You just run the usual online frameworks, with their extensive plugin range, CDN, Google Analytics, NewRelic, Twitter, Facebook and LinkedIn widgets, and the rest. Then, you display a notice to your users that your site uses cookies and passes some data to third parties (such as Google Analytics and NewRelic) “to enhance the user experience”.
There. Easy, right? You probably didn’t need to change anything at all. Most companies, sites and applications do this. Now tell me: given that you probably agree with at least some of the above, how come you display a notice to your users explaining how you respect their privacy? It can’t both be true.
So yes, this was a test. And most of us fail, including us. Why is this?
- Are you asking for and storing more data than you actually require for delivering the product or service that you provide? You can probably only test this by working out the minimum data requirements, questioning each item, and then comparing that list with what you currently actually collect. There’s likely to be a (large) discrepancy.
- Are you using multiple analytics and trackers? Why? It does in fact affect the user experience of your site, both in terms of speed as well as privacy. And you probably don’t actually use all that data. So think about what you actually use, and get rid of the rest. That’s a good exercise and an excellent step.
- Does your site deliver pixel images for Facebook and others? If so, why?
- Does your site show a “site seal” advertising your SSL certificate’s vendor? If so, why?
- Does your site set one or more cookies for every user, rather than only logged-in users? If so, why?
- Most CMS and frameworks actually make it difficult to not flood users with cookies and third-party tracking. They have become the new bloat. Example: you use a component that includes a piece of javascript or css off a vendor-provided CDN. Very convenient, but you’ve just provided site-usage data to that vendor as well as your users’ IP address.
- Respecting privacy is not “business as usual” + a notice. It’s just not.
So, privacy is actually really hard, and for a large part because our tools make it so. They make it so not for your users’ convenience, or even your convenience, but for the vendors of said tools/components. You get some benefit, which in turn could benefit your users, but I think it’s worthwhile to really review what’s actually necessary and what’s not.
A marketing or sales person might easily say “more data is better”, but is it, really? It affects site speed and user experience. And unless you’ve got your analytics tools really well organised, you’re actually going to find that all that extra data is overhead you don’t need in your company. If you just collect and use what you really need, you’ll do well. Additionally, it’ll enable you to tell your users/clients honestly about what you do and why, rather than deliver a generic fudge-text as described in the first paragraph of this post.
A few quick hints to check your users’ privacy experience, without relying on third-party sites.
- Install EFF’s Privacy Badger plugin. It uses heuristics (rather than a fixed list) to identify suspected trackers and deal with them appropriately (allow, block cookies, block completely). Privacy Badger provides you with an icon on the right of your location bar, showing a number indicating how many trackers the current page has. If you click on the icon, you can see details and adjust. And as a site-owner, you’ll want to adjust the site it rather than badger!
- If you click on the left hand side of your location bar, on the secure icon (because you are already offering https, right?), you can also see details on cookies: both how many and to which domains. If you see any domains which are not yours, they’re caused by components (images, javascript, css) on your page that retrieve bits from elsewhere. Prepare to be shocked.
- To see in more detail what bits an individual page uses, you can right-click on a page and select “Inspect” then go to the “Sources” tab. Again, prepare to be shocked.
Use that shock well, to genuinely improve privacy – and thereby respect your users.
Aside from the ethics, I expect that these indicates (cookies, third-party resource requests, trackers, etc) will get used to rank sites and identify bad players. So there’ll be a business benefit in being ahead of this predictable trend. And again, doing a clean-up will also make your site faster, as well as easier to use.