Privacy Considerations with Mixpanel People Analytics

Mixpanel just announced People Analytics. This service promises that, “you can tie any kind of data to your users to see exactly who they are and what they have done.” The analytics geek in my loves that idea. Directly tying everything you know about your customers including their name, photo, subscription information, etc. directly to how they are interacting with your site is really powerful.

It can give you insights into things such as how long a specific customer group spends on the site and what features they regularly use. Really great stuff, but the privacy professional in me gasped at the marketing pitch: “Now, you can empower your marketing team to take action on what they learn.” Yikes.

As someone said in the Hacker News post covering this: “I feel that this is one of those ‘great for data miners, terrifying for consumers’ moments.” There were a number of other posts expressing similar sentiments. It’s important to recognize that people are increasingly sensitive to how their personal data is being used.

Given that, if you plan on using this service make sure you get your “privacy house” in order first. While privacy laws are generally pretty lax, especially in the US, you still need to do as your policies say. If you say in your privacy policy that you do not share personal data with third parties then you can’t use this service. If you promise to restrict access to personal data to staff members then you can’t use this service. And so on.

Before signing up for this service, review your privacy policy and other internal policies to make sure you are complying with what they say. Nothing will make you more of a target for an FTC probe then not complying with your own policies. If you don’t believe me then just ask MySpace.

When reviewing your policies consider a couple of privacy best practices:

Be Transparent: Tell user’s exactly what you are doing and/or intend to do in with the data from this personalization feature. If you are going to behaviorally target users based on People Analytics data (which is probably the best use of this data) then tell the users that that is your intention.

Something simple like, “we may share personal information with our service providers in order to maintain, enhance, or add to the functionality of the Website” would suffice but something more explicit would be better.

This website uses Mixpanel to help analyze how users use the site. The tool uses “cookies” to collect standard Internet log information and visitor behavior information. The information generated by the cookie about your use of the website (including IP address) is transmitted to Mixpanel. This information is then used to evaluate visitors’ use of the website and to compile statistical reports on website activity for us. We further use the statistical analytics tool to track or to collect Personally Identifiable Information (PII) of visitors to our site including your account information and email address.

We will use this information in order to maintain, enhance, or add to the functionality of the Website. Mixpanel will not share your PII or associate your PII with any other data held by Mixpanel.

Opt-In: Allow the users to opt-in to the service. Your marketing folks are going to hate this, but it is a best practice that will get you compliance with laws protecting European and Canadian customers. If you can’t abide by the opt-in part, then you should at least let the user opt-out of People Analytics.

And as a last word, just to highlight how sensitive this area is, even Google doesn’t permit the type of tracking Mixpanel is offering.

You will not (and will not allow any third party to) use the Service to track or collect personally identifiable information of Internet users, nor will You (or will You allow any third party to) associate any data gathered from Your website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will have and abide by an appropriate privacy policy and will comply with all applicable laws relating to the collection of information from visitors to Your websites. You must post a privacy policy and that policy must provide notice of your use of a cookie that collects anonymous traffic data.

Privacy is a growing concern among users and it is in your best interest to become privacy-sensitive.

 
13
Kudos
 
13
Kudos

Now read this

Privacy, GRCs Blind Spot

Governance, risk management and compliance (GRC), the functions within the organization that ensure it stays on the straight and narrow, are structured in variety of ways, but it generally breaks down into the following areas: Audit and... Continue →