25 June 2019
Just like a silent spy network, your website is tracking every user's movements in minute detail. Every move they make, including the time and location they made it from, is tracked and recorded by your web servers.
Although you were no doubt already aware of the undercover tracking network that exists on the backend of your web platform, have you done your due diligence on the front end?
Log data is the information recorded by your web server about when, how, and which visitors are using your website. Web servers like Apache and NGINX commonly collect the following information about each visitor:
Once the log data has been collected, it will be organized by type so that the web server knows how to use the information. Log data may be organized according to its potential usefulness in categorical logs such as error logs, access logs, and server logs.
Log data can be incredibly useful for a wide variety of applications, for programmers and administrators as well as for marketing analysis. Below are the ways that log data is commonly used.
For marketing purposes, log data is invaluable. Marketers delve into this information to analyze how visitors find their website, use their website, make purchases, and more.
Here are some strategies for analyzing log data to use in marketing:
Log data works as a forensic trail if ever your website is breached, hacked, or misused in any way.
Here are some ways that log data can be used for security purposes:
No code is perfect, and every online business will experience errors and system crashes from time to time. Log data can be crucial in correcting such problems. Here's how:
Although these are not all the possible uses for log files, this list illustrates their necessity in the day-to-day maintenance of a successful online business.
First of all, log data is not altogether anonymous, even if it is referred to as such. Some Privacy Policies do name log data as "anonymous" because it does not contain specific personal information like name or email address. However, most privacy lawmakers define personal information as any information that describes an identified or identifiable living individual, including contact information and information that, if combined with other data, can lead to the identification of a particular person.
In other words, even if information does not identify an individual outright, if it can be combined with other data to identify someone, then it must be considered and protected as personal information.
IP addresses, geolocation data, and other log data could potentially be combined with other information like username or online activity to identify a particular person. Therefore, log data can be considered personal information. For this reason, it must be treated as personal information under applicable law.
European documents reflect a similar view of log data. In the next section, we'll go over what this means with regard to privacy laws.
Within the past several years, most major privacy enforcement agencies have adjusted privacy regulations to include stipulations regarding log data.
Here are a few pertinent examples that will likely affect your business:
General Data Protection Regulation (GDPR) - The GDPR specifically names device identifiers and geolocation data as personal information, and so the following stipulations will apply to any business that collects log data from EU-based users:
Children's Online Privacy Protection Act (COPPA) - COPPA is designed to protect the personal information (including log data) of children. Depending on whether or not your business is targeted to children, you will either need to:
California Online Privacy Protection Act (CalOPPA) - CalOPPA requires the following conditions to be met for anyone collecting personal data from California residents:
Although these are not the only regulations and laws that apply to companies that do business on the internet, compliance with the statutes named above will generally cover other less specific regulations regarding privacy.
Below we've included some examples of how these categories can be written.
Although it goes by different names - anonymous data, automatically collected data, log data - all law-abiding Privacy Policies include a section that describes the types of log data they collect. This section should list out the different types of log data you collect in simple, easy-to-understand language.
Amazon goes into great detail, listing each log data category and touching on the reasons why each is collected. Listed within this paragraph you will see IP address, browser and operating systems information, geolocation, time stamp, and error reporting data, among others:
In addition to this, Amazon also includes a paragraph describing the log data collected by its mobile apps:
LinkedIn provides a good example of how to break the list down into shorter, more digestible sections of information:
In this example, LinkedIn breaks the information down into smaller paragraphs but still includes information collected about user activity, device and geolocation, as well as information collected via cookies.
Besides listing out the types of information you collect, it is essential to also list the ways you intend to use log data.
In this section, you must be thorough in order to avoid any potential misunderstandings with users.
It's common for online Privacy Policies to group all data usage information into one long list, which is permissible as long as you include the details of how you use log data.
Here's one such list from the staff management software provider Asana:
Some companies do choose to make the distinction between log data and other personal information, as Apple illustrates here:
Most major online companies, especially retail and SaaS platforms, outsource marketing analytics to third-party providers in order to better plan online advertising campaigns. This type of analytics requires that the company share customer log data with the third-party providers in order to receive accurate results.
Another reason to share log data with a third party may be for outsourcing programming or administrative work.
Marriott covers its third-party sharing of log data like so:
The Privacy Notice goes on to describe the use of third-party advertisers, which collect log data via cookies:
Asana also combines its third-party sharing practices into one paragraph. Although this method is very concise, this section covers all possible reasons for sharing log data in a few quick sentences:
The Policy also mentions log data collected via cookies in the advertising section:
Using your website as an analytical spy can have great benefits, but as you can see, major online companies are very thorough and precise in listing the log data they collect, as well as how it is used and shared.
By following these examples, you can avoid any legal issues as well as potential privacy disputes with your users in the future.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.