Chartbeat, HealthCare.gov, and Personal Information

Over the last couple of days, there has been a lot of talk about data privacy and specifically HealthCare.gov passing personal information (e.g., age, zip code, income) to third-party data sites. Chartbeat is paid by clients like HealthCare.gov to help content teams understand how people visiting the site engage with the content, so the folks behind these sites can create the best possible visitor experience.

With that in mind, I want to take a second to talk about what Chartbeat does and doesn’t do (since there are a lot of data providers out there and we all collect and measure different things), what happens when we inadvertently receive personal information in our data, and generally how anyone using data tools for their website can do so effectively while simultaneously taking care to protect their users’ information.

Chartbeat and the data we collect

First, there is a lot of legal stuff. I know, I know. But it’s actually all really important to know about us, what we care about as a company, and how we compare to other data providers out there.

  1. Chartbeat ONLY shares data about a specific client site or the visitors of that site with the owner of that specific client site. Under no circumstances do we share or sell that data to third parties, advertisers or otherwise. Specifically our Privacy Policy states: “Except as expressly provided otherwise herein, we will not sell, lease or exchange the personal information of our Customers or any end user (to the extent that we obtain such information) to third parties without first obtaining their express consent, unless required by law or to protect their status as a Customer.”
  2. When a client site is served over HTTPS, our JavaScript pings (the requests that report visitor activity back to us) are also sent over HTTPS, which helps prevent third parties from intercepting that data in transit.
  3. We do not ever intentionally collect personal information. As our Privacy Policy states: “Chartbeat does not collect any personally identifiable information from users of Customer Websites, provided that (i) Chartbeat does collect IP addresses from visitors to Customer Websites in order to show geolocation information, and (ii) the Customer configures the Chartbeat code on the Customer Website in accordance with the instructions and documentation provided by Chartbeat, so that URLs containing personally identifiable information of end users are not captured by the Service.”
  4. In our client contracts and Terms of Use, we specifically state that our clients need to scrub any personal information before passing it through to Chartbeat.

When personal information is passed through to Chartbeat

But the last point (point 4 above) doesn’t always happen. So then what?

If there is a time when we learn that personal information may have been passed to us from a website, we do the following:

  • Immediately get in touch with the client / owner of the site
  • Identify where the personal data is coming from (e.g., which URL, and which part of it, carries the data)
  • Advise the client on how to fix their code implementation so that personal data stops being sent to Chartbeat immediately.
  • Determine the best way to purge our system database of this data and purge that data accordingly

It’s a quick, efficient, and effective reaction. But being reactive isn’t good enough. We’ve also got to be proactive.

In light of the concerns raised this week, we’re also auditing our entire network of thousands of client sites, on an ongoing basis, for instances of personal data, so we can alert the affected clients and make sure they update the data they pass to us immediately.

How we can all get better at taking care of our users’ data

The above is all specific to Chartbeat and we take the data we receive incredibly seriously. If I’ve gotten nothing else across at this point, I hope it’s that.

However, it’s important that we all, as website owners and data users, do our part to be better shepherds of data of all kinds—personal or not. A few ways to do so (and I’m positive you all have more suggestions, so please email me with them and I’ll update this post accordingly):

  • Never pass personal data in the URL itself (path or query string). Most analytics providers report at the URL level, so whatever is in the URL is likely to be stored by every analytics firm whose code runs on your pages. Note that the browser typically also sends the full URL as the Referer header to other third-party resources the page loads, so scrubbing what you report to one provider does not, by itself, stop the leak; the data has to come out of the URL.
  • If your web pages are served over HTTP, consider moving them to HTTPS. HTTP is unencrypted, so anything sent over it, including the URL and any personal data in it, can be read or altered by a third party on the network path.
  • Get to know your data partners. They are the experts in the data they collect, the way they collect it, how they store it, where they store it, and how it’s used. Ask them about it. Make sure you completely understand the terms of use, privacy policy, and any contractual language before putting their code on your site. And when you’re at the point of implementation, make sure you’ve checked with them to ensure you’ve done so properly. If you have any questions about Chartbeat implementation, our Chartcorps team is your go-to.
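As an added example (not Chartbeat’s code, and not part of the original post), here is the client-side pattern the two earlier points describe: an allowlist scrubber that decides which parts of a page URL are safe to hand to an analytics script, plus a detector for the audit side that flags URLs already carrying personal data. The parameter names (zip, age, income, email, ...), the value patterns and the sample URLs are constructed assumptions standing in for whatever a given site’s forms actually emit. It runs as-is under Node.js using the standard `URL` and `URLSearchParams` classes.

```javascript
// Added example (not Chartbeat code): keep personal data out of the URL that
// an analytics script reports, and detect URLs that already carry it.
// Parameter names, patterns and sample URLs are constructed for illustration.

// Parameter names that should never reach a third party (assumed list; use
// whatever your own forms actually emit).
const SENSITIVE_PARAMS = new Set([
  "zip", "zipcode", "age", "income", "email", "ssn", "dob", "phone", "name",
]);

// Value shapes that look personal regardless of the parameter name.
const SENSITIVE_PATTERNS = [
  { label: "email address", re: /^[^@\s]+@[^@\s]+\.[^@\s]+$/ },
  { label: "US SSN",        re: /^\d{3}-\d{2}-\d{4}$/ },
  { label: "US ZIP code",   re: /^\d{5}(?:-\d{4})?$/ },
];

// Check one parameter list and append findings describing what was found.
function scanParams(params, where, findings) {
  for (const [key, value] of params) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      findings.push({ where, param: key, reason: "sensitive parameter name" });
      continue;
    }
    const hit = SENSITIVE_PATTERNS.find(({ re }) => re.test(value.trim()));
    if (hit) {
      findings.push({ where, param: key, reason: `value looks like ${hit.label}` });
    }
  }
}

// Audit side: report every query-string or fragment parameter in a URL that
// carries (or looks like) personal data. Returns [] for a clean URL.
function findPersonalData(rawUrl) {
  const url = new URL(rawUrl);
  const findings = [];
  scanParams(url.searchParams, "query", findings);
  // The fragment is never sent in an HTTP request, but a client-side script
  // reading location.href sees it, so it has to be checked as well.
  if (url.hash.length > 1) {
    scanParams(new URLSearchParams(url.hash.slice(1)), "fragment", findings);
  }
  return findings;
}

// Reporting side: the URL a site hands to its analytics ping. Only allowlisted
// parameters survive; everything else (and the fragment) is dropped, so a new
// form field that nobody reviewed cannot leak by default.
function scrubUrl(rawUrl, allowedParams = []) {
  const url = new URL(rawUrl);
  const allowed = new Set(allowedParams.map((p) => p.toLowerCase()));
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (allowed.has(key.toLowerCase())) kept.append(key, value);
  }
  url.search = kept.toString(); // empty string removes the "?" entirely
  url.hash = "";
  return url.toString();
}

// Batch audit over already-collected URLs (e.g. an export from an analytics
// tool); returns only the URLs that have findings.
function auditUrls(urls) {
  return urls
    .map((u) => ({ url: u, findings: findPersonalData(u) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample: what a plan-comparison flow might produce if a form
// submitted its fields with GET instead of POST.
const SAMPLE_URLS = [
  "https://www.example.com/plans/results?zip=10001&age=34&income=45000&page=2#tab=silver",
  "https://www.example.com/account/confirm?u=jane%40example.com",
  "https://www.example.com/plans/compare?page=1",
];

console.log(JSON.stringify(auditUrls(SAMPLE_URLS), null, 2));
console.log(scrubUrl(SAMPLE_URLS[0], ["page"])); // only "page" survives
```

The detector is deliberately a denylist plus patterns, because an audit has to catch what is already there; the scrubber is deliberately an allowlist, because the safe default for reporting is to drop anything not explicitly approved. Scrubbing what one script reports does not change the URL the browser sends in the Referer header to other third parties, so the lasting fix is still to move personal data out of the URL (POST bodies or server-side state) rather than to filter it on the way out.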

Chartbeat is in the business of building a better internet. As much as that means making sure the best content gets the most attention, it also means making sure we all, as users, fully understand the data that’s powering the web. We’ll do our very best to continue to be transparent about what we measure, how we measure it, and what that means for you.
