Some dumb objections I have heard when discussing privacy in the context of analytics
Don’t laugh too hard—you probably also said some of these things at some point!
For context, I cut these to keep my forthcoming article “GDPR and overall privacy compliance, the TL;DR version” (link coming soon!) short and very TL;DR. You might want to read that one too!
Needless to say: I represent only myself and the tone is intentionally a bit snarky. I however do not apologize for opinions nor the factual statement that privacy is a dumpster fire and you and I and everyone else should do better.
Without further ado…
Objection #1: “Are you trying to say that Google Analytics is illegal, as in non-compliant with GDPR, ePrivacy Directive and so on…?”
In short: No, Google Analytics as a tool and processor is not “illegal”.
The longer answer is that the default configuration is not compliant (also see Piwik’s blog post). There is also a significant piece that is sometimes missed in discussions like this, and the missing part is about the responsibilities of the “data collector” or simply put — the person/team/company that build the website or app or whatever the context for the use of GA is. Given that it’s a breach of contract (See “Analytics customers are prohibited from sending personal information to Google”) to place Personally Identifiable Information inside of Google Analytics at all, it is your job to also ensure and enforce that anything that is collected there is by the book.
What about the new Consent Mode in GA?
Not going to unfuck this mess, as it’s mostly a technical feature rather than a pure consent management feature. Simo Ahava does have a good article on it though.
Objection #2: “Aren’t you over-reading the law and making it seem harsher than it is?”
For brevity, more than one client (and even some colleagues of mine) believe the sharper, more painful details I tend to bring up when discussing compliance are somehow beasts of my own making. In fact, the European laws surrounding privacy are indeed rather strict and leave little to the imagination. While your own details and specific implementations may not be clear-cut, actually getting the overall picture and an A/B comparison with current practices should not be too hard. I’ve never seen one of those done that show 100% compliance, and I expect I won’t see one for quite some time. When looking at anything, err on the side of caution and give yourself some room to breathe. Don’t play on the edge if you can’t face the consequences.
Objection #3: “But we just want to follow how everyone else is doing it, and your way seems too convoluted and pedantic! It’s impractical and useless!”
This one is dumb to the point of pure idiocy. Why? Because most of the web is a complete privacy dumpster fire, so don’t go comparing with that. While numbers and sources may differ, you only need to check for basic compliance on your own and take a look in the network inspector to witness this first-hand on pretty much any given website. Many sites will be catapulting away your data no sooner than you press the return key and start rendering the page. That’s not how it should be.
Unfortunately, yes, I really do keep hearing this objection. I do my best at keeping face and immediately nag my colleagues for ultra-clear legal contracts that holds our company indemnified. It’s clearly the asshole way, but if all else fails, someone else’s legal failures will certainly not be ours.
The nice, professional way will obviously be to politely explain that it’s not super smart to build a virtually illegal solution because most others are doing just that for any variety of reasons. This is one of the areas in which I have yet to find a single client who truly has a serious commitment to understanding and driving privacy as an issue. It’s very easy to get into “Greta Thunberg mode” when you encounter companies that don’t spend any time or money on being better than the bottom-drawer players.
Objection #4: Various complaining in the tradition of “But Marketing has always used Google Analytics!” or “We can’t afford a non-free solution” or “We will lose the capability to work with remarketing/multi-site tracking/any other invasive tracking”
I’m sure you:
- Possess financial capability in the typical range of $5–$50 per month to put on a paid service (that also does not “steal” the data that you collect).
- Have staff that is competent enough to learn a new (often marketed as “simple”) tool.
- Are lead by C-level folks who can appreciate a strong privacy profile and legal compliance as a Smart Thing® to get right.
- Agree that there are a lot of meaningful analytics and events you can do without resorting to invasive and extensive data collection practices.
- Are in a company that likely agrees that the day-to-day risk of a minimal (or no!) data leak is better than running the risk of a severe and large data leak.
Objection #5: “It’s not too important; there is no enforcement; we will take our chances”
Love this one. Go ahead and read for some nightmare fuel, then, I challenge you. Admittedly, some countries enforce this more than others, but with the Internet and most companies doing business globally, well, that suddenly matters a whole lot less.
Feel free to add your stories in the comments!