tl;dr | Executive summary
- There’s a big difference between ‘What you can do’ and ‘What you’re allowed to do’.
- Cookies might enable you to track customer behaviour, but that doesn’t allow you to ignore the Privacy rights of your website visitor.
- For websites that sell to EU citizens, Permission is essential before setting permanent cookies with unique IDs.
- ‘Privacy by Design’ is the sensible way to avoid fines that will destroy profits.
When I mentioned to Chiara Rustici that I was working on Privacy by Design issues, she replied “details please”. Here we go …
How website software works
Recently, I’ve been delving deep into Sitecore, a software product for building websites. The vendor has become a global leader because its product allows Marketers to create websites that deliver content specific to the visitors’ interests – dynamically.
Here’s how it works, in simple terms.
Instead of designing a webpage to contain a specific picture or chunk of text, you design a Sitecore webpage to contain a placeholder. And that placeholder is then dynamically loaded with information relevant to each individual visitor, based on context rules.
So, for example, you can use a Session cookie (a temporary cookie that is deleted at the end of each visit to a website) to identify where your website visitor is from. And then you create a Rule that says: ‘IF country is Germany or Austria, THEN show all texts in German’. And if you want, you can use finer levels of geo-positioning to distinguish whether to show, say, a Swiss visitor a text in German, French or Italian. A default Rule would then show (say) English language texts to visitors from all other countries.
The technical information provided by Session cookies is useful for generic customisations. By identifying the screen size / ratio, designers can adapt the layout of the content (desktop / tablet / mobile device). Thus far, the level of customisation amounts to common courtesy in the internet world.
But Sitecore goes one better than that: it can also set a permanent cookie. This cookie collects information about each visit to the website and sends the data back to a database.
The permanent cookie has a unique ID. And this means that a series of visits can be linked together to form a history of the cookie. The database will record which webpages the visitor looked at briefly, which pages they spent time reading in detail, what they downloaded, when, and so on. With every subsequent visit, the record in the database becomes richer and more detailed.
For the Marketer, this is a great way to understand visitor interests. Over time, the individual history will begin to match up with a specific Persona – one of several fictitious or idealised ‘customer profiles’ that the Marketing team uses to decide what information to offer which type of visitor.
So for example, in the travel industry, it makes sense to create distinct Personas for adventure-seeking singles, families with children, retired couples, and so on, because they each have very different interests, budgets and buying behaviour.
Dynamic content for websites means that the Marketer can deliver each website visitor more of what they like and less of what is irrelevant, which (hopefully) increases the chances that they will become a customer.
Let’s suppose the unknown website visitor does decide to buy. They fill in the online form, provide payment details, etc. – and the Permanent Cookie is now identified as belonging to a real person.
Bingo. All that patient content customisation has enabled the Marketer to win a new customer. Additional techniques, like statistical analysis across all customer purchases, will suggest other items that we may sensibly offer to sell-up, or to win repeat business.
If the same person uses different devices to do business with you – say, a PC at work and a Tablet at home – then each device will have its own Permanent cookie. But – and here’s the clever bit – the software can identify when two Permanent Cookies refer to the same person. It can create a more detailed, joined-up picture of the customer to provide an even better match between interests and content.
What do Marketers want to do with technology like this?
It’s simple: Marketers want to understand customer desires and meet them profitably. Sitecore software is popular precisely because it does just that.
So what’s wrong with this picture? Nothing at all – if your company is based in (say) America and selling to US citizens only.
But if your company sells to EU citizens, the processes described above completely ignore existing and upcoming EU privacy law. Using this sort of cookie functionality ‘out-of-the-box’ and without professional guidance is about as safe as tap-dancing in a minefield.
Misunderstandings frequently arise because of differences in definitions. When American marketers say that a cookie collects ‘anonymous’ data, they often mean that the real-world identity of the website visitor is initially unknown.
Under EU definitions, a permanent cookie with a unique ID is not collecting anonymous data, but ‘pseudonymised personal data’. This intention is clearly stated in the software vendor’s own documentation and marketing material: the idea is to collect as much information about an individual’s online click behaviour as possible, with the objective of joining it together with genuine PII, and across multiple devices, later on.
The fact that the permanent cookie accumulates data over a series of sessions is another indication that the data is pseudonymised and not anonymous. If the data collection were genuinely anonymous, there would be no way to connect individual sessions over time. It is the unique ID that enables the cumulative view of visitor behaviour, across a series of separate visits.
The definitions of Personally Identifiable Information (PII) differ between countries, too. In the USA, there is no nationwide legal standard: privacy laws vary by State and by industry. The US laws that come closest to EU standards are the HIPAA regulations for health care data.
In the EU, however, storage and use of pseudonymised data must meet the same strict standards as Personally Identifiable Information (PII).
What you’re allowed to do
The General Data Protection Regulation (GDPR) represents the new reality. For all organisations selling into the EU – no matter where they are incorporated – failure to comply will destroy most Marketers’ dreams of profitability.
From May 2018, fines for non-compliance with GDPR will be up to €20 million or 4% of global turnover. Four percent of turnover may represent the entire annual marketing budget for a mid-sized firm. It might even represent two to three years’ marketing budget for B2B branches like durable goods or investment machinery.
As such, it makes sense to adopt a Damage Avoidance strategy and pay more attention to Privacy Compliance up front.
Privacy by Design
So is it possible to build websites that deliver relevant information dynamically and still comply with EU law? If so, how?
The short answer is ‘yes’. The key ‘how-to’ is to understand EU Privacy laws and implement their principles while designing online processes, rather than bolting them on afterwards.
One-to-one communication is a desirable goal for Marketers. The promise of increased relevance is also in the interests of the Customer. It’s technically achievable. But, as I’ve written elsewhere, the safest working approach for international Marketers is to handle all EU customer data – explicit, implicit, behavioural, whatever – as if it were PII.
If PII about EU citizens is stored and analysed, EU law requires unambiguous, voluntary permission in advance of data storage and processing. The webmaster should also document both the permission and the process carefully.
IMO, this shifts the focus for website design. Getting an opt-in for a permanent cookie with a unique ID is no longer a side-issue. Since it forms the foundation of customised content delivery, the process for acquiring new Customers and legal compliance, it needs to be treated as Online Marketing Priority 1.
I’ll go even further and suggest that, since the issue of cookies and collecting click behaviour is so sensitive, the strictest legal requirements are simply the minimum threshold. In terms of effective customer communications and public relations, there may be a very good business case for going the extra mile.
Regardless of what national law allows, telling your website visitors to opt out of cookies via the browser is a crude choice. So is the default text ‘by using this site, you agree to our placing cookies’. Especially when there is no way to express disagreement. People – from new website visitors to long-term customers (the most profitable ones) – deserve better than that.
Session cookies (the ones that are deleted at the end of each website visit) are ideal for placing customised content about Cookie choices. The information and options can be varied by language and jurisdiction, to ensure maximum relevance for each visitor.
Cookie Guideline for Marketers
Whether or not the permanent cookie collects data that permits identification of the individual is academic hair-splitting: the intention is to join that data onto the PII of a known, real-world person in the future. And by joining the online behaviour collected via the cookie to the explicit data of the PII, the individual profile is enriched. As a result, all the joined-up information must be handled as PII.
To comply with EU law, the Marketer must get voluntary and unambiguous permission to save and store pseudonymised data before even placing the permanent cookie with a unique ID on the website visitor’s device.
The webmaster’s obligations to the Data Subject include:
- informing the data subject of their rights in advance of collection and storage (what data is collected, how it is used, etc.)
- providing the option to refuse the permanent cookie (this is complex – allowable methods vary by country across Europe)
- getting permission to store and use the personal data by a positive action (an opt-out mechanism is insufficient)
- documenting the permission and being able to produce it on demand
- documenting the company processes for collection and storage of PII.
Written by a marketer for Marketers / For legal advice, contact your legal team.