Google Analytics and End User Privacy

Phil Bogle has an important post on the privacy implications of the new Google Analystics website traffic measuring product:

The thing that’s a little bit disappointing is that Google used their standard search engine terms of service and privacy policy with Google analytics. This seems inappropriate– even the Adwords policies would have been more inappropriate.

It’s one thing to give Google full access to all of the information I enter into Google. It’s another thing to share with a third party the complete session history of everyone on my site. Google’s privacy policy ought to more clearly spell out what they will do with this data. (They do promise not to give it away to a third party, but when you’re a large corporation you don’t need to give it away to extract a great deal of value.)

I know that Doubleclick and all of the targeted online advertising players do similar things to track users across the internet. The thing that bothers me a little bit in the case of Google is that they seem to be encouraging site owners to gloss over the issues by presenting the standard privacy policy as if it was adequate, and that they are targeting the least sophisticated sites which tend not to even have privacy policies for their users.

Keep in mind that Google is injecting Javascript into your page, in principle giving them access to form contents and anything else on the page. As far as I can tell, Google’s terms of service would allow them to spam every email address that users entered into my site. (Not that they would do this, but still…)


UPDATE: Eric Siegmund reports that the Google Analytics’ Terms of Service requires that all sites using the service have a privacy policy, and that the privacy policy discloses the use of tracking cookies:

7. PRIVACY . You will not (and will not allow any third party to) use the Service to track or collect personally identifiable information of Internet users, nor will You (or will You allow any third party to) associate any data gathered from Your website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will have and abide by an appropriate privacy policy and will comply with all applicable laws relating to the collection of information from visitors to Your websites. You must post a privacy policy and that policy must provide notice of your use of a cookie that collects anonymous traffic data. [emphasis added]

One concern here, of many, is whether a user of a website with such a privacy policy understands that its not only the owner of the site who might collect cookie data, but Google, who has the potential to aggregate and mine such data against their immense databses of web search and other online intellectual activity.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s