Author:

At last month’s Analytics New Media Breakfast at the Tower Restaurant in Edinburgh an interesting question about the privacy aspect of using ClickTale was asked.

The Power of ClickTale

Ever wonder how customers browse your website? see with ClickTale
ClickTale is a tool that allows website owners to “watch” users as they are interacting with their websites in real time. It compliments Google Analytics beautifully and it’s a tool we recommend highly.

Watching the interactions occurring can be much more enlightening than statistics alone.  It also allows the webmaster to monitor how visitors react to any site changes or improvements without waiting for hours or days to get the result.  One of its many powerful features is allowing website owners to watch users interacting with their forms.

Such “monitoring” though does flag up a concern with regards to the protection of personal data.  Euan Duncan, a solicitor at McClure Naismith and an attendee at the breakfast, rightly raised concerns in regard to the data being shared with a third party (ClickTale) and the data being personally sensitive.

In response to putting this question on Twitter, Shmuli Goldberg, Director of Marketing and Communications from ClickTale, gave us a call to discuss their approach to privacy.  Whilst we can’t claim to be privacy experts the approach seems pretty robust.

For those who do not know, ClickTale tracks mouse moves, clicks and keystrokes. This tracking generates videos of the customers’ browsing session as well as heatmaps and behavioural reports, that in turn provides the user with a powerful tool to complement traditional web analytics like Google Analytics to answer the “why?” questions.

Sensitive Information

ClickTale’s privacy policy states that ‘The information collected by our Service may include any mouse movements, mouse clicks and keystrokes on the visited website’ but it does not collect any keystrokes ‘that happen in fields that the website’s owner has marked as “sensitive”’.

That seems very good, but a website owner is not legally obliged to mark fields that contain personal information as sensitive so there is no guarantee that sensitive information they type in are not passed on to ClickTale. However, ClickTale demands that people using their services comply with their terms of use and mark all sensitive data; if they don’t their contract will be terminated immediately and they will lose access to all previous collected data.

If some data is still not marked as sensitive Shmuli said: ‘As well as requiring the website owner to mark personal information such as credit card details or social security numbers as sensitive, we have a system in place which ensures that information such as passwords or hidden pin numbers are never stored, even if they haven’t been marked.’

He goes on to say, “unlike some others operating in the online analytics space, keystroke data is only stored if and when a customer presses the submit button on the website.’ The rational here being that by pressing the submit button, the user has consciously decided to share their sensitive information.

Restricted Access to Data

The issue remains though that the user is probably not going to be aware that data is being passed to ClickTale.  Their Privacy Policy states that they do not disclose any personal information or share it with third parties except when it relates to security issues like fraud and the like. Shmuli also told us that ‘No one, except a few developers, has access to the data, but even they are not able to search for specific data so it is not possible to aggregate information on a specific individual. Also, Such employees are members of the founding team, undergo background checks, are under legal agreements with the company and must comply with state laws regarding information rights and data ownership.

The Opt-Out

ClickTale also believes it was the first major analytics company to provide an easy opt-out option for any user (something that Google Analytics is only slowly starting to offer now).

If a company makes use of ClickTale’s services, ClickTale requires the company to amend their privacy policy and clearly state that they are using ClickTale’s services, what they use it for, as well as provide the link to the opt-out.

Your Privacy Policy

So what should companies put in their privacy policy?

We had a conversation with Euan Duncan and went away with a lot of knowledge. However, to make this information as easy as possible for non-privacy experts we boiled this conversation down to the following (we will post a more elaborate discussion on privacy policies in due course).

In order for the processing of personal data to be fair and compliant with the Data Protection Act, website operators who collect personal data directly from their website forum must always ensure that individuals are made aware of the following:

  • the identity of the person or organisation responsible for operating the website and anyone else who collects personal data through the website;
  • the purposes for which they intend to process personal data; and
  • any other information to ensure the processing of personal data is fair taking into account the specific circumstances of the processing.
  • If the website operator requires using personal data for alternative purposes the individual concerned would need to consent to such alternative purposes.

Whilst we’re no privacy experts, we were suitably impressed by Shmuli Goldberg and his company’s commitment to data protection.  ClickTale is a very powerful tool for analysing online consumer behaviour, but in using it, don’t forget to give privacy concerns due consideration.

ClickTale Sign-up

Why don’t you try out ClickTale for yourself here – or give us a shout & we’ll help you out with the setup.

Tags: , , ,