Choosing a web analytics provider

Most New Zealanders are concerned about the collection and protection of personal information by online providers.

We know this because every two years, my office (Office of the Privacy Commissioner) undertakes an opinion poll on New Zealanders’ attitudes towards individual privacy. In the last two surveys, 80 per cent expressed concern about the security of personal information on the internet.

A corollary of this high level of awareness about the insecurity of online personal information is concern over how websites and mobile apps collect the information in the first place — information that can be used to hyper-personalise marketing and, in many cases, sold to or shared with third parties.

These third parties are removed from the direct customer-provider relationship from which the information is obtained. Once that information is passed on, the consumer effectively loses any control over the information.

Therefore, as a privacy regulator and watchdog, it is our aim to try and be as exemplary as possible about how we handle the personal information that our website collects.

Hence the dilemma we had last year when we moved to the Government’s Common Web Platform. We wanted to collect information about our web traffic while maintaining control over that information. We also wanted to allow people to opt out of being tracked on our website.

The website data helps us improve the delivery of our services and communications. But we want to collect only what is necessary for that purpose and only with the consent of our website’s visitors.

Google Analytics or Piwik?

The obvious option for web analytics is Google Analytics. It is the most popular tool for companies and governments that want to analyse traffic on their websites. But it doesn’t put users — that would be us — in control of the data.

Google Analytics allows Google to know all visitors to the site and what pages they looked at. But because 60 per cent of all websites use Google Analytics, Google also comes to know many other websites that a person visited in any given time.

Through Google Analytics and Google services like AdSense, Google is therefore able to build a very accurate picture of most websites and their users. Google can then use this data to build custom audiences that it sells via AdWords.

In light of this, governments, companies and individuals are using alternatives such as Piwik, which puts users in control of their own website data and never shares that information.

We did a privacy comparison of Google Analytics and Piwik. We checked out both against our information privacy principles and against the principles of Privacy By Design.

Piwik is an open source web analytics platform created by a New Zealand-based developer. Its point of difference is that website owners can self-host it. Web data can be collected, stored and analysed on the website owner’s server without it needing to be sent to a third party for analysis.

Using the cloud

It all sounded good. But we were not able to self-host Piwik because of our website’s Common Web Platform infrastructure. For us to use Piwik meant we would have to employ a Piwik cloud solution.

We consulted with our overseas privacy colleagues to find out what they used and why. We researched the privacy policies of Google Analytics and Piwik, particularly as to the ownership and control of the data collected, and how they might use the data for their own purposes.

We sought and received written assurances from Piwik that even with a cloud-hosted solution, the data would remain fully in our control, and Piwik would not make any use of it itself or share it with any other parties.

We chose Piwik because we decided it would offer us a higher level of privacy assurance for our users and our data. As it happened, our German and French privacy colleagues had assessed Piwik and likewise found it privacy friendly.

Here then are some of the steps we have taken in implementing Piwik:

  • We updated our website privacy statement to explain why we want to collect statistics about our web traffic, while providing an assurance that it is only aggregated, non-personally identifiable metrics.
  • We provided users with the ability to opt out of the tracking cookies that Piwik will use to generate the aggregated, non-personally identifiable metrics for us. This opt out option is prominently displayed on our website.
  • We are masking users’ IP addresses to make them non-personally identifiable.
  • We have configured Piwik to recognise and respect any “Do not track” setting that a user might have implemented in their own web browser.

We think with Piwik we’ve got the balance right. Forresters is predicting this to be the year business begins to make data security and privacy an important competitive advantage. The international business advisory firm says that in the battle to win and retain customers, data security and privacy will become a top business technology priority.

We think the same lesson applies to government agencies because people will have similar levels of privacy expectations across both the private and public sectors.

5 comments

  1. Comment #1. Paul:

    Interesting article, do you think this is something that is likely to come up as an all of govt recommendation next time they review the roadmap? or even be adopted as standard for new sites developed by particular Depts as a whole eg DIA.
    If it works we probably should be supporting homegrown talent.

  2. Comment #2. Danielle:

    Interesting point of view on the topic, it will be interesting to see how many people take up the ‘opt out’ option.
    Which website is this for?

  3. Comment #3. John Edwards

    Hi Danielle,
    this is about my office’s website – http://www.privacy.org.nz. I invite you to check it out and give us your feedback.
    John

  4. Comment #4. John Edwards

    Thank you, Paul. I can’t possibly say if an all of government approach is likely. But for our purposes, my advice – as set out in my post – stands. We also like the homegrown connection that comes with Piwik.
    John

  5. Comment #5. Nathan Wall

    DIA’s Digital Engagement Team has recently been approached by a number of different agencies with questions about analytics.

    It’s been really encouraging in my talks with these agencies, people are starting to think beyond “pageviews” and “unique visitor” numbers. There is a genuine interest in making analytics reports more meaningful. Agencies are looking at which tools are fit-for-purpose, and how they can resource the effort needed to get the most value for their decision makers.

    We’re currently exploring options for a more coordinated, possibly an all-of-government solution. Whatever we do will follow a customer-centred, evidence-based approach, and we’ll likely start with something small, iterating further as we learn more. This also gives us time to resolve questions such as what operating and funding models would be needed. There are pockets of analytics expertise spread across agencies, it makes good sense to leverage this and work collaboratively where we can too.

    We’re also talking with other government jurisdictions around the world, looking for examples of good practice, and opportunities to learn from and reuse solutions that have already been established.

Navigate Posts