Handling Cookies and Privacy in the EU

John_M
Marketo Employee
Marketo Employee

Many customers ask how Enterprise consulting recommends that they stay in complicate with the European Privacy Directive. Of course its important to consult your company's legal team before implementing anything, but this blog discusses one possible approach to the problem

EU-Launches-New-Cyber-Security-Strategy.jpg

Of course from a Marketo perspective, this all centers around the Marketo Munchkin Tracking cookie, which allows us to track anonymous activity of various types, and then link that activity to a Lead in Marketo once they fill out a Marketo Form, allowing a full picture of their actions on your site.

The goals of the initiative were

1. Determine the location of a visitor (and if that location is in the EU)

2. Determine if that user has already opted in or opted out of activity tracking via Munchkin tracking

3. If a user has no preference set, display an overlay informing them of the relevant legalities, and opting them in (note that you should consult your legal team on this one) and also providing a link to the privacy policy where they may opt out of tracking

4. If a user is opted in to tracking, proceed, initializing munchkin as normal

5. If a user is opted out of tracking, do NOT initialize munchkin and delete the Marketo Munchkin Tracking Cookie

6. If a user changes his or her selection to opted out, delete the Marketo Munchkin Tracking Cookie

We recommend thinking through not only the happy path for a user that accepts tracking, but every possible path to ensure that no tracking occurs without a user's consent.

For determining the location of the visitor, we've used the MaxMind Javascript reverse IP lookup product, and could maintain a list of what countries are in the EU (you never know when the list will change). MaxMind easily determines location at a country level (and much more precisely if needed) and lets you process based on the user's location. Its important to keep in mind that it's the user's current location that counts,  so its a good idea to keep checking it. Laws are much more lax on tracking in the US than they are in Germany, and you don't want to inadvertently violate the directive simply because someone who was originally in the US is visiting Germany.

We'd recommend tracking not one but two items using cookies (with NON PII so as not to cause further privacy problems). These cookies track "EU or NON EU" and then "Marketo Preference", which tracks the user's opt out preference.

Considerations

- Are you concerned with the whole site... or just the Marketo Landing Pages?

- Are you going to implicitly track people if they do nothing? What re the legalities around this for your locale?

Suggestions

- Make a flow chart! Fully understand your happy and all exception flows before you start

- Modularize your code. Where possible write code you can put into marketo landing pages AND standard pages. This will insulate you from changes too.

- Test Test Test! By maintaining a list of EU countries in an array (or whatever you like) you can easily add "United States" to the list temporarily to see what users in the EU will see

Screen Shot 2015-07-31 at 4.29.04 PM.png

Further Reading

- Stay In Compliance! What Marketers need to know about ePrivacy Laws

- US Marketers Should Not Ignore EU Privacy Laws—Even If They Don’t Market in the EU

1900
0