Comentarios recientes

  • Alicia Fuenmayor: Tenía mucho tiempo buscando información de este tipo, de verdad muchas gracias, no te imaginas...
  • Aurélie Pols: you nailed it Jim! it’s about choice (but as I tend to write long blog posts, I tried to keep it...
  • Jim Sterne: Tomorrow’s Opt-In Form Please indicate your level of agreement with our collection of data and our...
  • Mandragora: me gusta
  • Patricia: Hola, enhorabuena por el post, creo que trasmite muy bien la necesidad de actuar sin perder la calma ante...



Google Analytics’s Privacy Policy looses 2 little words. What does this mean to the digital analytics industry?

Posted by: Aurélie Pols | Posted on: junio 19th, 2013 | 0 Comments

This was sent to me the night before Measure Bowling by Phil Pearce.

GA1

Ref: Change Detection

And as Maria was in Zaragoza, we had some discussions over email through the night and the next day.

To be honest, with the advent of Universal Analytics and the questions I heard Brian Clifton ask about retroactivity of measurement at eMetrics London some months ago, I was kind of expecting this. Moving from session centric to user centric does make for some very interesting questions.

However, before “bouh-ing” the lights out of Google and calling them horrible Big Brothers and what not, some thoughts.

Ok so basically was does this mean?

Personally Identifiable Information (PII), a very legal term, gets replaced by personal information, not so much a recognized legal term.

Note that the distinction between PII & non-PII is increasingly becoming a very, very thin line, with the entire debate about deanonymization, data scrubbing and limited data sets.

Getting back to the subject at hand, you’ll note that the Terms of Service did **not** change, clearly keeping the PII reference.

Hence, this is about waving liability towards users of Google Analytics.

If you’re a digital analyst reading this, it means you and the work you’re doing for your company. You are responsible.

And if you’re a consultant well you might want to start thinking about how much responsibility you want to take for your tagging documents.

As a side note, this is for the free tool Google Analytics used by a lot of businesses, worldwide and in Europe! See infographic below.

GA2

One of the next questions would then be about Google Analytics Premium, Google’s paying tool: does it collect PII? what happens if you use PII? Is it also forbidden by the Terms of Use? What will Google do if a Premium client collects PII?

Is Google going to ask them to spend their 150k € elsewhere????

In an article dating back to November 2012, there seemed to be more information available about what Google would do when PII was collected, infringing it’s terms of use:

Clancy Childs, the product manager for Google Analytics, was keen to stress at the launch that the tool will not be allowed to collect any personally identifiable information; usernames and customer IDs can be used, but if you use it to collect private data, such as email or home addresses, then you will have your data deleted. But whether that will satisfy the European bureaucrats is unclear.”

And I won’t even get started on Google Analytics Premium data in Big Query coming soon! By Clancy Childs: http://analytics.blogspot.com.es/2013/05/io-announcement-google-analytics.html

Comes in PRISM, the NSA and a bunch of other scary acronyms we’ve all been reading about over the past couple of weeks.

However Google protects itself from government requests, and let’s give them the benefit of doubt as fitting in a democracy, fact remains that the more Google Analytics collects, the worst it becomes for all actors involved: website visitors as they might be subject to privacy loss, digital analysts as we would have more work and well Google bien évidemment!

Whether the financial &/or direct access argument holds or not, we should ask ourselves whether we care. And what we actually care about. With we, being:

  • Citizens, who use Google’s services (search engine, gmail, etc.) and wish to protect their privacy as they increasingly request data protection;
  • Analysts, who pledged to protect their visitor’s data & just want to get their job done while feeling good about themselves;
  • Google, who pledges to not do evil and focuses on “organizing the worlds’ information”, while of course making sure their shareholders remain happy with their investments.

As much as it saddens me to read about how little taxes tech giants, “la bande de GAFA”, pardon my French, pay for their (European) operations, one has to recognize that if such tax schemes are possible, it’s our own European fault.

Indeed, as long as schemes like the “double Irish with a Dutch tax sandwich”, are allowed, you can’t blame corporations for taking advantage of them.

Europe’s lack of alignment when it comes to taxes, amongst so many other things, avoids the creation of a Nash equilibrium. Hence tech companies take the route recommended to them by tax specialists firms who basically do their job, in the best interest of their clients and shareholders.

Let’s move on.

In the light of all this, sit Digital Analysts, because they like to ask good questions and like to have the right tools to allow their audience to make informed decisions. Who ever their audience might be: colleagues within their company, citizens in search for insightful information to make better decisions in life or even politicians in search of the next needed legislation.

Digital analysts are active all over the world: in the US, certainly but also Europe, as recently demonstrated by Measurebowling, as well as Asia, Middle East or even Africa. Indeed, someone from South Africa subscribed to the Web Analyst’s Code of Ethics Pledge set-up by the Digital Analytics Association (DAA)!

And while one has to admit that the DAA is more of a US centric organization, one has to applaud their initiative for even setting up such a pledge back in the early days when privacy was still considered as something you basically had to get over.

Yet, for as much as I understand the preferred US way of dealing with Privacy would be through self-regulation, I for one, as a Google (Analytics) enthusiast would welcome a next step.

Don’t get me wrong: I love Google and fully recognize their social contribution and couldn’t care less about how much taxes they pay as it pales in comparison to their social contribution and the way they changed so many things. An Android even watches over my household, together with Vishnu and a little angel!

However, when you change 2 little words like that… you basically recognize the privacy game is evolving. Please allow me to list what bothers me:

  • The notion of “Personal information” is very vague and it’s not clear what you do with collected PII: is it deleted? Is it kept?
  • Why aren’t Terms of Use being policed? I mean if they exist, there is a reason beyond pure deterrence, no? Walk the talk, guys! I know of many sites collecting PII through their GA accounts. This data pops-up in GA reports so to my knowledge, deletion is not happening… would it be so hard to imagine a process where sites collecting PII through their GA accounts would be warned and shut down after a couple of warnings? Like the 3 strikes methodology the French use for Hadopi (might as well give it some use!).
  • Do you consider that the terms of use prohibiting collection of PII is enough and that this fact does not need to be enforced? My preferred way of working when it comes to privacy, or data protection, is through a risk matrix.
  1. Question 1: what is the probability of Google shutting down GA if we collect PII? Answer: unknown;
  2. Question 2: has Google ever shut down a website because it knows it collects PII? Answer: most of my Google Analytics contacts recognize the issue yet no one seems to be responsible… so to my knowledge, it never happened;
  3. Question 3: what would be the cost if it happened? Retagging, loss of data, etc.

Basically, you never get down to actually do a cost-benefit analysis as the risk matrix stops at question 2: as far as I know, it never happened, terms of use do not get enforced.

Now, one could of course argue that it might have happened but was never publicized, which would make sense. Yet, in all my conversations with Google Analytics product managers, Privacy seemed like a far, far away land that wasn’t within the realm of their responsibilities and decided by MoutainView. Yes, I love Peter Fleisher’s blog as well, mainly when he compares privacy to the Spanish inquisition and book burning!

Don’t do evil, huh? So why not prove it in our ever increasing skeptical world? Some suggestions:

  • Public disclosure of the number of GA accounts deleted per country, per month &/or public disclosure of the number of warnings send to GA customers/clients;
  • Private disclosure of severity of these warnings/deletions (e.g. unencrypted passwords or just emails & telephone numbers) and scale (e.g. number of unique visitors effected);
  • Easy means to report Privacy concerns related to GA by users (e.g. privacy@google.com or gaprivacy@google.com, which currently do not work). A Google Trusted store feedback system might be one way to solve this;
  • Inbuilt Privacy-by-Design detection via GTM JavaScript to prevent emails in URLs being captured using virtualPageviews to purge and/or adding default exclude parameter list to ensure PIIs they are not visible. Also, similar to the real-time goal trigger verification test, a PII verification test could be part of the GA setup process.
  • Adding PII to the setup checklist process: http://www.google.com/analytics/learn/setupchecklist.html

Now I do understand that a company becomes liable once they say they are going to do something and there’s a gap between the promise and the delivery. Hence, the easy strategy is usually to do nothing, nada!

Yet,

GA3

The problem of course with Privacy is that if you say/write you’ll do something, you actually have to stick by it, as certain multinationals pushed by their Corporate Responsibility streak painfully & recently found out.

So please, por favor, Google Analytics, don’t just change 2 little words in your Privacy Policy, in the hope no one will notice. Your community can help you, just lend an ear & tread carefully.

GA4

Comments are closed.