Inspired by Eva PenzeyMoog’s new book, Jeremy highlights the widespread user tracking situation in this industry:
There was a line that really stood out to me:
The idea that it’s alright to do whatever unethical thing is currently the industry norm is widespread in tech, and dangerous.It stood out to me because I had been thinking about certain practices that are widespread, accepted, and yet strike me as deeply problematic. These practices involve tracking users.
And ends with zero minced words:
We should stop stop tracking users because it’s wrong.
I take notice here, as I’m largely complicit when it comes to some degree of user tracking. For example, I have Google Analytics on this site. And pertinent to the topic: I have for well over a decade. I mention that not to prove that it’s OK, but almost to question it more, because it’s such a widespread long-term industry standard that is rarely questioned.
Because I have Google Analytics¹ on this site, I can take zoomed-out looks at the long-term traffic on this site. Here’s a 10-year period:
Or I can see how year-over-year mobile traffic on this site has gone down nearly 6%.
I don’t send any personal information to Google Analytics. I don’t know who did what — I can only see anonymous aggregate data. Not only is it literally against Google policy to do so:
The Analytics terms of service, which all Analytics customers must adhere to, prohibits sending personally identifiable information (PII) to Analytics (such as names, social security numbers, email addresses, or any similar data), or data that permanently identifies a particular device.
… but I have a much clearer ethical line in my head there — that’s not something I’m comfortable with. Even when I’ve implemented user tracking that does tie a particular user to a particular action, it’s still anonymized such that it’s impossible for me to tell from using that tool who has done what.
But I understand that even this “anonymous” tracking is what is being questioned here. For example, just because what I send is anonymous, it doesn’t mean that attempts can’t be made to try to figure out exactly who is doing what by whoever has that data.
Switching the focus to email, I do use MailChimp to send the email newsletter on this site, and I haven’t done anything special with the settings to increase or decrease how much tracking happens when a newsletter is sent. As such, I can see data, like how many people I send to, how many open it, and how many clicks happened:
As I write this, I’m poking around in the reporting section to see what else I can see. Ughghk, guess what? I can literally see exactly who opened the email (by the person’s email address) and which links they clicked. I didn’t even realize that until now, but wow, that’s very super personally identifiable analytics information. I’m going to look into how I can turn that off because it does cross an ethical line for me.
There is also a brand new mini-war happening with email tracking (not the first, as I remember the uproar when Gmail started proxying images through their own servers, thus “breaking” the accuracy tracker pixel images). This time, it’s Apple doing more aggressive blocking, and companies like MailChimp having to tell customers it is going to mess with their analytics:
I’m interested not just in the ethical concerns and my long-time complacency with industry norms, but also as someone who very literally sells advertising. I can tell you these things are true:
- I have meetings about pricing where the decisions are based on the historical performance of what is being sold, meaning impressions and clicks.
- The vast majority of first conversations between bag-of-money-holding advertisers and publishers like me, the very first questions I’m asked are about performance metrics.
That feels largely OK to me. When I go to the store to buy walnuts, I want to know how many walnuts I’m going to get for my dollar. I expect the store to price the walnuts based on normal economic factors, like how much they cost and the supply/demand for walnuts. The advertising buyers are the walnut buyers — they want to know what kind of performance an ad is likely to get for their dollar.
What if I said: I don’t know? I don’t know how many people see these ads. I don’t know how many people click these ads. I don’t know where they are from. I don’t know anything at all. And more, you aren’t allowed to know either. You can give me a URL to send them to, but it cannot have tracking params on it and we won’t be tracking the clicks on it.
Would I lose money? I gotta tell you readers: yes. In the short-term, anyway. It’s hard enough to land advertisers as it is. Coming off as standoffish and unwilling to tell them how many walnuts they are going to get for their dollar is going to make them roll their eyes and move on. Long-term, I bet it could be done. Tell advertisers (and the world) up front, very clearly, your stance on user tracking and how it means that you don’t have and won’t provide numbers via tracking. Lean on supply and demand entirely. Price spots at $X to start. If other people have interest in the spot, raise the price until it stops selling, lower the price if it does. I bet it could be done.
To be honest, I’m not ready to tip my apple cart yet. I have a mortgage. I have employees to pay. I absolutely do not have a war chest to dip into to ride out a major income shortage. If I lost most of my advertising income I would just… fail. Close up shop. Be forced to make other dramatic life changes to deal with it. And I just don’t want to. It doesn’t feel like rolling the dice, because that implies I might win big. But if I were to take a hardline stance with advertisers, telling them that I provide zero data, “winning big” is merely getting back to the baseline for me.
I write all this just to help me think about it. I don’t want to sound like I’m being defensive. If I come across that way, I’d blame my own inertia for following what have felt like industry standards for so long, and being indoctrinated that those practices are just fine. I don’t feel like I’m crossing major ethical boundaries at the moment, but I’d rather be someone who questions myself and takes action when appropriate rather than tying a bandana over my eyes.
- I have tried other analytics services, like Plausible, that are more specifically privacy-focused.
As a publisher, I definitely understand the struggle.
But as a reader, I have to say a couple fewer ads on CSS-Tricks would be definitely welcome ;) Maybe you could find some advertisers more aligned with your vision willing to pay a bit more to make up the lost business?
And as a developer, I never have any time to look at all the granular data Google Analytics stores anyway. The only metric I’m interested in is who’s talking about/linking to my projects, and Analytics is positively terrible at surfacing that info anyway. So at some point if all that tracking doesn’t benefit me, and it doesn’t benefit users, maybe the only party that stands to benefit is Google?
Have you tried Fathom?
It’s privacy-focused, doesn’t require annoying cookie banners and integrates well with WordPress. They have got a 7-day free trial too.
Thanks for the recommendation! After reading, I added Fathom to a Drupal 9 site I have. It was easy and it’s awesome. Until this I simply didn’t have analytics because I found them so sickening.
Great that you think about this stuff. If only analytics where enough to keep sites going. I would never object to anonymize my visiting habits and use it for statistical reasons only. It’s the profiling and tracking that bothers me (a lot). That’s why I hope Europe will follow the EDPB’s advise
Plus (I forgot to add that) as far as Iḿ concerned, adds would not have been an issue if they were based on statistics about visitors, instead of on me.
Theoretically speaking, do you think it would be viable for a publication like CSS Tricks to partner with advertisers only as “sponsors” rather than selling impressions?
So for example, the article category X could be sponsored by company Y.
This would be more similar to the business model of some email newsletters, or even to offline advertising (think magazine spreads, podcast sponsors etc.)
You’re actually already doing this with Frontend Masters—and I feel that this is an actually relevant banner that also respects my privacy as a user.
Could this kind of stuff replace any behavioral advertising you’re doing on the site?
As a follow up here, I’ve gotten this tracking turned off in the CSS-Tricks newsletter.
The problem is not so much -you- (or any other inidivdual blogger) seeing some information about visitors or tracking who visits your website more often, etc. The problem is that the big tech companies (google, facebook and other advertisement trackers) follow us all over the internet. As soon as you or I or anyone places a google add or google analytics on our website, google tracks who visits that website. And which websites next. And next. Combined with other info of the same people.
That is way way worse then a single website tracking individual visitors. I have no problem if you could see I visited 5 articles on ccs-tricks this month or commented on 3. But Google or Facebook knowing about every single website I visit, every single search query, every place I visit, etc. is the real problem.
I agree with Matthijs. Personally it’s not an individual website tracking a user (me) that is bothersome, it’s the meta-cross-site, that gets linked on and on.
Really a user, when visiting a site is getting some kind of service. People come to css-tricks to learn, gather ideas, and such. They are provided a valuable something. If it did not provide some value, they wouldn’t visit, or repeat a visit.
There needs to be some form of return to the one providing the value. So some method of returning value needs to be granted to the originator.
Yet the meta-linking is providing value to others that are more and more distant from the site creator and the visitor.
Just some random thoughts on this issue.
.. Otto
As an online marketing consultant working mainly with Google Analytics, my views may be a bit biased here. But here are some thoughts I’d like to add to this discussion:
Here in the Netherlands we have some solid privacy laws with GDPR. The Dutch Data Protection Authority explicitly states that you can use Google Analytics without consent and still comply with GDPR. To me this is a clear signal that Google Analytics in itself does not harm privacy of our users when done right. (Note that you do have to do some work to get it to comply with GDPR: For example you’ll have to turn off advertising features, turn of data sharing with Google and you’ll have to turn on IP Anonymization)
I use Google Analytics every day to improve user experience and track down errors on the site. To me this is the most effective way to get a clear picture of what is happening. Without it I would go blind. The use of some tracking is actually in our users best interest.
Users that need more privacy protection can take measures on their end. For instance through browser add-ons like Google Analytics Opt-out Browser Add-on.
I think it would be helpful to talk about tracking in a less black and white fashion. Not everybody who does apply tracking is against privacy.
Privacy is important and at the same time tracking is needed for most sites to get their business ahead. In my opinion we should not be talking about if tracking is ethical, but how we can track in an ethical manner.
I wonder if the Dutch Data Protection Authority is going to revisit this in light of the recent ruling in Austria on GA and the GDPR. We live in interesting times.
We use Matomo for all our websites and have been using it for over 5 years (it was named Piwik before). It automatically anonymizes IP addresses and we host it on our own server, so nothing gets send to any third party. Check it out if you haven’t heard from them, it’s an awesome tool for SEO & Analytics!!