Privacy Policy White Paper

Transcription

1 Published April Edgewater Place, Suite 600 Wakefield, MA Phone: +1 (781) (800) Fax: (781)

2 License This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.

3 Contents Introduction... 4 Purpose... 4 The Digital Analytics Association (DAA) and the DAA Standards Committee... 4 The intended audience for this document... 4 Questions to Address As You Develop Your Privacy Policy... 6 What information is collected?... 7 Who is holding data?... 7 Where is my data being held?... 7 How long is my data held?... 7 How do I opt out?... 8 Who can release my data and in what form?... 8 Is my analytics data matched up with personally identifiable information, like my name and address?... 8 What obligations are put upon the marketer by the analytics vendor?... 8 So, what should my Privacy Policy look like?... 8 Conclusion Glossary

4 Introduction Purpose Privacy is not simply a technical issue. Because privacy is a cultural concept that varies with region and organization, both technical and policy issues must be addressed when discussing privacy. The goal of our efforts is to provide a solid basis for understanding key issues about the products in the analytics marketplace: how they collect data, how they store data, and what burdens they place upon those who use the products. Whether you re a practitioner or a brand deploying an analytics product, it s crucial that you understand how the products you use affect the privacy of your users. That privacy is an important aspect of your relationship with the customer, and ignoring it in today s marketplace where discussions of privacy are highly charged imperils your brand. This document, though it comes from the DAA Standards committee, does not prescribe standards for privacy policies or privacy practices of analytics tools and services. Instead it seeks to introduce important considerations for establishing privacy policies and to educate readers on key questions of the policy development process. The Digital Analytics Association (DAA) and the DAA Standards Committee The Digital Analytics Association exists to help organizations understand and overcome the challenges of data acquisition, exploration, deduction, and application. The DAA is a not-for-profit volunteer-powered association that strives to help individuals become more skilled through education, community, research, and advocacy. The DAA Standards Committee, co-chaired by Anna Long and Darrin Wood, is publishing this white paper under its auspices to encourage good practices by its members. A special thanks to Shabbir Safdar for his leadership and contribution to this project. The intended audience for this document This white paper was written for the marketing professional audience. If you re a marketing professional in-house or in-agency, you choose and deploy web analytics products and services for your own brands or the brands of your clients. But you don t choose or deploy these products in a vacuum. These products operate in a regulatory and reputational context in which their privacy practices often matter very much to your customers, and the products you choose and deploy are an integral part of that context. This guide will help expedite the research you need to understand the implications of any given product. Although this paper focuses primarily on marketing professionals, it may also support the work of people in other roles, such as these: Policymakers: If you re a policymaker thinking through these issues, you can use this document to learn about the key privacy features to understand about any analytics product. Media: If you re a member of the media, you have the challenging job of explaining highly technical and emotional issues of privacy and tracking to the public. We hope this guide increases your understanding of analytics products to support your work. We ve licensed this entire report under Creative Commons so that you can reuse this material in your own work without having to rewrite it. Consumers: As a user of the World Wide Web, you may have questions about web analytics tools and your online privacy. You may wonder: What is web analytics? What do these products know about me? Are they tracking my actions as I visit websites? If so, how long do the tools retain my data? These are all reasonable 4

5 questions the public has asked about every new technology that collects data, and this document can explain the issues for you. Policymakers, Media, and Consumers should know: 1. That the analytics industry has regulations and best practices to protect consumer privacy, and that many web analytics tool vendors and digital analysts adhere to them, and 2. That web browsers such as Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari can help consumers make themselves virtually anonymous to these technologies To some extent, the capability to control their own privacy choices already resides in the hands of consumers. For example, Internet Explorer, Firefox, Chrome, and Safari all have user-controlled privacy options that affect communication between the browser and the web server computers on which websites reside. These options can change with each browser release, so be sure to refer to your browser s help documentation for more information. Please note the terminology used throughout this document: Businesses that purchase analytics services and that have a primary relationship with consumers are referred to as marketers Vendors that sell analytics products are referred to as analytics vendors The people who visit websites or other digital assets are referred to as consumers. They may not actually purchase products from a website, but because they consume the information and services on the website, we use consumers as a generic term Note that this document addresses a variety of privacy issues. Much of the material will apply to multiple locales, but some of it may be specific to the United States. Privacy laws and regulations vary widely around the world, and parts of this document would not apply in a country with a different regulatory overlay (such as Canada or the members of the European Union). Refer to the privacy laws of your region to determine what material must be included to meet legal requirements for your website. If you are seeking information for the EU, the DAA s EU Special Interest Group (SIGEU) has published a white paper that describes the EU privacy environment. For more information on the SIGEU white paper on EU privacy compliance, visit 5

6 Questions to Address As You Develop Your Privacy Policy Web analytics tools create a number of privacy issues that need to be addressed as you write your privacy policy. Consumers have relationships with the brands they frequent, and information is shared in those relationships. To discuss the dimensions of privacy policies, let s take an example: say that you visit a website of a favorite shoe company, called Awesome Shoes. Because marketers at Awesome Shoes want to understand how consumers use their website, they ve purchased a tool called SUPER WEB ANALYTICS from an analytics vendor. This tool records the behavior of any consumer visiting the AwesomeShoes.com website, storing it on a server operated by SUPER WEB ANALYTICS. Any time you visit AwesomeShoes.com, your web browser communicates with the web server hosting AwesomeShoes.com and makes requests to the AwesomeShoes.com web server for the HTML, graphics, and other assets that you see on the page. At that time, it also downloads a small piece of JavaScript code that tells your browser to report information about your web page visit to the server operated by the analytics vendor, SUPER WEB ANALYTICS 1. Periodically, the marketers for Awesome Shoes use the SUPER WEB ANALYTICS website service to view the data of visitors to the AwesomeShoes.com website. Quite often these reports display aggregate anonymous data, such as how many people visited the AwesomeShoes.com website on a particular day, how many bought shoes, and how many looked at each different page. The marketing staff of Awesome Shoes studies these metrics to determine how people are using the website, how to improve it, and, of course, how to encourage people to buy more shoes from Awesome Shoes. In our example, you, the consumer, know that you re dealing with Awesome Shoes because you have visited its website. But unless you read the Awesome Shoes privacy policy or look in the HTML source code of the AwesomeShoes.com web pages, you probably aren t aware that some data is now being held by the analytics vendor SUPER WEB ANALYTICS. Consumers also may be unaware that their data sometimes is shared with or sold to third parties. Once consumers are aware of this practice, they may have the following questions: What information is collected? Who is holding my data? Where is my data being held? How long is my data held? Can I opt out of tracking? Is my analytics data matched up with personally identifiable information, like my name and address? Is my data being sold to third parties? Will I receive unwanted targeted marketing as a result of visiting this site? Because consumers are concerned about these issues, so too are marketers like those from Awesome Shoes. They want to know: 1 For the purposes of this version of the document, we are only focusing on analytics tools that use page tagging with remote data storage and analysis of logfiles (files recording activity by web servers as consumers visit websites). We are not addressing tracking data collected by other technologies such as ad network tracking or live hit counters, even though both may fit some definitions of analytics tools. 6

7 What do I need to explain to web visitors about the privacy practices of web analytics products I use? What do I need to understand about the privacy practices of the web analytics products I use in order to ensure that my site is compliant with all laws and regulations governing my business? What other restrictions are put on the marketer about how data can be handled? Let s discuss each of these questions in more detail, covering issues that a marketer should be aware of. What information is collected? This is the most basic piece of information that consumers want to know. In many cases it consists of a consumer s browsing history and any information the consumer submits while on your site. Identifiers such as IP address may be used by the analytics tool, but they are not necessarily stored for subsequent access and analysis. Often the information that is collected is not personally identifiable, and web analytics companies frequently have policies in place that prevent the storage of personally identifiable information (PII). You can check the web analytics product s documentation for more detail on collection and storage. Your site s Privacy Policy should reflect this information along with your own data collection practices. Note that some analytics companies may offer a process that allows consumers to opt out of measurement, a fact that should be reflected in your Privacy Policy as well. Who is holding data? Are you collecting analytics data through a server you control, such as with a logfile analyzer or a self-hosted analytics product, or is the data being collected by a third party? Even though some consumers may not be aware of the various first-party and third-party agreements that website owners can arrange, you need to be transparent about who is collecting and holding the data collected for your website. Where is my data being held? For consumers, the question Where is my data being held? is often related to the question What are the legal protections covering my data? The consumer may also ask Is there a familiar type of legal due process that is required before the data is released to third parties, such as law enforcement? and What country s privacy regulations govern my stored data? Depending on the sensitivity of the data, consumers may choose not to use a site if they do not trust the legal authority that governs the physical location of the data. Getting a vendor to admit where it stores your analytics data may be challenging and in some cases may be impossible. Yet as a marketer you need to be transparent about the answers you have been given by your vendor when you communicate with consumers. How long is my data held? Many analytics products do not hold data indefinitely. Limited retention times can be some comfort to consumers concerned about data collection, since these finite retention periods indicate there are procedures in place that limit the shelf life of data. The comscore Digital Analytix product allows its marketer clients to select their data storage timeframes based upon business needs. Other products charge their customers according to the storage periods negotiated, so those customers often limit storage duration. (If you re self-hosting an analytics product and haven t yet set a data retention period, you will on the day your server fills up!) Best practice is to set a retention period according to your 7

8 organization s operating needs (which may include regulatory compliance) and communicate that to consumers as part of your policy. How do I opt out? Consumers want to know whether they can opt out of tracking, and the opt-out options for the various analytics product are different. Some web analytics companies may offer a process that allows consumers to opt out of measurement. If opting out affects the functionality of your website, you need to be clear about that in your Privacy Policy. Who can release my data and in what form? Some analytics companies share consumer data with other organizations beyond the website owner. If the analytics company shares or releases consumer data with anyone besides the marketer, either in aggregate or individually, the Terms of Service of your analytics product should specify this situation. This information, plus your own privacy practices, should be disclosed to the consumer. Is my analytics data matched up with personally identifiable information, like my name and address? Some analytics vendors offer services that will match anonymous web traffic session data with personal information. Other vendors, such as KISSMetrics, provide mechanisms for marketers to make those associations themselves. And still other vendors, such as Google Analytics, prohibit any combining of PII with their tracking identifiers. Combining anonymous data with PII can provide a more complete picture of visitor behavior, but the practice is controversial. If you do combine PII with website tracking data, you need to inform the consumer about it. You also need to take whatever additional appropriate measures are necessary to safeguard sensitive PII data. Consumers perceptions of adequate privacy safeguards can differ considerably when the data is anonymous or when PII is involved, and there are often legal ramifications as well. What obligations are put upon the marketer by the analytics vendor? The Terms of Service may spell out additional responsibilities the marketer may have as a user of the analytics tool. For example, the Google Analytics Terms of Service require that websites using Google Analytics maintain a published Privacy Policy. While you do not necessarily need to communicate this obligation to the consumer, you do need to know what obligations you have in the Terms of Service so that you are in compliance with the product s requirements. So, what should my Privacy Policy look like? Note that there are different schools of thought about how to write a Privacy Policy. The ones written by lawyers for purposes of avoiding potential future litigation tend to be unreadable by a lay person. Others attempt to cover all data-related behavior across all tools in greater technical detail than a lay person would understand. A web search of the term privacy policy generator will bring up websites that can assist you, but be aware that at best they can only provide you with basic material on which to build. A good guideline for how you should behave with customer data can be found in the Digital Analytics Association s document The Web Analyst s Code of Ethics

9 What we have included below covers some elements of a larger Privacy Policy that your (or your client s) online presence should include. You may want to define some of the terms that you use; see the Glossary at the end of this paper for suggested definitions. Disclosure of the use of a technique and/or tool: Example text: In order to study the use of our website and make it better, we use the SUPER WEB ANALYTICS analytics product. This product collects data about your browsing on every page you view, including the page name, the links you click on, how long you stay, and what page and site you arrived from. It also collects details sent to us from your web browser, such as your browser plugins, your screen size, and your operating system. Disclosure of the type of tracking technology used: Example text: SUPER WEB ANALYTICS tracks your travels through our site using first-party cookies. Disclosure of the location and retention of the data: Example text: You can learn more about the SUPER WEB ANALYTICS tool at its website, fictitioussuperwebanalytics.com. The data about our visitors is kept on its servers, the exact location of which SUPER WEB ANALYTICS hasn t disclosed to us. We have configured the data to be kept for 24 months, after which we no longer have access to it. Instructions for consumers to opt out of tracking: Example text: If you d like to opt out of being tracked by the analytics product, you can do so by following these instructions provided to us by SUPER WEB ANALYTICS. Additionally, you can use the built-in features of many browsers to surf the web anonymously. Refer to your browser s help documentation for more information. Disclosure of data handling practices and combination of web analytics data with other data: Example: We don t combine web analytics tracking data with personal identifying data, and therefore we don t have any ability to identify the website visit patterns of individual visitors. 9

10 Conclusion Every modern civil society has serious and ongoing discussions about privacy that take place in multiple venues simultaneously. Privacy is a culturally specific issue and one that evolves over time. Given that a one-size-fits-all solution cannot work for privacy, this document is intended to inform marketers about the more important aspects of privacy in an online environment. We encourage digital analysts and marketers to research further to fully understand the issues that consumers have in order to achieve better disclosure. 10

11 Glossary For purposes of this privacy policy discussion, we have defined the basic terms below. These terms are not official DAA Standards Committee definitions, originating instead from the sources listed. What are cookies? 3 A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for communication between a website visitor s browser and a website. The cookie stores data for a variety of purposes selected by the website developer. The data can be used to automatically sign a visitor into a website, store the visitor s preferences for interacting with the website, hold shopping cart contents, or summarize prior actions such as a previous visit to a web page. What are cookies not? 4 Cookies are not software. They cannot be programmed, cannot carry viruses, and cannot install malware on a consumer s computer. However, they can be used by spyware to track a user s browsing activities: this is a major privacy concern that prompted European and U.S. lawmakers to take action. Cookies can also be stolen by hackers to gain access to a victim s web account. What are first- and third-party cookies? 5 First-party cookies are cookies set with the same domain (or its subdomain) that appears in a browser s address bar. Third-party cookies are cookies being set by domains different from the one shown on the address bar (i.e., the web pages on that domain may feature content from a third-party domain, such as an advertisement run by showing advertising banners). Third-party cookies can be used to aggregate information from a user s visits to multiple websites. For example, suppose a user visits which includes an advertisement that sets a cookie with the domain ad.foxytracking.com. When the user later visits another advertisement can set another cookie with the domain ad.foxytracking.com. The advertiser can then use these cookies to build up a browsing history of the user across all the websites where this advertiser has advertisements. Why does nobody talk about second-party cookies? There is no such thing as a second-party cookie, just first and third. Personally identifiable information 6 Personally Identifiable Information (PII), as used in information security, is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. The abbreviation PII is widely accepted, but the phrase it abbreviates has four common variants based on personal, personally, identifiable, and identifying. Not all are equivalent, and for legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the term is being used. 3 This definition is taken from the Wikipedia entry HTTP cookie. 4 This is from the Wikipedia entry HTTP cookie. 5 This is also from the Wikipedia entry for HTTP cookie. 6 From the Wikipedia entry Personally identifiable information 11

12 What is the DO NOT TRACK header? From the DoNotTrack.us website: Do Not Track is a technology and policy proposal that enables users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms. Much like the popular Do Not Call registry, Do Not Track provides users with a single, simple, persistent choice to opt out of third-party web tracking. Do Not Track signals a user s opt-out preference with an HTTP header, a simple technology that is completely compatible with the existing web. The World Wide Web Consortium (W3C) has recognized the importance of this capability and has formed a Tracking Protection Working Group to develop related standards for its implementation. The W3C has also formed the Customer Experience Digital Data Community Group to standardize the data collected by websites, which has privacy implications as well. The DAA Standards Committee is working with the W3C on privacy issues and will publish more information as these specifications mature. 12

13 401 Edgewater Place, Suite 600 Wakefield, MA Phone: +1 (781) (800) Fax: (781)