Guidelines for digital advertising and web analytics for University of Iowa websites and services

The University of Iowa maintains a number of websites used daily by visitors that include students, faculty, staff, visitors, prospective students/staff, and other non-affiliated guests.

Digital advertising and analytics by design transfers information about visitors to a website back to advertisers and/or analytics vendors. This information is used by both the website owner (to better understand the efficacy of their ad placement) and the advertiser (to better understand the advertising market). The protection and ownership of this information can often be confused.The university has a need to understand the way websites are used.  Website visitors have a need to understand what data is being collected, by whom, and for what purpose.  Various state and national laws place limitations on the collection and usage of website data.  To help balance these goals, the University of Iowa establishes general guidelines for the governance and use of this data.

Data types collected by digital advertising or web analytics

Regardless of an individual site visitor’s relationship to the University, the governance of information collected during a visitor’s access to University-affiliated websites follows the same structural framework as is used for similar institutional data.

Data Trustees can make determinations on the collection, use, retention, and disclosure of data types within their purview, within the bounds of existing regulation and institutional policy. Further, Data Stewards may be empowered by Data Trustees to manage governance processes for specific data types, including processes for authorizing the collection and usage of data.  These roles are defined in the Security Policy.

General guidelines

University objective

Data used for advertising or web analytics purposes must be used to achieve a university objective. Specifically, data must be used in the furtherance of a specified marketing, communications, placement, or advertising objective.

Minimum necessary

The sharing of collected data with advertisers or third parties based on a future possibility of use is not allowed. Only the minimum amount of data necessary to achieve the university’s advertising or analytics objective should be collected or shared.


Websites must inform visitors of the collection of data by linking to the university’s privacy statement at  Any collection of data beyond the scope of the university’s privacy statement must also be disclosed.

Third-party engagement

The University may contract with third parties to operate websites (including web-based applications) on our behalf. These websites may even be re-branded as University-owned websites, and share a common root domain with the University. In these situations, the control and management of collected data, mechanisms for notification, and other associated issues should be reviewed as part of the contractual agreement with the third party.

Security review

All technologies used for advertising and analytics are subject to the requirements of the university's Security Review.

Information collection & use

There are a myriad of vended solutions that may be used across University systems for these purposes. To provide clarity on what staff should expect from other vendors, the following examples are provided:

Google analytics

This is a service provided by Google, Inc., which uses persistent cookies to analyze how visitors use a website. The information generated from the cookie is transmitted from the visitor’s web browser to Google. Google then uses this information to compile reports on website activity and other associated services. Information collected by Google Analytics is de-identified, and does not associate to a specified person or IP address.

Facebook MetaPixel

This is a service provided by Meta, Inc., which uses JavaScript code within the website to identify how visitors use a website. This in turn helps ensure that Meta-based advertising is effective (ads shown to the right people, ad engagement feedback). Meta can log when certain activity occurs on the website, like when a button is clicked. The IP address of the visitor is also provided to Meta.

Specified restrictions

Many advertising or tracking services are highly configurable, allowing administrators to choose to provide more information than required to the advertising service. Because of this, there are some specified restrictions we maintain:

  • No submission of Protected Health Information
  • No submission of form field data (unless the user explicitly consents to sharing with the advertiser)
  • No restriction on website usage due to browser restrictions on ads, tracking, or cookies

Related policies and standards


Last updated 4/10/2023