Internet privacy: insights for website owners
This post focusses on the battleground that is internet privacy, and its implications for website owners. We're going to take a quick look at things like how the data protection rules apply to cookies, and how your website might be invisibly leaking user data without your knowledge.
Because every good story has a beginning, a middle and an end (at least, that's what they taught me at school!), I'm going to start with some background. But if you want to skip the context and get straight to the implications for you, go right ahead.
Why is internet privacy important & how did we get where we are?
Human beings are pretty clever beasts. We invent all sorts of things to make life better, and to make money. However, sometimes we do it so quickly that it takes laws and ethics some time to catch up. A bit like the wild west, the internet started out lawless and we’re gradually figuring out how to impose order. It's a slow process.
Online privacy is a good example of that. Technology and business got ahead of ethics, and we’re now faced with needing to claw back basic rights – mainly the right to not have our personal data taken, recorded and traded without our permission.
More specifically, three main factors have led to internet privacy being the issue it is today: market forces, lack of regulation, and to some extent, consumer apathy. Market forces - or rather, advertising dollars - powered the growth of Facebook, Google and Twitter. These platforms offered fantastic free services such as search and social networking, which most of us gleefully hopped aboard. But the cost was that users were tracked from site to site and personal data became currency: welcome to the data economy!
It wasn’t an open trade, though. Google and Facebook didn’t exactly ask if they could have our personal data. They just took it - mainly because they could, and used it to help make money, by selling increasingly targeted advertising. The technology enabled it, and the legislation of the time – which was somewhat outdated and weak - didn’t forbid it, at least in any meaningful way. And besides that, many people didn’t care.
For a long time, it seemed that, given the power of market forces vs consumer apathy and poor regulation, internet privacy would never be a real option.
Things start to change?
Roll on to 2018 – the year of the Cambridge Analytica scandal and the time that GDPR became enforceable. GDPR attempts to update privacy legislation for the internet age. New rules and definitions were provided that were at least somewhat up to date with modern data usage. And, more importantly, fines of up to 20m Euros or 4% of turnover could be imposed for careless or deliberate misuse of personal data.
Against that backdrop, the Cambridge Analytica scandal surfaced, revealing that the data of up to 87 million Facebook profiles had been harvested for political gain. The financial penalties brought against Facebook were not exactly crippling (the company was fined $5bn in a year when its turnover exceeded $55bn), but the tide of public opinion began to turn. Are we okay with them taking and using our data however they want? No, maybe we’re not!
Where are we now?
Going into 2022, internet privacy is still a problem in need of a solution. We’ve seen a proliferation of gross and deliberate misinterpretation of the rules, which has resulted in the ghastly cookie pop-ups that get in your face every time you try to browse the web. Most don’t prevent you being tracked, often because they make it insanely difficult to opt out.
And the data economy still exists, although there is increasing appetite for change. The tech giants – arguably where the power for change really lies – are making their own plans. They can see the writing on the wall regarding personal data as currency, and are looking for new models to allow advertising dollars to continue to flow. Other models, such as Brave – a privacy respecting browser, search and ad platform - have sprung up. And if the advertising spend can be shored up without exploiting user data in the way it has been, perhaps we will see meaningful improvements to how personal data is handled.
Meanwhile, enforcement of privacy laws gathers pace. To date the biggest fines have been levied at the tech giants (Amazon Europe: 746 million Euros; WhatsApp: 225m Euros), and although the internet suffers with jurisdictional issues, in some regions we’re seeing increased commitment to policing the spirit and the letter of the laws.
The biggest and most news-worthy GDPR fines usually relate to data breaches, where vast numbers of personal records are leaked by large organisations. However - and this is what website owners need to be aware of - we are starting to see fines imposed for violations of other aspects of data protection, such as marketing emails sent to email addresses obtained without consent, and even (not in the UK but overseas) for violations around the dreaded cookie consent, and personal data moved without consent ‘behind the scenes’ from a website to a third-party server.
And here’s where it gets interesting for you, the website owner.
So, what does this mean for your website?
Now we get to the crux of the matter for anyone who owns, runs or manages a website. There are things going on here that – with the best will in the world - the average website owner doesn’t understand.
It’s easy to understand that data breaches are bad, and leaking people’s home addresses - or worse, credit card details - onto the internet will result in a bad day for all concerned. It doesn’t require any technical knowledge to know that you shouldn’t send marketing emails to lists that you haven’t permissioned properly.
But are you aware of how the data protection rules apply to cookies? And do you know if your website exposes users’ IP addresses? The fact is, many website owners won’t know what an IP address is and what it’s used for, let alone how it constitutes PII under current data protection laws.
So, first off, here are some hopefully fairly simple facts:
- Firstly, you are responsible for any data that your website collects. Websites collect data in a bunch of different ways – visibly via forms, and invisibly via cookies and scripts and other mechanisms.
- Not all data is PII (personally identifiable information). But anything that is ‘personally identifiable’ as it relates to a human person can get you into trouble. That includes obvious ones like credit card numbers but also extends to IP addresses.
- An IP address is a unique series of numbers that identifies a device on a network. It’s not as simple as one IP address always equals the same computer; but put together with other information, knowing an IP address would be enough to track activity back to an individual. That’s why IP addresses are PII.
- Your website almost certainly uses third party services – i.e. it talks to other websites in order to do all the things it does. Or to put it another way – all the code that makes your website work isn’t always contained within your website. The website is probably subcontracting parts of the functionality to someone else. In doing so, it may pass visitor IP addresses to those other websites or services. Since IP addresses are PII and subject to GDPR requirements such as consent, this is a problem.
- Examples of third-party services that may be quietly ‘leaking’ visitor data in the form of IP addresses: Google Analytics/Tag Manager & co, Google Fonts or Typekit, CDNs, Social Media embeds/share buttons, Hubspot tracking, YouTube or Vimeo video embeds, ReCaptcha spam protection and live chat/chat bots – and this list isn’t exhaustive. Ironically, even some cookie management scripts aimed at GDPR compliance may leak IP addresses.
So where does that leave us? Well, it’s complex and each site is different in its requirements, but here are some suggested starting points:
- Run an audit of how your website is handling PII, so you know where the risks are. That includes auditing third-party services such as the leaky ones mentioned above. Your web team should be able to do this for you.
- Assess and categorise those risks, from a heavy fine for a data breach at the highest level down to a slap on the wrist for using Google Fonts at the lowest.
- You might also want to think about your approach in terms of how it fits with the ethos and ethics of your organisation. Does your organisation have values around respect, privacy and security which impact decisions on what’s acceptable?
- Also think about your audience, your website visitors. What would their preference be? Perhaps there are reasons to be particularly careful, such as if your website has content aimed at any of the ‘protected classes’ of people such as children.
- Consider what tracking you actively need for your marketing effort. For many websites, parting company with detailed analytics isn’t feasible. For others, Google Analytics is simply installed by default. Could you run without tracking entirely? Or could you invest in privacy-respecting alternatives to the almighty Google surveillance suite?
- Fit your site with a genuinely GDPR compliant cookie control banner. To be clear, that means that no cookies containing PII are set until consent is given, and that it’s as easy to opt OUT as it is to opt in. We’ve all been forced to hit ‘accept’ because figuring out how to switch off every damn cookie individually would rob us of the will to live – but does that feel okay?
- Consider asking your web team to self-host third-party services where possible. Many third-party services, such as Google Fonts, can be hosted within your own website, meaning that no data is passed externally to Google & co. This can also have benefits to performance of the site.
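As a starting point for the third-party audit and the self-hosting decision above, here is an added example (not code from this post's author) that lists every external host a visitor's browser contacts automatically when it loads a page, since each of those hosts receives the visitor's IP address. The page URL `https://www.example.org/` and the sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SRC_TAGS = {"script", "img", "iframe", "video", "audio", "source", "embed"}
LINK_RELS = {"stylesheet", "preload", "icon", "preconnect"}  # rel values that trigger a request
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)""")

class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.site_host = page_url, urlparse(page_url).hostname
        self.found, self.in_style = {}, False  # external host -> element types

    def record(self, url, via):
        host = urlparse(urljoin(self.page_url, url)).hostname
        # Assumption: only an exact host match counts as first party.
        if host and host != self.site_host:
            self.found.setdefault(host, set()).add(via)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_style = tag == "style"
        if tag == "link":  # rel=canonical and similar are never fetched
            rels = set((a.get("rel") or "").lower().split())
            if rels & LINK_RELS and a.get("href"):
                self.record(a["href"], "link")
        elif tag in SRC_TAGS and a.get("src"):
            self.record(a["src"], tag)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # inline CSS: web fonts, background images
            for url in CSS_URL.findall(data):
                self.record(url, "css")

def audit(html, page_url):
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    return {host: sorted(v) for host, v in sorted(parser.found.items())}

# Constructed sample markup, not taken from any real site.
SAMPLE = """<link rel="canonical" href="https://other.example.net/page">
<link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Inter">
<style>@font-face { src: url("https://fonts.gstatic.com/s/inter.woff2"); }</style>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<img src="/img/logo.png"><iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>"""
```

This scan only sees what is in the delivered markup. Requests that scripts inject at runtime have to be checked in the browser's network panel.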
The steps above won't guarantee complete data protection compliance, and all advice should be reviewed by your own legal team. But hopefully this post will start the right conversations inside your organisation to help you take ownership of your website's data management, and make purposeful decisions about how you'll manage other people's personal data.