At Termageddon, we have taken thousands of clients through complimentary onboardings where we help them set up their policies. Prior to each call, we visit the client’s website to see if it has any forms (e.g. contact forms or email newsletter sign-up forms) or any trackers (e.g. Google Analytics or Meta Pixel), as those items affect the client’s Privacy Policy. During the call, when it comes time to select what functionalities the website has, we’ll inform the client of these features. Clients are frequently surprised that their website has these features, and they’ll often tell us “I had no idea that my website has Google Analytics and that it collects personal information and tracks website visitors.” Awkward.
A lot of agencies use SOPs when building websites that include installing trackers such as Google Analytics, Hotjar, or the Meta (Facebook) Pixel by default, regardless of whether the client actually needs them. Many agencies do not even tell their clients that these tools have been installed. In this article, we will discuss why agencies should inform their clients of any tracking technologies prior to installing them on client sites.
If a client does not know that a tool exists, they are not likely to use the tool
The purpose of certain trackers such as Google Analytics is to provide insights on how people use the website so that the website owner can make changes or improvements to the site. If your client does not know that analytics is installed on their site, they will never access that data and will never use it to make changes or improvements to their site. This entirely defeats the purpose of having these trackers on their site.
Privacy laws state that personal information should be collected only when there is a specific purpose for doing so. If a client never uses the data collected by the trackers, then there is no purpose for collecting it. Should these trackers be placed on the website in case the website owner may want to access this data a few years from now? No, if there is no purpose for the trackers at this time, then the trackers should not be placed on the website. If the client does actually want to see this data a few years from now, the trackers can be installed on the website at that time. At that time, you can also speak to your client about privacy-friendly alternatives such as Independent Analytics or Fathom Analytics. In addition, if your client has finished using the tracking tool (e.g. they used Meta Pixel for an advertising campaign that was concluded), you should remove that tracking tool from the website as it’s no longer needed.
Missing or false information in Privacy Policies
When trackers such as Google Analytics, Meta Pixel or Hotjar are installed on a website, they collect personal information. For example, they may collect IP addresses, device identifiers, information about the type of browser that a website visitor is using and how people interact with the website and any advertisements. If a client does not know that these tools are being used, they will not include this information in their Privacy Policies. For clients that we take through onboardings at Termageddon, we do inform them of these tools. However, clients who are writing or generating policies themselves will not include this information in their Privacy Policies because they are simply not aware that these tools are on the website.
Privacy laws specifically state that the Privacy Policy must be accurate as to the business’ actual privacy and business practices. In addition, privacy laws require that Privacy Policies include certain disclosures, such as what personal information is collected and how it is used, and they may require the business to disclose who that personal information is shared with. A client that is not aware of these tools will not be able to provide this information in their Privacy Policy in an accurate way, thereby putting them at risk of privacy-related fines or even lawsuits.
In addition, using these tools may subject the website owner to additional privacy laws. For example, Google Analytics could track website visitors from the EU, subjecting the website owner to GDPR. If a client does not know that these tools are present on their website, they may assume that they are not tracking residents of the EU, and thus may assume that they do not need GDPR compliance. If they do not include GDPR disclosures in their Privacy Policy, they may also be out of compliance and at risk of fines.
Missing consent banner
Tools such as Google Analytics, Hotjar, and the Meta Pixel track website visitors and place cookies and pixels on their devices. This may subject the website owner to several privacy laws such as GDPR, UK DPA, and the California Invasion of Privacy Act. Unfortunately, if the website owner is not aware that these trackers have been added to their site, they may assume that they do not need a consent banner and thus may skip adding one to their website.
We have seen more and more small businesses being sued under CIPA for not having a consent banner and thus tracking residents of California without consent, so this can become a very costly problem for your client. It is extremely important that you inform your clients of any tracking technologies that you add to their website so that they may avoid this issue.
How to handle this with new website builds
As you can see from the above, failing to inform your clients of the tracking technologies that you are installing on their websites can lead to very costly and cumbersome compliance issues. To avoid these issues, when building new websites for clients, you should take the following steps:
- Create a list of all of the tracking technologies that you would like to install on the website, along with the name of the technology (e.g. Google Analytics), the provider of the technology (e.g. Google) and what the technology does. Feel free to recommend privacy-friendly alternatives in this list as well;
- Share this list with your client and ask them whether they would like you to install any of these technologies on their website. If a client tells you that they do not need the tool (e.g. they do not intend to run ads so they do not need the Meta Pixel), then do not install that tool onto their website;
- Have the client sign off on the fact that these technologies should and will be installed on the website. Also, inform them that these technologies collect personal information and track users and thus they should look into obtaining a Privacy Policy, Cookie Policy and consent tool for their website. You should state that you are not an attorney and thus are not providing legal advice. This should be done in writing to avoid any misunderstandings. Consider having the client sign the Website Policies Waiver, which makes it clear that they (the client) are the ones that are responsible for the compliance of the website, and not you (the agency).
How to handle this with existing clients
If you have been building websites for clients for a while, it is possible that you may not have informed all of your clients of the tracking technologies that you have placed on their websites in the past. This is as good a time as any to let them know what tools are on their site. You could frame this as a housekeeping item (you are going through client sites to see what tools they have installed), a reminder (you are reminding them that these tools are on their sites so that they are informed), or you can always blame the fact that privacy laws are getting stricter, so you want your clients to be aware.
For existing clients, you can:
- Create a list of all of the tracking technologies that are on the website, along with the name of the technology, the provider, and what the technology does;
- Ask the client whether they would like to keep all of the tools on their website, switch to privacy-friendly alternatives, or remove any of the tools;
- Make sure to charge for your time if the client would like you to make any changes to their website;
- Inform the client that these technologies collect personal information and track users and thus they should look into obtaining a Privacy Policy, Cookie Policy and consent tool for their website. You should state that you are not an attorney and thus are not providing legal advice. This should be done in writing to avoid any misunderstandings. Consider having the client sign the Website Policies Waiver, which makes it clear that they (the client) are the ones that are responsible for the compliance of the website, and not you (the agency).
Conclusion
Whether you are building new sites for clients or maintaining existing sites, it is always a good idea to inform your clients of the tracking technologies that you are adding to the sites so that the client can be fully informed and can take appropriate steps to ensure that they avoid the risk of privacy-related fines and lawsuits. If you currently have an SOP that you use for website builds, you should update that SOP to include the items above so that your clients are not left in the dark.