If the above title drew you in, good. Keep reading.
Thousands (millions?) of bloggers and other webmasters around the world use a free tool called Google Analytics to track website visitors and click-through metrics. I use it, and many bloggers I know also do. We’re all using it illegally.
Before installing the customized JavaScript code on a site, how many people read the terms of service?
Take note of section 7 (my emphasis in bold):
7. PRIVACY . You will not (and will not allow any third party to) use the Service to track or collect personally identifiable information of Internet users, nor will You (or will You allow any third party to) associate any data gathered from Your website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will have and abide by an appropriate privacy policy and will comply with all applicable laws relating to the collection of information from visitors to Your websites. You must post a privacy policy and that policy must provide notice of your use of a cookie that collects anonymous traffic data.
But you can’t have just any privacy policy. The fallacy of the above text is it came from the U.S. terms of service. The international version is more precise (bold is mine):
8.1 You will not associate (or permit any third party to associate) any data gathered from Your Website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will comply with all applicable data protection and privacy laws relating to Your use of the Service and the collection of information from visitors to Your websites. You will have in place in a prominent position on your Website (and will comply with) an appropriate privacy policy. You will also use reasonable endeavours to bring to the attention of website users a statement which in all material respects is as follows:
“This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States . Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.”
8.2 You agree that Google may review your website at any time to verify that you have included an appropriate statement as specified above. You further agree to make such changes to the content or positioning of the statement as Google (acting reasonably) considers necessary in order to ensure compliance with this Section 8.
8.3 You agree that Google and its wholly owned subsidiaries may retain and use, subject to the terms of its Privacy Policy (located at http://www.google.com/privacypolicy.html , or such other URL as Google may nominate for this use from time to time), information collected in Your use of the Service (including without limitation Customer Data) for the purpose of providing web analytics and tracking services to You. Google will not share such information with any third parties unless Google (i) has Your consent; (ii) concludes that it is required by law or has a good faith belief that such disclosure is reasonably necessary to protect the rights, property or safety of Google, its users or the public; or (iii) provides such information in certain limited circumstances to third parties to carry out tasks on Google’s behalf (e.g., billing or data storage) with strict restrictions that prevent the data from being used or shared except as directed by Google. When this is done, it is subject to agreements that oblige those parties to process such information only on Google’s instructions and in compliance with this Agreement and appropriate confidentiality and security measures.
I don’t have that required privacy policy on my site. Not yet; I didn’t know I needed it because I never read the terms. I only have a short sentence in this blog’s disclaimer that is relevant: This website does not place any cookies onto your browser, but third-party systems such as QuantCast and Google Analytics may do so.
But, even if I had the GA statement, I’d still be violating your privacy because the Google text above (in both versions) lacks details about how third parties use your data.
While you can opt out on a browser level, is that the best Google can do?
Think about that for a moment…
Related posts:
Learn more about Ari and AriWriter by visiting 
{ 12 comments… read them below or add one }
The main reason for the difference between the Global TOS and the American TOS has to do, in large part, with the amount of changes going on in European online privacy laws regarding advertising methods.
If a cookie is being dropped that does track someone’s personally identifiable data, then I think that it is necessary to inform the user. It is a bit scary that Google can potentially extract or transfer people’s personally identifiable data from the widely used Google Analytics code. The browser opt-out seems like a great place to start for them. It gets tough for Google, as they have invested so much in online advertising, and they don’t want to compete against themselves, but they do have to show that they care.
As someone who’s in the business of cookie advertising (ReTargeter), I can say with utmost transparency that we gather no personally identifiable data. I’m not quite sure how it’s done with other services, but the main thing we focus on is adding value to a business by letting them show more relevant ads specifically to their audience.
Of course, we’d always want to comply with laws, and if the laws change in America, we’d gladly consult on proper user notification for any of our clients who drop cookies. I think that is the best that can be done on our level.
Browser-based cookie opt-outs seems to me as a good way for users to take charge of their privacy, but what more can be done on Google’s end? They surely won’t give up cookie advertising, but perhaps they can offer webinars and media that can educate users, on a mass scale, of the actual point of cookie advertising.
Anything browser-based with cookies only works as long as the cookies are not deleted. I delete cookies now and then, so I’d forget such actions.
I have a privacy policy in relation to Adsense, which does mention that the site uses cookies to collect information, but more for the ads than the Analytics. I should probably add in that bit too, as that is a very valid point. But let’s face it, there are tons of tons of tons of websites out there that are using analytics of some form and many do not have any kind of privacy policy. It seems like most people should accept that certain information about them is being tracked everywhere they go online.
From Kristi@Blogging Tips to you: Fetching Friday – Resources Mashup & Best YouTube Campaign Ever
If people “should accept” information about them is tracked, do they accept it? Do they even know?
I agree with what Kristi just said, people should accept the fact that when they go online, their behavior are being tracked!
But then again, its much safer to just post that privacy policy that google says. But, at some point, that privacy policy is like a warning to your visitors that most of the time drives them away from your site. Just my 2 cents.
From Ron@ dress up games to you: Lovely Pony Bella
How about giving those two cents to Google? They get enough money, they might be persuaded to change, no?
I agree as well. It is not only for this issue that our privacy is at stake. We are all fond of social networking. From that alone, we already share a part of our private lives online which is not totally safe. So it is really important that we limit the personal information that we share online. I guess cleaning our cookies and broser histories can also be helpful.
I have a “Disclaimer” Page in my blog, but will be adding a “Privacy” page soon. Although i am not using Google Analytics, but “Privacy” page is important.
Thanks for sharing this, never heard before.
From Bilal Ahmad@Tech Maish to you: 5 Fundamental Tips For Improving Your Alexa Ranking
I already have a privacy policy in place and don’t intend modifying it to include Google Analytics. People just fuss a lot about this privacy of a thing.
If you want to live a private life, don’t go online ever and of course don’t become a celebrity ;–)
From Udegbunam Chukwudi@Make Money Online to you: Quality Blog SEO Service Defined By Some ProBloggers
Luckily, I’m not using it illegally. When I learned we had to have it, I just copied everything Google said and created a page called “privacy”, and went about my business.
From Mitch to you: SMM Countdown – How Social Are You Ready For
Can you clarify if pages will have a way to check if data is being tracked or not? I would assume that if analytics data is not being logged the page could present limited functionality to the user.
Most webmasters do not have that notice on their blog or website. Well as you ask “how many people read the terms of service?” we can’t deny that most people don’t read the terms of services they just check on the check box and go on. You have a very informative article in this page. You explained how important to read the terms of services well this includes all not only in Google Analytics.