© Aurélie Pols 1
Amicus brief[1]: Should you measure when a user logs out?

Table of Contents:
• To the attention of
• Objective of this document
• Authors
  • Cited sources
• Background information
• Description of the data ecosystem
  • Involved actors
  • Vocabulary
  • Legal jargon (borrowed from EU legislation)
  • Risk and potential liability
  • Type of content accessed (and logged out from)
  • Reasonable client expectation
  • Minimal requirements to lower risk
  • Doomsday scenario
• Conclusion
To the attention of

The Digital Analytics Association, more specifically:
• Jodi McDermott, comScore, President, email: XXXXXXX
• Bob Page, HortonWorks, Vice President, email: XXXXXXX
• Jim Sterne, Chair of the Board, email: XXXXXXX
• Mike Levin, DAA, Executive Director, email: XXXXXXX
Objective of this document

This amicus brief is intended to help the digital analytics community understand the implications of digital measurement practices from the angle of increasing Privacy, Compliance, Ethics and Security requirements. This document is not intended to hold any legal recommendations. Its purpose is to foster reflection and discussion within the digital analytics community about vendors’ measurement practices, ways to tackle evolving global Privacy legislation, and the increasing lack of trust felt by Internet users all over the world.
[1] Amicus brief or Amicus Curiae: A person (or other entity, such as state government) who is not a party to a particular lawsuit but nevertheless has a strong interest in it may be allowed, by leave of the court, to file an amicus curiae brief, a statement of particular views on the subject matter of the lawsuit. Source: http://www.merriam-webster.com/dictionary/amicus%20curiae
Authors
• Aurélie Pols, OX3 Analytics S.L., Spain, email: [email protected]
• Peter O’Neill, L3 Analytics, UK, email: XXXXXX
• Benjamin Mercier, Barclays, UK, email: XXXXXX

Cited sources
• Simo Ahava, Netbooster, Finland, email: XXXXXX
• Tahir Fayyaz, Havas Media, UK, email: XXXXXX
• Doug Hall, Conversion Works, UK, email: XXXXXX

Date: January 12th 2015
Version: 5
Background information

In October 2014, Simo Ahava from Netbooster Finland wrote an excellent blog post entitled “#GTMtips: Once userID, Always userID” about the use of Google Universal Analytics’ UserID across sessions. http://www.simoahava.com/gtm-tips/once-userid-always-userid/
The same day, Peter O’Neill from L3 Analytics in the UK picked up the article and started a Twitter conversation about whether a visitor should continue to be identified and measured after having expressly logged out from a website section or an application.
Current perception within the industry: As the feedback to Peter O’Neill’s tweet clearly shows, digital analytics professionals tend to refer to vendor documentation, and more specifically the vendor’s Terms of Use or policy, in order to define the legality of certain measurement practices.
When the question is put to the vendors and nothing is found within the legal documentation, the next logical step is usually to ensure that the client is “happy” with the tracking methods. By client we mean here the party that is effectively using the vendor’s solution on its digital properties, e.g. an ecommerce site, a bank, an insurance company…
Digital professionals should however also take into consideration the “reasonable expectations” of visitors to online properties, since they recommend measurement best practices either on behalf of their clients, as external consultants, or for their employer, as internal digital analysts.
This brings us to the most important point for the digital analytics sector and for other players within this data ecosystem, such as vendors. While it is considered a competitive advantage, their visitor tracking methodology often lacks transparency, potentially harming their clients and, in the process, the consultants recommending their very tools. Additionally, while vendors are engaged in new and parallel feature races in order to ensure adequate alignment with Privacy requirements, this lack of transparency often leaves actors second-guessing. Here is an example of how KissMetrics[2] apparently auto-stitches visitor data between sessions, independently of whether users logged out (according to Tahir Fayyaz from Havas Media UK).
It raises the question of whether a choice, the very feature, actually exists for websites to define how the data about their clients’ behavior is being stitched together.
[2] KISSMetrics Finalizes Supercookies Settlement by Wendy Davis, MediaPost, January 2013, http://www.mediapost.com/publications/article/191409/kissmetrics-finalizes-supercookies-settlement.html, last visited November 5th 2014
Description of the data ecosystem
Involved actors
Vocabulary
• “Website owner” is defined in this document as the company collecting the data about its clients in order to optimize its digital properties. Such a company could be a pure digital player like an ecommerce property or online retailer, a bank, a pharmaceutical or insurance company, etc.
• “Customer” is defined as the visitor to the digital properties or apps, who by interacting with the properties leaves a data exhaust of preferences in the form of clicks and data entered through forms and other logging methods.
• Actors in between this relationship are considered “intermediaries”, who hold their own legal liability within the data ecosystem, and are often either tool vendors and/or agencies.
More specifically, the ecosystem of actors looks like this:
Data flows, through intermediaries, from visitors towards the company collecting the data, in this case from the customer to the website properties. Depending upon the type of data, sector and geography, the company collecting the data, which is the customer of the digital analytics agencies and vendors, has certain responsibilities related to the data being collected (and to the person this data might be coming from[3]).
[3] Avoiding any debate here about data ownership in order to keep this simple
In between the extremes of these data flows and related responsibility lie tools and agencies, which take part in the data flow and hence pick up some of the responsibility. In a word, they may be liable in case of issues. Such issues can be related to compliance, security or, more vaguely, Privacy. Tools or vendors typically waive their liability within this data ecosystem through their Terms of Use or Terms and Conditions, where they stipulate correct and incorrect uses of their technology whenever possible. After all, technology is Privacy neutral and it would be impossible for vendors to imagine every possible scenario. What vendors can decide is:
1. Under which legislation the data is stored.
2. Which functionalities are developed to support business needs, including possible security, privacy and compliance requirements.

Legal jargon (borrowed from EU legislation)

European Data Protection[4] legislation attributes roles and responsibilities related to data flows. More specifically, EU Privacy legislation talks of “Data Controllers” and “Data Processors”, or sub-processors, in this data ecosystem.
[4] Europe talks of Data Protection instead of Privacy legislation, which is more of a US-focused topic. The UK sits in between; for now, it’s still part of Europe.
Intermediaries hold responsibilities in the data flow, under the legal term “Data Processors”, or “Data Sub-Processors”, in most cases for digital analytics[5]. The responsibilities of a “Data Controller”, the digital property collecting the data in the first place, are roughly outlined as follows[6]:
1. Inform participants;
2. Obtain informed consent;
3. Ensure that data held is accurate;
4. Delete personal data when it is no longer needed;
5. Protect against unauthorized destruction, loss, alteration and disclosure;
6. Contract with Data Processors responsibly;
7. Take care transferring data out of Europe;
8. If you collect “special” categories of data, get specialist advice;
9. Deal with any subject access requests;
10. If the assessment is high stakes, ensure there is review of any automated decision making;
11. Appoint a data protection officer and train the staff;
12. Work with supervisory authorities and respond to complaints.
[5] The main exception is Google Analytics, which acts as both a processor and a controller, which is why they don’t want data that could potentially identify an individual within their tool, cf. http://www.mindyourprivacy.com/english-us-role-playing-which-one-are-you-google-analytics-controller-or-processor/?lang=en
[6] Note that in the case of a vendor’s website, the vendor then takes on the role of “Data controller” for its own digital properties
Risk and potential liability

Getting back to the initial question of whether a digital analyst should continue to track and measure once a client logs out, the answer is best expressed in terms of risk. What is wrong with continuing to track visitors after a logout action?
The first risk is legal: during the session, the visitor performed an action that means “stop identifying and/or tracking me”. If the visitor continues to browse the site, he would expect to be treated as an anonymous visitor and not be tracked. In most digital properties, after logging out, the site doesn’t display the visitor’s name, photos, etc. anymore, but still remembers him and continues to track his actions as if no logout ever happened. Such a risk can be of a non-compliance nature, in which case the customer, the data controller, could face financial fines for non-compliance with the legislation, or it might be related to client feelings of creepiness. Indeed, a visitor who did expressly log out might “expect” not to be tracked anymore. Therefore, if this visitor gets re-targeted with promotions related to logged-out navigation, it might damage the trust relationship between the site and the visitor. This is what we call Creepiness.
Additionally, risk is distributed between the actors within the data ecosystem, as the data controller can turn against a data processor or sub-processor to claim compensation in case of trouble. The initial data controller should go through the exercise of balancing its own risk by asking the following questions:
1. Is my company being non-compliant by still tracking an identified visitor even though the visitor did expressly log out? (An email address is considered to be PII in all US states, so let’s consider that we are talking about an individual, as this is a login.)
2. If so, what is the probability of being fined, and for which maximum amount?
3. If there are no legal issues, are there potential brand perception issues that might arise from this practice if word gets out?
4. If so, what are the rewards of still tracking an individual after they expressly logged out, compared to this potential feeling of creepiness?
Intermediaries, mainly agencies, should ask themselves the same questions, but in the light of their own liability. In fact, agencies should include, as a mandatory step in their relationship with their customers, an explanation of exactly what data the tracking technology collects and how visitors’ sessions are delimited. According to the transparency principle, and hopefully with the help of the vendors, the web sites will then be able to make an informed decision about the best data strategy to adopt.
Type of content accessed (and logged out from)

A word of caution related to question 2, the probability of being fined: certain sectors and geographies carry higher probabilities of fines and/or class actions. In Spain, for example, telcos are the favorite target of Data Protection Agencies, while in Italy credit agencies should be more careful. The US, unlike the EU (which has overarching Data Protection legislation for all sectors), holds specific Privacy-related legislation per sector. The typical ones relate to health (HIPAA), children (COPPA), but also banking, energy, video rentals, etc., and they often talk of the use of “sensitive” data (health, financial, sexual orientation, political views, …) on top of the initial classification between the probability of identifying an individual or not. Typically, pharma clients, banks and insurers, digital properties dealing with children, etc. should be extra careful with the choices they make related to their digital analytics infrastructure and measurement practices.

Reasonable client expectation

Even if “reasonable client expectation” could be argued to answer questions 1 and 2, for which legal analysis would be necessary depending upon country and sector, it is mainly for questions 3 and 4 that expectations and perception really start playing an active role. As mentioned in the previous section about types of content, the question should be asked as to why a client would expressly log out of an application or online service. Certain industries, like airlines, would typically terminate sessions when the browser is closed, while others, like banks, would often automatically log out after a defined period of time if their clients don’t do it after finishing their transactions. On the other side of the spectrum, social sites like Facebook would keep the automatic login active even when a window is closed and opened up again within the same browser. Choices related to how to allow logout in the first place are therefore abundant and will depend upon each particular situation. Those logout choices will be influenced by the sector the company is operating in, security reasons, possibly analytics practices, and perhaps region. From this it follows that the choice of continuing to track a user even after they actively logged out is not a black and white answer, as it depends on possibly even more factors than those listed above. And while companies will certainly have internal discussions about how and when to close sessions and log out, the same cannot be said for analytics. The simple reason for the difference is that tracking can go unnoticed by anyone other than the trained digital analytics eye. And you can’t really ask questions about what you can’t see.
It therefore often falls upon the agency consulting on the customer’s digital analytics set-up to recommend best practices, with all the liability that this entails, as discussed earlier.

Minimal requirements to lower risk

While the #1 responsibility of a data controller is to inform participants, the question remains open as to whether a Privacy Policy should specify that data is still being collected even if a user logs out. At the time of writing, it doesn’t seem to be common practice. While Privacy Policies are clearly evolving in terms of transparency, tone and focus, going this deep into data collection details is far from common practice.
Another point to raise is the type of data being collected after logout, as this data could remain linked to a uniquely identified individual or become part of a bucketed type of anonymous data, if the tools allowed for such a distinction. As an example, it would be interesting for those companies to separate, in their data governance guidance, the data used by analytics to produce insights, improve the navigation, make a better user experience, etc., from the data used by marketing to (re-)target customers, and from the data used by the business to increase sales. That would give more options for internal reflection when deciding about tracking data after logout. This functionality was actually described by Seth Romanow while at Microsoft at eMetrics in 2007, and he called it “Personamous”:
This set-up was achieved through clever technology and the use of WebTrends and Omniture at the time: two tools and a lot of databases in between.

Doomsday scenario

Imagine a health insurer website where a visitor is logged in to request refunds. Let’s now imagine this visitor logs out and looks for a specialized physician related to prostate cancer. What would our industry do with this information? The current Big Data Privacy debate, initiated by the then French Data Protection Authority president Isabelle Falque-Pierrotin, is whether discrimination might take place due to excessive tracking. Would an insurance company increase its rates if you were to search for a prostate cancer physician and fall within the likelihood of having prostate cancer (because you’re male and over 50)? Imagine you’re logged onto a health website, you log out and look for Viagra. Are you going to receive an automatic email with discount coupons for Viagra, through some kind of Marketing Automation program, at your family email address?

Conclusion

There is no black and white answer to the initial question posed in this document: should you measure when logged out? The way data will be picked up, stored and later re-used should be seen on a case-by-case basis, where clearly the responsibility of our industry is to promote “Responsible Measure Practices”, as pointed out by Doug Hall at eMetrics London.
It is not only the companies using the measurement technologies to better understand their clients that should be aware of their responsibilities in terms of compliance and consumer feelings of creepiness. The digital analytics vendors and the specialized consultancies also have a part to play in the liability of the digital data ecosystem. Agencies can hedge their liability by understanding the consequences of their recommendations and by asking vendors for more transparency as to how data is being collected, stored and shared. Additionally, they should not shy away from asking for professional support in legal matters related to compliance with current and evolving Privacy legislation.
Vendors have typically been limiting their liability through their Terms of Use and will continue to do so in order to ensure technological neutrality. After all, they cannot be held responsible for the use of their products. Yet they should give digital analysts the opportunity to have the right features in place that would allow for increased choice and safer ways of (re)using the data being collected.
Some actions can be taken to improve data privacy without hurting the vision of analytics. One solution could be a reset of marketing-related measurement after each logout while keeping analytics live. Also, the Universal Analytics userID feature, as described by Simo Ahava in his blog post, is a great feature; it might be worth asking whether a second userID, to support Microsoft’s Personamous suggestion, would not be worth considering.
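As an added illustration of the two ideas above, the “Personamous” split between an analytics bucket and a marketing bucket (from the section on minimal requirements) and the logout reset suggested here, the following JavaScript sketches a client-side measurement layer that keeps the two buckets apart and rotates the marketing identifier on every login and logout. This is example code written for this page, not the brief’s own material and not any vendor’s tag or API; the class, method and event names, the id scheme and the sample events are all hypothetical.

```javascript
// Added example, not code from the brief or from any vendor: a toy
// client-side measurement layer that keeps the analytics bucket and the
// marketing (re-targeting) bucket apart and resets the marketing identifier
// on every logout. Class, method and event names are hypothetical.

let counter = 0;
// Deterministic ids so the example runs offline; a real tag would draw on
// crypto.randomUUID() or the vendor's own client id.
function newId(prefix) {
  counter += 1;
  return `${prefix}-${counter}`;
}

class MeasurementLayer {
  constructor() {
    this.clientId = newId('cid');        // device-level analytics id, survives logout
    this.sessionId = newId('sid');       // analytics session, rotated on logout
    this.userId = null;                  // set only while logged in
    this.marketingId = newId('mkt');     // re-targeting id, rotated on login and logout
    this.userToMarketingIds = new Map(); // marketing ids ever tied to a known user
    this.analytics = [];                 // "insights" bucket
    this.marketing = [];                 // "(re-)targeting" bucket
  }

  login(userId) {
    this.userId = userId;
    // Fresh marketing id at login, so anonymous browsing that happened before
    // (for example right after a previous logout) is never stitched to the person.
    this.marketingId = newId('mkt');
    if (!this.userToMarketingIds.has(userId)) {
      this.userToMarketingIds.set(userId, new Set());
    }
    this.userToMarketingIds.get(userId).add(this.marketingId);
  }

  logout() {
    this.userId = null;
    this.sessionId = newId('sid');   // analytics keeps counting, as a new anonymous session
    this.marketingId = newId('mkt'); // marketing forgets: the new id is linked to nobody
  }

  track(name, props = {}) {
    const record = {
      name,
      props,
      clientId: this.clientId,
      sessionId: this.sessionId,
      userId: this.userId, // null after logout
    };
    this.analytics.push(record);
    this.marketing.push({ name, props, marketingId: this.marketingId });
    return record;
  }

  // Marketing-side join: everything reachable from the marketing ids a user
  // was logged in under. Logged-out events carry an id that is in no user's set.
  retargetableEvents(userId) {
    const ids = this.userToMarketingIds.get(userId) || new Set();
    return this.marketing.filter((r) => ids.has(r.marketingId));
  }

  // Analytics-side view: number of sessions seen on a device, identified or not.
  sessionsForClient(clientId) {
    const sessions = this.analytics
      .filter((r) => r.clientId === clientId)
      .map((r) => r.sessionId);
    return new Set(sessions).size;
  }
}

// Constructed walk-through: identified visit, logout, a sensitive search while
// logged out, then a second login on the same device.
function demo() {
  const m = new MeasurementLayer();
  m.login('user-42');
  m.track('page_view', { path: '/claims' });
  m.track('refund_request', { amount: 120 });
  m.logout();
  m.track('search', { term: 'specialist physician' });
  m.login('user-42');
  m.track('page_view', { path: '/account' });
  return m;
}
```

Running `demo()` shows the property the brief is after: the marketing bucket can only reach the two logged-in events and the post-re-login page view, never the logged-out search, while the analytics bucket still counts two sessions on the device. Note that the analytics records keep the device-level `clientId` across the logout, so the separation only holds if downstream reporting is not allowed to join that id back to a `userId`; that is the governance point the section on minimal requirements raises, and a second, persona-style id in the analytics bucket would be the next step.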