Add google analytics to track plugin usage

[dankmitchell]

This change is to enable usage tracking of this component.

There is a disable option for services if they don't want to allow the tracking.

The readme gives this change some context

[edwardhorsford]

Definitely worth a conversation @nickcolley. There's plusses and minuses to do this.

@alicenoakes - thoughts?

[NickColley]

Speaking to @danmitchell- this seems to be adding tracking so that any service that includes this component will be tracked by us (and their users) most likely without their knowledge.

I really do not think this is a good idea, and I think there's some serious privacy concerns that would come back to bite us, we should explore other ways to find out about our users.

Which could include not is not limited to:

• Talking to services, ask people if and how they're using this component.
• Tracking npm installations, this component can be installed by npm which could be tracked.

[elliecraven]

Part of the process of adding this tracking includes updating the readmes to tell service teams about this, and how to remove it if they would prefer not to include it. All the wording, and the approach, has been approved by Joel Samuel, so that we can be confident that the data protection risks have been addressed and we're being open with service teams using the component.

We have considered the alternatives you mention and feel that this is the best mechanism, providing we update the text as indicated above.

[NickColley]

Based on the work we've done to try to make Google Analytics not impact users' privacy (for example https://github.com/alphagov/govuk_frontend_toolkit/pull/401/files), I'd strongly recommend you don't go through with this.

Putting Google Analytics tracking into services without their knowledge is effectively what we'll end up with here which will end up reflecting poorly on GDS.

There's a very strong chance people will miss this since people often do not read the entire README - if they did we could ask them to contact us about how they're using this component and avoid impacting end users.

[edwardhorsford]

It sounds like this is tracking to purely measure adoption. One for product managers to consider, but does take us down a new path. We don't for instance track usage of GOV.UK Template like this (though perhaps we might in the future, if this is a pattern?)

I presume services will need to update their cookie notices to mention our tracking. Have we made this clear? What do they need to say?

How does it work for services that can't use GA for not controlled by the team? Is default-on explicit enough? What do our data analytics people think of this? Presumably they may have had similar conversations in the past.

[alicenoakes]

I'll pick this up with @elliecraven and come back to this thread

[elliecraven]

we're planning to make this opt-out by default.

When we did the initial spike to see whether this was technically possible, the performance analysts did flag that this was something new and wasn't a conversation they'd had before.

The draft wording we've prepared to make this clear to services (which we may now need to tweak to reflect the default opt-out and advise services how to opt-in) is here:

We use Google Analytics software to collect information about how your users interact with this component. We do this to help make sure the component is meeting the needs of its users and to help us make improvements.

The Google Analytics cookie we set stores information about:

• how many users enter country data using the component the hostname of the service which the component is implemented within.

We don’t collect or store you or your users' personal information (for example your name or address) so this information can’t be used to identify who you are.

We don’t allow Google to use or share our analytics data. We've renamed this cookie to [add cookie name] so it won't clash with any Google Analytics cookies you set yourself to monitor your service.

If you're happy for this cookie to be placed in your service, you'll need to let your users know about this clearly and may need to update your cookie policy. We suggest adding some wording like the below:

One or more of the parts of this service were designed and built by the Government Digital Service (GDS). We may also send Google Analytics cookie data to GDS so that they can monitor and improve those parts of the service.

[dankmitchell]

@nickcolley opt out by default. Please re-review and provide feedback 👍

[edwardhorsford]

Thanks - much happier with this being an opt-in feature.

Two further thoughts: Should we be thinking about making this agnostic to analytics provider? Should it be tied directly to GA and our current analyticsId? I'm thinking we could use something like #alphagov/stageprompt to make it provider agnostic. That way services could configure it to work with their current provider, and optionally pass in GDS' analytics Id.

How does this scale if we end up with multiple components all potentially sending off analytics?

[dankmitchell]

This has been parked, for now.