Putting the Spotlight on Web Privacy

Transparency and Respect on the umich Web

Privacy at U-M

The umich Privacy Notice

Privacy Guidance for Websites

Discussion

Putting umich Websites to the Test

Christopher Billick

billickc@umich.edu

Klare Savka

savkak@umich.edu

Svetla Sytch

ssytch@umich.edu

Privacy at U-M

  • Privacy Officer appointment
  • Learning Analytics principles
  • Privacy community of U-M stakeholders
  • Privacy notice redesign
  • Best practices for website privacy
  • Cookie consent on Google Site Kit
  • ViziBLUE guide to staff and faculty data
  • GDPR program and toolkit
  • Privacy notice and cookie consent
  • Privacy education and engagement
  • Partnership with schools & colleges

Up to 2010

2011-2016

2017-2019

2020-2021

2022-2023

  • University privacy policies
  • Compliance with laws and regulations
  • Privacy protection during pandemic
  • Remote learning and research guidance
  • ViziBLUE guide to student data
  • U-M Privacy Office and website

The University of Michigan values the privacy of the university community members and its guests, and strives to be the leader and best in the ways we manage personal information.

Terms and Conditions May Apply

Journey of the U-M Privacy Notice

School of Information Student Project

Source: Survey conducted June 3-17, 2019

“Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information”

Pew Research Center

SI487: Privacy Notice Redesign

Create a redesign of the U-M Privacy Notice with a focus on visual appeal, accessibility, and increased comprehension.

Hard to find specific info quickly

Visually Boring

Long chunks of text

Project Prototype … and Published Result

Icons for visual interest

Streamlined

Privacy

Statement

Summary section with key takeaways

Shorter, better organized text

The Feeling of Being Watched

The State of Website Tracking

State of Website Privacy

At least 87% of the world’s most-popular web domains engage in some form of digital tracking without you ever signing in.

Source: The Markup

Out of 100,000 most popular web domains, only 13% of sites didn’t load any ad trackers or third-party cookies.

15% loaded session recorders and 4% logged keys you typed into forms and boxes without hitting submit.

74% loaded Google tracking technology.

Source: Surya Mattu website scan, September 2020

Blacklight

Blacklight scans reveal:

  • Ad trackers
  • Third-party cookies
  • Tracking that evades cookie blockers
  • Session recording services
  • Keystroke capturing
  • Facebook Pixel
  • Google Analytics

Blacklight Results

Between June and August 2022, we scanned 80 U-M websites using Blacklight:

  • Top 50 most visited websites hosted by Information and Technology Services (ITS).
  • 30 most prominent and recognizable websites hosted by U-M units and departments.

The Social Dilemma

Privacy Guidance for Websites

Umich Web Best Practices

NEED ADVANCED ANALYTICS?

MINIMIZE DATA COLLECTION

PUBLISH A PRIVACY NOTICE

GIVE AND RESPECT CHOICE

Publish a Privacy Notice

  • Make it accurate and easy to understand
  • Use the template provided by the U-M Privacy Office
  • Place your privacy notice in a location that is easy and intuitive to find
  • Keep your privacy notice updated

Minimize Data Collection

  • If your site uses cookies, use the minimum necessary for functionality. Allow users to decline cookies that are non-essential.
  • Verify that the information collected when a user logs in or completes forms on your website is actually necessary.
  • If your site uses a service like Google Analytics, only turn the data collection on if you are using the data in some way.

Need Advanced Analytics?

  • Only deploy advanced analytics when necessary:
    • Audience segmentation
    • Screen recording
  • Think about how advertising services may profile your users
  • Focus on good content and good will

Provide and Respect Choice

  • Allow users to make informed decisions about their data
  • Provide the ability to update or delete user information on demand
  • Treat user information the way you would want your information to be treated

Questions and Answers

Thank you!

privacy@umich.edu