How many people here have read the Google Analytics Terms of Service (TOS)? Anyone? Bueller? If you’re using GA you should know what you can and cannot do with the tool, which is outlined in the TOS.
You can find the TOS, in all its glory, here: http://www.google.com/analytics/tos.html
The first part of the TOS is actually very interesting. It defines certain GA terms including:
- Page View: “Page View” is the unit of measurement for usage of the Service. A Page View is used when the UTM is executed on a web page accessed by a visitor, and processed as part of a Profile. A Page View will be incurred for each instance of the UTM on the web page, and for each Profile receiving information from the UTM for such web page.
- Profile: “Profile” means the collection of settings that together determine the information to be included in, or excluded from, a particular Report. For example, a Profile could be established to view a small portion of a web site as a unique Report. There can be multiple Profiles established under a single Site.
- UTM: “UTM” means the proprietary Google Analytics Tracking Code, which is installed on a web page for the purpose of collecting Customer Data, together with any fixes, updates and upgrades provided to you (collectively, the “UTM”).
I especially like the definition of a profile. Many people have trouble understanding that a profile is more than just a website. It’s business rules (filters) applied to a set of data.
But my favorite part is section 7, the PRIVACY section:
7. PRIVACY. You will not (and will not allow any third party to) use the Service to track or collect personally identifiable information of Internet users, nor will You (or will You allow any third party to) associate any data gathered from Your website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will have and abide by an appropriate privacy policy and will comply with all applicable laws relating to the collection of information from visitors to Your websites. You must post a privacy policy and that policy must provide notice of your use of a cookie that collects anonymous traffic data.
I think there are two very interesting things to note about section 7:
First, you cannot use GA to collect any personally identifiable information (PII). This means no names, email addresses, IP addresses, etc. One mistake that many people make, inadvertently, is collecting PII in the URL. If you have a form that collects visitor data, and that form passes data via query string parameters, then you may be collecting PII. If you’re unsure whether you are collecting PII, just check the top content report. Look for any records that include an email address, name, etc. This issue is easy to resolve: just exclude the appropriate query string parameters in the profile settings.
Also, if you’re using any third-party solutions, make sure that they do not violate the GA TOS.
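One way to run the top content check described above over an exported list of page URIs, as an added example that is not part of the original post: it URL-decodes each query string and reports which parameter names to exclude in the profile settings. The sample URIs, the regexes and the name hints are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of page URIs, shaped like rows exported from the top content report.
SAMPLE_PAGES = [
    "/thanks.html?name=Jane+Doe&email=jane.doe%40example.com&plan=pro",
    "/search?q=blue+widgets",
    "/signup/confirm?user_email=bob%40example.org&step=2",
    "/contact?phone=555-867-5309&topic=sales",
    "/products/widgets?color=blue",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")
# Assumed naming hints: parameter names that usually carry personal data.
NAME_HINTS = ("email", "mail", "name", "phone", "address")


def find_pii_params(pages):
    """Return {parameter: set of reasons} for parameters that look like PII."""
    findings = defaultdict(set)
    for page in pages:
        query = urlsplit(page).query
        # parse_qsl URL-decodes values, so %40 becomes @ before matching.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if EMAIL_RE.search(value):
                findings[key].add("email value")
            if PHONE_RE.search(value):
                findings[key].add("phone value")
            if any(hint in key.lower() for hint in NAME_HINTS):
                findings[key].add("suspicious name")
    return dict(findings)


def exclusion_list(pages):
    """Parameter names to exclude, sorted and joined with commas."""
    return ", ".join(sorted(find_pii_params(pages)))


if __name__ == "__main__":
    for param, reasons in sorted(find_pii_params(SAMPLE_PAGES).items()):
        print(f"{param}: {', '.join(sorted(reasons))}")
    print("Exclude:", exclusion_list(SAMPLE_PAGES))
```

Parameters flagged only by name (such as `name` here) deserve a manual look before exclusion, since the hint list will also match harmless keys.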
Second, you must post a privacy policy on your website that informs visitors that you are using a cookie to collect clickstream data. This was a surprise to me. I’m 99% sure that this blog has no posted privacy policy. Doh!
What are the consequences of violating this policy? Honestly, I don’t know. I’ve always advised clients to adhere to this policy as it is in the best interest of their customers. And happy customers are usually a good thing. There are options to integrate GA data with other information… but that’s a completely different blog post.
With GA being free and widely implemented (not always with the planning and care a paid solution would tend to bring), I would suggest that most sites haven’t taken the pain of defining a PP, or modified it to include the part about the cookies and stats.
But then again, who is going to enforce it? Google? The GAACs?
Hi Jacques,
You make a great point. Many of the smaller/mid-size companies that we work with do not have a PP.
As for enforcement, I’m not sure whose responsibility that is. I know that, as a GAAC, we always advise our clients to follow the GA TOS. We can’t make them do that, but most do follow our advice. I think it makes sense for Google to enforce the policy in the future as GA is their product.
Thanks for adding to the discussion,
Justin
I have to say that’s a heck of a last sentence to leave things on. Here’s why: assume I’m using GA data to track offline conversions. Using custom code, GA cookie data is retrieved and submitted with the form data that drives the offline purchasing process. I’m doing this because I have a natural motivation to track what keywords and clickstream profiles are resulting in the most–and most profitable–conversions.
Problem is, the form data submitted to the offline conversion engine of course contains all sorts of personally identifiable information. Users know full well that they’re entering and submitting this information, and the whole process is voluntary; nevertheless, it is PII. Is there no way then to use GA to marry keyword and clickstream data to individual transactions if the conversion takes place elsewhere? If the conversion process were entirely online, I’d be using the same data in the same way to the same end, but since GA would strip all PII, I’d never come into conflict with the TOS. The further irony is that I couldn’t care less about marrying clickstream data with individual identities–the only thing important to me is transactions–but identities are all that link the visitor who submits that form to the sale that takes place later, offline. I don’t want to wind up stuck just because my data could technically be reorganized to document clickstream data identity by identity.
The business for which this data is being collected sells products that amount to enormous capital investments. Transactions of this magnitude aren’t typically executed online, though they frequently start there. Am I right in perceiving that the GA terms of service might rule out using the GA cookies to feed offline conversion tracking?
Excellent post, Justin.
For any GA accounts we set up for clients (in their name), we PDF the TOS at time of account setup and send it to the client, stressing that the GA account is their account and they have to agree and accept the TOS by using the GA script on their website. If they have any problems with the TOS, these issues need to be addressed ASAP before work proceeds to add the script, create profiles, filters, etc.
Aside from the privacy policy, organizations need to pay attention to section 8, Indemnification. This clause may cause angst with some legal departments.
Process, process, process :)
Cheers,
June
June,
What a great idea! I’m going to start doing the same thing with our clients.
Thanks for sharing.
Justin
Hi,
My question is in reference to section 7 of the TOS. It seems as though GA automatically tracks and/or collects user email addresses if you tag links in an HTML email. I found an article that outlines how GA does this. Here is the article:
http://www.campaignmonitor.com/help/topic.aspx?t=112#subscribers
By doing this, is GA violating their own TOS? Or is this dependent upon how the user has configured the tagged links?
If GA does not collect any identifiable information, then why does it collect the email addresses of users who click on a tagged link in an HTML email?