Global compliance of cookie-based web analytics activities

Version 3.0 (April 2012)

Finding a cross-border compliance solution for cookie-based web analytics activities should be on the agenda of every company doing business online, as well as web analytics software vendors, online content publishers and online advertisers. This paper focuses on EU cookie regulations, US-based Do Not Track initiatives and other worldwide privacy initiatives, in search of a series of steps to aid us in achieving global compliance.

INDEX

1. The technical and business need for cookies ... 5
   A world built on cookies ... 5
   Cookie types and threats ... 6
2. The social dilemma ... 9
3. A short history of worldwide cookie-related privacy protection ... 11
4. The EU regulatory challenge ... 15
   Opt-out vs. Opt-in ... 15
   Yes I do, Don’t I? ... 16
   Calling a spade a spade: national implementations ... 17
   Which law applies to you? ... 19
5. Technical and legal solutions for cross-border compliance of web analytics activities ... 21
   A proposed approach to the new legal framework ... 21
   Building a minimum common denominator ... 21
   Technical and practical solutions ... 23
6. Annex: Cookie inventory and classification audit form ... 25

A document by Divisadero. All rights reserved. www.divisadero.eu
Author: Sergio Maldonado
Design by: Alexia Méndez

1. The technical and business need for cookies

A world built on cookies

Cookies are essential to the way the web is used today. They enable retention of information for successful shopping cart sessions, registrations and logins, online banking sessions, electronic government applications… and virtually every online action that goes beyond user-dissociated displays of information.

But cookies are also used for other purposes: by allowing us to tie multiple page visualizations to the same anonymous browser, they enable online audience measurement concepts such as “visit” and “visitor”. By statistically analyzing visits to different sections, products or services, an online business manager is able to choose the most efficient content, format, structure or delivery options. These efforts fall under the realm of “web analytics”.


Furthermore, by analyzing visits and visitors, an online service provider is able to isolate the most successful sources in the promotion of his or her own offering, evaluate key points of failure in a checkout or registration process and make a match between, for instance, the most common search terms used by consumers and products sold. This also falls under the scope of web analytics activities.

Well beyond the service-enablement and service-optimization fields, cookie-based services have become a key building block in the evolution of Digital Marketing. Thus, for instance, an “ad server” is able to avoid displaying the same “banner ad” to a specific user more than a given number of times (thus preventing saturation), and an internal promotion on the advertiser’s home page may automatically display the design which performs best for a given traffic source out of a group of tested alternatives.

Cookie types and threats

Cookie variations have, since their creation, been extremely complex[1] and we must now also consider their more sophisticated alternatives, which have been created to achieve the same objective.

“Traditional”, HTTP[2] cookies (consisting of text files stored in the user’s browser file system) can be classified under two criteria: level of relationship with the end user and depth of storage. Under the former, cookies can be first-party and third-party. Whereas first-party cookies are directly served by the very website the user is visiting (this is mostly true for shopping carts, registration and web analytics), third-party cookies are linked to third-party domain names or external suppliers specialized in campaign management, behavioral targeting and personalization, but also to some web analytics services. While first-party cookies are unanimously supported, some browsers disable third-party cookies by default[3].

When depth of storage is considered, cookies can be retained in a temporary (cache) browser memory, or persistently archived in the user’s file system for a defined period of time (the latter, for instance, prevents the need for repeated user logins every time a browser window is closed or a session timeout is reached).

Cookies can be replaced by alternative systems that will be considered equal under the law in terms of compliance issues (“non-traditional” cookies). These range from Flash “Local Shared Objects” (available when the multimedia Flash technology is at play) to the HTML 5[4] “local storage” system, which has far greater possibilities in terms of memory and life span[5].

Extreme usage of cookies has come to be known as “supercookies”[6] or “zombie” cookies. These consist of a combination of regular, Flash and HTML5 cookies, as well as database systems that allow website operators to keep track of users even after cookies have been expressly removed from the user’s file system. Although “supercookies” have so far only been found[7] in conjunction with the provision of legitimate services (such as MSN.com, Hulu.com or Spotify), they are clearly in breach of expected standards of transparency, depriving the end user of a clear understanding about the nature of information retention by the service provider.

Finally, so-called “spyware” cookies[8] are files akin to regular cookies, which differ in that they do not respect the storage specifications determined by browsers. Whereas “spyware” cookies cannot contain programming or carry viruses (they are still flat text files), they are able to retain browser history without the user knowing about it.

Notes
[1] Cookies first appeared in the 1994 release of the Netscape browser (Internet Explorer could support cookies in late 1995). Their appearance marked a technical milestone, as it removed the major obstacle preventing the development of electronic commerce applications.
[2] Hyper Text Transfer Protocol, a W3C standard which conforms to the “sustaining communications protocol” of the World Wide Web.
[3] A working group within the Internet Engineering Task Force originally identified third-party cookies as a privacy threat and, in its first specification for their browser implementation (http://tools.ietf.org/html/rfc2109), determined that they would have to be either not allowed or at least not enabled by default. Although the latter scenario is still in place by default with Safari (Apple) and Opera browsers, the IETF’s latest specification, dating from April 2011 (http://tools.ietf.org/html/rfc6265#page-28), takes a more flexible approach.
[4] HTML stands for Hyper Text Markup Language. The various versions of this content description standard (5 being the latest) have accompanied the evolution of the web since its very inception. It is the base and standard for all resources deployed on the web (and available through a standard browser).
[5] HTML 5 Local Storage can pile up to 5 MB of information, whereas Flash Local Shared Objects are limited to 100 KB and traditional HTTP cookies cannot exceed 4 KB.
[6] See http://ashkansoltani.org/docs/respawn_redux.html
[7] See http://online.wsj.com/article/SB10001424053111903480904576508382675931492.html#ixzz1VN0Zmq4b
[8] http://en.wikipedia.org/wiki/Spyware

2. The social dilemma

It is only natural that website users rebel against an invasion of privacy that they do not understand nor control. As online content and electronic commerce services have become more sophisticated, users may feel they are irreversibly losing control of their own personal data. Worse, in many cases individuals cannot tell how much behavioral information is being collected about them, and whether this is being tied to personally identifiable information.

Albeit countless business models are built on free services and the exchange of content for a small fraction of personal or even anonymous behavioral data (often collected by third parties in charge of monetizing advertising space), this trade-off is not always stated clearly[9]. Furthermore, as consumers we have become accustomed (perhaps naïvely) to accessing a large collection of resources at no cost. In this regard, some have compared websites to “private gardens” where a visitor must respect their owners’ rules if he is to enjoy the promenade[10].

Of course, if, when entering a new “private garden” (the boundaries between separate gardens not always being so obvious), users were able to clearly understand and accept its privacy rules, they would not feel compromised. They would understand that the information would be used solely in the agreed manner, both in aggregate (anonymous) fashion and where the information identifies the user. This is called “informed consent”.

But informed consent could take many forms: Can a user not simply abandon the website if he or she does not agree with its terms? Must specific agreement be obtained? Is such agreement the only possible evidence of sufficient prior notice of those terms? Should users bear the burden of informing themselves adequately and adapting their browsers’ preferences prior to adventuring into the unknown? In these questions lie the key differing interpretations of the international legal framework.

Notes
[9] The inevitable, competitive nature of business is mainly to blame for this lack of clarity. Where there is a lack of enforcement, companies can find tremendous competitive advantage in avoiding compliance. In an analog scenario, it is well known that stricter safeguards for the acceptance of website terms and conditions (“clickwrap” contracts) result in lower conversion rates (of visitors into customers).
[10] See Baekdal, Thomas: “What is a violation of privacy?” http://www.baekdal.com/opinion/what-is-a-violation-of-privacy/

3. A short history of worldwide cookie-related privacy protection

Privacy concerns are not contained to a particular region. However, those which have traditionally favored a culture of higher citizen tutelage and public intervention have naturally led the current trend in privacy advocacy. Cookie-related concerns have been no exception.

The World Wide Web Consortium (W3C), hosted by the Massachusetts Institute of Technology, was the cradle of the first ever self-regulatory scheme for cookies and privacy: P3P (“Platform for Privacy Preferences”)[11], officially issued as a W3C standard through a 2002 Recommendation. With the initial support of Microsoft, the Internet Explorer 6 browser’s P3P compliance had the direct effect of preventing the permanent storage of first-party cookies, as well as blocking third-party cookies unless a P3P-compliant policy (in itself an XML “machine-readable” file) could be found[12]. The standard did not succeed, and even attracted a good share of criticism from all sides[13].

P3P was a neither surprising nor inappropriate Internet-born response to a myriad of regional and national initiatives taking off at the very time, threatening the integrity and global appeal of the web. The main source of this concern was, without any doubt, the European Union’s regulatory framework.

The EU had first come up with its first major data protection initiative in 1995[14]. Then, with the advent of the Internet and electronic commerce, a Recommendation “on certain minimum requirements for collecting personal data on-line” was issued by its Data Protection Working Party (“G29”) in 2001[15]. Among other things, it clarified the manner in which the Data Protection Directive had to be applied to online activities, including data collection through online form fields, and the way compulsory information had to be made available to users. More importantly, it specifically imposed an obligation on businesses to disclose the names of companies serving third-party cookies on their website[16].

Such legislation would later be complemented by what came to be known as the E-Privacy Directive 2002[17], establishing legal and technical requirements on the processing of personal data in electronic environments. During the formation and voting period of the Directive an opt-in regime for cookies was discussed[18], threatening the imposition of a whole new system of information. In the end, it limited itself to requirements for appropriate notification of the usage and purpose of cookies, as well as the consequences of disabling them.

Privacy legislation debate is not restricted to the EU but is found worldwide[19]. In cases as recent as China’s[20], privacy legislation is already addressing Internet-specific concerns. In Australia[21], and other common law countries[22], it has proven hard to abandon a traditional approach to privacy and implement any policies beyond the scope of protecting citizens from government bodies.

The simple consequence of such wide coverage is that most countries will impose certain obligations on businesses that store personal data within cookies. These obligations could take the form of registration with a local agency, prior permission, notification, user access, cancellation by user request, minimum data security or ulterior usage obligations. Of course, the limits of “personal data” or “personally identifiable information” vary across countries (e.g. a simple IP address would be sufficient to qualify in Germany)[23].

What had never been seen, until the E-Privacy Directive arrived, is a piece of legislation that applied to a particular set of data processing practices, independent of whether those practices involved the storage of personal information. In this regard the E-Privacy Directive was alone, until Do Not Track appeared in the United States.

Notes
[11] See http://www.w3.org/P3P/
[12] P3P aimed to allow end users to dictate the amount of information that a website could gather about them through cookies without the need for interpretation of complex legal disclaimers. By delegating the negotiation of acceptable terms to machine-readable files, users could always be certain that their own user-defined barriers would not be surpassed.
[13] See http://en.wikipedia.org/wiki/P3P. While other browsers quickly chose to stay clear of P3P, favouring their own alternatives (or simply ensuring that an optional plug-in remained available for users to turn their own systems into P3P-compatible environments), Internet Explorer ended up turning to its own proprietary solutions (this was the case of InPrivate Browsing and InPrivate Blocking in IE8).
[14] On October 24, 1995, the Council and Parliament of the European Union adopted Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This would come to be known as the “data protection directive”.
[15] See http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2001/wp43en.pdf
[16] It also said “If a cookie is placed by an organization through its own website and only this organization can access the content of the cookie, there is no additional requirement for information identifying the organization responsible for placing the cookie to be given, provided that the organization hosting the website has already been adequately identified.”
[17] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
[18] An initially approved amendment by the European Parliament along these lines was eventually discarded in the EU Council of Ministers, shortly before receiving its final go-ahead.
[19] In particular, civil law countries in South America with legal systems rooted in the same grounds as those shared by most EU members have been quick to follow. This is the case in Argentina, Chile or Uruguay, which in the process have enjoyed being considered countries with “adequate” personal data protection levels by the European Commission (this facilitates the transfer of data to such countries).
[20] The Economist: “The long march to privacy” http://www.economist.com/node/5389362
[21] The Australian National Privacy Principles (set out in Schedule 3 of the Privacy Act 1988) extend data protection obligations to businesses with a turnover of more than A$3 million.
[22] Québec would be the exception in Canada (as it also follows civil law and boasts the most comprehensive personal data protection legislation in the country).
[23] See Peter Scharr’s declarations at the helm of the Data Protection Working Party (January 2008) and the recommendations that followed in each EU Member State.


Run by Stanford University academics in California, the Do Not Track initiative aimed to provide a technical and legal solution which replicated the idea of the “do not call” list, which prevents unsolicited commercial communications over the phone. Once a user has installed a Do Not Track plug-in in his browser, websites that comply with the initiative would be prevented from serving cookies. Of course, the problem with self-regulation is that it requires mass adoption if it is to be effective on a large scale.

Do Not Track received a serious boost in December 2010, when the United States Federal Trade Commission decided to endorse[24] the initiative. By April 2011, Internet Explorer 9, Firefox 4 and Apple Safari were already supporting it. At that point Google Chrome was singled out by the FTC as the only browser lagging behind[25].

On top of this, the United States may be heading for its own piece of legislation on the subject, with current plans by House Representative Cliff Stearns to introduce legal provisions that would be enforced by the FTC along with Do Not Track (based on the existing Consumer Privacy Protection Act[26]).

4. The EU regulatory challenge

Opt-out vs. Opt-in

Moved by fresh social concerns in light of new technical and business developments (see chapter 1), the EU amended the E-Privacy Directive in 2009[27] to address the need for permission when cookies are served or read. Specifically, under article 5(3)’s new wording, users must be provided with “clear and comprehensive information” about the storage of information, or access to stored information, on their terminal equipment, and users must provide their specific consent.

An exception to this requirement is provided by the article itself, 5(3) as amended: “permission will not be required when cookies are deemed strictly necessary to the operation of the services.” This concept has proved controversial: Does “operation” mean “service-enablement”? Does it rather encompass “service-optimization”? Whereas the former would only include those cookies used in shopping carts or registered sessions, the latter would be wide enough to include web analytics, commonplace maintenance tasks and non-crucial features (such as remembering a language selection or geographical location).

As was rightly feared, the interpretation of this exception has differed across countries. While the UK’s Information Commissioner’s Office has expressly discarded the inclusion of web analytics activities[28], France’s equivalent body[29] has done the opposite.

Yes I do, Don’t I?

Much has been written about the extent of the consent required. In light of a recent Opinion issued by the EU Data Protection Working Party[30] (“G29”): when dealing with online behavioral advertising (built on third-party cookies), appropriate consent cannot be assumed to have been given where users are operating within browsers which provide options for disabling cookies (where these have not been disabled). Instead, consent would require a specific “positive” action on the part of the individual.

On the other hand, the EU Commission Communications Committee, which was set up to advise Member States on the Directive’s implementation, has suggested that browser settings or other application settings could be sufficient as a form of consent. For this reason, browser manufacturers have now been dragged into discussions with national authorities.

The former line of thought inspired the initial interpretation of the new rules by the UK’s ICO[31]. According to it, express permission requests would need to be made every time a new cookie is served. To demonstrate how this solution could be deployed successfully, the ICO applied it to its own website. Sharing its impact on the website’s unique visitor count (a 90% drop)[32] has had a very discouraging effect on industry professionals, prompting widespread talk of a complete disconnection between the policy and the reality of business.

Unfortunately, express permission at website level can only be obtained through pop-ups or graphical alerts that prevent the user from making progress on whatever tasks he has chosen to complete online. This goes directly against all usability and user-centered design principles[33]. As there are no half-way solutions and this seems a high price to pay, making a more precise distinction between different levels of intrusiveness prior to seriously hampering the very purpose of an online service would be sensible. Discussion of this distinction will follow.

Calling a spade a spade: national implementations

Of course, speculation on the Directive’s general terms is useless when the 27 EU members were obliged to implement it into specific national law by June 2011. After much foot dragging, things have started to settle down in the past few months, with the one-year moratorium in its application coming to an end in the United Kingdom and the arrival of national implementations in other countries. In particular, the United Kingdom has been rich in developments, with two of them particularly significant: both the ICO’s “Guidelines on the new cookies regulations” and the Government Digital Service’s “Implementer Guide to the Privacy and Electronic Communications Regulations for public sector websites”[34] provide useful frameworks. The following important conclusions can be drawn from a review of both documents:

• A criterion of intrusiveness is gaining ground, allowing websites to classify cookies into separate groups[35].
• Web Analytics activities and other first-party cookie uses are not considered a priority in the enforcement of prior permission requirements[36].
• Government websites in the United Kingdom are not expressly requiring permission when analytical cookies are in use.

Spain’s recently enacted law brings another perspective, with an additional element thrown into the mix: according to its newly enacted law[37], permission can be validly obtained through browser settings, albeit it must involve a positive action on the part of the user (through an initial wizard during installation or upgrade). This throws some hope into the future, although it is not enough to alleviate today’s needs.

At the more lenient end of the spectrum, we can find other countries that have now implemented legal changes: the Czech Republic, Finland, Hungary, Ireland and Sweden are all either expressing a “soft consent” based on appropriate notices (in many ways akin to an “opt-out”) or allowing acceptance through browser settings without further considerations.

Which law applies to you?

Unlike other EU legislation, which applies the national law of the end user’s physical location, the legal framework of personal data protection is based instead on the national law where the service provider is established or, if located outside of the EEA (EU plus Norway, Liechtenstein and Iceland), on the national law of the nation where the service provider hosts its personal data storage hardware (data processing “equipment”). However, since cookies make use of the end user’s personal computer for storage purposes, the Communications Committee has interpreted them as data storage facilities operated by the service providers. This interpretation would mean that any EU country could see its national law applied to a website run by a U.S., Australian or Indonesian company (unless access is blocked for residents of said country).

Where applicable laws conflict, we assume that enforcement rationale would determine the action taken against any violation of legislation. Albeit any company could potentially be sued by end users in any other country, a website operator is mainly at risk in the countries where it is headquartered or domiciled, due to the difficulty of enforcing compliance and distributing punishments. Of course, for non-EU multinational companies with offices throughout the EU this would mean having to comply with up to 27 different laws.

Notes
[24] See FTC Staff Issues Privacy Report, Offers Framework for Consumers, Businesses, and Policymakers http://www.ftc.gov/opa/2010/12/privacyreport.shtm
[25] See http://www.wired.com/epicenter/2011/04/chrome-do-not-track/. Google has released its own technical solution to ensure the implementation of an opt-out approach: Google Chrome’s Keep My Opt-Outs plug-in blocks targeted ads produced by a group of companies and ad networks that have decided to abide by this scheme.
[26] See http://arstechnica.com/tech-policy/news/2011/03/congressman-to-revive-2005-online-privacy-bill-with-new-feedback.ars
[27] Directive 2009/136/EC of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws. Its full text can be found here: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:En:PDF
[28] See http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/new_regulations.aspx
[29] The Commission Nationale de l’Informatique et des Libertés (“CNIL”).
[30] Opinion 2/2010 on online behavioral advertising (http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp171_en.pdf).
[31] Through its guidance paper on the new framework for cookies (see http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/new_regulations.aspx), even providing as examples the use of specific text displayed to users, either in pop-ups, footers or elsewhere.
[32] See the ICO’s response to a public request by our Digital Analytics Association colleague Vicky Brock, referenced IRQ0397602 (“I would like to request information regarding to the recorded levels of traffic to the ICO website before and after the cookie opt in message was placed on the ICO website.”): http://www.ico.gov.uk/about_us/how_we_comply/disclosure_log/201106.aspx. A full account can also be found here: http://www.research-live.com/news/analytics/cookie-refusal-leads-to-90-drop-in-measured-visits-to-ico-site/4005538.article.
[33] Vid. KRUG, Steve: “Don’t make me think”, Que, 2000.
[34] http://alphagov.files.wordpress.com/2012/03/gds-cookies-implementer-guide.pdf
[35] The UK Government Digital Service has used a three-level classification: 1) Moderately intrusive: embedded third-party content and social media plugins; advertising campaign optimisation. 2) Minimally intrusive: web analytics/metrics; personalised content/interface. 3) Exempt: stop multiple form submissions; load balancing; transaction specific.
[36] The ICO’s “Guidance on the use of cookies and similar technologies” incorporates the following clarification: “The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent. In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”
[37] By way of a Real Decreto-ley which modifies the Ley de Servicios de la Sociedad de la Información y de Comercio Electrónico 2002, itself a transposition of the Electronic Commerce Directive, with a change in the Ley General de Telecomunicaciones 2003 that implemented the ePrivacy Directive expected shortly.

5. Technical and legal solutions for cross-border compliance of web analytics activities

A proposed approach to the Building a minimum common new legal framework denominator Although the climate remains A number of sources set precedent uncertain, with many national and can act as guidelines for the said laws pending enactment, and a minimum standard: majority of data protection agencies struggling to cope with the technical • Guidelines issued by those implications of the Directive, we will countries which have already now summarize a website operator’s implemented the EU Directive into current options for the definition of national law a minimum common denominator • Recommendations of the EU to safeguard against the different Communications Committee national laws involved. • Opinions of the EU Data Protection Working Party (“G29”) • Recitals to the new ePrivacy Directive • The United States FTC report on Do Not Track38.

38 See http://ftc.gov/ os/2010/12/101201privacyreport.pdf

5. Technical and legal solutions for cross-border compliance of web analytics activities

It is by looking at these that we can reach the following conclusions:

- A classification of cookies based on their level of intrusiveness would assist in communicating with website users, aiding the explanation of the need for permission in certain cases.

- Both the US FTC and local EU data protection agencies will most likely begin taking action against companies that purposefully disregard the new laws. A second priority would be targeting website operators that do not make any attempt to comply (as recognized by ICO).

- It is easier to prove positive actions towards compliance than to defend an unchanged policy on the basis that everybody else is failing to act.

- Given the fact that the EU G29's Opinion on Behavioral Advertising has been a key precedent for the new framework, we must pay special attention to the fact that third-party cookie-based affiliate networks and ad networks represent its most important target. As a consequence, any cookie-based activity that stems from the very same website requested by the end user (and not undertaken behind the scenes and involving third parties) should at the very least attract less scrutiny. As this differentiation must also be obvious at the technical level (especially if Do Not Track browser plugins become commonplace), an effort to stick to first-party cookies for web analytics activities would undoubtedly help the website operator's cause. This is further supported by the only recital to the new ePrivacy Directive (recital 66) that expressly goes into detail in the explanation of the intended goal of the new provisions, as only third-party relationships are mentioned [39].

- Many web analytics vendors offer their own opt-out plugins and options [40]. A link to them can be easily given within the website's privacy policy disclaimer or legal notice.

Technical and practical solutions

With those conclusions in mind, we propose four steps that would ensure compliance with the minimum common denominator defined above. These steps are consistent with existing national guidelines, while remaining essentially practical and aiming at causing only a minimal disruption to the provision of online services:

1. Cookie audit. Run an audit of all persistent cookies being used throughout the company's digital properties, recording basic information about each of them: expiration term (life of the cookie), purpose (e.g. internal analytics), level of intrusiveness and owner. A sample audit form is provided in the Annex to this document, while a variety of free tools remain available for its fulfillment [41].

2. Cookie management policy. Establish some basic rules for the regular supervision of cookies being used, aiming at reducing their number or, where possible, their expiration term.

3. Privacy notice update. Redraft your privacy notice including separate sections for:
a) Analytical cookies
b) Other internal usage cookies
c) Social plugin cookies
d) Cookies run and used by third parties
e) A summary table with the results of your cookie audit.
All these sections can be grouped under "Cookies" and precede or follow preexisting notices regarding the collection of personal data (with the new section labeled "Privacy and Cookies"). Also, the link to this policy should gain prominence if not obvious at first sight.

4. Opt-out compliance. Make sure that your website can comply with Do Not Track browser plugins and, if possible, include a first-visit-only header notice that lets the user choose whether to exclude your own cookies without the need to revert to browser plugin settings.

NOTE: These recommendations are by no means intended to replace qualified legal advice.

39 "Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible […]"
40 Two alternative examples are provided by the Google Analytics (http://tools.google.com/dlpage/gaoptout) and Adobe Omniture SiteCatalyst (http://www.omniture.cz/en/privacy/2o7#optout) opt-out applications. Whereas the first one consists of a browser plugin, Adobe's system is (paradoxically) based on cookies.
41 E.g.: Firecookie.
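As an added example (not code from the paper or from Divisadero), the following JavaScript shows how steps 1, 3 and 4 of the procedure above can be mechanized: it parses Set-Cookie headers into the annex's COOKIE / DURATION / PURPOSE / INTRUSIVENESS rows plus an owner column, groups the rows into privacy-notice sections a) to d), and gates first-party analytics cookies on a Do Not Track signal and on the preference recorded by a first-visit notice. The site host www.example.com, the sample Set-Cookie lines, the cookie names (including the wa_optout preference cookie) and the four-level intrusiveness scale are all constructed assumptions; the paper leaves the scale and the per-cookie purposes to the auditor.

```javascript
// Added example (not from the Divisadero paper): helpers for the four-step
// procedure. SITE_HOST, the cookie names, the sample headers and the
// four-level intrusiveness scale are constructed assumptions.

const SITE_HOST = "www.example.com"; // assumed first-party host

// Step 1, cookie audit: turn one Set-Cookie header into an inventory record.
// `now` is injected so that Expires-based lifetimes are reproducible.
function parseSetCookie(header, requestHost, now = Date.now()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const record = { name: pair.slice(0, eq), domain: requestHost, maxAge: null };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "domain") record.domain = v.replace(/^\./, "");
    else if (key === "max-age") record.maxAge = Number(v);
    else if (key === "expires" && record.maxAge === null)
      record.maxAge = Math.round((Date.parse(v) - now) / 1000);
  }
  return record; // maxAge === null means a session cookie
}

function isFirstParty(domain, siteHost = SITE_HOST) {
  return siteHost === domain || siteHost.endsWith("." + domain);
}

// Constructed scale (1 = least intrusive): the paper asks for a "level of
// intrusiveness" but leaves the scale to the auditor.
function intrusiveness(record, category) {
  if (isFirstParty(record.domain)) {
    if (record.maxAge === null) return 1; // session-only, own site
    return category === "analytics" ? 2 : 1; // persistent first-party analytics
  }
  return category === "social" ? 3 : 4; // social plugin vs. other third party
}

function auditRow(header, requestHost, purpose, category, now) {
  const rec = parseSetCookie(header, requestHost, now);
  return {
    cookie: rec.name,
    duration: rec.maxAge === null ? "session" : `${Math.round(rec.maxAge / 86400)} days`,
    purpose,
    intrusiveness: intrusiveness(rec, category),
    owner: isFirstParty(rec.domain) ? "first party" : rec.domain,
    category,
  };
}

// Constructed sample: what a crawl of the site's responses might have captured,
// with the purpose and category the auditor assigned to each cookie.
const NOW = Date.parse("2012-04-01T00:00:00Z");
const SAMPLE = [
  ["sid=abc; Path=/; Secure; HttpOnly", SITE_HOST, "login session", "internal"],
  ["wa_visitor=123; Max-Age=63072000; Path=/", SITE_HOST, "internal analytics", "analytics"],
  ["share=x; Domain=social-widget.example; Expires=Sat, 30 Jun 2012 00:00:00 GMT",
    "social-widget.example", "social plugin", "social"],
  ["adid=999; Domain=.adnet.example; Max-Age=31536000", "adnet.example", "ad network", "third-party"],
];

function auditTable(sample = SAMPLE, now = NOW) {
  return sample.map(([h, host, purpose, cat]) => auditRow(h, host, purpose, cat, now));
}

// Step 3: group the audit rows into the notice sections a) to d).
const SECTIONS = {
  analytics: "a) Analytical cookies",
  internal: "b) Other internal usage cookies",
  social: "c) Social plugin cookies",
  "third-party": "d) Cookies run and used by third parties",
};
function noticeSections(rows) {
  const out = {};
  for (const r of rows) {
    const section = SECTIONS[r.category];
    if (!out[section]) out[section] = [];
    out[section].push(r.cookie);
  }
  return out;
}

// Step 4: may first-party analytics cookies be set on this request? Honour a
// "DNT: 1" header (navigator.doNotTrack in the browser) and the assumed
// wa_optout preference cookie written by the first-visit notice.
function analyticsAllowed({ doNotTrack, cookieHeader = "" }) {
  if (doNotTrack === "1") return false;
  const optOut = cookieHeader.split(";").map((c) => c.trim()).find((c) => c.startsWith("wa_optout="));
  return optOut === undefined || optOut.split("=")[1] !== "1";
}

// The first-visit header notice is shown only until the user has made a choice.
function firstVisitNoticeNeeded(cookieHeader = "") {
  return !cookieHeader.split(";").some((c) => c.trim().startsWith("wa_optout="));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(auditTable());
  console.log(noticeSections(auditTable()));
}
```

Run it with node to print the audit rows, which are what you would transcribe into the annex form. Server-side the Do Not Track value comes from the DNT request header; client-side from navigator.doNotTrack. Note that the opt-out preference itself has to live in a cookie, the same paradox the paper points out for Adobe's opt-out in footnote 40.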

6. ANNEX: Cookie inventory and classification audit form

COOKIE DURATION PURPOSE INTRUSIVENESS

About Divisadero

Divisadero is a Digital Analytics and Online Business Advisory Services company. With a 40-strong multidisciplinary team distributed across Europe and Latin America, Divisadero works with multiple Fortune 500 companies, including: Vodafone, Heineken, Mango, Santander, BBVA, ING Direct, Coca-Cola, AXA, NH Hotels, Barclays Bank, Yell, Vueling or Iberdrola. www.divisadero.eu

About the author

Sergio Maldonado holds an LLM (Merit) in IT and Internet Law from Queen Mary's University (University of London), and a law degree (JD) from the University of the Basque Country (Spain). He also holds various business, computer programming and web analytics certifications. Initially trained as a lawyer in California and admitted to practice in both England & Wales and Spain, Sergio is co-author of "Internet, key business legal issues" (Spanish language, Thomson-Aranzadi, 2002) and author of "Web Analytics, Measure to triumph" (Spanish language, ESIC University Publishing, 2010). He is also a guest professor at ESIC Business School and a regular speaker at international Digital Marketing events (WSAB London, eMetrics San Francisco, eMetrics Washington D.C., WAW Beijing, OMExpo Madrid, ESEADE Buenos Aires, IMC Barcelona). Sergio is the founder of Divisadero/MVConsultoria, which he has run since 2006.