Chartbeat, HealthCare.gov, and Personal Information
Over the last couple of days, there has been a lot of talk about data privacy and specifically HealthCare.gov passing personal information (e.g., age, zip code, income) to third-party data sites. Chartbeat is paid by clients like HealthCare.gov to help content teams understand how people visiting the site engage with the content, so the folks behind these sites can create the best possible visitor experience.
With that in mind, I want to take a second to talk about what Chartbeat does and doesn’t do (since there are a lot of data providers out there and we all collect and measure different things), what happens when we inadvertently receive personal information in our data, and generally how anyone using data tools for their website can do so effectively while simultaneously taking care to protect their users’ information.
Chartbeat and the data we collect
First, there is a lot of legal stuff. I know, I know. But it’s actually all really important to know about us, what we care about as a company, and how we compare to other data providers out there.
When personal information is passed through to Chartbeat
But the last point (point 4 above) doesn’t always happen. So then what?
If there is a time when we learn that personal information may have been passed to us from a website, we do the following:
- Immediately get in touch with the client / owner of the site
- Identify the location of the personal data (e.g., what’s the URL)
- Advise the client on how to fix their code implementation issues in order to immediately stop the sending of personal data through to Chartbeat
- Determine the best way to purge our system database of this data and purge that data accordingly
It’s a quick, efficient, and effective reaction. But being reactive isn’t good enough. We’ve also got to be proactive.
In light of the concerns raised this week, we’re also performing ongoing audits of our entire network of thousands of client sites so that we can identify instances of personal data, alert clients, and ensure they immediately update the data they pass to us.
How we can all get better at taking care of our users’ data
The above is all specific to Chartbeat and we take the data we receive incredibly seriously. If I’ve gotten nothing else across at this point, I hope it’s that.
However, it’s important that we all, as website owners and data users, do our part to be better shepherds of data of all kinds—personal or not. A few ways to do so (and I’m positive you all have more suggestions, so please email me with them and I’ll update this post accordingly):
- Never pass data in the URL itself. Because most analytics providers report at the URL level, the contents of the URL are likely to be stored by any analytics firm you work with.
- If your web pages are served via HTTP, consider moving them to HTTPS. HTTP is insecure, and data sent over HTTP could be read by a third party on the network.
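As an added example (not Chartbeat's code and not part of the original post), here is one way a site owner could apply the first suggestion: scrub the page URL before any analytics tag reads it, keeping only allowlisted query parameters and flagging anything that looks personal. The allowlist, the suspect-name pattern and the function name `scrubUrl` are assumptions chosen for illustration.

```javascript
// Added example: scrub a page URL before any analytics tag reads it.
// ALLOWED_PARAMS, SUSPECT_NAMES and scrubUrl are assumptions for illustration.
const ALLOWED_PARAMS = new Set(["page", "section", "utm_source", "utm_medium"]);
const SUSPECT_NAMES = /^(age|zip|zipcode|income|email|dob|ssn|phone|name)$/i;
const EMAIL_VALUE = /[^\s@\/]+@[^\s@\/]+\.[^\s@\/]+/;

function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  const flagged = new Set();
  const remove = new Set();

  // Copy the entries first: deleting while iterating searchParams skips items.
  for (const [key, value] of [...url.searchParams.entries()]) {
    const suspect = SUSPECT_NAMES.test(key) || EMAIL_VALUE.test(value);
    if (suspect) flagged.add(key);
    // Keep a parameter only if it is allowlisted and does not look personal.
    if (suspect || !ALLOWED_PARAMS.has(key.toLowerCase())) remove.add(key);
  }
  remove.forEach((key) => url.searchParams.delete(key));

  // Fragments often carry form or wizard state, so drop them as well.
  url.hash = "";

  // A path cannot be rewritten safely here; report it so the route gets fixed.
  if (EMAIL_VALUE.test(url.pathname.replace(/%40/gi, "@"))) flagged.add("(path)");

  return { url: url.toString(), flagged: [...flagged] };
}

// Constructed sample URL, not taken from any real site.
const sample =
  "https://example.org/plans/results?page=2&age=40&zip=85601&income=35000&utm_source=news#step3";
const result = scrubUrl(sample);
console.log(result.url);     // https://example.org/plans/results?page=2&utm_source=news
console.log(result.flagged); // [ 'age', 'zip', 'income' ]
```

The `flagged` list is meant for the site's own logs, so that the page or form that put the value into the URL can be changed to stop doing so.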
Chartbeat is in the business of building a better internet. As much as that means making sure the best content gets the most attention, it also means making sure we all, as users, fully understand the data that’s powering the web. We’ll do our very best to continue to be transparent about what we measure, how we measure it, and what that means for you.