First Impressions of New OMB Guidance on Web Measurement

I was overseas when the guidelines on the use of web analytics and measurement on Federal government web site was published on June 25 and then spent a few days tromping in the woods with my son, so I haven’t had a lot of time to digest the OMB’s final memos. Yet after reading through the memos pertaining to web site measurement (M-10-22) and use of third party websites and applications (M-10-23), like Facebook and
YouTube, I feel optimistic about options and opportunities if you’re running a Federal agency web site or using web analytics on a Federal web site. When I last wrote about this on May 4, I expressed doubts as to how friendly the policy would be for Federal agency web managers and web analysts.

Here are the biggest wins for conducting web analytics and measurement on Federal agency web sites:

1. Using persistent cookies is ok. This had previously been a major sticking point for Federal web managers and web analysts who had only been able to identify visitors at a session level. Remember, unique visitors in web analytics means only that you are identifying the computer from where the visit originated…there is no Personal Identifiable Information (PII) being made available. Now you have the opportunity to use your web analytics tools to create segments based on unique visitors, such as first time and repeat visitors. You can apply these segments to referral sources such as search engines, search terms, geographical origination and domains. Now, you’ll be able to observe how your content, applications and marketing are used by groups of visitors. With this information, you’ll be able to understand more clearly the requirements and usage that visitor groups have based on behavior and be able to develop new content and applications that are more focused on specific user groups. For example, if you can now tell that first time site visitors are most apt to exit the home page, you could consider providing a web site tour specifically for first time visitors and promoting this on the home page; or if you find that you get multiple visits to your search engine from visitors who have been to your site more than 2 times within a month and are using the same terms, you could perhaps use this information to provide more visibility to the desired content. What you need to do: You can not start using persistent cookies today or tomorrow, or next month for that matter. You’ll need first to alter your Privacy Policy (see discussion below) to enable visitors to opt out.
2. Using free software that depend on persistent cookies is ok. You can now consider using Google Analytics and Yahoo Analytics! to be viable site measurement options. Use of these tools has been considered off limits or in a grey area at best because of their reliance on persistent cookies. While both provide methods for disabling or minimizing the use of persistent cookies, neither gained much traction within the Federal government. What you need to do: The same rules apply as described above with regard to Privacy Policy. If you do want to go with the free software approach, please, please, please, spend time considering how you are going to enable access to the web analytics, who is going to use analytics, how are they going to use it, how to train and educate folks on the use of GA or YA, as well as how to interpret analytics data. I strongly suggest too that you determine the important metrics to track and how you’ll use this to support decision making. I can assure you that if you don’t plan your deployment of GA or YA with any sort of plan you’ll create more headaches for yourself than you have now without any web analytics in place and quite possible damage your management’s and peer’s buy-in to the value of web analytics for a very long time.
3. You’ll be fine as long as you don’t collect PII.The guidelines are relatively easy to accommodate as long as you don’t want to collect PII, such as names, email addresses, postal addresses. This is classified as Tier3 – multi-session with PII data. Most of you will be concentrating only on Tier 2 data – multi-session without PII. What you need to do: If it is only Tier 1 and Tier 2 data you are collecting, you need to be in compliance with what is outlined in M-10-22. If you do want to collect Tier 3 data, you’ll need to work with your Senior Agency Official for Privacy (SAOP)and then put out for public comment as to why you need to collect such data and then a review by the CIO. This will likely to be a long process.The only exception is getting written permission from your agency CIO to this process if you can make a case for a delay causing serious public harm…which in most cases is not going to happen.
4. You need to evaluate the data collection practice of third party sites, such as YouTube and Facebook.This is one of the most interesting aspects of the guidance…as long as a third party site does not share the PII that they collect with your agency there appears to be no issue, and as long as the third party site does not use their data on behalf of a Federal site, there also appears to be no issue. It also appears that you can use baked in analytics tools, such as YouTube Insight, or blog packages such as WordPress, as these collect Tier2 data. What you need to do:If you are using third party social media sites, you’ll need to consider risks as outlined in OMB’s memorandum providing Guidance for Agency Use of Third-Party Websites and Applications that can be found in M-10-23 and prepare a Privacy Impact Assessment (PIA). You will need to work with your agency Senior Agency Official for Privacy (SAOP) for approval of the PIA, so find out the process and expectations of documentation you will be required to provide.
5. Data retention is flexible.There are guidelines for retention of web data, but it is not an explicit mandate. According to the policy, agencies should limit the retention of data to one year or less. However, it would seem that there can be reasonable arguments made for keeping data for longer, such as wanting to understand year over year trends.What you need to do: Consider your current data retention time. Is it necessary to keep analytics data beyond a year? While many agencies keep data for years, it may not have business value. I’d suggest that you start planning your data archiving and expiration strategy, if you don’t already have one.
6. Web site measurement opt-out options focus on Privacy Policy communication. You need to make it easy for site visitors to opt out of web site measurement. Fortunately, there are a number of options at your disposable, and they do not require you to work with your web analytics software vendor to make them happen. The good news is that as long as you’re in compliance with what is outlined in M-10-22 and make your privacy policies very clear and easy to find, you will have fulfilled the OMB requirements. Attachment 3 in the M-10-22 document provides a check list of items that need to be addressed in the privacy policy. The caveat here is that it may take multiple rounds of revisions and approvals to get privacy policies approved. What you need to do: You should understand the process for revising your agency privacy policy and who or whom provides final approval. While the OMB policy sounds relatively straightforward from a content perspective, the actual process in your agency may not be quick nor easily deciphered. On the content side, here’s what you can do to provide the opt-out measures:
   

• Use web analytics software that enables visitors to opt out, such as Google Analytics, Omniture, Yahoo! Web Analytics and Webtrends. The caution here is that if you allow the GA or YWA opt-out, you’ll be providing visitors with the option to opt-out of Web wide measurement for these solutions. Read my post on CMSWatch for a more detailed description of this issue.
• Provide clear instructions to visitors on how they can opt out of web site measurement on your site. From my perspective, this is clearly the better option to take. USA.gov provides a nice central location with instructions on opting out of measurement on popular desktop and mobile browsers. This is a great reference, although there needs to be a bit more added to be a complete reference.

So with all of this seemingly good news are there any downsides to the policy. Well, it may depend how you read it. I think the biggest grey area is around the Privacy Policy discussion in Attachment 2. The memo states that you can use web measurement and customization technologies for Tier 1 and 2 as long as the agency is in compliance with the Memo, there is clear and obvious notice in the Privacy Policy citing the use of technologies and there is compliance with internal policies governing the use of such technologies. Some may see this as needing to get permission or needing to amend the Privacy Policy to maintain even their current web measurement. I don’t think this is the intention of the policy and I certainly wouldn’t recommend approaching implementation of the policy in this way. However, a quick review of about a half dozen Federal agency web site Privacy Policy statements tells me that there are no policies currently in full compliance with the new additions described in Attachment 3 of the memo. What you need to do: From a practical perspective, it wouldn’t make sense to shut down web analytics across the government, however, to really beat home this message, if you are in charge of web analytics at your agency or are using web analytics within your agency, you need to make it a priority to determine how your Privacy Policy needs to change, the process for enabling the change, and who you will need to coordinate with in order to make this change possible.

Final Take: While the policy itself looks like it is fair and provides Federal web site managers and web analysts with long awaited flexibility, we know that implementation of the Memorandum, may not be smooth sailing. As the cornerstone to much of the flexibility is derived from rewriting web site Privacy Policies, swift realization of the Memorandum’s benefits could get hung up in long rewrite and review processes. I suggest taking a pro-active approach to determining how your site Privacy Policy needs to be revised and understanding who is involved in approval and the process for obtaining approval. These will be the most challenging aspects to making the Memorandum guidance real.

Post reprinted from Web Analytics Management