When you subscribe to Analytics you can collect various types of information that can, to varying degrees, be related to specific individuals and those individuals' actions. Because of this, any user of Analytics should consider two questions:
- Which level of user identification will you apply?
- How will you let your users know?
This document provides a best practices guide for you as an Analytics user. We will help you decide which answers fit your organization best. We will also provide templates, e.g. paragraphs to add to your EULA. Finally we'll show examples from Adobe's implementation of their application analytics program in Adobe Photoshop.
Is it legal to collect usage information? What is required to respect the law? What if our users are located all over the world? Questions like these are natural to pose.
- If you ask for and get permission from your users, your data collection will be legal.
- If the data you collect is collected anonymously, the collection will typically be legal. As an example, anonymous data collection is not covered by the Danish Data Protection Act, so anonymous data collection is allowed in Denmark. Further, legal entities (e.g. companies) are in general not protected by Danish data protection legislation, apart from a few provisions.
- If you can correlate data with specific individuals and/or you collect sensitive personal data, then you may break legislation and you should consult your legal advisor.
The Analytics service can be configured to collect data at four levels of identification:
- Anonymous. No identification whatsoever is collected. No data can reveal anything about the user.
- IP address. The IP address from which the software is used is registered. This can e.g. be the global IP address of a company or the dynamic IP address of a home user. This information will sometimes point to a specific identifiable computer device.
- Cookie. The Analytics service can issue globally unique IDs that separate individual usage without knowing anything about who the user is.
- Installation ID. This ID can contain any information that you as an Analytics user provide. It can e.g. be anonymous information that you want to relate to the data collected, or it can be department IDs, customer IDs or social security numbers.
Level 1 can most likely be used without breaking any legislation.
Level 2 is considered confidential personal information in Denmark by the Danish Data Agency if the IP addresses belong to private individuals. Company IP addresses are largely not covered by this interpretation and, as such, can be collected without breaking any legislation. Note: IP addresses are collected by web servers all over the world without asking the user for permission.
Level 3 can most likely be used without breaking any legislation if the cookies are used without other means of identification.
Level 4 can easily be used to break legislation. Hence, you should carefully avoid confidential or sensitive personal data, or you should ask for the user's permission.
If you use level 1, 2 or 3 you most likely won’t break the law.
If you use level 4 you should know that you could break the law.
Most of our Analytics users use a combination of levels 1, 2 and 3 (as level 3 significantly improves data quality), but quite a substantial number use level 4 too. A majority of those using level 4 run large IT installations that are used within a company to run the company's internal business processes. All users are thus employees, and it will under most circumstances be both legal and acceptable to collect data that is related to e.g. employee IDs. In some countries it may be necessary to inform the employees of the data collection in advance.
We use the terms “most likely” and “under most circumstances” to indicate to you that legislation may differ from country to country. We cannot give definitive answers but collection of usage statistics as provided by Analytics is today a well-known and growing service within the software industry.
Most Analytics users find it easy to select the appropriate level of user identification described above. It is harder to decide the right level of user involvement.
User involvement can be categorized as follows:
- A: No involvement. The user is not informed in any way. The usage data collection cannot be disabled.
- B: Indirect consent. The user is informed through the end-user license agreement (EULA) and/or through a notice in the software application and/or other types of information channels. The usage data collection cannot be disabled.
- C: Direct consent. The user is asked for permission to collect usage information. The usage data collection can be disabled and enabled by the user.
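As an added example (not the Analytics client library; the class, method and field names are assumptions, and the sample values are constructed), here is how a client application could model the four identification levels above together with the three involvement models, so that only the identifiers you have explicitly chosen ever enter a usage record and, under model C, nothing is recorded until the user has consented:

```python
import uuid
from enum import Enum
from typing import Optional

class Identification(Enum):
    """The four identification levels described above."""
    ANONYMOUS = 1        # nothing that points back at a user
    IP_ADDRESS = 2       # IP address of the client
    COOKIE = 3           # random GUID assigned at installation
    INSTALLATION_ID = 4  # value supplied by the integrating application

class Involvement(Enum):
    """The three user-involvement models described above."""
    NONE = "A"       # user not informed, cannot disable
    INDIRECT = "B"   # informed via EULA or notice, cannot disable
    DIRECT = "C"     # asked for permission, can disable

class UsageTracker:
    """Hypothetical client-side tracker (assumed names, not the real API)."""

    def __init__(self, levels, involvement, installation_id=None):
        self.levels = set(levels)
        self.involvement = involvement
        # Level 3: a random GUID, deliberately not derived from any user attribute.
        self.cookie_id = str(uuid.uuid4())
        self.installation_id = installation_id
        # Under model C collection is off until the user opts in;
        # under A and B there is no switch to turn it off.
        self.enabled = involvement is not Involvement.DIRECT

    def set_consent(self, granted: bool) -> bool:
        if self.involvement is not Involvement.DIRECT:
            raise ValueError("only model C lets the user enable/disable collection")
        self.enabled = granted
        return self.enabled

    def build_event(self, feature: str, client_ip: str) -> Optional[dict]:
        """Return the record that would be sent, or None when collection is off."""
        if not self.enabled:
            return None
        event = {"feature": feature}            # level 1: usage fact only
        if Identification.IP_ADDRESS in self.levels:
            event["ip"] = client_ip
        if Identification.COOKIE in self.levels:
            event["cookie"] = self.cookie_id
        if Identification.INSTALLATION_ID in self.levels and self.installation_id:
            event["installation_id"] = self.installation_id
        return event
```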
If you use Analytics to optimize software you are using for your internal business processes, and this software is used by employees alone, you will typically select involvement A. Unless you publish a software application that has a very large and public audience, you will typically select involvement B. However, if you do publish software like Firefox, Google Picasa, iTunes and the like, you will definitely choose involvement C.
User involvement C is typically required if the planned data collection falls within the scope of a specific data protection act, such as the Danish Data Protection Act. But C is not required if the data collected is anonymous and doesn't contain confidential or sensitive personal data.
Please be aware that the recommendations of the Danish Data Agency (and the EU Article 29 Working Party) also apply to the collection of personal data via the internet.
What do you write in your EULA? Here are three examples that you can use for inspiration or copy directly:
- includes functional usage tracking capabilities that allow the collection of general statistical information about usage in order to improve the product. This information is collected on an anonymous basis.
- uses a unique identifier to track usage for statistical purposes. The purpose of a randomly assigned numeric identifier is to allow improvement of its offerings without knowing anything about who you are.
- When you install
, it will automatically assign to you a globally unique identifier ("GUID") that is associated with your installation. The GUID will never be matched with any personally identifiable information about you. The GUID allows us to analyze unique usage patterns on an anonymous, aggregated basis.
It is our experience that nobody complains about collection of usage data if they are presented with a valid reason. Depending on your business a short description in your EULA and/or a web page as described above might be sufficient. None of our customers that have chosen the “indirect consent model” have experienced any problems.
If you believe you need to provide more visible information without going for the "direct consent model", we recommend that you add a section like the following, e.g. in a newsletter:
In order to better serve our customers, and to enable our products to meet our customers' ongoing and growing needs, we regularly use various methods to gather client feedback, including our receipt of and direct response to support and problem requests, as well as various other comments and queries. We encourage our customers to participate in order to get the most out of our products and our customers' experience with them. However, given the large size of our customer base, it is impossible to reach out to all our customers directly.
Our Customer Experience Improvement Program (CEIP) is a new way to allow all our customers to contribute to the features, design and development of
products. This program enables our customers to provide us with various information, including information about the hardware configuration, the features you use most (and least), and the nature of the problems you face. Based on this information, we will be able to improve the products and the features you use most often.
We will not collect any personal data, like your name, address, phone number, or keyboard input. We are convinced that the CEIP will provide valuable anonymous information that will lead to software improvements and enhanced functionality to better meet the needs of our customers.
We use the service Analytics to provide the technology needed to implement our CEIP program. You can read more here: http://www.telerik.com/analytics
All of the biggest software manufacturers in the world have implemented their own application analytics program under many different names. Following is an example from Adobe Photoshop. Adobe's approach is very thorough and straightforward in letting the user know what they are doing and why, while letting the user choose whether or not to participate.
During installation the user is not informed of Adobe's application analytics program. In their EULA the program is indirectly mentioned in a section on "Internet Connectivity and Privacy".
When the user is running the software, the following dialog pops up after a while:
The dialog can also be found in the “Help” menu:
Adobe has implemented application analytics in all their programs:
They offer a webpage with extensive explanations on any question the users may have:
You’ll find that Google, Microsoft, Apple etc. implement similar programs. The level of detail varies but they all cover the essential aspects.
Much less will do, though. Our customers typically do one of the following:
- Nothing, because their software is used internally in their company
- A note in the EULA, because all data collected is completely anonymous
- Ask for permission during software installation with an opt-out checkbox. The description emphasizes the fact that the program is ultimately to the users' benefit: better software
We have never heard from our customers that their approach wasn’t accepted by their customers.
Analytics customers may use the service to collect usage data from client software applications (“Data”). Telerik will not review, share, distribute, or reference any such Data except as provided in the subscription or other agreement, or as may be required by law. Individual records may be viewed for the purpose of resolving a problem, support issue, or suspected violation of a subscription or other agreement, or as may be required by law. Customers are responsible for maintaining the confidentiality and security of their user registration and password.
Telerik has implemented security measures to help protect against the loss, misuse, and alteration of the Data under our control. Analytics is hosted in a secure server environment that uses a firewall and other advanced technologies to prevent interference or access from outside intruders. Telerik provides unique user names and passwords that must be entered each time a customer logs on. These safeguards help prevent unauthorized access, maintain data accuracy, and ensure the appropriate use of Data.
We are always interested in knowing whether you need extra information or not. If you have experiences that you feel other Analytics customers may benefit from please let us know, so we can improve this document.