to understand how people can have their personal information removed if they wish to do so.

G] Google has some excellent documentation on its approach to privacy when Google Analytics is used. The link shown allows visitors to read more information without you getting bogged down in it (definitions of a cookie, data sharing options, opt-out browser add-on etc.) – it is not needed in your privacy policy.

I would love to hear your feedback on this approach to online privacy.

Looking for a keynote speaker, or wish to hire Brian…?

If you are an organisation wishing to hire me and my team, please view the Contact page. I am based in Sweden and advise organisations in Europe as well as North America.

You May Also Like…

Sayonara Universal Analytics

Sayonara Universal Analytics

My first Google Analytics data point was 15th May 2005 for UA-20024. If you are of a certain age, that may sound off...

14 Comments

  1. Jonathan

    Hi Brian,

    I have been searching for info on whether a Corporate IP/Name would be considered PII. I cannot find any specificity in Google results or their ToS.

    There are newer tools that some of our clients are using such as this one below which tells the actual company names (via ip lookup) and puts it under events area. I would love to get your thoughts on this.

    It feels like a very grey area to me. Reg flags for me/clients.

    One such vendor: https://www.google.com/analytics/partners/company/5105188650090496/gadp/5629499534213120/app/5707702298738688/listing/5685265389584384

    My search (your 3rd!): https://www.google.com/search?q=are+corporate+IP+addresses+considered+PII%3F&oq=are+corporate+IP+addresses+considered+PII%3F&aqs=chrome..69i57j69i60.600j0j7&sourceid=chrome&es_sm=122&ie=UTF-8#q=Google+analytics+are+corporate+IP+addresses+considered+PII%3F

    Thank you for any insights in advance.

    Jonathan

    Reply
    • Brian Clifton

      +Jonathan – Generally I would say it is *not* PII, as by definition this defines an organisation, not a person. Of course for small organisations (or small departments within them), it could be argued it becomes more personal.

      Reply
  2. Kara Tointon

    Do you know what percentage of websites actually feature a privacy statement, let alone a statement that Google Analytics are used. I bet the percentage is in the single figures.

    Google Analytics don’t track personal data, only location, browser, etc. Surely there’s a lack of severity with the data that’s tracked?

    Reply
    • Brian Clifton

      @Kara – I don’t have figures, however having a privacy statement on your website is the law in the EU and in many other countries. Having a compliant privacy statement on your site is also a requirement of the Google Analytics Terms of Service…

      I agree not all website owners are aware of this. However in my experience anyone that has a commercial website using knows enough to ask the question “what is required”?

      Reply
  3. John

    I am looking for this kind of information about privacy policy to implement google analytics.

    thank you

    Reply
  4. Brian Clifton

    @Carlos – Many thanks for the feedback

    @DanielWaisberg – thanks for the retweet.

    Reply
  5. Carlos Aguilar

    Even though most of my websites are targeted to Latin America, last year they approved a law stating that every website must now have a privacy policy (I know just now), we are currently developing several policies and this is probably going to be the foundation on witch they are built.

    Thank you for the insight.

    Got here from a RT from @danielwaisberg “10-Point Best Practice Privacy Guide for Working With @googleanalytics bit.ly/WRBWKI by @BrianClifton”

    Reply
  6. Ken McDonald

    Here is a post that I think shows some of the grey areas around privacy. It talks about three scenarios and whether people think they are legal, comply with Google’s terms of service, and/or are ethical. They then show the survey results in a follow-up blog. I find it interesting how the responses were all over the map. It shows that people really don’t know what to do about privacy.

    http://blog.immeria.net/2011/03/web-analytics-ethic-trivia.html#.T2c5f9Vwzng

    Reply
  7. Franz Keim

    Hi Brian,

    thanks for the helpful article and sharing your insights.
    From my own experience I can tell that it is sometimes extremely difficult to go up against your lawyers when you want to push through a user-friendly privacy policy version (obviously law requirements were made to torture real people). A good solution for this conflict is offered by Tim Grimsditch who shares some of his personal experiences on The Kernel (http://www.kernelmag.com/features/building-a-company/668/should-we-worry-about-user-privacy/).

    Reply
  8. Geddy van Elburg

    Hi Brian,
    Thanks for your insight. On the 28 th of january the EU commission launched a proposal for a legislation which will be effective and the same all through Europe. In the meantime we will have to wait and see what is happening with all the different EU privacy laws. Are they going to be on hold, or will they become active until this new regulation will be enforced.
    Geddy

    Reply
  9. Sergio Maldonado

    Hi Brian, good to read you again. I think it is a great idea to make a clear distinction in your policy between what “just happens” because the visitor is in your site and what submitting a form will involve.

    Now, Markus is totally right and the same applies to Spain (plus I doubt the UK can manage to stay less “anal” than the rest for much longer -here we go again, bloody Europeans- :)).

    Since GA is already discarding a storage of the full IP (indeed part of the HTTP request and also used for geo-segmentation before it’s gone), your paragraphs 2 and 3 would just get shorter and easier to understand by the end user, who I agree should be the first priority.

    Last thing I would add is a good distinction between third-party and first-party cookies explaining that you use the latter. Saying it may not take you too far in the EU yet, but doing it could mean a lot under Do Not Track initiatives in the US.

    Thanks!

    Reply
  10. Brian Clifton

    Nikki: Great timing!

    Markus: Yes, German law makers are particularly anal about this and insist on the last 3 digits of the ip address being removed before data is sent to Google. Its a very odd decision by them, as all computers need the full ip address in order to communicate with each other…

    Reply
  11. Markus Vollmert

    Hi Brian,

    thanks for the insight. Two suggestions: use the anonymizeIp function. Link directly to the GA opt-out plugin. At least in Germany both is required.

    Markus

    Reply
  12. Nikki Rae

    Hi Brian,

    This is great. Just talking about this in a class I am giving. Will give them your URL after lunch.

    Nikki Rae

    Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Share This