2012-Oct: Effect of EU cookie law on US organisations


Page 1: 2012-Oct: Effect of EU cookie law on US organisations

Effect of the EU cookie law on US businesses

…and how to avoid a $800K/£500K fine from UK in 2012+ or 5% global revenue fine from EU in 2013+

By Phil Pearce

Oct-2012

Page 2

About Me

• Web analytics (WA) for the last 7 years; PPC & SEO background
• GA top contributor (700+ answers on the GA forum)
• WA exchange mentor (for Computeraid.org)
• "Blackhat Analytics" WAW presenter in 2010
• Shortlisted for the ICO.gov.uk tech reference panel
• London based, at ConversionWorks.co.uk
• EU DAA privacy SIG member
• Fun fact: I have an identical twin brother
• Funny thing: I stick my tongue out when concentrating
• LinkedIn: uk.linkedin.com/in/philpearce
• Twitter: @philpearce

Page 3

23+ DAA EU SIG members

Page 4

Timelines…

Page 5

Timelines

EU
• 2002: EU e-Privacy Directive (2002/58/EC)
• 2009: Amendments to the e-Privacy Directive (2009/136/EC), which introduced the consent requirement for cookies
• 2011: UK Privacy and Electronic Communications (Amendment) Regulations transpose the amendments
• 2012-May: Soft enforcement
• 2012-Nov: Hard enforcement (e.g. up to $800K/£500K fines, as for SMS spam)
• 2013-Jan: Netherlands opt-in law enforced against government institutions
• 2013-Q1: New harmonised EU privacy legislation, with penalties of up to 2% of revenue, is defined and "set in stone"
• …2015-Q1-ish: EU enforcement starts, and the end of auto-accepted third-party cookies

US
• 2000: US-EU Safe Harbor
• Do Not Track legislation
• California laws

Page 6

So… How did we get in this situation?

Page 7

Simple question … [Olympic analogy]

In the 2012 London Paralympics 200m, Alan Oliveira beat Oscar Pistorius.

Did he cheat, or were his longer blades just a technological advantage?

Page 8

Answer …

• No, he did not cheat.

• He upheld Olympic beliefs & the spirit of the games.

• And he was acting within the rules set out by the Olympic committee.

Page 9

Simple question … [Industry analogy]

In 2010 the research division of an advertising agency invented a way to outperform its rivals using means to increase cookie persistence.

Were they cheating, or were these extended cookies just a technological advantage?

Page 10

Simple question … [Industry analogy]

• No, they were not cheating.

• But... they were acting against the ethics of the internet.

• And they were acting against the undefined rules set out by the internet committee.

[2 class-action lawsuits later …]

• Adobe announcement about the rules for Flash cookies.

• Browsers updated to manage Flash cookies in the same way as text-based cookies.

• Various industry warnings and announcements.

Q: What are the rules of the game for new technologies?

Page 11

… More over-egged tracking innovations:

• Ad behavioural targeting (interest-based stalking)

• Ad remarketing (return-visitor stalking)

• Flash cookie respawning (zombie cookies)

• Visited-links CSS hack (history sniffing)

• Safari third-party POST cookie (preference bypassing)

Page 12

…And resulting US class actions!

Page 13

Big brands affected…

Page 14

About that Evil Cookie Thing…

Page 16

EU survey mandate (10K-person survey per country)

QB1a: Which of the following types of information and data that are related to you do you consider as personal?
http://ec.europa.eu/public_opinion/archives/ebs/ebs_359_en.pdf

• Medical information (patient record, health information)
• Your fingerprints
• Financial information (e.g. salary, bank details, credit record)
• Your work history
• Your driving licence number or passport number
• Your name
• Your home address
• Your nationality
• Things you do (e.g. hobbies, sports, places you go)
• Your tastes and opinions
• Photos of you
• Who your friends are
• Websites you visit
• Your mobile phone number

Page 17

Funding for privacy organisations

US: Facebook Beacon and Google Buzz were forced to fund privacy research as a result of class-action settlements (a $2m research fund):
http://www.circleid.com/posts/a_look_at_the_facebook_privacy_class_action_beacon_settlement/
http://www.paidcontent.org/table/proposed-division-of-google-buzz-settlement-money/

EU pro-privacy lobbies even have a TV campaign:
http://www.youtube.com/watch?v=5ByVaZ0rg8U
http://ec.europa.eu/avservices/video/videoplayer.cfm?ref=I072122

Page 18

Number of EU class actions…

Because…

Page 19

UK ICO.gov.uk fines

• $0.5m/£325K fine for Brighton and Sussex University Hospitals NHS Trust after hard drives holding sensitive data on thousands of patients and staff, which a contractor had been engaged to destroy, were sold on an online auction site.
http://www.ico.gov.uk/news/latest_news/2012/nhs-trust-fined-325000-following-data-breach-affecting-thousands-of-patients-and-staff-01062012.aspx

• $0.4m/£250K fine for Scottish Borders Council after 600+ former employees' sensitive printed pension records were left in a recycling bank by a contractor.
http://www.out-law.com/en/articles/2012/september/scottish-council-fined-250k-following-recycle-bin-data-breach/

• 1st Nov: ICO fines of up to $0.8m/£500K announced for SMS spam, and 16 of 450 non-compliant cookie companies identified via the CookieConsent survey on the ICO's website.

Fines at country level instead…

Page 20

What if countries themselves are non-compliant with the cookie law?

Page 21

…They get fined too!!

EU daily penalty for not implementing cookie law - ongoing EU country lawsuit

http://europa.eu/rapid/pressReleasesAction.do?reference=IP/12/524

Page 22

It's all about the balance

Protect consumers (act in their best interests) vs exploit consumers (financial gain)

On the "exploit" side:
• Cross-domain tracking
• Cross-domain behavioural targeting
• Re-marketing
• Database appends
• Social & demographic targeting

On the "protect" side:
• Control
• Transparency
• Choice
• Self-regulation
• Class actions

Page 23

The absence of class actions in the EU means… stronger fines & enforcement are needed to keep the equilibrium.

On the "protect" side:
• Control
• Transparency
• Choice
• Self-regulation
• Class actions

On the "exploit" side:
• Cross-domain tracking
• Cross-domain behavioural targeting
• Re-marketing
• Database appends
• Social & demographic targeting

Page 24

The EU has decided to act first because the browser-based solution was not ready in time.

Jan 2013!

Page 25

Hence back in the UK (the first country to implement it), on May 25th 2012 it became…

Page 26

Page 27

Non-standard craziness…

Page 28

EU announce new research project on pop-ups / trustmarks

6 months later…

Page 29

Difference between US vs EU (apples vs oranges)

US: Do Not Track (opt-out)
• Browser based
• Class-action regulation
• Small FTC fines
• Start date: TBC
• Consumers: pro-privacy
• Size of ad and analytics industry: $xxx (large)
• Funding of privacy lobbyists
• News coverage: low [tbc]

EU: Consent based (opt-in)
• Website based: client side
• No class actions
• Large EU fines in 2013
• Start date: 25th May 2012
• Consumers: privacy concerned
• Size of ad and analytics industry: $xxx (medium)
• News coverage: high [tbc]
• Regulation in verticals: FSA, Ofcom, PhonePayPlus

Page 30

Hybrid approach expected says David Smith

http://www.youtube.com/watch?v=43ArijaE8LY

Hybrid DNT & Opt-in 2015 … maybe

Page 31

UK "offline" privacy fines are focused on key verticals…

• Local government and councils

• National Health Service (NHS)

• Recruitment companies

• Social networks

Note: finance and telecoms are already regulated by the Financial Services Authority (FSA) and Ofcom.

Additionally, the top 100 UK companies (based on Alexa data) received a reminder letter from the ICO.

Page 32

ICO use Digital Dialogue 5K survey to discredit EU 10K survey!

The results of this survey were used by the ICO to discredit the 10K Eurobarometer privacy survey, which was too pro-privacy :)
http://news.techworld.com/security/3381339/information-commissioner-criticises-eu-cookie-directive/

Page 33

ICO use Digital Dialogue 5K survey to discredit EU 10K survey! (continued)

The methodology of this survey clustered users into groups based on their age and attitude towards sharing data (unlike the unclustered Eurobarometer survey).

Page 34

What is "privacy" to you?

Clustered user groups: Pragmatist, Value Hunter, Enthusiastic Sharer, Non-sharer, Sceptic

Page 35

What is "privacy" to you?

Q: What is "privacy"?
A: It depends on your personal viewpoint towards sharing. (TRUSTe CEO: http://www.youtube.com/playlist?list=PL45AABD8BB96D3785)

Hence the need for solutions aimed at clustered groups, or country-specific solutions.

Given this data, personally, I think… a browser-based 4-question manual classification system, combined with an automatic URL privacy learning system, would help separate vulnerable or high-risk users from experienced users who can already surf the internet safely.

Page 36

Hence solutions need to be adaptive (not one solution fits all).

For example, use a JS plugin to detect the visitor's geo-IP location and/or whether they are a new visitor, then display the notice accordingly.

JS client side:
• http://www.geoplugin.net/javascript.gp
• http://www.civicuk.com/cookie-law/configuration
• http://www.google.com/jsapi

Server side:
• http://www.maxmind.com/app/mod_geoip
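The adaptive notice described on this slide, as an added example that is not from the deck or from any of the plugins it links to. It combines the three inputs the deck discusses: the visitor's country (from whichever geo-IP lookup is in use; here it is passed in as a two-letter code), the browser's Do Not Track signal from the US-style opt-out model (page 29), and a first-party consent cookie, and it loads tracking tags only once the decision is "allow". The cookie name `cookie_consent`, the `data-country` attribute, the opt-in country list and the cookie attributes are assumptions for the example; the deck notes that no standard name for the consent cookie exists.

```javascript
'use strict';

// Name of the first-party cookie that records the visitor's answer.
// Assumption for this example: there is no standard name for it.
const CONSENT_COOKIE = 'cookie_consent';

// Countries treated as opt-in territory. Illustrative EU/EEA list; a real
// deployment should keep this current rather than hard-code it.
const OPT_IN_COUNTRIES = new Set([
  'AT', 'BE', 'BG', 'CY', 'CZ', 'DE', 'DK', 'EE', 'ES', 'FI', 'FR', 'GB',
  'GR', 'HU', 'IE', 'IS', 'IT', 'LI', 'LT', 'LU', 'LV', 'MT', 'NL', 'NO',
  'PL', 'PT', 'RO', 'SE', 'SI', 'SK'
]);

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
// Malformed pairs are skipped; values are URL-decoded, falling back to the
// raw value so that one bad cookie cannot throw and break the gate.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq <= 0) continue;                      // no name, or no "=" at all
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// Read the Do Not Track signal. Browsers of the era exposed it under different
// names (navigator.doNotTrack, navigator.msDoNotTrack in IE9/10,
// window.doNotTrack) and values ('1', or 'yes' in early Firefox builds).
function dntEnabled(nav, win) {
  const candidates = [
    nav && nav.doNotTrack, nav && nav.msDoNotTrack, win && win.doNotTrack
  ];
  return candidates.some((v) => v === '1' || v === 'yes');
}

// Decide what to do for this page view.
//   country   : ISO 3166-1 alpha-2 code from a geo-IP lookup, or null if unknown
//   dnt       : boolean from dntEnabled()
//   cookies   : object from parseCookies()
//   defaultOn : policy for opt-out territories (the "slider defaulted to ON" model)
// Returns { mode: 'allow' | 'deny' | 'ask', reason }.
function consentDecision({ country, dnt, cookies = {}, defaultOn = true }) {
  const stored = cookies[CONSENT_COOKIE];
  if (stored === 'yes') return { mode: 'allow', reason: 'explicit consent' };
  if (stored === 'no') return { mode: 'deny', reason: 'explicit refusal' };
  // An explicit browser signal is honoured before any territorial default.
  if (dnt) return { mode: 'deny', reason: 'DNT signal' };
  // Unknown location: fail closed and ask, rather than assume opt-out territory.
  if (!country || OPT_IN_COUNTRIES.has(country.toUpperCase())) {
    return { mode: 'ask', reason: 'opt-in territory, no consent recorded' };
  }
  return defaultOn
    ? { mode: 'allow', reason: 'opt-out territory, default on' }
    : { mode: 'ask', reason: 'opt-out territory, default off' };
}

// Build the document.cookie value that records the answer. Secure and
// SameSite=Lax (attributes newer than the 2012 deck) stop the consent record
// travelling over plaintext or being set from a cross-site context.
function buildConsentCookie(answer, days = 365) {
  if (answer !== 'yes' && answer !== 'no') throw new Error('answer must be yes/no');
  const maxAge = Math.floor(days * 24 * 60 * 60);
  return `${CONSENT_COOKIE}=${answer}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Apply a decision: only 'allow' loads the tracking tags; 'ask' shows the
// notice and loads nothing until the visitor answers; 'deny' loads nothing.
function applyDecision(decision, hooks) {
  if (decision.mode === 'allow') { hooks.loadTags(); return 'tags-loaded'; }
  if (decision.mode === 'ask') { hooks.showNotice(); return 'notice-shown'; }
  return 'blocked';
}

// Browser bootstrap (skipped under Node). The country is assumed to have been
// written into a data-country attribute on <html> by a server-side geo lookup.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const decision = consentDecision({
    country: document.documentElement.getAttribute('data-country'),
    dnt: dntEnabled(navigator, window),
    cookies: parseCookies(document.cookie)
  });
  applyDecision(decision, {
    loadTags: () => { /* inject the analytics/advertising script tags here */ },
    showNotice: () => { /* render the notice; on "yes": document.cookie = buildConsentCookie('yes') */ }
  });
}

if (typeof module !== 'undefined') {
  module.exports = { CONSENT_COOKIE, parseCookies, dntEnabled, consentDecision, buildConsentCookie, applyDecision };
}
```

Two design points worth noting. An unknown country is treated as opt-in territory: a failed or spoofed geo lookup then costs a notice rather than untracked consent. And the DNT signal is honoured even where the deck records advertisers saying they would ignore it from IE10; a site that claims to respect DNT and then loads tags anyway is exactly the kind of gap a regulator's cookie survey will catch.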

Page 37

It's not just about cookies

Ethical tests…

• Intent
• Tracking purpose
• Notice
• Choice / consent

Self-regulation is preferred … but it has been too slow, and enforcers feel they need to step in.

Enforced regulation is "the last option" … it's expensive and could hamper growth.

But… the detail is still to be "hammered out" in courts and via self-regulation.

Page 38

Decision tree examples…

Tax IR35 example: http://www.contractorcalculator.co.uk/IR35_Test_Start.aspx

If yes… level of risk / intrusiveness

Page 39

Interactive slider, defaulted to tracking ON

Also consider the BT slider adaptive method (the default setting mode can be changed easily):
http://creativeaura.github.com/eu-cookie-opt-in/

Page 40

Problems with EU laws … (so far)

Page 41

Mobile issues – brand image obscured by the notice

Page 42

Mobile browser based notification method is fine.

Brand logo not obscured

Page 43

User-initiated click opens up a new attack vector: training visitors to click "accept" on overlays makes a fake cookie notice a convincing lure for malware (virus).

Page 44

The Wrong sort of Notification!

Page 46

But…. we need more time!

Opt-out permission cookies are not standardised, so it is difficult to apply a browser whitelist.

Lots of unresolved "issues"

?

Page 47

12th April: expect a confirmation of the timeline for a browser-settings solution

Page 48

Microsoft breaks ranks

MS IE10 defaults DNT to on!

This was against the wishes of the (W3C) Tracking Protection Working Group.

Consequently...

It triggered a lack of trust from regulators that a self-regulation framework can be achieved, as commercial interests affect group cohesion.

Also, advertisers say they will ignore DNT signals from IE10, diluting the effectiveness of the browser-based mechanism.

Source: http://t.co/6z2crUeg

Page 49

Possible SEO confusion…

= Canonical or Cookies = Confusion?

Page 50

Appendix 1

Page 51

Appendix 2: Moving towards an Olympic standard…

1. PRIVACY – I agree to hold consumer data in the highest regard and will do everything in my power to keep personally identifiable consumer data safe, secure and private.

2. TRANSPARENCY – I agree to encourage full disclosure of my clients'/employer's consumer data collection practices and to encourage communication of how that data will be used in clear and understandable language.

3. CONSUMER CONTROL – I agree to inform and empower consumers to opt out of my clients'/employer's data collection practices and to document ways to do this.

4. EDUCATION – I agree to educate my clients/employer about the types of data collected, and the potential risks to consumers associated with those data.

5. ACCOUNTABILITY – I agree to act as a steward of customer data and to uphold the consumers' right to privacy as governed by my clients/employer and applicable laws and regulations.

Page 52

We need Perceived image change…

…In order to gain Consumer trust and Yes, please track-me consent.

Page 53

Questions?

Page 54

Links

• Cookie Law solutions reviewed: redictiveintent.com/2012/02/cookie-law-solutions/

• 4 examples of sites already implementing it: malcolmcoles.co.uk/blog/eu-cookie-law-examples-of-sites-already-implementing-it/

• 3 mock-up example solutions reviewed: econsultancy.com/uk/blog/9202-eu-cookie-law-three-approaches-to-compliance

• Browser-based solution:
http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#js-interface
http://www.w3.org/2011/tracking-protection/

• Notification demos:
http://demo.xpertdeveloper.com/html5-notification/
http://samples.superexpert.com/JavaScriptReference/