Saturday, November 4, 2006

Web Analytics and Privacy

The heat is on again: an activist group is asking the US Federal Trade Commission to investigate the use of personal information, which, in my view, is already well governed by existing laws not only in the US, but in most countries, including Canada. The problem is this group mixes personally identified data collection and includes web analytics and anonymous data collection in the same bag.

The Web Analytics blogosphere is likely to have passionate views in regard to this opinion. So far, one of the most interesting post comes from the Web Analytics Yahoo group. The argument is simple, evident, and clearly expressed: there is already a user consent for anonymous data collection covered by privacy policies posted on any serious web site.

My contribution to this discussion is in regard to PIPEDA, the Personal Information Protection and Electronic Document Act, the Canadian law that governs the collection of private information. In a nutshell, that means the information must be:
  • gathered with the user's consent
  • collected for a reasonable purpose
  • used only for the limited purposes for which it was gathered
  • accurate
  • open for your inspection and correction
  • stored securely
This is expressed in 10 principles:
  1. Accountability
  2. Identifying purposes
  3. Consent
  4. Limiting collection
  5. Limiting use, disclosure, and retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual access
  10. Challenging compliance
It is worth to note these principles not only covers the collection of personal information, but also applies to anonymous information as well. We have to admit, however, the law is not strongly enforced. Still, those who try to comply have found it reasonable and it doesn't impact the ability to use web analytics tools to better understand their user audience and preferences.

The W3C also offers some guidelines in the form of "P3P: The Platform for Privacy Preference". Although not widely used so far, I think sites offering the information about their P3P policy have an advantage:
The Platform for Privacy Preferences Project (P3P) enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.
P.S. Note the province of Quebec is governed by a similar act named "An Act respecting the protection of personal information in the private sector"