Google Analytics have become an almost ever-present part of the contemporary Internet. Large, small, and medium-sized sites alike track their website visitors using Google’s free tools to identify where visitors are coming from, what they’re looking at (and for how long), where they subsequently navigate to, what keywords bring people to websites, and whether internal metrics are in line with advertising campaign goals. As of 2010, roughly 52% of all websites used Google’s analytics system, and it accounted for 81.4% of the traffic analysis tools market. As of this writing, Google’s system is used by roughly 58% of the top 10,000 websites, 57% of the top 100,000 websites, and 41.5% of the top million sites. In short, Google is providing analytics services to a considerable number of the world’s most commonly frequented websites.
In this short post I want to discuss the terms of using Google analytics. Based on conversations I’ve had over the past several months, it seems like many of the medium and small business owners are unaware of the conditions that Google places on using their tool. Further, independent bloggers are using analytics engines – either intentionally or by the default of their website host/creator – and are ignorant of what they must do to legitimately use them. After outlining the brief bits of legalese that are required by Google – and suggesting what Google should do to ensure terms of service compliance – I’ll suggest a business model/addition that could simultaneously assist in privacy compliance while netting an enterprising company/individual a few extra dollars in revenue.
Google Analytics, Privacy, and Opt-Outs
Google describes their tool as an “enterprise-class web analytics solution that gives you rich insights into your website traffic and marketing effectiveness….With Google Analytics, you’re more prepared to write better-targeted ads, strengthen your marketing initiatives and create higher converting websites.” While Google’s tools do provide considerable insight into websites’ visitors, the insight may come at the cost of vistors’ privacy and be accompanied by legal liability for organizations using the tools. Data protection experts in Germany warn that Google’s ‘insights’ violate German data protection laws, with recent analyses exploring whether German site owners should risk using Google’s system. As of the beginning of 2011 it remains unclear whether using Google analytics could put both German site owners – and owners of sites that Germans visit – at risk of sanction by authorities.
- screen resolution
- screen depth
- Google Analytics Account
- page title
- original referrer
- IP address
- IP address derived information (including ISPs, approximate location, country, and the potential to tie in the IP information with internal databases)
In the case of ga.js, the following is still captured:
Further, the following is captured via googleadservices.com:
- screen resolution
- bit depth
- time zone
- whether java is supported
While the opt-out does limit the amount of information that is provided through ga.js the Google webcrawlers can theoretically be used to match “ the url in both the referer and/or the googleadservices url= variable.” Doing so would let them combine the information gathered from Google’s ad services and analytics system, even if a user had opted-out of the analytics. In summary, the opt-out mechanisms that Google provides are somewhat disingenuous given that few users are likely to know the full range and magnitude of the systems that Google has deployed to collect information about web browsers’ actions. A more honest opt-out mechanism would opt users out of every Google product that captures browser traffic information.
Of course many of the people running Google analytics will have few concerns about the broader privacy concerns or problems associated with the opt-out mechanisms that the company provides. Instead site owners use the tools to derive information about their visitors. Unfortunately, many of these owners are using Google’s systems in contravention of Google’s Terms of Service (ToS).
Google could, and ought to, bundle a compliance mechanism with their Analytics product. It would be trivial for the company to create a spider that evaluated whether websites using the Analytics engine also contained privacy policies and required legalese. In cases where websites used the Google product but appeared in contravention of the ToS Google could direct an email to the website to remind the administrator of their duties under the Terms of Service. If compliance was not forthcoming (demonstrated by the continuing absence of the policy and legalese, discovered using Google’s crawlers) then the site owner would cease receiving information from Google Analytics. Indeed, privacy commissioners should demand that the company integrate such basic compliance tools into the product that they are offering. They should put some onus on Google to guarantee that its services are designed to comply both with the company’s own notice requirements and the notice and consent laws in privacy commissioners’ jurisdictions.
Google Analytics and Business
So, how can an enterprising business cash in on contraventions of Google’s Terms of Service? Creating a spider that checks whether websites are running the company’s Analytics product and has the required legalese should be a relatively simple task, and could be supplemented by an automated email to the site owner. That email might explain that the crawled website was violating Google’s terms of service and that, for a relatively low fee, the enterprising business could prepare the text that Google requires. This text, of course, would be a simple copy/paste of what Google already offers for free. Should a company integrate this kind of a search tool with already existing products – perhaps a privacy compliance service – then clients would receive an even better ‘bang for their buck’ with minimal extra effort being put forth by the consulting firm.
While privacy policies are certainly not the best way to notify anyone of anything, it is a (very minimal!) baseline that has global traction. While outside the scope of this post, what would be best would be a graduated privacy notice system that included first a set of principles (perhaps that adheres to a privacy commons notification model), second a somewhat detailed description of what the website/business did to collect, use, and disseminate personal information, and third the present legalese contained in most privacy policies.