A 10-Point Best Practice Privacy Guide for Working With Google Analytics
Last year, privacy became mainstream news when the new EU privacy law came into effect on 26th May 2011 across all EU member states – see my previous posts on this subject. In short, the EU law states that you need to seek your visitors’ permission before you can track them. Exactly what permission is required (implied or explicit consent), and when it needs to be asked for (only when collecting personal information, or even to track visitors anonymously), is still a hot topic of debate in the industry, which I will return to in my next post.
Three guiding principles for writing a privacy statement
- Put your customers first – not your legal team
- Keep it simple
- Don’t mix up anonymous concerns with personal ones
This is a very common mistake. What you do with anonymous data is very different to what you do with personal data. The vast majority of your visitors, typically 97% of them, will not be your customers or subscribers. They are your potential customers. Before they sign up or transact with you, they are simply anonymous visitors. Don’t mix up what you do with such benign information with what you do with customer information, which represents a small proportion of your traffic.
A] Firstly, declare that Google Analytics is your tracking tool of choice, though if you also use other tools (e.g. Clicktale, Kampyle, Uservoice etc.) you may wish to add “and associated tools” here. Google Analytics is a well-known product and many visitors trust the Google brand with their privacy. Note that for UK websites, stating that Google Analytics is being used is a requirement of the Terms of Service (see section 8.1). Even if you are not based in the UK, which means you do not have to state you use Google Analytics, I still recommend you do so – just for transparency.
B] and C] emphasise that all collected data is anonymous by default. Personal info is only collected if explicitly asked for. That is, nothing sneaky is happening in the background and the visitor always has a choice when asked.
D] Adding a personal commitment from the CxO, Managing Director or Website owner is a nice touch to show how seriously the organisation takes privacy.
E] Separate out anonymously collected data from personal information collected through subscriptions/transactions. These are very different situations – there is no point scaring the vast majority of your visitors with statements about personal information if it is not relevant to them.
F] Make it easy and clear to understand how people can have their personal information removed if they wish to do so.
I would love to hear your feedback on this approach to online privacy.