Global Compliance of Cookie-Bassed Web Analytics Activities
Total Page:16
File Type:pdf, Size:1020Kb
Global compliance of GLOBALcookie-bassed COMPLIANCEweb analytics oactivitiesf cookie-based web analytics activities Finding a cross-border compliance solution [Version 3.0 (April 2012). for cookie-based web analytics activities should be on the agenda of every company doing business online, as well as web analytics software vendors, online content publishers and online advertisers. This paper focuses on EU cookie regulations, US-based Do Not Track initiatives and other worldwide privacy initiatives, in search of a series of steps to aid us in achieving global compliance. INDEX 1 The technical and business need for 5 cookies A world built on cookies 5 Cookie types and threats 6 2 The social dilemma 9 3 A short history of worldwide cookie- 11 related privacy protection 4 The EU regulatory challenge 15 Opt-out vs. Opt-in 15 Yes I do, Don´t I? 16 Calling a spade a spade: national 17 implementations Which law applies to you? 19 5 Technical and legal solutions for 21 cross-border compliance of web analytics activities A proposed approach to the new 21 A document by legal framework Divisadero. All rights reserved. 21 www.divisadero.eu Building a minimum common denominator Author Technical and practical solutions 23 Sergio Maldonado Design by ANNEX: Cookie inventory and 25 Alexia Méndez 6 classification audit form Global compliance of cookie-based web analytics activities 3 1. THE TECHNICAL AND BUSINESS NEED FOR COOKIES sessions, registrations and logins, online banking sessions, electronic government applications… and virtually every online action that goes beyond user-dissociated displays of information. But cookies are also used for other purposes: by allowing us to tie multiple page visualizations to the same anonymous browser, they enable online audience measurement concepts such as “visit” and “visitor”. By statistically analyzing visits to different website sections, products or services, an online business manager is able to A world built on cookies choose the most efficient content, Cookies are essential to the way format, structure or delivery options. the web is used today. They These efforts fall under the realm of enable retention of information “web analytics”. for successful shopping cart Global compliance of cookie-based web analytics activities 5 1. The technical and business need for cookies Furthermore, by analyzing visits and Cookie types and threats When depth of storage is “zombie” cookies. These consist of visitors, an online service provider is Cookie variations have, since their considered, cookies can be retained a combination of regular, FlashTM able to isolate the most successful creation, been extremely complex1 in a temporary (cache) browser and HTML5 cookies, as well as sources in the promotion of his and we must now also consider their memory, or persistently archived database systems that allow website or her own offering, evaluate key more sophisticated alternatives, in the user’s file system for a operators to keep track of users even points of failure in a checkout or which have been created to achieve defined period of time (the latter, after cookies have been expressly registration process and make a the same objective. for instance, prevents the need for removed from the user’s file system. match between, for instance, the repeated user logins every time Although “supercookies” have so most common search terms used by “Traditional”, HTTP2 cookies a browser window is closed or a far only been found7 in conjunction consumers and products sold. This (consisting of text files stored in the session timeout is reached). with the provision of legitimate also falls under the scope of web user’s browser file system), can be services (such as MSN.com, Hulu. analytics activities. classified under two criteria: level Cookies can be replaced by com or Spotify), they are cleary in of relationship with the end user alternative systems that will be breach of expected standards of Well beyond the service-enablement and depth of storage. Under the considered equal under the law transparency, depriving the end user and service-optimization fields, former, cookies can be first-party in terms of compliance issues of clear understanding about the cookie-based services have and third-party. Whereas first-party (“non-traditional” cookies). These nature of information-retention by become a key building block in cookies are directly served by the range from FlashTM: “Local Shared the service provider . the evolution of Digital Marketing. very website the user is visiting (this Objects” (available when the Thus, for instance, an “ad server” is mostly true for shopping carts, multimedia Flash technology is at Finally, so-called “spyware” cookies8 is able to avoid displaying the registration and web analytics), play), to the HTML 54: “local storage” are files akin to regular cookies, same “banner ad” to a specific third-party cookies are linked system, which has far greater which differ in that they do not user more than a given number of to third-party domain names or possibilities in terms of memory and respect the storage specifications times (thus preventing saturation), external suppliers specialized in life span5. determined by browsers. Whereas and an internal promotion on campaign management, behavioral “spyware” cookies cannot contain the advertiser’s home page may targeting and personalization, Extreme usage of cookies has come programming or carry viruses (they automatically display the design but also to some web analytics to be known as “supercookies”6 or are still flat text files), they are able which performs best for a given services. While first-party cookies to retain browser history without the traffic source out of a group of tested are unanimously supported, some org/html/rfc2109), determined that they would have user knowing about it. to be either not allowed or at least not enabled by alternatives. browsers disable third-party cookies default. Although the later scenario is still in place by default3. with Safari (Apple) and Opera browsers, the IETF’s latest specification, dating from April 2011 (http:// tools.ietf.org/html/rfc6265#page-28), takes a more Cookie-based flexible approach. 1 Cookies first appeared in the 1994 4 HTML stands for Hyper Text Markup release of Netscape browser (Internet Explorer could Language. The various versions of this content services have support cookies in late 1995). Their appearance description standard (5 being the latest) have marked a technical milestone, as it removed the accompanied the evolution of the web since its very major obstacle preventing the development of inception. It is the base and standard for all resources become a key electronic commerce applications. deployed on the web (and available through a 2 Hyper Text Transfer Protocol, a W3C standard browser). building block in standard which conforms to the “sustaining 5 HTML 5 Local Storage can pile up to 5 MB communications protocol” of the World Wide Web. of information, whereas Flash Local Shared Objects 3 A working group within the Internet are limited to 100 KB and traditional HTTP cookies 7 See http://online.wsj.com/article/SB1 the evolution of Engineering Task Force originally identified third-party cannot exceed 4 KB. 0001424053111903480904576508382675931492. cookies as a privacy threat and, in its first specification 6 See http://ashkansoltani.org/docs/ html#ixzz1VN0Zmq4b Digital Marketing. for their browser implementation ((http://tools.ietf. respawn_redux.html 8 http://en.wikipedia.org/wiki/Spyware 6 Global compliance of cookie-based web analytics activities 7 2.The Social DILEMMA control of their own personal data. Worse, in many cases individuals cannot tell how much behavioral information is being collected about them, and whether this is being tied to personally identifiable information. Albeit countless business models are built on free services and the exchange of content for a small fraction of personal or even anonymous behavioral data (often collected by third parties in charge of monetizing advertising space), It is only natural that website users this trade-off is not always stated rebel against an invasion of privacy clearly9. Furthermore, as consumers that they do not understand nor control. As online content and 9 The inevitable, competitive nature of electronic commerce services have business is mainly to blame for this lack of clarity. Where there is a lack of enforcement, companies can become more sophisticated, users find tremendous competitive advantage in avoiding compliance. In an analog scenario, it is well known may feel they are irreversibly losing that stricter safeguards for the acceptance of website terms and conditions (“clickwrap” contracts) result in Global compliance of cookie-based web analytics activities 9 2. The social dilemma we have become accustomed abandon the website if he or she (perhaps naïvely) to accessing a does not agree with its terms? Must large collection of resources at a specific agreement be obtained? no cost. In this regard, some have Is such agreement the only possible compared websites to “private evidence of sufficient prior notice gardens” where a visitor must of those terms? Should users bear respect their owners’ rules if he is to the burden of informing themselves 3. A SHORT enjoy the promenade10. adequately and adapting their browsers’ preferences prior to adventuring into the unknown? In HISTORY OF Websites have these questions lie the key differing interpretations of the international WORLDWIDE been compared to legal framework. private gardens COOKIE-RELATED where a visitor must respect their PRIVACY owners’ rules. PROTECTION Of course, if, when entering a new “private garden” (the boundaries between separate gardens not always being so obvious), users were able to clearly understand and accept its privacy rules, they would not feel compromised. They would understand that the information would be used solely in the Privacy concerns are not contained cradle of the first ever self-regulatory agreed manner, in both aggregate to a particular region. However, scheme for cookies and privacy: P3P (anonymous) fashion and where the those which have traditionally (“Platform for Privacy Preferences)11, information identifies the user.