Bob Page Answers Questions About Web Analytics Ethics

What is the very least every website owner can do?

The very least is to understand the laws for the places where you do business. But that’s eventually going to get you in trouble. If your bar is the law, and the law is fuzzy in some area, it’s possible to break the law unintentionally. You want the bar to be high enough so that if you unintentionally dip below the bar, you’re still above the law. In my mind, that means setting enforceable policies for how you use the data. This is roughly where many web sites think they are today: they disclose their privacy policies. However, these policies are generic and usually incomplete – they just haven’t thought about the problem enough. For instance, they rarely disclose their data retention policy. And I suspect it’s a rare web site that can say with certainty they know who is using their data and how it’s being used, because the policies are voluntary and not supported by technology. Data will escape if you don’t lock it down.

I’d like to see the minimum be an internal dialogue where the website owner asks “what are our values around how we use this data?” and then builds a set of practices to live those values. Having values will naturally mean having a higher bar than just having policies.

Do you think the Web Analytics Association is doing enough?

That’s a trick question. The WAA is its membership, not its board of directors. I suspect the board is more than willing to champion an ethics effort, but if the membership isn’t interested, why bother? I don’t have any inside information on how much interest there is, but if my email is any indication, there’s not a lot. Maybe it’s because the field is new and we’re still trying to figure out how to get the most out of our tools and data.

You could argue that the WAA, being an industry association, shouldn’t worry about this. It exists to further its members’ interests — and customer data isn’t part of that, beyond squeezing every drop of value one can get from it. But if you scratch the surface, most will agree that protecting customer data protects the currency that allows the organization to exist. So I believe it’s important to the industry.

Just the fact that the WAA exists is a huge step forward, because it provides a focal point where discussions can take place.

What do you think the situation will be like in three years’ time?

I think the low bar — the law — will be raised through new legislation. I suspect it will be raised higher than the current (voluntary) policies at many web sites. How high, I don’t know. The most disruptive would be a ban on collecting personally identifiable information, and we as an industry will be forced back to operational metrics like counting page views. I don’t really think we’ll need to go there, but that’s worst-case. It’s not inconceivable that we’d see data accountability legislation similar to the U.S.’ Sarbanes-Oxley act, and have whole industries (like advertising, web analytics and direct marketing) change in order to meet it. On the least scary side of the future, we’re all meeting at Emetrics 2010, everyone’s using the same privacy policies, the world governments have bigger issues to worry about than data protection, and we’re still talking about users deleting cookies.

I think in the next three years, the WAA will put ethics on its public radar. What comes of it will depend on the WAA membership.

Bob Page has worked with Yahoo’s central data team since October 2004. He was at one time co-founder, CTO and VP Product Development at Accrue Software. You can read his presentation about ethics from Emetrics 2006.