Published on by Pat Ramsey, Director of Technology
2022 got off to an interesting start when it comes to website privacy. Two court decisions in Europe made the news because they ruled the use of Google Analytics and Google Fonts might be illegal in certain circumstances. One case ruled that Google Analytics’ storing of IP addresses violates the privacy of European citizens, the other said roughly the same when it comes to using Google Fonts the standard way, with the fonts being hosted at Google. These are common services for much of the Web so what are the implications for your site?
First, the best position to take for privacy is to not collect personally identifiable information (PII) unless you absolutely have to. And when you do, be transparent about it and gain consent. Collect as little as possible and anonymize as much of it as you can. Treat your visitors and customers with respect. Given these cases and their impact on European visitors to your site, your next decision is how to achieve the same goals without violating the rulings. There are alternative analytics services which aren’t subject to the same conditions as Google and Google Fonts that can be used without linking to Google’s servers.
Defining Personal Information
“PII” … refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In the recent court decisions, a visitor’s IP address is considered personal information.
This is where I stop and remind you that I am not an attorney. You should visit with your attorney(s) and determine what your legal requirements are. Each business is different and you may be under different requirements than others. The legal landscape is changing. There are already several laws in the US at the federal and state levels that address the handling of private information. Other nations and regions will have their own laws like the GDPR which might impact you or your audience. You should start with these laws before making decisions.
Website Privacy: Start Here
Do you know how much information your site collects? Go to The Markup’s Blacklight tool and scan your site. It’s free and can be very revealing. If the results are a surprise then you have some work to do. Do you need to update your privacy policy? Did a new script get installed? If it’s been a while since you last reviewed your site, it’s worth taking a look to make sure your site is aligned with your legal direction.
- Know what information is required. Document this so you can confirm this is the case.
- Review your site regularly. A tracking script gets added or a plugin is updated and now you’re collecting information you previously weren’t, so stay on top of it.
- Look at third-party services that are integrated like email marketing platforms and analytics.
There are tools that can help
Some of the software you may already be using has some privacy settings available. If you use WordPress, it has support for handling personal information built into it, following a “privacy by design” mindset. This makes it easy to manage and remove personal information if required and to create and update a privacy policy page. Developers are also able to extend this functionality into their plugin code.
You can use Google Fonts locally on your site without linking to Google’s servers. This will take some developer assistance, but if you have customers or an audience subject to GDPR, it is worth investigating. Google Analytics can be replaced by one of several non-US based alternatives such as Matomo, Plausible, and Fathom. All three are robust for most analytics needs such as events, visitors, audience segments, and more. Matomo also appears to have a tool that can import your current Analytics reports, allowing you to keep historical and current data in one place.
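The “review your site regularly” advice above and the Google Fonts / Google Analytics paragraph both come down to the same check: which resources on a page make the visitor’s browser contact a server you don’t control, sending that visitor’s IP address along with the request. The following script is an added example, not code from the original post or from Crowd Favorite. It parses a page’s HTML, collects every `script`, `link`, `img` and `iframe` reference plus any `@import` inside a `<style>` block, and reports each one whose host is not your own. The host list and the sample HTML (including the `G-EXAMPLE` measurement id) are constructed for illustration; the list is intentionally minimal and is not a tracker database.

```python
"""Audit an HTML page for resources that send the visitor's IP address to a third party.

Added example (not the original post's code). Run it over the saved HTML of a
page on your site; anything it reports is a request that leaves your origin.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the post (Google Analytics, Google Fonts) plus the GA4 loader host.
# Constructed, minimal list for illustration, not an exhaustive tracker database.
FLAGGED_HOSTS = {
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Tag Manager / GA4 loader",
    "fonts.googleapis.com": "Google Fonts stylesheet (fonts hosted at Google)",
    "fonts.gstatic.com": "Google Fonts font file (hosted at Google)",
}

# Attribute through which each tag tells the browser to fetch something.
FETCH_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

# Matches @import url(...) / @import "..." inside inline <style> blocks.
IMPORT_RE = re.compile(r"""@import\s+(?:url\()?\s*['"]?([^'")\s]+)""", re.IGNORECASE)


class ResourceCollector(HTMLParser):
    """Collects (tag, url) for every external-resource reference in the markup."""

    def __init__(self):
        super().__init__()
        self.resources = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = FETCH_ATTRS.get(tag)
        if attr and a.get(attr):
            self.resources.append((tag, a[attr]))
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser delivers <style> contents as data; look for CSS imports there.
        if self._in_style:
            for url in IMPORT_RE.findall(data):
                self.resources.append(("style@import", url))


def classify_host(host):
    """Return why a host is interesting, or a generic note for unknown third parties."""
    for suffix, reason in FLAGGED_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return reason
    return "unlisted third party: confirm it is covered by your privacy policy"


def audit_html(html, site_host):
    """Return one finding per resource whose host differs from site_host."""
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.resources:
        host = urlparse(url).netloc.lower()  # '' for relative URLs, host for //cdn... too
        if not host or host == site_host.lower():
            continue  # first-party asset: the request never leaves your origin
        findings.append({"tag": tag, "host": host, "url": url, "reason": classify_host(host)})
    return findings


# Constructed sample page: Google Fonts loaded "the standard way", a GA4 tag,
# a self-hosted font stylesheet, a local script and an image on a CDN.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter&display=swap">
<link rel="stylesheet" href="/assets/fonts.css">
<style>@import url('//fonts.gstatic.com/s/inter/v12/example.woff2');</style>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="/js/app.js"></script>
</head><body>
<img src="https://cdn.example.net/hero.jpg" alt="">
</body></html>"""


if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, "www.example.com"):
        print(f"{f['tag']:<13} {f['host']:<28} {f['reason']}")
```

After moving the fonts to `/assets/fonts.css` with local `@font-face` rules and replacing the GA4 tag with a self-hosted or EU-hosted alternative, the only remaining finding for this sample would be the CDN image, which is the kind of third party you then decide about deliberately. Re-running the audit after each plugin update or script addition is the practical form of the “review your site regularly” step.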
Don’t forget about checking your policies and notices to make sure they are current. If you’ve recently added a new script or a new court decision was released, you may be gathering PII without realizing it and your privacy policy page will need to be updated. This is where a service such as Termageddon can be useful. They make it easy to keep your privacy policy up-to-date with changing laws. Through one location you can create and manage your site policies, then through a single embed, integrate those on your site.
By using the right tools and understanding the space you are in with regard to privacy and legalities, it does not have to be difficult to handle the privacy of your customers and visitors. Your legal team can help you with the law and compliance, while a good technical team can help make the changes to the site.
Crowd Favorite has a long history of helping our clients overcome technical challenges, and we’d love the opportunity to talk about how we can help in this area. Reach out to us today!