Web Analytics Code of Ethics

Eric,

Thank you for helping to start this process and thanks to the WAA for getting behind this from the start as well!!

My only question at this point is where do I sign? And after I sign, where do I get a web badge to display to show others I stand behind this?

Again, great work. I look forward to seeing this evolve and provide a great basis for all professionals in our industry to gain and keep the confidence of not only folks inside, but outside of our community as well.

-Rudi Shumpert
-@rrs_atl

Eric,

As a board member, I want to thank you for your great work to spearhead this effort. As a Certified Web Analyst, I am willing to sign this document wherenever it is finalized and published.

Regards,
Ed

I would add:

Anytime I produce statistics about web site visitors (e.g. a user, visit, page view count or engagement), I must break it down into multiple categories:

- fake users (Botnets, etc.): explain the methodology used to detect these clicks
- low quality users
- high quality users

If possible, break it down per country / education / gender / income levels.

Explain statistical methodology and define metrics used in BI reports. Aggregate data that has no statistical significance into one bucket.

Eric, as your business partner and a WAA board member, I commend this effort at what I believe to be a giant step for the web analytics industry. I hope that readers will commit to this code and I will work with the Standards Committee to see it through.

The WAA members and the industry at large have my commitment, that we will work diligently to define the ways and means by which individuals can endorse this Code of Ethics, so stay tuned.

In the meantime, help us to ensure that it meets your approval by leaving comments.

Looking forward,
John Lovett

Hi Eric,

Having just conducted an exercise reviewing the collection and use of PII at my own company this is very timely and something I would not hesitate to sign.

I also support Rudi's idea of a logo that can be displayed on sites that have signed (linking to the published code on the WAA). Presumably signatories would be reviewed annually to ensure continued compliance?

Kelly McClean

I would sign this.
I would get vendors to sign this.
I would ask my clients to think about this.
All in all a very good idea.

This looks like a good start - and we look forward to seeing it develop. I think if individual developers were signed up it would carry weight not only for the visitors to the end sites, but also the clients looking to have those sites developed - who may have concerns about accountability/liability once their site goes live.
A logo/stamp/link linking to a page which confirmed whether you were signed up or not would be a nice idea. It could just sit non-obtrusively in the website's footer.

A Code of Ethics will be huge positive step in the advancement of Web Analytics on many fronts. Elected officials will take note that the WA industry is taking action for "self-regulation" which should help their understanding of web analytics and, in turn, possibly cause them to favorably amend their positions on any legislation affecting the industry.
Thank you to Eric Peterson and John Lovett for taking the initiative, writing the first draft and playing an important role in making this happen.. It should also be noted that the WAA Board of Directors took swift action to approve and promulgate the Code to gain input from everyone in the industry. This is a great example of everyone working together on behalf of the industry.
I urge everyone to provide your comments and then make it a key part of your business practice once it is finalized.
Mike Levin, Executive Director, Web Analytics Association.

Eric,
Thank you for taking the time to put this together. I am certainly willing to sign as well as adhere to the policies outlined in the agreement. I appreciate your efforts in providing ethical standards to our industry.

ARJ

This is spot on Eric.

I think a critical component of this is visibility of the Code itself and that visibility has to reach far beyond the measure community.

For us to provide this with the proper visibility that it deserves, we all need to get past the "it's not my job" mentality and become advocates for our industry.

This Code provides us a framework so that we can all speak with one collective voice.

Hi All,

Both the original post and the comments have been a great read. Once we end up with a final version of the code, I will be pleased to have all our analysts sign on the line.

Sooner or later (most likely sooner), the perceived value to executives of WA is going to go through the roof. While this is great for analysts, it also means we are going to be asked some hard questions about what we can do, and should do, with all this business critical data we have been collecting. Being proactive on writing our own standards will let us answer the hard questions as they come up - and make sure we are respecting our site visitors as well as our bosses.

We had a meeting first thing this morning to talk about this post, and our thoughts are on the Napkyn blog. Let us know what feedback and support we can give to the process.

Cheers.

Jim

Very interesting. I'll have to read it in more detail, but I'm wondering if Eric Schmidt (CEO of Google) or Mark Zuckerberg (CEO of Facebook) would sign this? ;-)

Eric,

I think this is a huge step in the right direction. I like the idea of drawing a "line in the sand" and getting our community to rally around what we agree should and should not be done in our industry. It is much better to proactively control our own destiny than to let regulators do it for us! Something about an ounce of prevention is better than a pound of cure... Anxious to hear the next steps...

Adam Greco

This is an excellent start for anyone to adopt. It reads well and simply enough for anyone outside of the trade circles to read; which is the real point. It needs to be understandable by those we provide our services to. And, this accomplishes just that objective.

It reads well enough that it could almost be used for any situation dealing with sensitive data; like medical records, etc.

Nice work Eric! I really like this and think it's going to really help guide practitioners to act responsibly.

My only comment is that we should be mindful of the distinction between a company's data usage/privacy policy and the ethical actions of analysts.

I'm particularly thinking about point #2 as the way it reads might be a sticking point for practitioners that are afraid that it could put them at odds with their current of future corporate privacy policies. Personally, I think that point #6 is enough and that you could lose #2 altogether by strengthening #6 even further.

My reasoning is that, if disclosed and done responsibly, there are plenty of legitimate reasons to link usage behavior to PII as other commenters have noted. I'd hate to see the WAA take a position that casts judgement on those practices when it could take the lead in outlining exactly how to do so responsibly.

But I don't think that we should try to tackle that through this code of ethics as those issues are largely linked to corporate/company wide policy decisions.

If this code of ethics is about the analysts/practitioner then I think it makes sense for their to be a parallel WAA effort to develop a "data usage" code for companies to sign/adopt.

That initiative could put the WAA in a position to provide all stakeholders with a standard, easy way to distinguish between companies that properly disclose data usages/practices and those that do not.

It could also tie in with a company's use of P3P compact policy headers so it could be policed.

It might even be smart for the WAA to develop a set of "plain english" data usage policy pages that companies can just link to - much like rights holders do with creative commons licenses. That would sure beat everyone trying to parse the legalese of everyone's data usage/privacy policies - which I personally think is 50% of the problem.

Hope that helps. Thanks again for taking the lead on this important effort.

Peter

This is a great start, and I really like this effort.

I would add two things:

1) Consumers should be able to opt out of tracking for analytics. The current NAI opt out only stops targeted ad delivery, meaning that the consumer is still tracked. This is a worst-case-scenario privacy outcome: you are still being followed but you do not receive the putative benefit of the tracking. It's really strange that analytics experts think it is okay to track people even when they affirmatively take action to stop it. For example, this behavior should be out of bounds:

http://www.google.com/support/forum/p/Google+Analytics/thread?tid=05e7121884032c9a&hl=en

2) With regards to "anonymity," analytics companies should not use the term at all unless they promise not to reidentify, bump up, or otherwise enhance data to make it identifiable. Thus, I would change #2 to say something like:

I understand that the average consumer expects their online activity to be anonymous and I will work to keep it that way. Regardless of whether I have the ability to co-mingle personally identifiable and anonymous data, I will never connect the two unless A) I HAVE NOT MADE THE REPRESENTATION THAT DATA ARE ANONYMOUS customers have been directly appraised of this effort in advance and B) I am confident in my company’s ability to protect that data and keep it safe; C) I HAVE CLEARLY STATED THAT OUR POLICY IS TO COLLECT DATA AND CONNECT IT TO OTHER INFORMATION TO LEARN MORE ABOUT THE USER

My contribution:

http://christopherberry.ca/2010/09/a-code-of-ethics/

Great Idea and thanks Eric for taking the lead and putting this together. Maybe you can print it out and bring it to X Change next week for some initial autographs from all of us.

I think the logical place to postiion the WAA's ethical guidelines for practioners would be within the Standards Committee, an ethical standard comparable to our technical standards, giving equal weight to both. As we respond to questions about our ethical standards we'll inevitably deal with the resulting technical implications.

I suppose a case might be made for two separate committees addressing each issue independently but I think there's greater impact with treating the ethical and technical issues as two sides of the same coin.

Thanks to the WAA board for the quick action, Eric and John for leadership and to the community for great comments! Here are my thoughts:

I found the 10 points to be comprehensive but I would rewrite point #10:

#10: I will help spread and enforce these standards across the Internet. I recognize that we are far stronger as a community than one individual, and I believe that consistency in voice is important to communicating effectively about the work that I do. I will support the Web Analytics Association's efforts to safeguard consumer privacy by providing feedback, referencing this Code and other Association publications, and by advocating for adherance to these standards. When I observe a violation of these standards outside my organization, I will make reasonable efforts to notify the appropriate site owner. I will provide site feedback directly and privately to the website using any email links or feedback forms that are provided. I will provide the site owner with a link to this code.

I think this adds some teeth to the code, without being without requiring an unrealistic amount of effort or being unnecessarily harsh. This will help those outside the analytics industry believe in the code and the industry's ability to enforce it.

Consider this food for thought: If we want Association membership/certification to carry the weight of the Bar or CPAs, etc, our policies should carry some weight of enforcement. If member organizations are found to be in gross violation of these standards, we have some kind of remedial action. This isn't intended to be nasty, but instead to earn credibility for the Association. To continue the analogy, getting disbarred is pretty rare and is only done in pretty extreme circumstances and according to a strictly defined code versus loosely defined guidelines. It would look bad if we had our "WAA Privacy" badge on a bunch of sites making rampant use of FSO's...

My additional feedback is more nit-picky:

#6: add "clear and understandable" to "accurate and truthful". Most privacy policies I see are overly complicated. I believe consumers would be more comfortable if they could easily understand the privacy policy. I think woot.com does a pretty good job: http://bit.ly/wootprivacy.

#8: I would strike "if anyone asks". As previous comments suggest, we may need a tighter definition of what "transparent" means, but I think we can leave it to reasonable interpretation. "If anyone asks" almost sounds contrary to "forthright". Naturally, we're not going to publish obscure details unless asked, but I think there is a reasonable interpretation of "transparent and forthright" without requiring "if anyone asks".

There are certainly other ethical considerations we face as a community, as noted by other comments. We might consider a separate code of ethics around data presentation and interpretation as well, but this is a good start on the issue of privacy ethics.

In all, this is a great start! I think some of the language could be refined, either by a small committee, or maybe "Flash Mob" style using a shared (and tracked) editor.

Cheers!
Aaron

The only piece I would add would be in relation to 3rd party analysts, which I posted a piece on yesterday. The important piece (IMHO) being:

I will respect the privacy of each of my clients, and use my knowledge of their business goals, objectives, and methods to further only their cause. I will not leverage any gained experience in a way that unduly compromises a client, current, past or future, or jeopardizes their ability to maintain a competitive edge due to my work with them.

Hi Eric,

As one of the early reviewers of the WACOE, you already incorporated my input prior to publication, but here's my "imho":

1) "Express permission" needs to be defined.

2) Re: #6. Large companies, especially Internet-based companies, have too many technologies for a web analyst to "assume the responsibility for "starting" the conversation. Does this extend to tools for behavioral measurement deployed by agencies or by other teams, like, media teams or marketing teams in control of ad technologies? What about local market teams and their own marketing technology relationships across 60+ different countries? The conversation should have already been started when the legal contracts to deploy these technologies were negotiated with Procurement prior to deployment (before the web analyst may even be aware of the potential for deployment).

3) Re: #7. Large companies have too many systems for a web analyst to "pay close attention" to the list of individuals who have access. Expecting a web analyst to do so across all systems that contain customer, transactional, or behavioral data is unrealistic. In fact, Data Governance teams and teams in IT already do this access-checking and ACL purging as a best practice. Of course, for tools that the Web Analyst has control over, I agree.

4) Web Analysts are not the Privacy team, the Fraud team, nor the Compliance team. At the risk of sounding like I don't want to do extra work, I think it's unrealistic and a mistake to make the web analyst accountable for everything related to privacy that occurs everywhere by anybody in a company, especially in large, globally-distributed company. I agree, of course, we should have a seat at the table and do our best, but not be the singular "front line" - just part of a larger cross-functional, globally distributed team that is collectively together on the front line protecting customer and consumer privacy.

Again, as with most things in Web Analytics, it's a lot easier (but still hard ;) when talking about small companies. Things, as you know, get inordinately more complex at larger companies. And while I realize my experience, as we've discussed many times before :), isn't the normal case and the WA work I do tends to be more bleeding edge than simply adding GA tags to a site, it's worth ensuring use-cases for companies of all sizes are accommodated and realistically represented in the WACOE.

See you at X Change!

Judah

Pleased to see that the WAA is drafting a Code of Ethics. Agreed that this is a BIG step in the right direction. Also like the idea of those of us that are members, and agree with the Code of Ethics, that we can post a badge on our website with a link to the web page.

Helen Faber

This is great work, Eric and John, and I am also happy to see so many in the community jump in with thoughts. Obviously, it is something that is touching a chord with many of us, and probably also because we are able to see both sides of this, as analysts and also as consumers online.

I am glad Judah chimed in. In the large organizations that I have worked in, it would be impossible for me to carry out this agenda and feel confident that I could be successful doing so. I have had, on many occasions, to talk privately with junior analysts in other functional areas when I notice some mishandling of personal information. In one such example, I had to describe why we could not use responses to survey data to target individuals when subjects were told the results would be analyzed in aggregate and anonymously, This conversation was not taken well, and although I felt I had an obligation to protect 'my' consumers, it almost started a battle between the web ana and the market research team, who were more experienced in traditional data collection methods.

I like the proactive idea of working toward our own guidelines, but a few things I've read in the comments above seem out of scope. Again, I agree that a COE is a great idea and I am all for it, but I think we need to think more about how to implement realistically.

It might further my career by being on top of a needed solution for an issue in the org... or it could be detrimental as I am walking around policing everyone all the time. What we are stating above is no small task and would take a considerable amount of time to manage in a large enterprise org- especially for those not in senior management. I've been in meetings often in which I don't think we are putting our best foot forward in respect to consumer privacy, but I know that I have to play a little bit of politics to educate them and get those people to agree with me, but it doesn't always work. In terms of the COE, in this case, would I have done my job? Is the specific role to 'try' to change minds or am I successful only after the org, as a whole gets a passing grade? I think we need to re-work the wording to address the concept of being aware and involved in creating change and not that of being responsible for change. Also, of course this COE is always going to be in action, meaning we might only be able to move the needle every so often, but not win every fight. Am I then able to call myself ethical? I would hope so.

One roadblock we may have as a group to get this out, is that there are many sides to this issue; what one experiences and expects from partner/vendor side is quite different from that of a small org, then that of a large org, and as mentioned above, B2B probably has different concerns, or ways they use personal consumer data, then B2C. We know about these different needs by different players in our industry of course, and have been able to develop great conferences and such that address each of us, so let’s use this background to better anticipate acceptable guidelines for all.

I will ask first "how would I want my information and my identity to be treated?" and then act in treating others with the same regard, rights, and respect.