[UPDATED SEPTEMBER 2020] If you are a healthcare business owner, you are probably well aware of the Australian Privacy Principles and your obligations relating to these. All private health service providers, irrespective of size, must have a Privacy Policy describing how they manage people’s personal information. Your policy will state how you comply with the areas covered by the 13 Privacy Principles. For example:

  • What personally identifiable data are you collecting, and for what purpose?
  • How do you collect this data?
  • How do you keep it secure?
  • When do you share or disclose personally identifiable data?
  • What measures are taken to ensure the accuracy of data?
  • How can your customers access the data you hold about them and ask for corrections to be made?

Use of Google Analytics requires additions to the Privacy Policy

You may be less familiar with the need to update your Privacy Policy when you start using analytics on your website. Google Analytics is the tool of choice for most people who want to start understanding website traffic and whether the website is achieving its goals.

Your Privacy Policy is about being transparent with your audience but also about compliance, so this article provides an overview and includes links to source documents. Please get a legal opinion to clarify the requirements for your specific situation.

The Google Analytics terms of service specify that you need to post a Privacy Policy. It needs to cover:

  • You must say that you are using cookies (Google Analytics places cookies on the user’s browser to track visits to your website).
  • You must say that you are using Google Analytics and how it collects and processes data. Google suggests pointing to their own description of this by linking to their article “How Google uses information from sites or apps that use our services”.

Advertising Features

There are extra requirements if you have switched on Advertising Features within Google Analytics. In this case Google Analytics is collecting data about your visitors from advertising cookies on their browser, if those cookies are present. This enables extra advertising-related reporting. The Demographics and Interest Reports fall under this ‘advertising-related’ category.

Remarketing is another Advertising Feature (separately enabled), and allows you to create remarketing audiences within Google Analytics based on people’s behaviour on your website and their demographics and interests.

If you have enabled Advertising Features, your Privacy Policy needs to include:

  • The Google Analytics Advertising Features you’ve implemented.
  • Information about how cookies and identifiers are being used – including advertising cookies or other cookies set by your partners when someone visits your website.
  • How visitors can opt out of Google Analytics Advertising Features. For example, through Google’s Ads Settings page, Ad Settings for mobile apps, or through advertising opt-out services.

See Google’s Policy Requirements for Google Analytics Advertising Features.

Google also encourages website owners to link to their information on the Google Analytics opt-out browser add-on. Anyone can install it to stop the Google Analytics JavaScript on the sites they visit from sending their browsing data to Google Analytics.

Personally-identifiable information

You are not allowed to send any personally identifiable information to Google Analytics. Google Analytics records the full page URL, including the query string, so this typically happens when a person fills out a form or logs on to your website and the page they land on has a URL containing their name, email address or other personally identifiable information. This kind of information must be stripped from the URL (and from any custom dimensions or events) before the data is sent to Google Analytics.
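The following is an added example of that URL clean-up step; it is not code from the original article or from Google. It redacts the values of a configurable list of query parameters that commonly carry form data, redacts any query value or path segment that looks like an email address, drops the URL fragment, and hands the cleaned URL to gtag.js as `page_location`. The parameter names, the email pattern and the sample URLs are assumptions for illustration; adjust the list to match your own forms.

```javascript
// Added example (not from the original article): scrub personally identifiable
// information out of a page URL before it is reported to Google Analytics.
// Parameter names and the email pattern below are assumptions for illustration.

// Query parameters that commonly carry PII after a form submission or login.
// Assumed list; extend it to cover the field names your own forms use.
const PII_QUERY_PARAMS = new Set([
  "name", "firstname", "lastname", "email", "phone", "mobile",
  "dob", "address", "patient", "medicare",
]);

// Anything shaped like an email address is redacted regardless of the key.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

const REDACTED = "REDACTED";

// decodeURIComponent throws on malformed escapes; fall back to the raw text.
function safeDecode(segment) {
  try {
    return decodeURIComponent(segment);
  } catch (e) {
    return segment;
  }
}

// Returns a copy of rawUrl with PII-bearing query values and email-like path
// segments replaced by "REDACTED" and the fragment removed.
function scrubPiiFromUrl(rawUrl) {
  const url = new URL(rawUrl);

  // Copy the entries first: mutating searchParams while iterating it is unsafe.
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (PII_QUERY_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      url.searchParams.set(key, REDACTED);
    }
  }

  // Path segments such as /patients/jane.doe@example.com/confirm leak PII too.
  url.pathname = url.pathname
    .split("/")
    .map((seg) => (EMAIL_RE.test(safeDecode(seg)) ? REDACTED : seg))
    .join("/");

  // Fragments never reach the server but are part of what gtag.js reports.
  url.hash = "";
  return url.toString();
}

// Send the cleaned URL to gtag.js as page_location so the raw URL is never
// reported. The gtag call is guarded so this file also runs outside a browser.
// measurementId is whatever your property uses (assumed placeholder below).
function sendScrubbedPageview(measurementId, rawUrl) {
  const cleaned = scrubPiiFromUrl(rawUrl);
  if (typeof window !== "undefined" && typeof window.gtag === "function") {
    window.gtag("config", measurementId, {
      page_location: cleaned,
      send_page_view: true,
    });
  }
  return cleaned;
}

// Constructed sample URLs of the kind a thank-you or login page might have.
const SAMPLE_URLS = [
  "https://clinic.example/thanks?name=Jane%20Doe&ref=newsletter",
  "https://clinic.example/confirm?contact=jane.doe%40example.com#token=abc",
  "https://clinic.example/patients/jane.doe%40example.com/visit",
  "https://clinic.example/services?page=2",
];

for (const u of SAMPLE_URLS) {
  console.log(u, "=>", sendScrubbedPageview("G-PLACEHOLDER", u));
}
```

In a real deployment, call `sendScrubbedPageview` with `window.location.href` instead of the default pageview that `gtag('config', ...)` fires, and review the raw URLs in your reports periodically to catch field names the list does not yet cover.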

The Google Analytics terms of service also require that you “will comply with all applicable laws, policies and regulations relating to the collection of information from Users”. This means not just local privacy laws, but also any other applicable laws. Some of these can be far-reaching …

What about GDPR?

Things get more complex if you are an Australian business that collects personal information from people in Europe, offers goods or services to them, or monitors their behaviour (which is what website analytics does). In this case the GDPR (General Data Protection Regulation) applies to you, even though you have no establishment there.
GDPR applies to the countries of the European Economic Area (EEA). The UK also enacted very similar laws after Brexit.
GDPR has additional compliance requirements, both in terms of the consents you obtain from website visitors (including opt-in consent before your website sets non-essential cookies such as analytics cookies on the user’s browser) and your Privacy Policy. Make sure you understand your legal position.
I have seen it suggested that, if you do not want to do business with people in the EEA, it is a good idea to include statements on your website saying that you do not offer services to people in these countries and you do not accept sign-ups to your email list from them.

Where should I display my Privacy Policy?

You’ll need to display your Privacy Policy on your website if you are using website analytics. It could be a menu item or a link from your header or footer.
Make sure your staff are familiar with your Privacy Policy and understand what it means for their day-to-day job roles. It’s a great topic for a staff meeting discussion or training refresher.