We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back. -- Cory Doctorow
Privacy concerns have taken center stage in the ethics of technology discussion. Several user experience architects have spoken out about the need for prioritizing a user’s privacy when designing products and websites — including Privacy is UX by Alex Schmidt and Privacy and the User Experience by Alexander Dawson. However, in UX communities I still see a lack of importance given to the subject. As a result, the web is still fraught with insecure connections, irresponsible data mining and missing or obtuse privacy policies. The UX community has the ability to dramatically shift that.
Collect Only What You Need
The best way to protect someone’s privacy is to leave them alone. If you don’t know something about a person, you can’t divulge it to others. To take a minimalist approach to data collection, perform a data collection review. Ask the following questions of all data you consider collecting on a user:
- Who would be using this data?
- What would they use the data for?
- Would this data be required or optional?
- If it is required, what would happen if a user provides false information?
Pare Down Your Data
Like all things content-related on the web, we most likely collect more than we need. If you are already auditing your site on a regular basis, work a data collection review into the next audit. And if you aren’t, well, you really should start :)
Make a list of all points of data collection on your site. These will include:
- Form fields
- Analytic tools configuration
- Content management system configuration
A nice byproduct of only asking for what you need is that you improve your user’s experience on the site. Removing unnecessary fields on forms leads to increased conversions. It also means less data you need to store, organize, analyze and protect. Once you’ve trimmed down form fields to the essentials, cull the unneeded data from your system. Have this done on a staging site and review it first to ensure you do not permanently delete information that is needed.
Analytic Tools Configuration
The purpose of analytics tools is to collect data. Products tend to collect as much data on users as they can, in order to make themselves marketable. Begin by listing all of the analytics tools your site uses. You can then review the data being collected by each one. Again, ask the four questions of these data points. If you find that a tool’s data collection is unnecessarily broad, consider moving to another tool.
Google Analytics and IP Masking
The most popular analytics tool, Google Analytics, does not collect any personally identifying information (eg: email address) from users, but it does collect the following by default:
- IP address
- What website they came from
- How long a user stays on each page
- What pages a user visits
- Operating System
The most contentious data point is a user’s IP address. This address is the unique identifier for the wireless network’s router through which the user is accessing your site. While the IP address is not linked to a specific computer, it can be traced back to a user’s exact location.
Thanks to Germany’s privacy laws, Google Analytics now offers the option to mask users’ IP addresses, removing the last octet of the user’s IP address when it is collected. Geolocation can still be derived, but it is only approximate and cannot be traced back to a specific router.
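The same last-octet masking can be applied to addresses before you store them yourself, for example in a self-hosted request log. The snippet below is an added example, not code from the article or from Google; the IPv6 rule (keep the first 48 bits, zero the rest) is an assumption modelled on the documented analytics.js behaviour, and the log lines are constructed.

```javascript
// In analytics.js the option itself is switched on with:
//   ga('set', 'anonymizeIp', true);
// This function reproduces the effect for data you store yourself.
function anonymizeIp(address) {
  if (address.includes(':')) {
    // IPv6 (assumed rule): expand to eight 16-bit groups, keep the first three.
    const groups = expandIpv6(address);
    if (!groups) return null;
    return groups.slice(0, 3).concat(['0', '0', '0', '0', '0']).join(':');
  }
  // IPv4: the rule the article describes, zero the last octet.
  const octets = address.split('.');
  const valid = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) return null; // reject malformed input instead of storing it unmasked
  octets[3] = '0';
  return octets.join('.');
}

// Expand a textual IPv6 address ("::" shorthand allowed) into eight hex groups.
function expandIpv6(address) {
  const halves = address.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = head.concat(Array(missing).fill('0'), tail);
  if (!groups.every(g => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map(g => g.toLowerCase());
}

// Constructed sample log lines (common log format, client address first).
const sampleLog = [
  '203.0.113.42 - - [10/Mar/2017:12:00:01 +0000] "GET / HTTP/1.1" 200 512',
  '2001:db8:85a3::8a2e:370:7334 - - [10/Mar/2017:12:00:02 +0000] "GET /about HTTP/1.1" 200 1024',
];

// Mask the client address of one log line before it is written to disk.
function anonymizeLogLine(line) {
  const [address, ...rest] = line.split(' ');
  const masked = anonymizeIp(address);
  return [masked === null ? '[invalid-ip]' : masked, ...rest].join(' ');
}

sampleLog.map(anonymizeLogLine).forEach(l => console.log(l));
```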
Content Management Configuration
Your content management system (eg: WordPress, Drupal) also tracks and stores data on users. Aside from the form fields you might have created through your CMS, there is data every CMS tracks by default—at the very least your users’ email addresses and passwords.
Make sure that the site is using HTTPS (see our advice on what your site needs in 2017). This encrypts user traffic so that others (eg: hackers, intelligence agencies) cannot observe users’ activity on your site or the information they submit (eg: usernames, passwords, credit card numbers). Google also uses it as a search ranking signal.
By respecting users’ privacy, we ensure that the sites we build are trustworthy and easy to use. In an age of mass surveillance this is more important than ever before.