Google Analytics and Your Privacy Policy

If you're hosting a website, analytics is critical to growing your audience or customer base. Insight into how visitors interact with your site and its products or services is a time-tested method of fine-tuning your website's appeal.

The most popular site analytics tools include Wordpress Jetpack, LiveInternet, New Relic, and Google Analytics. Considering how ubiquitous Google's products are, it's not surprising that some surveys estimate Google Analytics is used by over 83% of websites. Odds are, if you run a website, you're using Google Analytics — and what's more, that means you probably need a privacy policy.

How Does Google Analytics Work?

Google Analytics gathers information about your site's visitors by placing a temporary file called a cookie on the visitor's computer through their web browser. The Google Analytics cookie tracks information like:

  • Referring site (eg, a search engine or a linked from another site)
  • Search terms used to find your site
  • Pages viewed
  • How long each page was viewed
  • Device type, browser, and operating system
  • Geographic area in which the visitor appears to be located (via their IP address)
  • Links clicked (whether internal to your site or external to another site)
  • Event information such as date and time of each visit.

If you click around on your Google Analytics dashboard, you can see the full list of fields in the reports you view.

Google Analytics Dashboard - Click to See Bigger Image
Click image to enlarge.

Is Google Analytics a Privacy Concern?

When it comes to surveilling your site's visitors, tracking seems harmless, right? After all, most site owners have benign intentions when using the information provided by Google Analytics. You might use it to improve understanding of your customer in a completely innocent way. However, your visitors will likely assume the worst unless you spell it out for them in a privacy policy.

By now, it should also occur to you that other sites are tracking this information about you. Analytics looks like an entirely different beast depending on which side of the telescope you're looking through.

For the time being, privacy laws in the United States are fairly lenient with regard to cookie tracking. However, if your site attracts visitors from other parts of the world like the European Union, you could be in violation of their privacy laws.

Location Tracking via IP Address

Of particular note is that Google Analytics can roughly determine your computer's location by analyzing its IP address. However, IP addresses don't function like GPS satellites. Although GPS is capable of determining your exact location (within a few meters), IP addresses aren't nearly that precise. Additionally, there are ways to mask IP addresses to make it seem like the computer is elsewhere.

Despite the imprecision of IP addresses, many people are wary of being tracked by location and what that information might be used for. This is all the more reason it's in your best interest to write a privacy policy clarifying your intentions for using that information.

Google Analytics and the Law

Most places in the world allow you to use Google Analytics without restrictions. But there are things that all website owners should worry about.

The most important law is probably the EU Privacy Directive, which most people refer to as simply the "EU cookie law." In its simplest terms, the law says that if you're going to do any tracking whatsoever of visitors on your website, you must alert them and give them a method of opting out of said tracking. In practice, compliance with the law usually takes the form of "cookie banners" like the one below.

Cookie Banner - Compliance: this site tracks visits anonymously. Close this book to confirm you are happy with that, or find out more in the best practices privacy statement.

Why should you care about EU laws if you aren't European? Regardless of where your site is hosted, you might need to comply with the EU law, or other laws different countries may enact. If your site is targetting customers in other countries, it is more likely that the laws would apply to you. At this point, it isn't clear. But it is safest just to follow the most stringent laws so you don't have to worry.

Automatic Opting Out of Google Analytics Cookie Tracking

The good news for website owners is that since the original law went into effect in 2011, many browsers have implemented a feature that allows web surfers to automatically opt-out of all tracking requests. For example, in Chrome, the opt-out setting can be found in Settingss > Advanced Settings > "Privacy" section:

Checkbox: send a 'do no track' request with your browsing traffic

Additionally, Google has created a browser add-on that can be installed into any browser - including Microsoft Internet Explorer 11, Google Chrome, Mozilla Firefox, Apple Safari, and Opera. It's a good idea to include this link in your privacy policy.

Although the browser-based opt-out method is more of a sledgehammer than a scalpel in that it doesn't allow for opting in, the added browser functionality has empowered internet citizens to control their own tracking as they see fit.

Unfortunately, browser opt-out functionality doesn't preclude your need to have a privacy policy.

You Need a Privacy Policy

There's no other way to put it: as a web publisher using Google Analytics — whether for a blog or for a commercial site — you need a privacy policy and a tracking opt-out process to be compliant with global internet privacy laws. You've got several options to help you with crafting your policy:

  • Your attorney: If your business employs a lawyer, by all means, ask them to draft a policy for you. If not, there are tons of privacy policies all over the web! You can start by reading Google's Analytics privacy policy.
  • Competitors: It's also a good idea to look at some of your competitors' sites and see what they've listed in their privacy policies as it pertains to your own business or blog category.
  • Privacy policy generators: You can also try out some online privacy policy generators. We have our own that we are proud of.

Whatever method you use, once you're happy with your privacy policy, you should probably get it reviewed by an attorney, just to be on the safe side.

How to Get Started on a Privacy Policy Right Now

It's easy to get started writing a privacy policy for your blog or website by following these steps:

  • Document how you already use Google Analytics data — and what you might use it for in the future.
  • Read a few privacy policies from your competitors.
  • Use a privacy policy generator to begin drafting your policy.
  • If possible, get your privacy policy reviewed by a lawyer who has experience with online privacy policies.

If you just want something quick and easy that you can feel fairly safe with, use our Privacy Policy Generator. It not only provides you with a privacy policy generator in HTML form that you can put directtly on your website, it also creates a "terms and conditions" page, which is very good to help.

Conclusion

Google Analytics is an incredibly powerful and helpful tool for managing your website. But it does have privacy ramifications. So it's a good idea to make sure that your website is very clear about its privacy policy. Even when it isn't a matter of law, it makes your website look more trustworthy.


Further Reading and Resources

We have more guides, tutorials, and infographics related to privacy and the law:

The World Wide Web & Internet Privacy

Check out our infographic, The World Wide Web & Internet Privacy.