Website analytics are a key part of understanding whether a website “works,” and how to improve it; they arose almost at the same time that companies began using websites to transact business. For the most part, and for a long time, website analytics were seen as benign – a way to track information without trampling on an individual’s privacy rights. But the multitude of ways in which companies collect information on websites without a user’s knowledge makes it more and more likely that a website owner can find itself in violation of privacy laws.
More than that, analytics have become a security issue. The tools used to collect visitor data – cookies, pixels, beacons, and other technologies – have created a risk surface that can allow bad actors to identify targets and breach defenses. At the same time, the nature of these tools makes them one of the risks that companies can manage, allowing them to comply with privacy mandates and reduce cyber risk.
In the Beginning . . .
Originally, analytics were limited. Cookies and other devices allowed a website to recognize a user, and to smooth the operations of the website. This little piece of code on your computer made it easier to log on to a website, to complete a purchase, and to see the information you look for. Although cookies did allow the website to recognize a user – essentially, to collect personal information – they were generally limited to the website; they were also typically “session cookies” used to facilitate a single user session, or “persistent cookies,” allowing the site to differentiate a new visitor from a prior visitor.
Since then, the tools used to identify website visitors and their actions have exploded in both numbers and potency, creating opportunities and challenges for website owners.
How do Analytics Work?
The point of website analytics is to collect, report and analyze data generated by visitors who interact with a website. This allows website owners to measure user behavior, optimize the user experience, and gain insights to meet business objectives – most often, increasing engagement, conversion, or sales.
A good example is the Meta Pixel from Facebook (Meta). As Facebook describes it:
“The Meta Pixel is a piece of code on your website that can help you better understand the effectiveness of your advertising and the actions people take on your site, like visiting a page or adding an item to their cart. You’ll also be able to see when customers took an action after seeing your ad on Facebook and Instagram, which can help you with retargeting. And when you use the Conversions API alongside the Pixel, it creates a more reliable connection that helps the delivery system decrease your costs.”
This is a long road from the session cookie. Now, analytics can be deeply intrusive and collect significant data: operating system, browser type, geolocation, internet protocol addresses, first- or third-party cookie IDs, proprietary digital identifiers, bounce rates, page views, e-mail open rates and links clicked, actions taken on pages, referring/exit pages, user agent string, and other device metadata.
What are the Risks?
When a website collects data, that data is often “shared” and “sold” (under the broad definitions of the California Consumer Privacy Act). Website owners are required to disclose that fact and give consumers the tools to opt out of the sale and sharing of personal information. When a website owner fails to do so, they face potential exposure to claims by consumers and regulatory authorities.
Regulators and plaintiffs’ attorneys are increasingly creative in making claims where information is collected and shared without appropriate disclosure and consent. And, even where the claim may be invalid, the website owner will be forced to spend time and money to defend their actions.
What’s on Your Website?
To be clear, there is no prohibition against collecting and sharing data, so long as the website owner complies with laws and rules governing the use of personal information. Some website owners are deliberate about their use of analytics, and take steps to manage and actively disclose their use of the information they collect.
Many website owners, however, aren’t aware of what’s happening on their sites, and they might not know all of the data collection tools embedded in them. Website designers often include analytic tools that help the function of the site without the website owner’s knowledge, and when a website adds links to other, third-party sites (including social media sites), the result can include placement of third-party pixels, cookies, and beacons for the benefit of others.
Because of this, website owners should monitor their websites; there are a variety of tools that identify the data collection tools on their site, their function, and what is being done with the information. With that knowledge, the website owner will know how to control and use the tools and to minimize their exposure to legal claims.
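As an added illustration of the monitoring step described above (not code from the authors or from any particular scanning product), the following Python sketch inventories the third-party scripts, iframes, and 1x1 tracking pixels embedded in a page's HTML. The site name `shop.example`, the sample page, and every vendor host in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; every host below is a placeholder, not a real vendor.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics.example/tag.js"></script>
</head><body>
<img src="https://pixel.ads.example/tr?id=PLACEHOLDER" width="1" height="1">
<img src="/img/logo.png" width="200" height="60">
<iframe src="https://social.example/plugins/like"></iframe>
<a href="https://social.example/ourpage">Follow us</a>
</body></html>
"""

class ThirdPartyAudit(HTMLParser):
    """Record resources the browser fetches automatically from other hosts."""
    LOADING_TAGS = {"script": "src", "img": "src", "iframe": "src"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.site = urlparse(base_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = self.LOADING_TAGS.get(tag)
        a = dict(attrs)
        if not attr or not a.get(attr):
            return  # plain links and inline scripts trigger no automatic fetch
        host = urlparse(urljoin(self.base_url, a[attr])).hostname
        if host is None or host == self.site or host.endswith("." + self.site):
            return  # first-party resource, or a data: URI with no network host
        kind = tag
        if tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            kind = "pixel"  # invisible image: the classic tracking beacon
        self.findings.append((kind, host))

def audit(html, base_url):
    """Return a sorted, de-duplicated list of (kind, third-party host)."""
    parser = ThirdPartyAudit(base_url)
    parser.feed(html)
    return sorted(set(parser.findings))

if __name__ == "__main__":
    for kind, host in audit(SAMPLE_HTML, "https://shop.example/"):
        print(f"{kind:7} {host}")
```

This reads static HTML only; tags that a script injects at runtime do not appear in the markup, so a complete inventory also requires observing the network requests of a loaded page.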
Website owners also often advertise on social media, and those advertisements collect data for the website owner – that has to be accounted for, both in privacy policies and in compliance with data.
Action Items
Website owners should take action to address both regulatory changes addressing the collection and use of analytics data, and technological changes in how data is collected, aggregated, and shared:
- Put your house in order. Identify the cookies on your site and your agreements with analytics firms like Google. Understand what information is being collected, the purpose of collection, and how the information is shared. Remember that analytics firms give you choices, and you can modify what information is collected and shared.
- Disclosure. Review and revise your privacy policies to describe accurately and completely how you collect and use the personal information you obtain through analytics. This is more than just a “cookie policy” – it involves understanding, in full, all of the uses you make of this information.
- Analytics Agreements. Review agreements with analytics companies to ensure that they are not misusing data and that they fall within the safe harbors provided under the various state privacy laws.
- Do Not Sell/Do Not Share. Consider whether you need a “do not sell/do not share” option – if your use of analytics does constitute sharing or selling, you’ll need to offer opt-out and consent options to comply with state law.
- Cookie Banners. Cookie banners – the initial statement letting website visitors know you use cookies to collect data – are an essential “notice at collection” required under most state privacy laws. Review them carefully to ensure they meet the requirements of state law and regulations. For companies subject to the CCPA, the recent regulations adopted by the California Consumer Privacy Agency have specific requirements that need to be addressed.
Michael A. Gold is the Chair and Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Mike and Bob help clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. They develop and implement data breach response plans, and respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331 and Mike at MGold@jmbm.com or +1 310-201-3529.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, crisis management and artificial intelligence implementation. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.