Archive for September 29th, 2009

Website analytics and targeting: is there an elephant in the room?

September 29, 2009

In sampling top websites for the privacychoice service, we see that nearly all of them use hosted website analytics to understand user behavior. Like an ad network, an analytics service works through JavaScript code embedded throughout pages on a website. As humans navigate the site, background communications with the analytics server provide complete visibility into behavior, including counting new or repeat users, seeing which search terms they used to find your site, and which of your pages are most popular. Using cookies and IP addresses, a user’s multiple sessions can be linked in order to understand user loyalty and behavior over time.

The sheer ubiquity of analytics code raises an obvious question: Is website analytics data used to target advertising?

The question gains importance given the growing overlap between analytics providers and ad networks, where Google is the biggest in each market. It has the widest footprint in selling and serving ads through the AdSense network and DoubleClick. It also gives Google Analytics away for free to web publishers, and that code is present on over three-quarters of the sites sampled for privacychoice. For customers who are also advertisers on Google networks, the appeal is an integrated end-to-end cycle — from ad click through user actions taken on the site — enabling publishers to connect the dots for a more effective ad spend. The other analytics providers include a handful of enterprise-grade platforms like Omniture. Once Omniture becomes part of Adobe, it may have access to a larger web-wide footprint through the huge installed base of Flash applications (also widely used in ads).

Yahoo! also offers its own analytics product to advertising customers, and Yahoo! makes it clear that analytics data is leveraged to target advertising. User activities on sites running Yahoo!’s analytics program can be associated with the user’s account and activities on Yahoo!’s family of sites. For purposes of disclosure, websites using Yahoo!’s service are directed to include specific language in their privacy policies and a link to more information. According to Yahoo! search, around 3,000 sites carry the required language:

“We use third-party web beacons from Yahoo! to help analyze where visitors go and what they do while visiting our website. Yahoo! may also use anonymous information about your visits to this and other websites in order to improve its products and services and provide advertisements about goods and services of interest to you.”

Yahoo! can connect user activities from its analytics network with Yahoo!’s sites or ad networks. Does Google?

The answer is probably not, if only in light of Google’s other practices. DoubleClick requires each participating website to make a special privacy disclosure about the use of information for ad targeting, and provides an opt-out cookie for consumers. Google Analytics has neither. Also, Google Analytics collects user information through a different domain (google-analytics.com) than Google uses for its ad networks (doubleclick.net, googlesyndication.com and others). While this doesn’t mean Google can’t use analytics data for ad targeting, it does make it harder as a practical matter.
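The domain separation described above can be checked on any page by listing the third-party hosts its markup loads and grouping them by the domains named in this post. The following Python code is an added example, not part of the original post; the sample HTML, the site name news.example.com and the "analytics"/"ads" role labels are constructed for illustration, and domain_match applies the browser rule that a cookie set for a domain is sent only to that domain and its subdomains.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the post; the role labels are this example's own grouping.
TRACKER_ROLES = {"google-analytics.com": "analytics",
                 "doubleclick.net": "ads",
                 "googlesyndication.com": "ads"}

# Constructed sample page for a hypothetical site, news.example.com.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
</head><body>
<img src="http://ad.doubleclick.net/ad/example/;sz=1x1">
<iframe src="http://widgets.example.org/box"></iframe>
</body></html>"""

class ResourceCollector(HTMLParser):
    """Collects hosts of resources a browser fetches without user action."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            src = dict(attrs).get("src")
            host = urlparse(src).hostname if src else None
            if host:  # relative URLs have no host and stay first-party
                self.hosts.append(host.lower())

def domain_match(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def classify(host):
    for domain, role in TRACKER_ROLES.items():
        if domain_match(host, domain):
            return role
    return "other"

def audit(html, site_host):
    """Map role -> sorted third-party hosts that receive a request."""
    collector = ResourceCollector()
    collector.feed(html)
    report = {}
    for host in collector.hosts:
        if host != site_host:
            report.setdefault(classify(host), set()).add(host)
    return {role: sorted(hosts) for role, hosts in report.items()}

if __name__ == "__main__":
    for role, hosts in audit(SAMPLE_HTML, "news.example.com").items():
        print(role, hosts)
```

A cookie scoped to google-analytics.com fails domain_match for every ad host in the report, so the browser itself never presents the same cookie to both services; any linkage would have to happen on the server side.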

However unlikely it may be, given the huge but invisible reach of Google Analytics, it’s reasonable to expect an express statement from Google. This could be as simple as: information gathered via Google Analytics is not associated with other Google user information or used to target advertising.

To search for this kind of statement, you can start by navigating Google’s privacy policies. Which one is relevant is not immediately obvious. Look at Google Analytics for a privacy policy and you end up at the general Google Privacy Center (unlike DoubleClick, which has a separate policy, and 15 other Google services, which have supplements to the general policy).

Google’s general policy is particularly unhelpful in explaining how user information is handled by Google Analytics. In the explanation of data gathering via cookies, IP addresses and such, matters are framed with “when you visit Google” or “when you access Google services.” Who even knows they are using Google services when they happen to trigger Google Analytics code on a third-party site? But still you will find no express statement about mixing analytics and targeting data.

Turn from the consumer disclosures to the terms of service Google Analytics provides its analytics customers. There you find this express statement about the use of information:

Google and its wholly owned subsidiaries may retain and use, subject to the terms of its Privacy Policy (located at http://www.google.com/privacy.html , or such other URL as Google may provide from time to time), information collected in Your use of the Service.

The policy does go on to say that, although Google may retain and use the information, it will not share any site’s information with third parties. But by implication, Google still can use the information to target ads, so long as it does not disclose the targeting information to advertisers. The fact that Google probably doesn’t use analytics data this way isn’t the point. What is needed is a statement that makes Google accountable for that policy. In crafting privacychoice summaries, this ambiguity in Google’s policies means we cannot assume that users are anonymous to Google when they are on sites using Google Analytics.

This example provides important takeaways for folks writing rules for this industry. To ensure clarity and accountability, any company in the business of collecting and using information about users from across different websites should register each domain they use, and bind it legally to a complete privacy policy that governs the activity. There’s no room — and no reason — for ambiguity.