Posts Tagged ‘Google Analytics’

Website analytics and targeting: is there an elephant in the room?

September 29, 2009

In sampling top websites for the privacychoice service, we see that nearly all of them use hosted website analytics to understand user behavior. Like an ad network, an analytics service works through JavaScript code embedded throughout pages on a website. As humans navigate the site, background communications with the analytics server provide complete visibility on behavior, including counting new or repeat users, seeing which search terms they used to find your site, and which of your pages are most popular. Using cookies and IP addresses, a user’s multiple sessions can be linked in order to understand user loyalty and behavior over time.

The sheer ubiquity of analytics code raises an obvious question: Is website analytics data used to target advertising?

The question gains importance given the growing overlap between analytics providers and ad networks, where Google is the biggest in each market. It has the widest footprint in selling and serving ads through the AdSense network and DoubleClick. It also gives away Google Analytics for free to web publishers, which is present on over three-quarters of the sites sampled for privacychoice. For customers who are also advertisers on Google networks, the appeal is an integrated end-to-end cycle — from ad click through user actions taken on the site — enabling publishers to connect the dots for a more effective ad spend. The other analytics providers include a handful of enterprise-grade platforms like Omniture. Once Omniture becomes part of Adobe, they may have access to a larger web-wide footprint through the huge installed base of Flash applications (also widely used in ads).

Yahoo! also offers its own analytics product to advertising customers, and Yahoo! makes it clear that analytics data is leveraged to target advertising. User activities on sites running Yahoo!’s analytics program can be associated with the user’s account and activities on Yahoo!’s family of sites. For purposes of disclosure, websites using Yahoo!’s service are directed to include specific language in their privacy policies and a link to more information. According to Yahoo! search, around 3,000 sites carry the required language:

“We use third-party web beacons from Yahoo! to help analyze where visitors go and what they do while visiting our website. Yahoo! may also use anonymous information about your visits to this and other websites in order to improve its products and services and provide advertisements about goods and services of interest to you.”

Yahoo! can connect user activities from its analytics network with Yahoo!’s sites or ad networks. Does Google?

The answer is, probably not, if only in light of Google’s other practices. DoubleClick requires each participating website to make a special privacy disclosure about the use of information for ad targeting, and provides an opt-out cookie for consumers. Google Analytics has neither. Also, Google Analytics collects user information through a different domain ( than they use for their ad networks (, and others). While this doesn’t mean they can’t use analytics data for ad targeting, it does make it harder as a practical matter.

However unlikely it may be, given the huge but invisible reach of Google Analytics, it’s reasonable to expect an express statement from Google. This could be as simple as: information gathered via Google Analytics is not associated with other Google user information or used to target advertising.

To search for this kind of statement, you can start by navigating Google’s privacy policies. Which one is relevant is not immediately obvious. Look at Google Analytics for a privacy policy and you end up at the general Google Privacy Center (unlike DoubleClick, which has a separate policy, and 15 other Google services, which have supplements to the general policy).

Google’s general policy is particularly unhelpful in explaining how user information is handled by Google Analytics. In the explanation of data gathering via cookies, IP addresses and such, matters are framed with “when you visit Google” or “when you access Google services.” Who even knows they are using Google services when they happen to trigger Google Analytics code on a third-party site? But still you will find no express statement about mixing analytics and targeting data.

Turn from the consumer disclosures to the terms of service Google Analytics provides its analytics customers. There you find this express statement about the use of information:

Google and its wholly owned subsidiaries may retain and use, subject to the terms of its Privacy Policy (located at , or such other URL as Google may provide from time to time), information collected in Your use of the Service.

The policy does go on to say that, although Google may retain and use the information, it will not share any site’s information with third parties. But by implication, Google still can use the information to target ads, so long as it does not disclose the targeting information to advertisers. The fact that Google probably doesn’t use analytics data this way isn’t the point. What is needed is a statement that makes Google accountable for that policy. In crafting privacychoice summaries, this ambiguity in Google’s policies means we cannot assume that users are anonymous to Google when they are on sites using Google Analytics.

This example provides important takeaways for folks writing rules for this industry. To ensure clarity and accountability, any company in the business of collecting and using information about users from across different websites should register each domain they use, and bind it legally to a complete privacy policy that governs the activity. There’s no room — and no reason — for ambiguity.


Which companies collect user information on government websites?

September 10, 2009

Yesterday and today many smart people have been gathered for the Gov2.0 conference to discuss bringing our government into the 21st century, Web-wise. One important topic is the integration of public and private Web services, particularly how government sites can leverage privately-provided social networking, site analytics and communications tools.

The privacychoice system provides a glimpse into how this integration is progressing. By sampling pages on top websites, the privacychoice system maps which tracking networks we find on those sites in order to create a Network Privacy Profile. This Profile gathers in one place the summaries and excerpts for the relevant third-party privacy policies. This provides a composite of the privacy practices citizens sign up to now when using government sites. Click through from this list to see the individual profiles for top-traffic government sites we have scanned.

Of the top several dozen dot-gov sites in our system, here’s the breakdown of how many of them have integrated third-party-served content or services:

50%  AddThis/Clearspring
34%  Google Analytics
26%  CrazyEgg
24%  WebTrends
5%   YouTube

(No other company was found on more than one or two government sites; each was less than 5%.)

From a privacy point of view, it’s concerning to see AddThis with such a high share, given their relatively weak approach to privacy issues. Also, although it’s no surprise to see Google Analytics making inroads (it’s a great, free service), this comes despite ambiguities in Google’s formal policies as to how user data is handled (more on that in a future post). CrazyEgg and WebTrends present the least concern, since their policies expressly disavow sharing information other than with the site where collected (thus no cross-site profiles are created).