Use of Third-Party Web Analytics Services

Web site developers and owners need usage data on their web sites to evaluate site effectiveness, plan development, and make other strategic decisions. A number of analytical applications are available for this purpose, delivered both as traditional packaged software and as third-party "software-as-a-service" applications. Some providers charge for their software or service, while others offer free services (e.g., Google Analytics).

The purpose of this document is to identify some of the risks involved in using third-party analytics providers where the collected web site statistics reside on the provider's servers rather than on servers hosted by the university.

Potential Exposures

Security and privacy exposures

Credentials and other information can be unintentionally exposed when carried by or passed through site URLs. While this is largely a coding/development issue, and important to eliminate even for internal web sites that keep their logs and statistics locally, it is vital to eliminate these issues if web site traffic statistics are to be maintained externally by a third party. See the Quick Guide for the Use of Third-Party Web Analytics Services for more information.
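One way to keep URL-borne credentials out of externally hosted statistics is to scrub each page URL before it is reported to the analytics provider. The function below is an added example, not part of this document or of any provider's API; the parameter names, value patterns, and the example.edu origin are assumptions to adjust per site.

```javascript
// Added example. Parameter names and value patterns are assumptions; tune them per site.
const SENSITIVE_NAMES = /^(pass(word|wd)?|pwd|token|access_token|id_token|secret|session(id)?|sid|auth|api_?key|ssn|email|user(name|id)?)$/i;

// Values that look sensitive whatever the parameter is called.
const SENSITIVE_VALUES = [
  /^[^@\s]+@[^@\s]+\.[^@\s]+$/,   // e-mail address
  /^eyJ[\w-]+\.[\w-]+\.[\w-]*$/,  // JWT-shaped string
  /^[A-Za-z0-9_-]{32,}$/,         // long opaque token
];

function scrubUrlForAnalytics(rawUrl, base = "https://www.example.edu") {
  const url = new URL(rawUrl, base); // base is a placeholder origin for relative URLs
  const removed = new Set();

  // Credentials embedded as https://user:pass@host/
  if (url.username || url.password) {
    url.username = "";
    url.password = "";
    removed.add("userinfo");
  }

  // Copy the pairs first: deleting while iterating searchParams skips entries.
  for (const [name, value] of [...url.searchParams]) {
    if (SENSITIVE_NAMES.test(name) || SENSITIVE_VALUES.some((re) => re.test(value))) {
      url.searchParams.delete(name);
      removed.add(name);
    }
  }

  // Fragments can carry tokens or form state; drop them entirely.
  if (url.hash) {
    url.hash = "";
    removed.add("fragment");
  }

  return { url: url.toString(), removed: [...removed] };
}

// Constructed sample input
const sample = scrubUrlForAnalytics(
  "https://www.example.edu/portal/reset?user=jdoe&token=abc123&q=library+hours#step2"
);
console.log(sample.url, sample.removed);
```

Report the returned `url` to the provider in place of the browser's full location, and review the `removed` list during development to find pages that still place sensitive data in URLs.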

Privacy concerns

Sharing personally identifiable information with an external party over which one has no control with regard to the retention or secondary uses of that information carries risks.

  • Does the provider have a privacy notice detailing the collection and use of the information used to provide the analytics?
  • Is the notice clear?
  • Should the information be shared with an external party at all?

Site visitors cannot be adequately informed of privacy practices if those of an external provider do not exist or are unclear. This could result in a lack of compliance with privacy laws and/or with a university web site's own privacy notice.

Recommendations

  1. A third-party provider of analytics may be used without a contract ONLY for web sites that do NOT handle or collect critical information.
  2. If a third-party provider of analytics must be used, and the web site handles critical information, then a contract must first be established with the provider through university purchasing that covers acceptable uses of the collected information.
  3. Any use of a third-party analytics provider must follow the provider's and all other applicable terms of service documentation and be fully disclosed in the web site's privacy notice.