Thursday, September 18, 2008

Online Data Tracking and Privacy

Online privacy is a hot button these days. Privacy advocates and lawmakers are putting a lot of pressure on several large internet companies such as Google, Microsoft and Yahoo to be transparent about how they intend to use users web surfing data (behavior). Mainly they are concerned with the companies that collect a huge amount of user data and then engage in Behavioral Targeting.

However online data tracking is not limited to companies who engage in Behavioral Targeting. Any companies which collects users’ web surfing data or user provided data needs to make sure do not compromise user privacy (actual or perceived). They need to clearly state how they are collecting data and how that data will be used.
Enterprise web analytics tools like Omniture, WebTrends, Coremetrics etc and free tools like Google Analytics and Yahoo IndexTools have made it very easy for website owners of any size to track users’ online behaviors. Most of the web analytics tools use a first party anonymous cookie to track users and their behaviors on any given site.

Side Note: The data is called anonymous because it mainly uses a cookie value to indentify a user (there are other ways which I am not covering in this post) without knowing who the actual user is. Say John Doe arrives on, a web analytics tool will drop a cookie with a random id say 123ASXBA12. This cookie id is not tied to any personally identifiable information (see below) of John Doe. So Web Analytics tools (in most cases) do not know who the person is, they just know that cookie id 123ASXBA12 came to the site. They use this id to track current and future site visits.

Even if the data is anonymous the potential of it being tied to personally identifiable information is there and that can cause privacy concerns. It is critical that every company that collects any sort of consumer data, anonymous or personal, needs to clearly state its data collection and usage policy in its site’s privacy policy.

Usually Web Analysts do not tackle this issue and it is left to the legal department. However, a lot of times the web analytics tracking and any kind of targeting is implemented without getting legal involved. As a result companies sometimes do not have proper privacy policy in place. This is a huge blunder, companies need to take privacy issues seriously and pay due attention to their privacy policy.

Do we need Privacy policy even though we use Third Party Web Analytics Tool and they collect the data.

It does not matter who is collecting the data. The data is collected on your site and is collected on your behalf so you are responsible for clearly stating how you are collecting and using the data.
Those who use Google Analytics, need to be aware that Google Analytics requires such disclosures. Here is what Google Analytics states in its Terms of Service
You will have and abide by an appropriate privacy policy and will comply with all applicable laws relating to the collection of information from visitors to Your websites. You must post a privacy policy and that policy must provide notice of your use of a cookie that collects anonymous traffic data.

Tracking Personally Identifiable Data

In simple terms Personally Identifiable Information (PII) can identify a particular user, example last name, first name, email address etc. Most of the commercial Web Analytics Tools have the capability to track Personally Identifiable Information. In other tools such as Omniture, Webtrends etc. you can pass the personally identifiable information either via JavaScript variables or via importing an outside file which ties the anonymous cookie with identifiable information.
If you collect or track PII data then it becomes even more important that you disclose what information you are collecting or tracking and how you intend to use that information. Before you start collecting PII information, think hard what information you need and why you need it. Once you have figure out the information then make sure to fully disclose it on your site’s privacy policy.
I am a big supporter of giving users an opt-in option before using PII data for tracking and targeting. If you do decide that opt-in is not the right for your business model then at least provide an easy way for users to opt-out from being tracked and targeted using PII information.

Note: Google Analytics does not allow any Personally Identifiable information to be tracked via Google Analytics, period. Here is what Google Analytics Terms of Service says:
You will not (and will not allow any third party to) use the Service to track or collect personally identifiable information of Internet users, nor will You (or will You allow any third party to) associate any data gathered from Your website(s) (or such third parties' website(s)) with any personally identifying information from any source as part of Your use (or such third parties' use) of the Service.

Google Analytics even considers IP address as PII. It uses IP address to populate Geo Report but will not show IP address in any report. Other tools such as Omniture, WebTrends etc. can display IP and other PII data.

Optimization and Privacy

Most of the Optimization (A/B and Multivariate Testing) tools allow you to segment users based on IP, cookie or user provided data. For examples if you want to test a page on Males, age 35-45 from Redmond, WA, then you need to collect data from users so that you can create the right segment to test. However this type of data crosses the line of PII data, even though there could be thousands of users in that segment it can be used to identify a particular user. So make sure you are clear in your privacy policy that you might be (or are) using the data to test the optimal layout of the page and provide a better experience etc.

Examples of good privacy policies
Smart Money

As marketers and web analysts lets do our part, let’s make sure to be clear and forthcoming in our privacy policies.

Also see Jim Stern’s view on giving users the control on privacy.

Questions? Comments?



Looking to fill your Web Analytics or Online Marketing position? Try WebAnalytics Job Board

New Position

(Web Sales) Conversion Marketing Manager at Hewlett Packard (American Fork, UT)


  1. Jacques Warren2:18 PM

    Hi Anil,

    Excellent summary of the question. You reminded me that I have no such policy on my site, even though I use GA. The next version of the site (due in a couple of weeks) will certainly have one.

    I think this is just plain good practice to let visitors know we track them and what we use to do so. And I think we should make it clear, and insist, that using cookies can cause no harm (we're all legit sites aren't we?).

    What do you think of the new anonynous mode (i.e. no cookie at all) Chrome and IE8 will offer? Do you think that many people will use it? Do people really care about being truly anonymous on the web? What about all those sites we all use more and more that recognize us and make our life so much simpler?

  2. Anil: A few months ago Google claimed it could impose its legal terms on the public just by publishing the terms. Maybe members of the public can impose their own terms of privacy protection on Google just by publishing those terms! A person might -- for example -- say in her published privacy terms that analytics engines cannot keep records of her activities longer than a week. --Ben My ideas are not legal advice for any particular situation, just fodder for public discussion.


I would like to hear your comments and questions.