Benign Analytics - Why I think the sky is not falling in for web tracking
Brian Clifton
Author; Founder Verified-Data.com; Former Head of Web Analytics Google (EMEA); Data Privacy Expert; PhD; Specialising in enterprise Google Analytics, GTM, Consent Management; Piwik PRO.
Like many in the privacy advocacy space, I have been following the Planet49 case with interest - as I am sure Google et al have been. For reference: Case C-673/17 (Planet49). Below is my considered opinion as a privacy advocate and web analytics expert - though note it is not legal advice.
A lot is being made of the implications of the Court of Justice of the European Union (CJEU) ruling - that is, visitor data can only be collected if the visitor explicitly confirms. That is, an opt-in only. No pre-filling of checkboxes is accepted - I actually thought this was already pretty clear in law, but obviously not.
The clarity provided by the CJEU is a good thing. However, many are making the leap from opt-in being the default, to this rule also applying to *ANY* cookie being set or any data being collected. (Note privacy law is tech agnostic, but cookies are the tech most often used, so that is how I will refer to it.)
But...
Visitor Profiling != Web Analytics
Visitor profiling is not the same as benign web analytics. There are major differences between visitor profiling, ad targeting and so forth that EU privacy laws are rightly focusing on, versus benign and aggregate tracking that legitimate businesses wish to perform - for example using tools such as Google Analytics, in order to provide essential metrics. BTW, the word essential is important here and I use it deliberately. More later on.
I encourage all users to go down the benign tracking route, then seek visitor consent if they want anything more than anonymous and aggregate data. However, at present it seems as though the law is lumping these major differences together under the same thing i.e. cookie consent.
The Jigsaw Effect
At a higher level there is of course the question of what the tracking platforms themselves (e.g. Google, Facebook, Twitter etc.) do with all of the collected data. Because they have offered such analytics tools for free, data collection is now ubiquitous. At the all-seeing "platform level" this is scary, as they are able to triangulate disparate anonymous data across the web. That is, identify anonymous people via a jigsaw effect.
My analogy for this is the Six Degrees of Kevin Bacon or "Bacon's Law". Combine such jigsaws with the mashup of personal data that Facebook and Google et al have, and there is genuine reason for concern.
What Is Benign Analytics...?
I am deliberately separating out platform i.e. en masse, privacy concerns from website privacy concerns. Specifically, when a website simply wishes to benignly track their essential website performance.
Benign metrics include: Knowing how many visits came; How long did they stay; What pages did they view; What campaign or search query did they click on to arrive on the site etc.
These types of metrics are benign because they are aggregate by design. Grouping data in this way means it is not possible, or required, to profile an individual, let alone try to identify them.
These types of metrics are essential for any business in a competitive market - you would not survive for very long without them! The basics of growing a successful business beyond a small number of customers, relies on being able to predict stock levels, staff requirements, opening times, prospect interest, knowing how/when to recognise an existing customer, and so on. Consumers expect and even demand that businesses are on top of this type of fundamental and essential data. And your staff need job security!
We Need to Challenge Tech Platforms
It is very important that we challenge the tech platforms and providers of web tracking technologies to be transparent with what they do with the vast data they hold. Google et al will argue this is their competitive advantage and therefore it cannot be transparent. That is not good enough and I strongly advocate for much better regulation of the tools/platforms in terms of data governance. However, penalising legitimate businesses for using benign website/app tracking is not the way forward.
Of course there are bad business practices with plenty of tracking examples that are not benign, with little or no respect for user privacy. These need to be rooted out. However, my principle of benign/anonymous/aggregate web tracking not requiring consent is still valid in my opinion, even after this CJEU ruling, as such metrics are fundamental and essential to running a successful business.
A Solution: Use benign tracking as a default
The challenge is that businesses need to have a benign/anonymous/aggregate tracking model as a default tracking standard. This type of analysis is highly relevant and valuable in itself - and you get all the numbers without profiling your visitors, or interrupting them with a banner for consent!
If needed, politely ask your visitors for consent by explaining the benefits of what sharing extra data can bring to them - the value proposition. If you have a strong value proposition and strong brand trust you should be able to convince your visitors to share their privacy with you so that you can do more personalised tracking.
Try my FIVE-point test to ensure you are tracking users with their best interests at heart.
Summary
The CJEU ruling is great for clarity and is in line with the direction of travel for privacy in the EU - so no surprises. However, my takeaway is that there are still legitimate reasons for using web analytics tools without the need for consent when it involves only benign and essential metrics - it's just that very few websites do this! So change is needed. However, it remains to be seen if a strict definition of benign data collection can be considered legitimate to collect without the need for consent.
I am inclined to disagree with your analysis. The ruling was not about cookies; it was about applicability of Article 5(3) of 2002/58/EC with consideration of recital 24 and the impact of GDPR in relation to consent. It has long been established that analytics are not considered as strictly necessary and in the judgment the Court made it clear that the law covers access to or storage of *any* information (including information commonly used for device fingerprinting and analytics) and justified their position on the basis of Recital 24 explaining that this type of behaviour is a significant interference with a private sphere of a person, as perhaps one of the most intrusive interferences possible. The Court was also clear that even “strictly necessary” intrusions are not exempt by default & require a balance test be done against the fundamental rights of the person. In essence the Court's ruling was incredibly broad and restrictive. I would argue that under the ruling, given that analytics can be conducted in much less intrusive ways than many third party services (such as GA) they would fail the necessity test and thus the balance test now required.
Solving Data Protection Challenges | CDPO-CIPP/E | GDPR-DORA-NIS/2...
5 years ago: The legal basis for placing a cookie (or any file on a user device) is consent, not legitimate interest. Before the data is exploited, the right to install something is needed, unless the cookie is necessary. Web analytics can be done without a cookie.
Principal Consultant
5 years ago: Just consider the collective effort for sorting out all servers with cookies set server side (typically session cookies)...