Global compliance of cookie-based web analytics activities

Version 3.0 (April 2012)

Finding a cross-border compliance solution for cookie-based web analytics activities should be on the agenda of every company doing business online, as well as web analytics software vendors, online content publishers and online advertisers. This paper focuses on EU cookie regulations, US-based Do Not Track initiatives and other worldwide privacy initiatives, in search of a series of steps to aid us in achieving global compliance.
INDEX

1 The technical and business need for cookies ... 5
    A world built on cookies ... 5
    Cookie types and threats ... 6
2 The social dilemma ... 9
3 A short history of worldwide cookie-related privacy protection ... 11
4 The EU regulatory challenge ... 15
    Opt-out vs. Opt-in ... 15
    Yes I do, Don't I? ... 16
    Calling a spade a spade: national implementations ... 17
    Which law applies to you? ... 19
5 Technical and legal solutions for cross-border compliance of web analytics activities ... 21
    A proposed approach to the new legal framework ... 21
    Building a minimum common denominator ... 21
    Technical and practical solutions ... 23
6 ANNEX: Cookie inventory and classification audit form ... 25

A document by Divisadero. All rights reserved.
www.divisadero.eu
Author: Sergio Maldonado
Design by: Alexia Méndez
1. The technical and business need for cookies

A world built on cookies

Cookies are essential to the way the web is used today. They enable retention of information for successful shopping cart sessions, registrations and logins, online banking sessions, electronic government applications… and virtually every online action that goes beyond user-dissociated displays of information.

But cookies are also used for other purposes: by allowing us to tie multiple page visualizations to the same anonymous browser, they enable online audience measurement concepts such as “visit” and “visitor”. By statistically analyzing visits to different website sections, products or services, an online business manager is able to choose the most efficient content, format, structure or delivery options. These efforts fall under the realm of “web analytics”.
Furthermore, by analyzing visits and visitors, an online service provider is able to isolate the most successful sources in the promotion of his or her own offering, evaluate key points of failure in a checkout or registration process and make a match between, for instance, the most common search terms used by consumers and products sold. This also falls under the scope of web analytics activities.

Well beyond the service-enablement and service-optimization fields, cookie-based services have become a key building block in the evolution of Digital Marketing. Thus, for instance, an “ad server” is able to avoid displaying the same “banner ad” to a specific user more than a given number of times (thus preventing saturation), and an internal promotion on the advertiser’s home page may automatically display the design which performs best for a given traffic source out of a group of tested alternatives.

Cookie types and threats

Cookie variations have, since their creation, been extremely complex[1] and we must now also consider their more sophisticated alternatives, which have been created to achieve the same objective.

“Traditional” HTTP[2] cookies (consisting of text files stored in the user’s browser file system) can be classified under two criteria: level of relationship with the end user and depth of storage. Under the former, cookies can be first-party and third-party. Whereas first-party cookies are directly served by the very website the user is visiting (this is mostly true for shopping carts, registration and web analytics), third-party cookies are linked to third-party domain names or external suppliers specialized in campaign management, behavioral targeting and personalization, but also to some web analytics services. While first-party cookies are unanimously supported, some browsers disable third-party cookies by default[3].

When depth of storage is considered, cookies can be retained in a temporary (cache) browser memory, or persistently archived in the user’s file system for a defined period of time (the latter, for instance, prevents the need for repeated user logins every time a browser window is closed or a session timeout is reached).

Cookies can be replaced by alternative systems that will be considered equal under the law in terms of compliance issues (“non-traditional” cookies). These range from Flash™ “Local Shared Objects” (available when the multimedia Flash technology is at play), to the HTML 5[4] “local storage” system, which has far greater possibilities in terms of memory and life span[5].

Extreme usage of cookies has come to be known as “supercookies”[6] or “zombie” cookies. These consist of a combination of regular, Flash™ and HTML5 cookies, as well as database systems that allow website operators to keep track of users even after cookies have been expressly removed from the user’s file system. Although “supercookies” have so far only been found[7] in conjunction with the provision of legitimate services (such as MSN.com, Hulu.com or Spotify), they are clearly in breach of expected standards of transparency, depriving the end user of clear understanding about the nature of information retention by the service provider.

Finally, so-called “spyware” cookies[8] are files akin to regular cookies, which differ in that they do not respect the storage specifications determined by browsers. Whereas “spyware” cookies cannot contain programming or carry viruses (they are still flat text files), they are able to retain browser history without the user knowing about it.

[1] Cookies first appeared in the 1994 release of Netscape browser (Internet Explorer could support cookies in late 1995). Their appearance marked a technical milestone, as it removed the major obstacle preventing the development of electronic commerce applications.
[2] Hyper Text Transfer Protocol, a W3C standard which conforms to the “sustaining communications protocol” of the World Wide Web.
[3] A working group within the Internet Engineering Task Force originally identified third-party cookies as a privacy threat and, in its first specification for their browser implementation (http://tools.ietf.org/html/rfc2109), determined that they would have to be either not allowed or at least not enabled by default. Although the latter scenario is still in place with Safari (Apple) and Opera browsers, the IETF’s latest specification, dating from April 2011 (http://tools.ietf.org/html/rfc6265#page-28), takes a more flexible approach.
[4] HTML stands for Hyper Text Markup Language. The various versions of this content description standard (5 being the latest) have accompanied the evolution of the web since its very inception. It is the base and standard for all resources deployed on the web (and available through a standard browser).
[5] HTML 5 Local Storage can pile up to 5 MB of information, whereas Flash Local Shared Objects are limited to 100 KB and traditional HTTP cookies cannot exceed 4 KB.
[6] See http://ashkansoltani.org/docs/respawn_redux.html
[7] See http://online.wsj.com/article/SB10001424053111903480904576508382675931492.html#ixzz1VN0Zmq4b
[8] http://en.wikipedia.org/wiki/Spyware
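The two classification criteria above (level of relationship with the end user and depth of storage) are exactly what a cookie inventory has to record. The following Python is an added example, not code from the paper or from Divisadero: it classifies constructed Set-Cookie headers on those two axes and tallies them for an audit form. It assumes a crude registrable-domain rule (last two labels) in place of the Public Suffix List, and the hostnames and headers are placeholders.

```python
"""Cookie inventory helper (added example, not code from the Divisadero paper).

Classifies cookies seen in HTTP responses by level of relationship (first-party
vs third-party, comparing the cookie's domain with the visited site's
registrable domain) and depth of storage (session vs persistent, from
Max-Age / Expires). Sample headers and hostnames are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieRecord:
    name: str
    domain: str
    party: str                      # "first-party" | "third-party"
    storage: str                    # "session" | "persistent" | "deleted"
    lifetime_days: Optional[float]  # None for session cookies


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption of this example;
    a real audit should consult the Public Suffix List for suffixes like co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def parse_set_cookie(header: str, response_host: str, site_host: str,
                     now: datetime) -> CookieRecord:
    """Turn one Set-Cookie header into an inventory record."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # Without a Domain attribute the cookie is scoped to the responding host.
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    party = ("first-party"
             if registrable_domain(domain) == registrable_domain(site_host)
             else "third-party")

    # Depth of storage: Max-Age wins over Expires (RFC 6265 section 5.3);
    # neither attribute means the cookie lives only for the browser session.
    lifetime: Optional[float] = None
    if "max-age" in attrs:
        try:
            lifetime = int(attrs["max-age"]) / 86400
        except ValueError:
            lifetime = None
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = (expires - now).total_seconds() / 86400
        except (TypeError, ValueError):
            lifetime = None

    if lifetime is None:
        storage = "session"
    elif lifetime <= 0:
        storage = "deleted"  # the server is expiring an existing cookie
    else:
        storage = "persistent"
    return CookieRecord(name, domain, party, storage, lifetime)


def build_inventory(site_host: str, responses: List[Tuple[str, List[str]]],
                    now: datetime) -> List[CookieRecord]:
    """responses: (responding host, its Set-Cookie headers) per response."""
    return [parse_set_cookie(h, host, site_host, now)
            for host, headers in responses for h in headers]


def summarize(records: List[CookieRecord]) -> Dict[str, int]:
    """Count cookies per party/storage bucket for the audit form."""
    counts: Dict[str, int] = {}
    for rec in records:
        key = f"{rec.party}/{rec.storage}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: a shop page that also loads an external ad tracker.
AUDIT_TIME = datetime(2012, 4, 1, tzinfo=timezone.utc)
SAMPLE_RESPONSES = [
    ("www.shop.example", [
        "cart=abc123; Path=/; Secure; HttpOnly",
        "login=tok; Domain=.shop.example; Max-Age=2592000; Secure; HttpOnly",
        "_wa=v1; Domain=shop.example; Expires=Tue, 01 Apr 2014 00:00:00 GMT",
    ]),
    ("tracker.example-ads.net", [
        "uid=zz9; Domain=.example-ads.net; Expires=Tue, 01 Apr 2014 00:00:00 GMT",
        "old=1; Max-Age=0",
    ]),
]
```

Running `build_inventory("www.shop.example", SAMPLE_RESPONSES, AUDIT_TIME)` yields one first-party session cookie, two first-party persistent cookies (30 and 730 days), one third-party persistent cookie and one third-party cookie being deleted.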
2. The social dilemma

It is only natural that website users rebel against an invasion of privacy that they do not understand nor control. As online content and electronic commerce services have become more sophisticated, users may feel they are irreversibly losing control of their own personal data. Worse, in many cases individuals cannot tell how much behavioral information is being collected about them, and whether this is being tied to personally identifiable information.

Albeit countless business models are built on free services and the exchange of content for a small fraction of personal or even anonymous behavioral data (often collected by third parties in charge of monetizing advertising space), this trade-off is not always stated clearly[9]. Furthermore, as consumers we have become accustomed (perhaps naïvely) to accessing a large collection of resources at no cost. In this regard, some have compared websites to “private gardens” where a visitor must respect their owners’ rules if he is to enjoy the promenade[10].

Of course, if, when entering a new “private garden” (the boundaries between separate gardens not always being so obvious), users were able to clearly understand and accept its privacy rules, they would not feel compromised. They would understand that the information would be used solely in the agreed manner, in both aggregate (anonymous) fashion and where the information identifies the user. This is called “informed consent”.

But informed consent could take many forms: Can a user not simply abandon the website if he or she does not agree with its terms? Must a specific agreement be obtained? Is such agreement the only possible evidence of sufficient prior notice of those terms? Should users bear the burden of informing themselves adequately and adapting their browsers’ preferences prior to adventuring into the unknown? In these questions lie the key differing interpretations of the international legal framework.

[9] The inevitable, competitive nature of business is mainly to blame for this lack of clarity. Where there is a lack of enforcement, companies can find tremendous competitive advantage in avoiding compliance. In an analog scenario, it is well known that stricter safeguards for the acceptance of website terms and conditions (“clickwrap” contracts) result in lower conversion rates (of visitors into customers).
[10] See Baekdal, Thomas: “What is a violation of privacy?” http://www.baekdal.com/opinion/what-is-a-violation-of-privacy/

3. A short history of worldwide cookie-related privacy protection

Privacy concerns are not contained to a particular region. However, those which have traditionally favored a culture of higher citizen tutelage and public intervention have naturally led the current trend in privacy advocacy. Cookie-related concerns have been no exception.

The World Wide Web Consortium (W3C), hosted by the Massachusetts Institute of Technology, was the cradle of the first ever self-regulatory scheme for cookies and privacy: P3P (“Platform for Privacy Preferences”)[11], officially issued as a W3C standard through a 2002 Recommendation. With the initial support of Microsoft, Internet Explorer 6 browser’s P3P compliance had the direct effect of preventing the permanent storage of first-party cookies, as well as blocking third-party cookies unless a P3P-compliant policy (in itself an XML “machine-readable” file) could be found[12]. The standard did not succeed, and even attracted a good share of criticism from all sides[13].

P3P was a neither surprising nor inappropriate Internet-born response to a myriad of regional and national initiatives taking off at the very time, threatening the integrity and global appeal of the web. The main source of this concern was, without any doubt, the European Union’s regulatory framework.

The EU had first come up with its first major data protection initiative in 1995[14]. Then, with the advent of the Internet and electronic commerce, a Recommendation “on certain minimum requirements for collecting personal data on-line” was issued by its Data Protection Working Party (“G29”) in 2001[15]. Among other things, it clarified the manner in which the Data Protection Directive had to be applied to online activities, including data collection through online form fields, and the way compulsory information had to be made available to users. More importantly, it specifically imposed an obligation on businesses to disclose the names of companies serving third-party cookies on their website[16].

Such legislation would later be complemented by what came to be known as the E-Privacy Directive 2002[17], establishing legal and technical requirements on the processing of personal data in electronic environments. During the formation and voting period of the Directive an opt-in regime for cookies was discussed[18], threatening the imposition of a whole new system of information. In the end, it limited itself to requirements for appropriate notification of the usage and purpose of cookies, as well as the consequences of disabling them.

Privacy legislation debate is not restricted to the EU but is found worldwide[19]. In cases as recent as China’s[20], privacy legislation is already addressing Internet-specific concerns. In Australia[21], and other common law countries[22], it has proven hard to abandon a traditional approach to privacy and implement any policies beyond the scope of protecting citizens from government bodies.

The simple consequence of such wide coverage is that most countries will impose certain obligations on businesses that store personal data within cookies. These obligations could take the form of registration with a local agency, prior permission, notification, user access, cancellation by user request, minimum data security or ulterior usage obligations. Of course, the limits of “personal data” or “personally identifiable information” vary across countries (e.g. a simple IP address would be sufficient to qualify in Germany)[23].

What had never been seen, until the E-Privacy Directive arrived, is a piece of legislation that applied to a particular set of data processing practices, independent of whether those practices involved the storage of personal information. In this regard the E-Privacy Directive was alone, until Do Not Track appeared in the United States.

[11] See http://www.w3.org/P3P/
[12] P3P aimed to allow end users to dictate the amount of information that a website could gather about them through cookies without the need for interpretation of complex legal disclaimers. By delegating the negotiation of acceptable terms to machine-readable files, users could always be certain that their own user-defined barriers would not be surpassed.
[13] See http://en.wikipedia.org/wiki/P3P. While other browsers quickly chose to stay clear of P3P, favouring their own alternatives (or simply ensuring that an optional plug-in remained available for users to turn their own systems into P3P-compatible environments), Internet Explorer ended up turning to its own proprietary solutions (this was the case of InPrivate Browsing and InPrivate Blocking in IE8).
[14] On October 24, 1995, the Council and Parliament of the European Union adopted Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This would come to be known as the “data protection directive”.
[15] See http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2001/wp43en.pdf
[16] It also said: “If a cookie is placed by an organization through its own website and only this organization can access the content of the cookie, there is no additional requirement for information identifying the organization responsible for placing the cookie to be given, provided that the organization hosting the website has already been adequately identified.”
[17] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
[18] An initially approved amendment by the European Parliament along these lines was eventually discarded in the EU Council of Ministers, shortly before receiving its final go-ahead.
[19] In particular, civil law countries in South America with legal systems rooted in the same grounds as those shared by most EU members have been quick to follow. This is the case in Argentina, Chile or Uruguay, which in the process have enjoyed being considered countries with “adequate” personal data protection levels by the European Commission (this facilitates the transfer of data to such countries).
[20] The Economist: “The long march to privacy” http://www.economist.com/node/5389362
[21] The Australian National Privacy Principles (set out in Schedule 3 of the Privacy Act 1988) extend data protection obligations to businesses with a turnover of more than A$3 million.
[22] Québec would be the exception in Canada (as it also follows civil law and boasts the most comprehensive personal data protection legislation in the country).
[23] See Peter Scharr’s declarations at the helm of the Data Protection Working Party (January 2008) and the recommendations that followed in each EU Member State.
3. A short history of worldwide cookie-related privacy protection

What had never been seen is a piece of legislation that applies to a particular set of data processing practices, independent of whether those practices involve the storage of personal information.

Run by Stanford University academics in California, the Do Not Track initiative aimed to provide a technical and legal solution which replicated the idea of the “do not call” list, which prevents unsolicited commercial communications over the phone. Once a user has installed a Do Not Track plug-in in his browser, websites that comply with the initiative would be prevented from serving cookies. Of course, the problem with self-regulation is that it requires mass adoption if it is to be effective on a large scale.

Do Not Track received a serious boost in December 2010, when the United States Federal Trade Commission decided to endorse24 the initiative. By April 2011, Internet Explorer 9, Firefox 4 and Apple Safari were already supporting it. At that point Google Chrome was singled out by the FTC as the only browser lagging behind25.

On top of this, the United States may be heading for its own piece of legislation on the subject, with current plans by House Representative Cliff Stearns to introduce legal provisions that would be enforced by the FTC along with Do Not Track (based on the existing Consumer Privacy Protection Act26).

24 See FTC Staff Issues Privacy Report, Offers Framework for Consumers, Businesses, and Policymakers, http://www.ftc.gov/opa/2010/12/privacyreport.shtm
25 See http://www.wired.com/epicenter/2011/04/chrome-do-not-track/. Google has released its own technical solution to ensure the implementation of an opt-out approach: Google Chrome’s Keep My Opt-Outs plug-in blocks targeted ads produced by a group of companies and ad networks that have decided to abide by this scheme.
26 See http://arstechnica.com/tech-policy/news/2011/03/congressman-to-revive-2005-online-privacy-bill-with-new-feedback.ars

4. The EU regulatory challenge

Opt-out vs. Opt-in

Moved by fresh social concerns in light of new technical and business developments (see chapter 1), the EU amended the E-Privacy Directive in 200927 to address the need for permission when cookies are served or read. Specifically, under article 5(3)’s new wording, users must be provided with “clear and comprehensive information” about the storage of information, or access to stored information, on their terminal equipment, and users must provide their specific consent.

An exception to this requirement is provided by the article itself, 5(3)

27 Directive 2009/136/EC of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws. Its full text can be found here: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:En:PDF

as amended: “permission will not be required when cookies are deemed strictly necessary to the operation of the services.” This concept has proved controversial: Does “operation” mean “service-enablement”? Does it rather encompass “service-optimization”? Whereas the former would only include those cookies used in shopping carts or registered sessions, the latter would be wide enough to include web analytics, commonplace maintenance tasks and non-crucial cookie-based features (such as remembering a language selection or geographical location).

As was rightly feared, the interpretation of this exception has differed across countries. While the UK’s Information Commissioner’s Office has expressly discarded the inclusion of web analytics activities28 from the outset, France’s equivalent body29 has done the opposite.

Yes I do, Don’t I?

Much has been written about the extent of the consent required. In light of a recent Opinion issued by the EU Data Protection Working Party30 (“G29”): when dealing with online behavioral advertising (built on third-party cookies), appropriate consent cannot be assumed to have been given where users are operating within browsers which provide options for disabling cookies (where these have not been disabled). Instead, consent would require a specific “positive” action on the part of the individual.

On the other hand, the EU Commission Communications Committee, which was set up to advise Member States on the Directive’s implementation, has suggested that browser settings or other application settings could be sufficient as a form of consent. For this reason, browser manufacturers have now been dragged into discussions with national authorities.

The former line of thought inspired the initial interpretation of the new rules by the UK’s ICO31. According to it, express permission requests would need to be made every time a new cookie is served. To demonstrate how this solution could be deployed successfully, the ICO applied it to its own website. Sharing its impact on the website’s unique visitor count (a 90% drop)32 has had a very discouraging effect on industry professionals, prompting widespread talk of a complete disconnection between the policy and the reality of business.

Unfortunately, express permission at website level can only be obtained through pop-ups or graphical alerts that prevent the user from making progress on whatever tasks he has chosen to complete online. This goes directly against all usability and user-centered design principles33. As there are no half-way solutions and this seems a high price to pay, making a more precise distinction between different levels of intrusiveness prior to seriously hampering the very purpose of an online service would be sensible. Discussion of this distinction will follow.

Calling a spade a spade: national implementations

Of course, speculation on the Directive’s general terms is useless when the 27 EU members were obliged to implement it into specific national law by June 2011. After much foot-dragging, things have started to settle down in the past few months, with the one-year moratorium in its application

28 See http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/new_regulations.aspx
29 The Commission Nationale de l’Informatique et des Libertés (“CNIL”)
30 Opinion 2/2010 on online behavioral advertising (http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp171_en.pdf)
31 Through its guidance paper on the new framework for cookies (see http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/new_regulations.aspx), even providing as examples the use of specific text displayed to users, either in pop-ups, footers or elsewhere.
32 See the ICO’s response to a public request by our Digital Analytics Association colleague Vicky Brock, referenced IRQ0397602 (“I would like to request information regarding to the recorded levels of traffic to the ICO website before and after the cookie opt in message was placed on the ICO website.”), http://www.ico.gov.uk/about_us/how_we_comply/disclosure_log/201106.aspx. A full account can also be found here: http://www.research-live.com/news/analytics/cookie-refusal-leads-to-90-drop-in-measured-visits-to-ico-site/4005538.article.
33 Vid. KRUG, Steve, “Don’t make me think”, Que, 2000.

coming to an end in the United Kingdom and the arrival of national implementations in other countries. In particular, the United Kingdom has been rich in developments, with two of them particularly significant: both ICO’s “Guidelines on the new cookies regulations” and the Government Digital Service’s “Implementer Guide to the Privacy and Electronic Communications Regulations for public sector websites”34 provide useful frameworks. The following important conclusions can be drawn from a review of both documents:

•   A criterion of intrusiveness is gaining ground, allowing websites to classify cookies into separate groups35.
•   Web analytics activities and other first-party cookie uses are not considered a priority in the enforcement of prior permission requirements36.
•   Government websites in the United Kingdom are not expressly requiring permission when analytical cookies are in use.

Spain’s recently enacted law brings another perspective, with an additional element thrown into the mix: according to its newly enacted law37, permission can be validly obtained through browser settings, albeit it must involve a positive action on the part of the user (through an initial wizard during installation or upgrade). This throws some hope into the future, although it is not enough to alleviate today’s needs.

At the more lenient end of the spectrum, we can find other countries that have now implemented legal changes: the Czech Republic, Finland, Hungary, Ireland and Sweden are all either expressing a “soft consent” based on appropriate notices (in many ways akin to an “opt-out”) or allowing acceptance through browser settings without further considerations.

Which law applies to you?

Unlike other EU legislation, which applies the national law of the end user’s physical location, the legal framework of personal data protection is based instead on the national law where the service provider is established or, if located outside of the EEA (EU plus Norway, Liechtenstein and Iceland), on the national law of the nation where the service provider hosts its personal data storage hardware (data processing “equipment”). However, since cookies make use of the end user’s personal computer for storage purposes, the Communications Committee has interpreted them as data storage facilities operated by the service providers. This interpretation would mean that any EU country could see its national law applied to a website run by a U.S., Australian or Indonesian company (unless access is blocked for residents of said country).

Where applicable laws conflict, we assume that enforcement rationale would determine the action taken against any violation of legislation. Albeit any company could potentially be sued by end users in any other country, a website operator is mainly at risk in the countries where it is headquartered or domiciled, due to the difficulty of enforcing compliance and distributing punishments. Of course, for non-EU multinational companies with offices throughout the EU this would mean having to comply with up to 27 different laws.

34 http://alphagov.files.wordpress.com/2012/03/gds-cookies-implementer-guide.pdf
35 The UK Government Digital Service has used a three-level classification: 1) Moderately intrusive: embedded third-party content and social media plugins; advertising campaign optimisation. 2) Minimally intrusive: web analytics/metrics; personalised content/interface. 3) Exempt: stop multiple form submissions; load balancing; transaction specific.
36 The ICO’s “Guidance on the use of cookies and similar technologies” incorporates the following clarification: “The Regulations do not distinguish between cookies used for analytical activities and those used for other purposes. We do not consider analytical cookies fall within the ‘strictly necessary’ exception criteria. This means in theory websites need to tell people about analytical cookies and gain their consent. In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement. This is likely to involve making the argument to show users why these cookies are useful. Although the Information Commissioner cannot completely exclude the possibility of formal action in any area, it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals. Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”
37 By way of a Real Decreto-ley which modifies the Ley de Servicios de la Sociedad de la Información y de Comercio Electrónico 2002, itself a transposition of the Electronic Commerce Directive, with a change in the Ley General de Telecomunicaciones 2003 that implemented the ePrivacy Directive expected shortly.

5. Technical and legal solutions for cross-border compliance of web analytics activities

A proposed approach to the new legal framework

Although the climate remains uncertain, with many national laws pending enactment, and a majority of data protection agencies struggling to cope with the technical implications of the Directive, we will now summarize a website operator’s current options for the definition of a minimum common denominator to safeguard against the different national laws involved.

Building a minimum common denominator

A number of sources set precedent and can act as guidelines for the said minimum standard:

•   Guidelines issued by those countries which have already implemented the EU Directive into national law
•   Recommendations of the EU Communications Committee
•   Opinions of the EU Data Protection Working Party (“G29”)
•   Recitals to the new ePrivacy Directive
•   The United States FTC report on Do Not Track38.

38 See http://ftc.gov/os/2010/12/101201privacyreport.pdf

It is by looking at these that we can reach the following conclusions:

- A classification of cookies based on their level of intrusiveness would assist in communicating with website users, aiding the explanation of the need for permission in certain cases.

- Both the US FTC and local EU data protection agencies will most likely begin taking action against companies that purposefully disregard the new laws. A second priority would be targeting website operators that do not make any attempt to comply (as recognized by the ICO).

- Given the fact that the EU G29's Opinion on Behavioral Advertising has been a key precedent for the new framework, we must pay special attention to the fact that third-party cookie-based affiliate networks and ad networks represent its most important target. As a consequence, any cookie-based activity that stems from the very same website requested by the end user (and not undertaken behind the scenes and involving third parties) should at the very least attract less scrutiny. As this differentiation must also be obvious at the technical level (especially if Do Not Track browser plugins become commonplace), an effort to stick to first-party cookies for web analytics activities would undoubtedly help the website operator's cause. This is further supported by the only recital to the new ePrivacy Directive (recital 66) that expressly goes into detail in the explanation of the intended goal of the new provisions, as only third-party relationships are mentioned39.

- Many web analytics vendors offer their own opt-out plugins and options40. A link to them can easily be given within the website's privacy policy disclaimer or legal notice.

- It is easier to prove positive actions towards compliance than to defend an unchanged policy on the basis that everybody else is failing to act.

Technical and practical solutions

With those conclusions in mind, we propose four steps that would ensure compliance with the minimum common denominator defined above. These steps are consistent with existing national guidelines, while remaining essentially practical and aiming at causing only minimal disruption to the provision of online services:

1. Cookie audit. Run an audit of all persistent cookies being used throughout the company's digital properties, recording basic information about each of them: expiration term (life of the cookie), purpose (e.g. internal analytics), level of intrusiveness and owner. A sample audit form is provided in the Annex to this document, while a variety of free tools remain available for completing it41.

2. Cookie management policy. Establish some basic rules for the regular supervision of the cookies being used, aiming at reducing their number or, where possible, their expiration term.

3. Privacy notice update. Redraft your privacy notice, including separate sections for:
   a) Analytical cookies
   b) Other internal usage cookies
   c) Social plugin cookies
   d) Cookies run and used by third parties
   e) A summary table with the results of your cookie audit.
   All these sections can be grouped under "Cookies" and precede or follow preexisting notices regarding the collection of personal data (with the new section labeled "Privacy and Cookies"). Also, the link to this policy should gain prominence if not obvious at first sight.

4. Opt-out compliance. Make sure that your website can comply with Do Not Track browser plugins and, if possible, include a first-visit-only header notice that lets the user choose whether to exclude your own cookies without the need to resort to browser plugin settings.

NOTE: These recommendations are by no means intended to replace qualified legal advice.

39  "Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible […]"
40  Two alternative examples are provided by the Google Analytics (http://tools.google.com/dlpage/gaoptout) and Adobe Omniture SiteCatalyst (http://www.omniture.cz/en/privacy/2o7#optout) opt-out applications. Whereas the first one consists of a browser plugin, Adobe's system is (paradoxically) based on cookies.
41  E.g. Firecookie.

6. ANNEX: Cookie inventory and classification audit form

COOKIE        DURATION        PURPOSE        INTRUSIVENESS

About Divisadero
Divisadero is a Digital Analytics and Online
Business Advisory Services company. With a
40-strong multidisciplinary team distributed
across Europe and Latin America, Divisadero
works with multiple Fortune 500 companies,
including: Vodafone, Heineken, Mango,
Santander, BBVA, ING Direct, Coca-Cola, AXA,
NH Hotels, Barclays Bank, Yell, Vueling or
Iberdrola.
www.divisadero.eu

About the author
Sergio Maldonado holds an LLM (Merit) in IT and Internet Law from Queen Mary's University (University of London), and a law degree (JD) from the University of the Basque Country (Spain). He also holds various business, computer programming and web analytics certifications. Initially trained as a lawyer in California and admitted to practice in both England & Wales and Spain, Sergio is co-author of "Internet, key business legal issues" (Spanish language, Thomson-Aranzadi, 2002) and author of "Web Analytics, Measure to triumph" (Spanish language, ESIC University Publishing, 2010). He is also a guest professor at ESIC Business School and a regular speaker at international Digital Marketing events (WSAB London, eMetrics San Francisco, eMetrics Washington D.C., WAW Beijing, OMExpo Madrid, ESEADE Buenos Aires, IMC Barcelona). Sergio is the founder of Divisadero/MVConsultoria, which he has run since 2006.