Guide for using third-party web analytics services

Web analytics can help you assess and improve the effectiveness of a website. Third-party web analytics services can provide cost-effective collection and analysis; however, you need to address data security and privacy concerns when using these services.

Indiana University's major objective when using third-party web analytics services is to protect Critical data.

Considerations and related reference materials include the following. Since Indiana University has adopted Google Analytics as the default third-party web analytics service, many examples reference Google documentation.

• No Critical data is being collected or displayed on the page:

  In such cases, using third-party analytics presents little risk. The typical procedure is explained in Google Analytics Help; see Set up Analytics tracking. In short, your page includes a JavaScript file from Google, you add JavaScript to the page, and then change a few variables within the JavaScript. When the page loads, the JavaScript runs and sends data to the third-party server.

  Be aware that:

  • The data passed to the third party might include the client's IP address. Google Analytics 4 does not store or log client IP addresses by default.
  • A cookie is likely set by the third party.

  Although that violates neither US law nor IU policy, the European Union considers IP addresses personal data and requires that users be given the option to opt out of cookies. Consequently, techniques have been developed to employ third-party web analytics services without the client IP address or cookies. These techniques can be leveraged for other purposes.

• You are collecting or displaying data that is not classified as Critical, but for privacy reasons you would like to control what is being passed to Google:
  1. Implement a server-side solution (php-ga)

     The primary benefit is that you control the code rather than downloading it from the third party every time. Even if you have examined the JavaScript, it could change to gather more data than you expected. Another result, which could be either positive or negative, is that you can control the IP address sent to the third party, and no cookie is involved. Google describes a PHP option for doing this at https://github.com/thomasbachem/php-ga. Also, the connection to the third-party server is from your server and not the client.

  2. Implement a client-side solution that does not use ga.js or php-ga

     Control of the code is also the primary benefit in this case. For an example using ColdFusion with Google Analytics, see Tracking Javascript disabled in Google Analytics with ColdFusion. In short, server-side code is used to create the URL to the third-party server. The URL is then embedded in an image tag. The third party gets the data needed, but without JavaScript, cookies, or your server connecting to the third-party server.

• Mobile devices that cannot execute JavaScript:

  A variant of the client side solution is Google Analytics for Mobile Websites. Viewable code is provided in PHP, JSP, .NET, and Perl.

  Note:

  The Google Analytics for Mobile Websites code has been deprecated, and Google recommends using the Measurement Protocol.
• Opt in or out of cookie-based analytics:

  To offer the ability to opt in or out of cookies, see User Opt-out.

• Pages slowed by third-party analytics:

  To address the problem of pages slowed while waiting for connections to the third-party server, Google provides an object in the JavaScript file (ga.js) that can queue server requests; see Adding analytics.js to Your Site.