Web Analytics Demystified

Don’t do evil or follow the money?


So Google came up with an opt-out gimmick to allow visitors not to be measured by GA, huh? Ah, a browser based plug-in! Yeah, right. And why? Now?

As I read Eric’s blog post about why Google is really offering opt-out, it made me smile. As usual, he is controversial like no one can be – makes me kind of proud he’s our CEO: the guy’s got balls! – and I smiled because the underlying philosophy of Web Analytics Demystified is to allow for disagreement in order to push the market further. I don’t mind caring about different things: all three of us at Web Analytics Demystified have different backgrounds and praise the Lord for it, it’s a pleasure to be challenged and is, for me, the only way forward!
So Eric might have a point as to why Google decided to do this: a functionality that needed to be set-up and a box checked in order to broaden their impact, including governmental sites now. Possible, seems like a logical explanation.

However, just like Steve Jackson’s Kwantic commented, I also first thought that we were talking about a serious step by Google to respect European privacy legislation. Looks like I was wrong: we’re not talking about a link visitors can click on after taking a look at a company’s privacy policy and choosing to opt-out. Nah, this is a browser based plug-in, something that actually already existed. So I have to align to the consensus of the market: nothing new here, nothing to see, move along.

BUT I remain worried and I’ve been thinking about why I care about privacy ever since I had a discussion with a well-known Google Analytics evangelist about data ownership the previous last time I was in Berlin, some months ago. Silly question! he replied.
So why do I care? Let me tell you a story.

At the turn of the century, 1900s that is, Dutch undertakers were committed to giving proper burials to people of various religions. Hence, being pragmatic as they were, they decided to keep records of people’s religions: they mapped out the entire Dutch population. Guess what happened to these records in 1941 when the Germans invaded the Netherlands?
Ever wondered how, despite superb propaganda by the Dutch after WWII, so many Dutch Jews were exterminated? Anne Frank is a nice story and so is De Aanslag but fact remains that the extermination of – mainly Spanish and Portuguese – Jews in the Netherlands was highly effective thanks to Dutch pragmatism. Something that started as Don’t do Evil actually did.

For me, there are 2 things when it comes to privacy:

  1. Choice: the possibility for website visitors to clearly choose not to be monitored
  2. Clear data ownership: something not at all specified by Google one should note and if I missed that part, my sincere apologies and don’t hesitate to reach out!

As for the differences that prevail in Europe due to limited legal coordination, the following aspects need to be taken into account.

  • The rule of law that is applied in the various countries making up the EU is different. By this I mean that the basic principles and mechanisms that make up for example French, German and English law are not the same due to historical evolution. For more information, you might want to take a peek at literature about the rule of law such as for example in the Law-Growth Nexus by Kenneth W. Dam. Hint: the last chapter about China is insightful and anybody wanting to take a stab at China should read this first!
  • The EU doesn’t seem to move forward in this regard as the mechanism underlying the way EU policy is taken up in national legislation works as follows: the EU sets up a directive that needs to be translated into national legislation within a certain time frame.
    Countries are therefore forced to at least take up the EU legislation but they can go further.
    And when you take a country such as Germany, which is made up of multiple Länder, you actually add another step to the process. Decentralisation of decision-making has been at the forefront of Germany’s decision process ever since Hitler got democratically elected and even before. Unlike France or Spain, Germany’s history is not one of centralized kingdom but of multiple entities that at the time of Bismarck came together to form a coherent entity.

It’s interesting to note however that the browser plug-in pushed forward by Google related to the possibility of opting-out of measurement is actually in line with how the IAB interpreted the latest EU Telecoms Directive reform I blogged about some time ago.

“IAB Europe Vice President Kimon Zorbas suggests that consent could be given through users’ browser settings in much the same way some users already manage their cookies. That might enable users to express consent permanently, eliminating the need for pop-ups and other disruptions to user experience the directive might cause.”

But we’ll still have to see how this will be translated into national legislation and bodies such as the IAB are heavily lobbying in order to make sure that local interpretation will not harm our and their industry. As a reminder, the IAB stands for Interactive Advertising Bureau so while they do foster interest for online measurement, one has to recognize that web analytics is not their primary focus: theirs revolves around Advertising hence driving traffic to the website.

  • Last but not least, enforcement of the rule of law varies per country. Having lived, worked and sold the company I co-founded with my husband in Belgium, I certainly now better understand why some of our acquaintances advised us against setting up shop in what they call the “Banana Republic of Belgium”. How law is being enforced depends upon the efficiency of the judiciary system which, to be quite honest, has huge deficiencies in certain European countries compared to others, such as Germany.
    SO it’s not only about the fact that Germany uses a legal vocabulary to define what is allowed and what is not: they can also act upon it.
    And it’s ONLY when money talks that things evolve, we all know that ;-) Thanks to eTracker for pointing that out at eMetrics Marketing Optimization summit in Munich!

So what does this mean for now? will you ask me. Nada as enforcement is for the moment not yet a reality.
Could it become in the near future? This depends upon how local legislation will interpret the ePrivacy Directive so more to come this summer.
For the time being therefore, please let us stop panicking.

And I’m sure the WAA’s members welcome the IAB’s initiative about educating the broader public on the benefits of really Understanding Online Advertising. The WAA welcomes collaboration with the IAB on this front as well, volunteering available resources through existing initiatives.

This is my take on this entire debate for the moment following the Privacy debate at the eMetrics Marketing Optimization summit in Germany. Please don’t hesitate to comment and share your thoughts.

Posted Tuesday, March 23rd, 2010 | 4 responses


Julien Coquet

Hi Aurélie,

nice post with a historical perspective ;-)

However, I cannot help but notice that all this talk about a browser plug-in is too little (and also both too soon AND too late) in a European context where opt-in should be the default and not opt-out.

Default also means it should not be set manually or be dependent on a visitor’s knowledge and understanding of visit data collection, cookie type and lifetime, as well as other related mechanisms.

Also, it’s silly to measure opt-in with cookies but hey, we’re stuck with that for now! And I still think mandatory opt-in is silly but hey…

Now of course a European directive always has a different implementation at the national level but it seems to me that more conservative countries such as Germany will focus on opt-in from the get-go: opt-out sites will be branded as sites that collect too much information about your visit already!

In that particular opt-out perspective, all you can do as a site owner is play ball and come clean with your web analytics data usage policy and minimize the amount of PII that’s being collected.

With a global americanization of judicial systems and the multiplication of Stella-award cases (where some old lady can sue your company for 2 gazillion dollars because she burnt herself with a piping hot cup of coffee), you can expect lots and lots of costly legal procedures ahead from visitors that couldn’t care less about data privacy but will still sue you because you track them with a cookie and they did not ask to be measured in the first place!

I, for one, find this shift in policy quite worrying because it stems from a lack of education about web analytics and privacy on the part of our governing bodies and our legislators.

As always, just my 0.2€ from sunny Provence :-)

Cheers,

Julien


Lars Johansson

Website owners wanting to offer a site-specific, one-click, opt out for Google Analytics can use SakkTrakk from Mark Red.

The only way website owners who are concerned about data ownership can be 100 % at ease is if they host a WA tool in-house. I really don’t think it matters much which SaaS solution they use, be it GA, Omniture, Yahoo!, Webtrends or a different tool. If your data is stored outside of your own firewall anything is possible *in theory*. I do, however, not have reason to suspect any of the aforementioned vendors.


Steve Jackson

@Aurelie;

I’m happy someone at least understands how EU legislation works!

The EU seems designed to make everything take years to get passed so in the near future (2-5 years) we don’t have too much to worry about. Certainly as you say no need to panic.

I think EU policy makers will follow the money in the end. They will probably find a way to charge Google taxes! :)

@Julien;

I hear the opt-in/opt-out concern.

I just don’t understand how the EU can justify it – it doesn’t follow the money at all. In order for it to work, you would have to opt-in to every site you went to via a pop-up or something equally annoying.

European companies would then argue that the EU is putting them at a worldwide competitive disadvantage.
You would see site hosting happening outside of Europe.
You might even see big companies establishing headquarters outside of Europe.

That might sound ridiculous but if Finland followed that kind of rule of EU law it might be the straw that broke the camel’s back and see Nokia switch its HQ to New York. There are a lot of reasons for Nokia to do that already – they stick around because leaving would hurt Finland and the majority of its owners are Finnish, but that doesn’t mean impractical EU laws wouldn’t make them take another look.

It’s also as Aurelie pointed out in a different post that it’s vague at best what the EU mean. My interpretation is that businesses have to provide clear information in privacy policies about what we’re doing. No real difference to what we do now. They even say “user friendly as possible” and say cookie tracking is legitimate. I would argue a pop-up isn’t user friendly and I’m pretty sure a lawyer could as well and as for cookies being legit, well the lawyer would have a field day if a country tried to bring a lawsuit because a visitor to some site claimed they were tracked by a legitimate cookie.

The unclear part is that they also say that enhanced powers should be granted. I read this to mean – if someone like Phorm comes along and tries something dodgy, governments need powers to enforce opt-in. They don’t say “you have to enforce these powers” anywhere. Remember that it’s people like Reding who have been deeply involved with passing this law and they know what cookies are and the difference between them and deep packet inspection/mirroring techniques tied to a cookie. I think the EU are simply trying to cover this.

So I don’t think we’ll ever see enforced opt-in except for when privacy is breached, whereby governments can intervene and force businesses to play fair. It just doesn’t make any sense on so many levels any other way.


Phil (from London, UK)

@Aurélie – I posted a comment on Eric’s blog which overlaps with some of the topics you mention above. Please read, as you may find it helpful.

I encountered .gov sites that are not setting high privacy standards, thus an internal audit of these sites would be needed first, before an enforcement policy could be pursued.

To make a generalisation… I think the problem is that most web analysts do not have an in-depth understanding of privacy law (or the fines that they could be liable to as a result of non-compliance) and most privacy lawyers do not have a technical understanding of the web and thus they cannot detect the more complex privacy holes or cookie misuse when they see it.

I think training & education of this issue is needed on both sides. If you send me an email I can provide examples.

The addition of automatic privacy auditing tools which scrape the website for potential errors and check the analytics database via API for accidental PII would also be a step in the right direction.

Additionally, integrating an auditing tool into Google Webmaster Tools that checks for privacy statement, company number and accidental PII would be advantageous. Google have added the malware notifier, maybe they could add a privacy or legal compliance notifier as well, to help improve the preventative measures.

@Steve – I also can not see how the EU eDirective law can be enforced locally. But I expect the existing off-line data protection laws may soon be applied to on-line.

For instance in the UK, the Information Commissioner (ICO.gov.uk) can impose a £500,000 fine as of 6th April 2010 for failure to comply with Data Protection Act 1998 which covers misuse of marketing databases:
http://www.ico.gov.uk/upload/documents/pressreleases/2010/penalties_guidance_120110.pdf


