UW Privacy Office

Online Monitoring

Overview

Monitoring online activities is important to protect institutional information, ensure the reliability of services, and create meaningful relationships with our community. In certain instances, monitoring online activity may be required or essential to the UW’s mission. However, the benefits and risks associated with online monitoring require careful review to ensure that such activities don’t compromise the UW’s values, academic freedom, privacy-related policies, or privacy principles.

In general, online monitoring activities should be conducted in ways that:

  • Enable innovative uses of data and technology in a secure manner;
  • Respect privacy and uphold trusted relationships with the individuals the UW serves in the state of Washington and beyond;
  • Negate harm or conflict as a result of the monitoring activities;
  • Establish a clear, concise, and transparent approach for articulating and evaluating the benefits and risks associated with online monitoring in a public academic institution; and
  • Coordinate online terms of use, privacy statements, and other notices or consents needed for online monitoring activity.

Online monitoring should not occur in the following situations:

  • Systems or services that the UW requires an individual to use in order to receive information or a service from the UW, when the UW does not provide an alternative medium for the interaction or any notice or choice to the user about the monitoring of their information.
  • Systems, services, webpages, or communications that are directed to or collect information from individuals under the age of 13.
  • Systems, services, or webpages that collect or exchange information about which individuals may have a reasonable expectation of privacy. Examples may include, but are not limited to, communications and webpages associated with safe campus, scheduling sensitive appointments (e.g. medical appointments), or hardship withdrawal.

See Online Monitoring Guideline (requires employee authentication) for more information.

European Union’s General Data Protection Regulation (EU GDPR)

Under EU GDPR, if your UW organization’s website is configured to actively or passively collect personal data or information that can be used to identify persons who reside in the EU, including their online behaviors or interests, then your organization is required to:

  • Ensure your online monitoring activity (e.g. monitoring, tracking, marketing, analytics) is consistent with and limited to what is described in the UW Online Privacy Statement.
  • Refer to the UW Online Privacy Statement and obtain consent from individuals who reside in the EU before you collect data from/about them. This may be achieved through a pop-up on your website.
  • Clearly identify, on your website, the name and contact information of the individual who is the Controller and thus responsible for overseeing and making decisions about the collection, use, and protection of the personal data.

Standard Pop-Up Language to Obtain Consent

Note: This language is for the collection of personal data that requires consent for online monitoring.

By choosing to continue to use this UW website, you agree to the UW’s collection and use of personal information and non-personal information as described in the UW Online Privacy Statement.

Yes, I Agree
No, I Do Not Agree

Digital Analytics

If you use Digital Analytics, you should carefully review the information published by the vendor on the use of its product in relation to and in compliance with EU GDPR.

If your organization’s website collects digital analytics that include personal data in URLs, IP addresses, or other information that can be used to identify persons who reside in the EU, then under EU GDPR you are required to obtain consent from users, store that consent with a date stamp, and only use the data as described in the Online Privacy Statement.

For example, here are suggestions to help you balance the benefits and risks related to the intersection of your UW organization’s website, EU GDPR requirements, and the use of Google Analytics:

  1. Keep personal data out of URLs.

Do not collect any information that can identify a person in Google Analytics. This can happen in a few ways, most notably through URL parameters (&netid=johndoe) or a unique URL (unit.uw.edu/personalmicrosite/johndoe).

  2. Keep personal data out of reports.

Do not collect personal data in URLs on the assumption that you can filter the data out of the report and thereby avoid the EU GDPR requirement to obtain consent.

  3. Turn on IP anonymization.

Users’ IP addresses, and their online behaviors and interests, are protected by the EU GDPR. Anonymizing IP addresses helps reduce risk to the UW and individuals’ personal data.

  4. If your organization’s website uses Google Analytics advertising features, then under EU GDPR you must obtain consent from individuals.

Because Google shares data with third parties, you must obtain consent from your users: https://support.google.com/analytics/answer/2700409?hl=en
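
The suggestions above, as an added example that is not part of the original guidance and is not UW or Google code: identifying values are stripped from the URL before anything is handed to an analytics tool (rather than filtered out of reports afterwards), and nothing is produced without a stored, date-stamped consent. The parameter list, the [redacted] placeholder, and all function names are assumptions made for illustration.

```javascript
// Added example: scrub identifying values from a URL *before* it reaches an
// analytics tool, and gate collection on a date-stamped consent record.
// PII_PARAMS, PII_PATH_PREFIXES and the function names are assumptions for
// illustration, not UW or Google Analytics identifiers.

const PII_PARAMS = new Set(["netid", "email", "name"]); // assumed list
const PII_PATH_PREFIXES = ["/personalmicrosite/"];      // from the page's example

// Return path + query with identifying parameters and path segments removed.
// The fragment (#...) is dropped entirely.
function scrubPagePath(rawUrl) {
  const url = new URL(rawUrl);
  for (const key of [...url.searchParams.keys()]) {
    if (PII_PARAMS.has(key.toLowerCase())) url.searchParams.delete(key);
  }
  let path = url.pathname;
  for (const prefix of PII_PATH_PREFIXES) {
    const at = path.toLowerCase().indexOf(prefix);
    if (at !== -1) path = path.slice(0, at + prefix.length) + "[redacted]";
  }
  const query = url.searchParams.toString();
  return query ? `${path}?${query}` : path;
}

// Build the consent record to store: the user's choice plus a date stamp.
function recordConsent(agreed, now = new Date()) {
  return { agreed: Boolean(agreed), timestamp: now.toISOString() };
}

// Produce the pageview to send, or null when consent is missing or refused.
function buildPageview(rawUrl, consent) {
  if (!consent || consent.agreed !== true) return null;
  return { path: scrubPagePath(rawUrl), consentTimestamp: consent.timestamp };
}

// Constructed sample inputs.
const yes = recordConsent(true, new Date("2018-05-25T00:00:00Z"));
console.log(buildPageview("https://unit.uw.edu/apply?term=fall&netid=johndoe", yes));
console.log(buildPageview("https://unit.uw.edu/personalmicrosite/johndoe/photos", yes));
console.log(buildPageview("https://unit.uw.edu/apply?netid=johndoe", recordConsent(false)));
```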

EU GDPR provides certain rights to persons who were/are residing in the EU when data were/are collected. To the extent allowed by law, individuals may request to have their data corrected or erased. If you receive such requests, there are additional factors to consider before you process or fulfill the requests. Google has promised a way to delete analytics information at a per user level. The UW Privacy Office and its UW partners have not seen the tool to do so yet.