
Eprivacy issues and standards -- where do we stand?


Description of several projects attempting to address eprivacy issues


Eprivacy Issues and Their Potential Effect on Online Data Collection

Anna Long, Founder and Principal Analyst

Web Analytica℠


Agenda

• ePrivacy – What’s the Problem?

• Three Attempts to Address ePrivacy Issues
  – EU ePrivacy Directive
  – W3C Tracking Protection Working Group
  – W3C Customer Experience Digital Data Community Group


Online Privacy – What’s the Problem?

The landscape:

• The Wall Street Journal, The New York Times, Time Magazine, and other news organizations have written articles raising concerns about abuse of privacy online.

• The Privacy Rights Clearinghouse, Consumer Watchdog, Consumer Action, and the Center for Digital Democracy have voiced concerns about online privacy.

• Politicians and regulators in the US and other regions have conducted studies, held hearings, and introduced legislation attempting to address online privacy violations.


Technology’s Impact on Privacy

Concerns about technology’s impact on privacy pre-date the commercialization of the World Wide Web.

March 18, 1992


Technology’s Impact on Privacy

“A new protocol being developed by the Internet Engineering Task Force (IETF) has raised privacy concerns. Internet Protocol Version 6 (IPv6) is the "next generation" protocol designed by the IETF to replace the current version Internet Protocol (IPv4)...

“The new addressing structure, however, may mean that every packet can be traced back to each user's unique network interface card ID… That information... forms the basis of the privacy concerns raised by some observers of the IETF process.”

Concerns about the Internet’s effect on privacy go back to the last century.

October 12, 1999


Online Privacy – Is This The Problem?


What’s to Be Done about ePrivacy Issues?

Three major initiatives are underway:

• European Union’s ePrivacy Directive: applies regulation to cookie storage

• World Wide Web Consortium (W3C) Tracking Protection Working Group: developing standards to put tracking control in the hands of individual website users

• W3C Customer Experience Digital Data Community Group: creating standards that put control in the hands of website owners


European Union ePrivacy Directive

The European Commission has had an online privacy directive (Directive 2002/058 on Privacy and Electronic Communications) in place for over a decade.

• 2002 version required website owners to inform visitors about cookie placement and offer a method of refusing cookies (opt-out)

• 2009 version requires website owners to gain permission from visitors before storing any cookies not essential to basic site operation (opt-in)

The opt-in requirement of the 2009 revision caused an uproar in the European online community. Many feared it would severely disrupt visitors’ website experiences and put European online commerce at a severe competitive disadvantage.


"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing...."

From 2009 Revision of Article 5(3) of Directive 2002/58/EC, emphasis added

EU ePrivacy Directive: 2009 Revision


European Union Legislative Activity: The “Cookie” Laws

European Commission directed all EU members to incorporate the amended ePrivacy Directive into their national laws by 25 May 2011.

• Many members did not meet that deadline and still have not put regulation in place.

• UK enacted regulations requiring opt-in checks as of 26 May 2011 and immediately postponed enforcement for a year.

• When the UK regulation took effect, the UK Information Commissioner’s Office (ICO) urged quick action, but the law was quickly derided as anti-competitive, confusing, and harmful. Eventually, even the ICO took down its cookie opt-in pop-up.


BBC Food: An Example of a Cookie Opt-In (Almost)


David Naylor: An Example of a Cookie Opt-In (Parody)


From http://blog.silktide.com/2013/01/the-stupid-cookie-law-is-dead-at-last/#more-2942

How the UK Cookie Law has Played Out – One View

From http://blog.silktide.com/2013/01/the-stupid-cookie-law-is-dead-at-last/#more-2942

What the UK Cookie Law Has Achieved – One Opinion


W3C Tracking Protection Working Group: Background

In Spring 2011, the World Wide Web Consortium (W3C) created its Tracking Protection Working Group to deliver standards for communicating and conforming to website visitors’ privacy preferences.

From the beginning, this was a high-profile group with members from technical fields, governments, and industry associations, but dominated by privacy advocates and advertising industry groups.


W3C Tracking Protection Working Group: The Twists and Turns

Between September 2011 and April 2014, the group’s work has included:

• Multiple drafts of two specifications
  – Tracking preference expression (the Do Not Track (DNT) flag)
  – Website compliance

• 9 face-to-face meetings in Europe and US
• 111 teleconferences
• 242 issues raised
• 447 actions assigned
• 5 co-chairs
• 2 charter extensions


W3C Tracking Protection Working Group: Where Does The Project Stand?

The latest:

• Summer 2013 – Digital Advertising Alliance stand-off forced co-chairs to choose sides. Result: several resignations and group went on hiatus.

• W3C surveyed the remaining working group members to determine how to proceed. Chose to proceed, but losing members and shrinking scope.

• One spec (tracking preference expression) approaching release for public comment

• Meanwhile, all major browsers as well as some software operating systems and utilities are offering the DNT flag as an option or a default. Most websites are ignoring the flag.


W3C Customer Experience Digital Data Community Group

Background

This W3C Project was formed by the merger of two standardization initiatives, one led by Google and Qubit, the other by IBM

It is being driven primarily by technologists and analysts

The Group’s mission is to identify a standard framework for analytics data, both for efficiency and to enhance analytics capabilities

Because much of this data is of a sensitive or private nature, privacy must be addressed along with other standardization issues


W3C Customer Experience Digital Data Community Group: Standard Analytics Data Object (Current as of Spec. 1)

digitalData
  .PageIdentifier
  .Page
  .Product
  .Transaction
  .Event
  .Component
  .Cart
  .User
  .Version

.ShippingAddress
  SAddrLine1
  SAddrLine2
  City
  State/Province
  Postal Code
  Country

.ShippingAddress.Security
  SAddrLine1: Private
  SAddrLine2: Private
  City: Analytics, Advertising
  State/Province: Analytics, Advertising
  Postal Code: Analytics, Advertising
  Country: Analytics, Advertising


W3C Customer Experience Digital Data Community Group

Permissions Mapping

Example of a mapping table:

• www.calc.com – analytics
• www.adsRus.com – advertising
• www.audit.com – financial
• www.oursite.com – personalization


W3C Customer Experience Digital Data Community Group: Architecture (Current Vision)

Access Control Layer

Access Permissions Table:

• www.calc.com – analytics
• www.adsRus.com – advertising
• www.audit.com – financial

digitalData
  .PageIdentifier
  .Page
  .Product
  .Transaction
  .Event
  .Component
  .Cart
  .User
  .Version

Diagram labels: www.calc.com, www.BigAds.com, "Data Request"
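A sketch of how the access control layer on the preceding slides could filter the ShippingAddress object for each requesting domain, as an added example that is not from the presentation or the W3C specification. The function name `readForDomain`, the sample address values and the array form of the security labels are assumptions.

```javascript
// Added illustration: names marked "assumed" do not come from the slides.
// Constructed sample record using the slide's field names and labels.
const digitalData = {
  ShippingAddress: {
    SAddrLine1: "1 Example Street",
    SAddrLine2: "Suite 2",
    City: "Exampleville",
    "State/Province": "NC",
    "Postal Code": "00000",
    Country: "US",
    Security: {
      SAddrLine1: ["Private"],
      SAddrLine2: ["Private"],
      City: ["Analytics", "Advertising"],
      "State/Province": ["Analytics", "Advertising"],
      "Postal Code": ["Analytics", "Advertising"],
      Country: ["Analytics", "Advertising"],
    },
  },
};

// Mapping table from the slides: requesting domain -> access category.
const accessPermissions = new Map([
  ["www.calc.com", "analytics"],
  ["www.adsRus.com", "advertising"],
  ["www.audit.com", "financial"],
  ["www.oursite.com", "personalization"],
]);

// Access control layer (assumed function name). Default deny: an unlisted
// domain, an unknown object, or a field with no label yields nothing.
function readForDomain(objectName, requesterDomain) {
  const visible = {};
  const category = accessPermissions.get(requesterDomain);
  const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  if (!category || !has(digitalData, objectName)) return visible;
  const obj = digitalData[objectName];
  for (const [field, labels] of Object.entries(obj.Security || {})) {
    // Labels are capitalised on the object but lower-case in the table.
    const allowed = labels.some((l) => l.toLowerCase() === category);
    if (allowed && field !== "Security" && has(obj, field)) {
      visible[field] = obj[field];
    }
  }
  return visible;
}

console.log(readForDomain("ShippingAddress", "www.calc.com"));
console.log(readForDomain("ShippingAddress", "www.BigAds.com")); // {}
```

The street lines labelled Private are never returned because no domain in the mapping table holds that category, and www.BigAds.com receives an empty object because it has no entry in the table.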


W3C Customer Experience Digital Data Community Group

Benefits

In developing the specification with these features, the Group is attempting to set up an analytics data architecture that:

• Provides standardized data to be used by all analytics products

• Is flexible, extensible, and customizable for regions, industries, and organizations

• Offers the potential for more analytics integration (such as web application performance monitoring)

If you are interested in participating in this effort as it moves to the next stage of standardization, contact me.


Anna Long, Founder and Principal Analyst

Web Analytica℠

Email: [email protected]

LinkedIn: linkedin.com/in/annamlong

Twitter: @webbylytical

Cary, NC

Washington, DC

919 349-5725