If you always feel like you're being watched online, you are. You know this because you go to your favorite website to buy shoes and then you see the shoes everywhere across the web. If you don't like this as a consumer, then maybe your business needs to consider a privacy-first website.
What's wrong with the status quo?
So much so that the European Union created the General Data Protection Regulation (GDPR), which went into effect in 2018, to increase the online privacy and security of its citizens.
That's why you started seeing so many "cookie banners" and privacy policies around the web, to give members of the EU a way to opt out of the invasive nature of ad tech website tracking.
If you use an ad blocker like AdBlock Plus or Privacy Badger, and websites like Forbes ask you to disable it to read an article on their site, it's so you'll give them access to your private information for the purposes of selling to you.
Depending on how important the article is to you, you might decide to hand over your private information in exchange for a free article.
In addition to GDPR, California passed the California Consumer Privacy Act (CCPA) and California Online Privacy Protection Act (CalOPPA) which amount to roughly the same requirements as GDPR for business owners.
Policies to protect personal information also extend into South America, with Brazil's Lei Geral de Proteção de Dados (LGPD).
Like the other consumer privacy policies, LGPD is aimed at protecting personally identifiable information and restricting data transfers of that information (e.g., Brazilian citizens' information leaving Brazil's servers and being stored on US servers without consent).
If you're troubled by the data you're collecting as a business owner, continue reading.
Google's Privacy Problem
The rise of privacy legislation (and litigation) is a tremendous headache for small business owners because websites are global.
Although you could block traffic to the EU, California, and Brazil, it's not practical to block millions of potential customers. Citizens also travel, and the protections travel with them (e.g., a Californian on vacation in Oregon continues to be protected by CCPA and CalOPPA).
It's also challenging for small business marketing consultants.
For years, adding Google Analytics has been standard practice. It's free, and it allows you to track website visitor information. It also collects a ton of information your small business probably doesn't need or use, while enhancing Google's data mining capabilities.
Here are a few of the things Google collects (good for business, bad for privacy): browser, operating system, cell phone carrier (including carrier name and phone number), search terms, videos you watch, purchases, ads you interact with, location, storage devices, demographic information, who you communicate with, and more. (Source: Boldist)
You don't own the data you collect, Google does. So even if you're not using it for your business, Google is.
Google Analytics is the classic example of "if you're not paying for the product, you are the product."
Trouble may be on the horizon for Google.
In January 2022, an Austrian court ruled that Google Analytics is illegal and breaks GDPR regulations because it sends information from the EU to the US.
In February 2022, CNIL, a French data protection watchdog, also found Google Analytics to be illegal. CNIL found, "although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services." Long story short, the data is still available to be mined.
If you have a US-based business and not a lot of EU customers or website traffic, that's probably not a big deal. Yet.
It probably helps that Google is a California company so it may take a while (if ever) for the EU litigation decisions to affect US-based small local businesses. That's not to say you don't have a responsibility to protect website visitors. It only means it's unlikely all US-based customer data will be held to the same standard.
And although Google stated it was removing third-party cookies in 2023, what they're replacing them with makes everyone, including privacy experts, nervous.
Considering Google made $53 billion in advertising revenues in Q3 2021, it's doubtful the machine is going anywhere.
If you do a lot of business in the EU, California, or Brazil, you may need a privacy action plan sooner rather than later.
Reflect on your business values and whether Google's privacy approach aligns with your business.
Getting Started with a Privacy First Website
Here are a few reasons to consider a privacy-first website approach:
- Increases customer and audience trust
- Privacy expectations and concerns are on the rise in the US
- Being compliant with laws like GDPR, CCPA, LGPD, etc. out of the box may be easier than creating systems of compliance
Step 1: Website Analytics
The quickest and easiest way to unhook from Google is to start with Google Analytics (GA).
A Few Caveats:
- If you run Google Ads (now or in the future) understand that hooking your Google Ads account to Google Analytics will help with ads reporting, including conversions (but it does not prevent you from running ads)
- Privacy-first Google Analytics alternatives provide less data for analysis than Google because they're compliant with international laws
- GA alternatives are not free
- Switching to an alternative does not prevent some ad blockers from blocking web tracking
A Few Benefits:
- You (the business owner) own the data
- Your data privacy liabilities decrease
- Plausible, Fathom, and Simple Analytics have an easy-to-understand interface
- Because GA is blocked by more browsers and ad blockers, alternatives tend to return more accurate information
- Your website will likely speed up because, unlike GA, alternatives tend to use simpler code
Top 3 Google Analytics Alternatives
- Plausible: European company, open-source, you own the data, and fully compliant with GDPR, CCPA, and PECR. Pricing starts at $9/mo. (or less with an annual plan)
- Simple Analytics: European company, you own the data, and fully compliant with GDPR, CCPA, and PECR. Pricing starts at $19/mo. (or less with an annual plan)
- Fathom: Canadian company, uses servers in Germany, climate-friendly, fully compliant with GDPR, CCPA, ePrivacy, and PECR. Pricing starts at $14/mo. (or less with an annual plan)
As with any software, test these options out to find what best suits your needs. This website is using Plausible.
You will need to communicate how you care for website visitors' information and what you collect. For example, if you're using a Google Analytics alternative, you might say you use cookie-less, privacy-based website tracking that does not collect personal information.
Step 2: Website Platform
You'll want to review the privacy policies of your website platform. Depending on the website platform, compliance is relatively easy.
What you're looking for is not only how the platform protects you as the consumer, but also how it helps you the business owner comply with privacy laws.
Here are a few references:
WordPress is custom, and much trickier to research. Kinsta does a good job of breaking it down for you, including the need to consult an attorney.
When it comes to privacy compliance, it's substantially easier to comply when you're using a hosted solution like Shopify or Squarespace rather than WordPress.org.
Step 3: Plugins, Hosting/Servers, and Other 3rd Party Considerations
Understand that every plugin and integration you use potentially decreases website privacy. The exact thing that makes WordPress so appealing — flexibility — is also what makes it so difficult to rein in from a privacy perspective.
What's a business owner to do?
- Review GDPR compliance for the website hosting company you use (if it doesn't have one, that's a red flag)
- Direct web developers to use as few plugins as possible
- Understand that connecting anything that collects information (e.g., email marketing, appointment schedulers, website analytics, pop-ups, etc.) increases your privacy liability
- Research the GDPR compliance and privacy policies for third-party companies you use
- 3rd party tracking 'pixels' like Facebook, Pinterest, and LinkedIn are just as invasive as Google Analytics (and also slow down your website)
Now is the best time to start shifting to enterprise-grade tools like MailChimp, rather than cheap knockoffs that may be less likely to care about privacy laws.
Conclusion: What it Means for Your Marketing
The purpose of this article is to get you thinking about the broader issues at play, and to help you understand a growing movement (and laws with substantial enforcement and fines) requiring businesses to provide consumer information privacy.
Privacy compliance isn't necessarily difficult, but it will take time and the assistance of an attorney and (likely) technical/developer help.
As for what it means for your marketing, my take is privacy first = customer first, and from there it's natural to look at your marketing through a customer-focused lens.
McKinsey found that 2/3 of customers have a negative or neutral view of how companies handle their privacy/data. McKinsey also found that the majority of people are willing to share their information. What we're really talking about, then, is consensual, honest marketing.
And the best, low-cost way for small businesses to embark on this is through content. Get rid of the pop-ups based on mouse actions (e.g., exit intent), pay attention to how long and how many pages people visit on your website, and create great content that resonates with your customers.
The future of marketing (it's already here) is building customer relationships, rather than dealing in volume.