2012-Oct: Effect of EU cookie law on US organisations

Transcript

1. Effect of the EU cookie law on US businesses …and how to avoid a $800K/£500K fine from UK in 2012+ or 5% global revenue fine from EU in 2013+ By Phil Pearce Oct-2012

2. About Me WA last 7 years PPC & SEO background GA top contributor (700+ answers on GA forum) WA exchange mentor (for Computeraid.org) Blackhat Analytics WAW presenter in 2010 Shortlisted for ICO.gov.uk tech ref panel London based at ConversionWorks.co.uk EU DAA privacy sig member Fun Fact: I have an Identical Twin brother Funny Thing: I stick my tongue-out when concentrating LinkedIn: uk.linkedin.com/in/philpearce Twitter: @philpearce

3. 23+ DAA EU sig members

4. Timelines…

5. EU 2002 EU Data protection act 2009 EU e-Privacy Directive 2011 Amendments to e-Privacy Directive Regulations 2012-May: Soft-Enforcement 2012-Nov: Hard-Enforcement (e.g $800K/£500K fine for SMS spam) 2013-Jan: Netherlands opt-in law enforced vs Government institutions 2013-Q1 New EU e-Privacy harmonised version with 2% revenue penalties legislation is defined, and “set in stone”. … 2015-Q1-ish EU Enforcement starts & end of auto-accepted third party cookies. Timelines US 2004 US-EU Safe harbour DoNotTrack legislation California laws

6. So… How did we get in this situation?

7. Simple question … [Olympic analogy] In 2012 London Paralympics 200m – Alan Oliveira beat Oscar Pistorius Did he cheat or were his longer stilts just a technological advantage?

8. Answer … • No, he did not cheat. • He upheld Olympic beliefs & the spirit of the games. • And he was acting within the rules set out by the Olympic committee.

9. Simple question … [Industry analogy] In 2010 Research division of an Advertising agency invented a way to outperform their rivals using means to increase cookies persistence. Were they cheating or were these extended cookies just a technological advantage?

10. • No, they were not cheating. • But… they were acting against the ethics of the internet. • And they was acting against the undefined rules set out by the internet committee. [2 class-action lawsuits later …] • Adobe announcement about rules of flash cookies. • Browsers updated to manage flash cookies in same way as text based cookies. • Various industry warnings and announcements Q: What are the rules of the games for new technologies? Simple question … [Industry analogy]

11. • Ad behavioural targeting (Interest Based Stalking) • Ad remarketing (Return Visitor Stalking) • Flash cookie respawning (Zombie Cookies) • Visited links CSS hack (History Sniffing) • Safari 3rd party POST cookie (Preference bypassing) … More over-egged tracking innovations:

12. …And resulting US class actions!

13. Big brands effected…

14. About that Evil Cookie Thing…

15. Source: Harris-TRUSTe (2/11, n=1,000 US adults) Consumer Sentiment

16. QB1a: Which of the following types of information and data that are related to you – do you consider as personal? http://ec.europa.eu/commfrontoffice/publicopinion/archives/ebs/ebs_359_en.pdf • Medical information (patient record, health information) • Your Fingerprints • Financial information (e. g salary,bank details, credit record) • Your work history • Your driving Licine Number or passport number • Your Name • Your Home Address • Your nationality • Things you do (e.g. hobbies, sports, places you go) • Your tastes and opinions • Photos of you • Who your friends are • Websites you visit • Your mobile phone number EU survey mandate (10K people survey per country)

17. US facebook beacon & Google Buzz force to fund privacy research as result of Class-action research fund! $2m to http://www.circleid.com/posts/a_look_at_the_facebook_privacy_class_action_beacon_settlement/ https://gigaom.com/2011/04/01/proposed-division-of-google-buzz-settlement-money/ EU pre-privacy lobbies even have a TV campaign: http://www.youtube.com/watch?v=5ByVaZ0rg8U Funding for Anti-privacy organisations

18. Number of EU class actions… Because…

19. UK ICO.gov.uk fines • $0.5m/£325K fine for Sussex Hospitals as 10K sensitive patent data on an excel sheet was index in Google search results.http://www.ico.gov.uk/news/latest_news/2012/nhs-trust-fined-325000-following- data-breach-affecting-thousands-of-patients-and-staff-01062012.aspx • $0.4m/£250K fine for Scottish Borders Council as 600+ employee`s sensitive printed pension data left in recycle skip by a contractor.http://www.out-law.com/en/articles/2012/september/scottish-council- fined-250k-following-recycle-bin-data-breach/ • 1st Nov – fines for ICO announced $0.8m/£500K for SMS spam and 16 of 450 bad cookie companies identified via CookieConsent survey on ico`s website. Fines at country level instead…

20. What if Countries themselves are non-compliant with the Cookie Law?

21. …They get fined too!! EU daily penalty for not implementing cookie law – ongoing EU country lawsuit http://europa.eu/rapid/press-release_IP-12-524_en.htm

22. Protect Consumers (act in their best interests) vs Exploit Consumers (financial gain) It`s all about the Balance Cross domain tracking Cross domain behavioural targeting Re-marketing Database appends Social & Demographic Targeting Control Transparency Choice Self regulation Class actions

23. Stronger fines & enforcement, need to keep the equilibrium Absence of Class actions in EU means… Control Transparency Choice Self regulation Class actions Cross domain tracking Cross domain behavioural targeting Re-marketing Database appends Social & Demographic Targeting

24. EU have decided to act first because browser based solution not ready in-time Jan 2013!

25. Hence back in UK (we were 1st country to implement) on May 25th 2012 it became…

26. Non-standard craziness…

27. EU announce new research project on Pop-up / Trustmarks 6month later…

28. Do Not Track (opt-out) • Browser Based • Class-Action regulation • Small FTC fines • Start Date: TBC • Consumers Pro Privacy • Size of Ad and Analytics industry: $xxx (large) • Funding of Privacy lobbyist • News Coverage: Low [tbc] Difference between US vs EU Consent based (opt-in) • Website based: Client Side • No Class actions • Large EU fines in 2013 • Start Date: 25th May 2012 • Consumers Privacy Concerned • Size of Ad and Analytics industry: $xxx (medium) • News Coverage: High [tbc] • Regulation in Verticals: FSA, ofcom, PhonePayPlus Apples vs Oranges

29. Hybrid approach expected says David Smith http://www.youtube.com/watch?v=43ArijaE8LY Hybrid DNT & Opt-in 2015 … maybe

30. • Local Government and Councils • National Heath Service (NHS) • Recruitment Companies • Social networks Note: Finance and Telcom regulated by already Financial Service Agency (FSA) and Ofcom Additionally, Top 100 companies based on Alexa data received reminder letter from ICO. UK “offline” privacy fines are focused on key verticals…

31. ICO use Digital Dialogue 5K survey to discredit EU 10k survey! Results of survey were used by ICO to discredit the 10K Eurobarometer privacy survey, which was too pro-privacy 🙂 https://www.techworld.com/news/security/information-commissioner-criticises-eu-cookie-directive-3381339/

32. ICO use Digital Dialogue 5K survey to discredit EU 10k survey! The methodology of this survey used clustered groups of users – based on their age and attribute towards sharing data (rather than the unclustered Eurobarometer survey).

33. What is “privacy” to you? Pragmatist Value Hunter Enthusiastic sharer Non-sharer Sceptic

34. What is “privacy” to you? Q: What is “privacy”? A: It depends based on your personal viewpoint towards sharing. TrustE CEO http://www.youtube.com/playlist?list=PL45AABD8BB96D3785 Hence need for solutions for clustered groups or Country specific Given this data, personally, I think…. a browser based 4 question manual classification system, combined with an automatic URL privacy learning system, would help separate vulnerable or high risk users from experienced users who can already surf the internet safely.

35. Hence solutions need to be adaptive (not one solution fix all) For example using a JS plugin to detect Geo-IP and/or new visitor then display notice accordingly. JS ClientSide http://www.geoplugin.net/javascript.gp JS ClientSide http://www.google.com/jsapi ServerSide https://dev.maxmind.com/geoip/legacy/mod_geoip2/

36. It`s not just about Cookie Ethical tests…. • Intent • Tracking purpose • Notice • Choice / Consent Self-reg is preferred … but it has been too slow and enforcers feel they need to step-in. Enforced regulation is “the last option” … it`s expensive and could hamper growth. But… The detail still to be “hammer out” in courts and via self regulation.

37. Decision Tree Examples… Tax IR35 example https://www.ir35testing.co.uk/TakeTheTest If yes… level of risk / intrusiveness

38. Interactive Slider – defaulted to tracking ON Also consider BT slider adaptive method (default setting mode can be changed easily) http://creativeaura.github.io/eu-cookie-opt-in/

39. Problems with EU laws … (so far)

40. Mobile issues – Brand image obscured

41. Mobile browser based notification method is fine. Brand logo not obscured

42. User-initiated click opens up a new attack vector Virus

43. The Wrong sort of Notification!

44. W3C I love it, when a Browser-based solutions comes together! W3CEditor`sDraft

45. But…. We need more time! opt-out permission cookies are not standardised: thus difficult to apply browser whitelisted! Lots of unresolved “issues” ?

46. 12th April Expect a confirmation on the Timeline for a Browser Settings solution

47. Microsoft breaks ranks MS IE10 default to DNT on! This was against the wishes of the tracking protection group. Consequently… It triggered a lack of trust from regulators in that a self-reg framework can be achieved, as commercial interest effecting group cohesion. Also, Advertisers say they will ignore DNT signals from IE10, diluting the effectiveness of the browser based mechanism. Source: http://t.co/6z2crUeg

48. Possible SEO confusion… = Canonical or Cookies = Confusion?

49. xxx Appendix1

50. Appendix2: Moving towards an Olympic standard… 1. PRIVACY – I agree to hold consumer data in the highest regard and will do everything in my power to keep personally identifiable consumer data safe, secure and private. 2. TRANSPARENCY – I agree to encourage full disclosure of my clients/employer consumer data collection practices and to encourage communication of how that data will be used in clear and understandable language. 3. CONSUMER CONTROL – I agree to inform and empower consumers to opt out of my clients/employer data collection practices and to document ways to do this. 4. EDUCATION – I agree to educate my clients/employer about the types of data collected, and the potential risks to consumers associated with those data. 5. ACCOUNTABILITY – I agree to act as a steward of customer data and to uphold the consumers’ right to privacy as governed by my clients/employer and applicable laws and regulations.

51. We need Perceived image change… …In order to gain Consumer trust and Yes, please track-me consent.

52. Questions?

53. • Cookie Law Solutions reviewed redictiveintent.com/2012/02/cookie-law-solutions/ • 4 examples of sites already implementing it malcolmcoles.co.uk/blog/eu-cookie-law-examples-of-sites-already-implementing-it/ • 3 mock-up example solutions reviewed econsultancy.com/uk/blog/9202-eu-cookie-law-three-approaches-to-compliance • Browser Base solution http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#js-interface http://www.w3.org/2011/tracking-protection/ • http://demo.xpertdeveloper.com/html5-notification/ Links