Towards a Web Privacy BenchmarkBy: Richard Beaumont | Friday, April 1, 2016 | Tagged: Data Privacy, cookies, privacy benchmark | Leave Comment
We have been providing cookie audits for customers for several years now, and we often get asked by clients how their website compares to others.
This is not a particularly easy question to answer objectively – there are a lot of contextual factors to take into account, and there are lots of different things you can measure to make the comparison.
However, is it time to start thinking about a web privacy benchmark? I think it is, especially when you consider that one of the principles supported by the EU General Data Protection Regulation is the idea of promoting ‘Privacy by Design’. Bring in the emerging idea of privacy as a competitive advantage, and it starts to make sense to have some kind of objective measure of ‘privacy friendly’ sites and services.
The Average Website
While nobody wants their website to be described as average, one of the simplest ways to compare them is by how they deviate from the norm.
By drawing on data from the websites that have used the Optanon auditor we are able to aggregate some of the key numbers to start to say what that norm is. It looks something like this:
So an average website has 23 cookies – the majority of which are third party persistent cookies, in fact 79% of cookies are third party – which is roughly consistent with the larger data set used by Cookiepedia.
You will also see from the top graphic that most cookies, 60% also fall into the Targeting/Advertising purpose category, and the large majority of these will be third party. It is this category that is considered most privacy intrusive as most are designed specifically to follow visitors across websites, and increasingly devices, to build a profile of their interests.
There is of course a lot of variation in what cookies do, but at its simplest each cookie can be seen as a potential tracking vector. So regardless of how they are actually used, more cookies, even those that might be necessary for functionality, translates roughly into more tracking capability. This could be in terms of granularity (more data points collected) or reach (data points collected over a wider range of sites/pages).
So we might say a higher number of overall cookies creates a greater tracking capacity. Then it is likely that large numbers of first party cookies indicate greater granularity of what can be tracked within a site, and a larger number of third party cookies, a greater reach of tracking of the individual beyond the site.
How Does Your Site Compare?
Although this is really only a partial picture, if your site is lower than the average for total number of cookies and the proportions of third party and Targeting/Advertising cookies – then you can generally think of it as likely to be less privacy intrusive, and the lower your counts for these the better you would score in a privacy benchmark. Of course the reverse is also true, particularly as higher numbers of cookies tend to be correlated with larger overall use of third party targeting type cookies.
However it is also worth pointing out that there is quite a wide spread, so smaller variations are not very significant. Nevertheless a site with around 65 cookies will be in the top 5%, and 100 cookies or more the top 2% of all sites in our sample, in terms of total numbers of cookies set.
How Many Tracking Organisations?
Another key indicator of privacy on a site is the number of different organisations that have direct access to information about visitors, and this can be measured by looking at the number of different hosts for the cookies found on the site.
We found an average site will set cookies from 7 different hosts (which includes the site itself as first party host). So again sites with a lower number would be less privacy intrusive.
These are fairly raw numbers. The average life span of persistent cookies, and the market reach of the particular third party hosts involved might be significant measures of relative privacy. Then of course there is non-cookie tracking, web beacons and tags which could be measured and added into the mix.
It may still be too early to start putting any kind of equation together to create an objective score, however I think the time is coming where the idea of such a score, and the ability to compare one website with another on privacy grounds, will gain some traction, both with site owners and visitors. We certainly plan to develop the idea further.
If you are interested in finding out about how your site stacks up against your peers or competitors, and you would like to explore the idea of web privacy benchmarking further, do get in touch.