First Draft of Customer Experience Digital Data Acquisition published by Customer Experience Digital Data Community Group
On 2013-05-17 the Customer Experience Digital Data Community Group published the first draft of the following specification:
Participants contribute material to this specification under the W3C Community Contributor License Agreement (CLA).
If you have any questions, please contact the group on their public list: public-custexpdata@w3.org. Learn more about the Customer Experience Digital Data Community Group.
Hi,
Firstly this is a very good start in a small space fo time, well done.
Secondly, here is my feedback…
I have converted the spec into an HTML file and CheatSheet here:
https://www.dropbox.com/s/l352srcmz52qx6o/W3C_DataLayer_Examples.html
https://www.dropbox.com/s/2cxq7tptf4kh9y1/W3C_DataLayer_CheatSheet_v0.5.pdf
Also I have converted the PDF to MS word and made corrections to the spec here. I have also added some text for the PII section:
https://www.dropbox.com/s/b23p16ouekizkf7/W3C_DataLayer_CustomerExperienceDigitalDataAcquisition_Draft_v0.5.docx
—- Naming conventions..
1. The case of the name values is this CamelCase or camelCase?
2. There is inconsistency in the spec with regards to the use of character case on related attributes for example, look at xxxMethod and xxxmethod below:
– cart_shippingmethod
– cart_items_price_shippingmethod
and
– transaction_total_shippingMethod
– transaction_items_price_shippingMethod
Note: Infact lowercase might actually be simpler/safer?
3. Also, is it pageID or pageId?
4. And is it pageIdentity or pageIDentity?
—- Syntax
5. “page[.]attribute” should be “page_attribute” in order to avoid JS error.
6. Rather than use nested objects, underscores might be simpler e.g. “page_attribute” rather than {“page”:{“attribute”:”value”}}
7. For numbers is it safer to use “” for null values e.g. “revenue”: “”, rather than “revenue”: ,
8. Personally, I prefer to declare null JSON values on a page rather than hiding these as the structure becomes the same on all pages.
9. Inorder to validate to JSON RFC4627 spec and avoid JS errors, I have encapsulated names in double “quotes”.
Useful links:
JSON spec summary: http://jsonlint.com/
JSON RFC4627 spec: http://www.ietf.org/rfc/rfc4627.txt
JSON validator: http://www.json.org/
—- PII
10a. profileID MUST be must be a number NOT a string e.g. “profileID”: 12345
10b. Use with caution “userName”: “phil.pearce”
11. Proposed digitalData object for visitor and user:
digitalData = {
“visitor”: {
“preferenceForDNT”: window.navigator.doNotTrack,// 1|0|”not-set”.Defaulted to “not set”
“anonymizeIp”: false, // hash last 3 characters of IP address in GA. Defaulted to off/false
“geoplugin_status”: geoplugin_status, // 403 error, 200 is look-up ok
“geoIPcountryCode”: geoplugin_countryCode, // geo-plugin JS variable
“geoIPcontinentCode”: geoplugin_continentCode // geo-plugin JS variable
},{
“user”: {
“profile”:{
“auth_isSignedIn”: true, // set on login or register page
“auth_userIDtoSessionIDoveride”: false // set on login or register page
“profileID”: 12345
}
}
}
12. Also I have some concerns about RECOMMENDING the use of these PII values pairs which can be access by external JS (e.g. online behavioral advertising scripts)
{“transaction”: {
“profileIDaddress”: {
“line1”: “673 Mystreet”,
…
“postalCode”: “78610”,
…
}
}
{“user”: {
“profile”: {
“attributes”: {
“userName”: “joe.bloggs”,
“email”: “somebody@somesite.com”,
…
}
}
}
}
{“user”: {
“profile”: {
“attributes”: {
“line1”: “673 Mystreet”,
…
“postalCode”: “78610”,
…
}
}
{“user”: {
“profile”: {
“social”: {
“twitter”: “username1234”,
…
“facebook”: “username1234”,
…
}
}
}
}
—- Additions
Also, I would like to see these added to the spec:
page_httpResponseCode: “”, // e.g 200 or 404 or 500
settings_ga_forceSSL
tagTypeBlacklist
visitXPurpose: preview
socialAction
socialpagePath
socialTarget
page_forumPosts: 25
page_lastModified: 20130522
page_createdDate: 20130502
settings_ga_id
settings_ga_id_secondTracker
setDomainName
conversion_Type
page_Grouping[n]
—- The importance of these two values need to be made clearer in the spec:
“environment_Identifier”: “dev”, // dev, staging or live
“page_attributes_SysEnv”: “desktop”, // Responsive CSS = desktop | tablet | mobile.
Thanks
Phil.
Hi,
I would like to pose a 3 more question for the group:
1. For PII values such as emailAddress, userName or zipCode – is there a way (or need) to set these JSON object to be a “local” variables rather than “global” variables?
Obviously this would need to be done in a way so that the TMS still functions.
Please also read this related article:
http://en.wikipedia.org/wiki/JSON#Security_issues
2. This maybe an edge case example, but… On a large UK dating website which is using iFrames, I noticed that they output a login token a JSON object onto account details page after login. This page also contains 3rd party scripts such as DoubleclickFloodlight, addThis, FBconnect etc.
Is it technically possible that a 3rd party script could read the login token, which is output via this JSON object and accessible via the DOM?
3. Should there be something in the spec to either warn about this JSON login tokens, or provide recommendations (e.g login tokens should only be stored in 1st party cookies, not as JSON objects).
Thanks
Phil.
Hi (me again),
Here are some more name value pairs to add to the spec…
// Debug mode – this can be triggered by environment_Identifier=dev but better to add a own variable:
“settings_ga_isDebugConsoleEnabled”: “true”, // Set document.cookie=”tag_debug=1″ on dev environment
// Use TMS to load jQuery
“load_jquery”: “1.10.1”, // Load jQuery version
// Add local currency variable for sale page, cart page and product pages
“transaction_currency”: “USD”, // Global currency rollup profile
“transaction_currency_secondTracker”: “GBP”, // Local currency profile
// Add more granular value pair settings for large websites:
“settings_ga_brandName”: “big brand”, // If using multiple brand in rollup use this field
“settings_ga_country”: “UK”, // Use 2character ISO Country list
“settings_ga_region”: “London”, // Only needed for large localised websites
// Add support for default Cross domain tracking settings:
“settings_ga_setDomainName”: “clientdomain.com”, // INSERT Top-level domain here
“settings_ga_externalCrossDomainlinksToDecorate”: “otherdomain1.com, mycart.com”,
// Standardise JS plugin functions names to load:
“settings_ga_isExternalLinkTrackingEnabled”: “true”, // Exit links to other websites
“settings_ga_isDownloadLinkTrackingEnabled”: “true”, // PDF tracking
“settings_ga_isMailtoLinkTrackingEnabled”: “true”, //
“settings_ga_isHashUrlFragmentsTrackingEnabled”: “false”, // Append location.hash within page_virtual#url
“settings_ga_isScrollTrackingEnabled”: “false”, // Blog content pages customHTML script
“settings_ga_isYoutubeTrackingEnabled”: “false”, // Youtube API auto-tracking customHTML script
“settings_ga_isFacebookAndTwitterButtonTrackingEnabled”: “false”, //Auto-social button tracking
// enable GApremium specific features e.g. 21-200 customDimension/customMetrics
“settings_ga_isGApremium”: “true”, // Set document.cookie=”tag_debug=1″ on dev environment
// Custom Variables with 3digit number for 0-200 customDimension or customMetrics
“user_cd001_isNewRegistration”: “”, // customDimension001
“user_cd002_isUserNewCustomer”: “”, // customDimension002
“user_cd003_isLoggedIn”: “”, // customDimension003
“user_cd004_class”: “”, // customDimension004
“user_cd005_ID”: “”, // customDimension005 – aka Universal auth.user.getId
“user_cm001_visitorLifetimeValue”: “” // EventValue or CustomMetric value
Thanks!
Phil.
P.S. I am hoping that Adwords dynamic re-marketing which uses fix naming conventions will re-map to digitalData equivalents. I can manually map these in GTM, but auto-mapping to digitalData names is preferred.
“ecomm_pagetype”: “”, // home|searchresults|category|product|basket|purchase|other
“ecomm_prodid”: “”, // e.g. 123
“ecomm_totalvalue”: [“”], // e.g 100.00 pounds
“ecomm_pname”: [“”], // optional – use arrays for multiple products on same page
“ecomm_pcat”: [“”], // optional – use arrays for multiple products on same page
“ecomm_rec_prodid”: [“”], // related productID e.g. shoe shine
Forgot to add this (from the TPE spec)…
serverSide_httpResponseToDntRequest =
1. obeyDNT
2. ignoresDNT
3. inProgressDNT
4. notSpecified
Here is a JSON example.
Note: I have separated analytics-TRACKING and behavioural-TARGETING as this was missing from the DNT Preference Expression Spec status-representation example:
http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#status-representation
{
“targeting”: “yes”, // IsOnlineBehaviouralTargeting for Publishers OR onsite remarketing for Advertisers enabled?
“tracking”: “yes”, // Is AudienceMeasurementTracking enabled
“qualifiers”: “afc”, // external “A”udit + “F”raud prevention + ad-frequency “C”apping
“controller”: “http://www.yourdomain.com/privacy.html”,
“same-party”: [{
“google-analytics.com”,
“stats.g.doubleclick.net”,
“api.youtube.com”
}],
“third-party”: [{
“googleadservices.com”
“ads.doubleclick.net”,
}],
“audit”: [{
“http://policy.cookiereports.com/caf4f823-en-gb.html” // e.g. w3.org/P3P/validator.html
}],
“policy”: “/privacy.html#cookies”,
“edit”: “http://www.yourdomain.com/user-dashboard/edit-your-data”
}
Hi Phil,
I just finished documenting the Privacy and Security objects.
Any data stored in this data standard is subject to any script the site owner deploys, unless the site owner adds privacy and (optionally) data security metadata to the object, and employ a technology configured prevent any script from accessing the data standard.
The way to prevent access would be to add the source domain of the script to the “Categories” for the site, and either:
1) Add a privacy technology to prevent the script from firing.
2) Add a security technology and configure .Security nodes to prevent script access to any PII-containing JSON within the data standard.
I think the ways this standard can handle the cases you identified should be clear. If not, please submit more comments, and I will be glad to help.
Best wishes,
Mark
Hi Mark,
Thanks for the reply, thats really interesting. Do you have a URL example of security module or security meta?
Sounds similar to the field type=password which encodes field values when they ate entered in the browser.
New JSON object request for the spec: JS whitelists:
https://developers.google.com/tag-manager/devguide#security
Thanks
Phil.
P.S. ping me an email/tweet if you reply, as your last comment got stuck in spam.
Hi
Please add new JSON object for “server_isDeviceFingerPrintTrackingEnable”: ,
So that the TMS can change tracking deployed on the page.
Thanks
Phil.
digitalData = {
“visitor”: {
“returningStatus”: “new”, // new or returning visitor: used to only trigger consent
message for new visitors
“preferenceForDNT”: window.navigator.doNotTrack, // yes|no|”not specified”. MUST
defaulted to “not specified”
“anonymizeIp”: false, // hash last 3 characters of IP address in GA. Defaulted to
off/false.
“geoplugin_status”: geoplugin_status, // 403 error, 200 is look-up ok
“geoIPcountryCode”: geoplugin_countryCode, // geo-plugin JS variable
“geoIPcontinentCode”: geoplugin_continentCode // geo-plugin JS variable
},
{// Server-side USER values on login or registration
“user”: {
“profile”: {
“auth_isSignedIn”: true,
“auth_isNewRegistration”: true, // used to only trigger consent message on
first registration
“server_isDeviceFingerPrintTrackingEnable”: false, // ADDED
“auth_userIDtoSessionIDoveride”: false,
“profileID”: 12345
}
}
}
}