15 Replies Latest reply on Apr 25, 2018 8:22 AM by Dan Stevens

GDPR - Are you adding a cookie opt-out link to your Privacy Policy?

Alexis Shamsi Hughes Apr 22, 2018 8:58 AM

I found this tip in GDPR preparation discussions as an action item we should take to ensure cookie compliance (in addition to setting up a cookie preferences center on our site/Marketo landing pages):

Add a link to your company Privacy Policy page enabling customers to opt out from Marketo tracking. Link should be https://"customer page"?marketo_opt_out=true. When they click, Marketo places a "mkto_opt_out" cookie on the browser and their activity is no longer tracked online.

1) Can this be any page URL - i.e. fourseasons.com/meetings_and_events/?marketo_opt_out=true?

2) Are you also taking this step? Our legal dept. most likely will not want to customize our global Privacy Policy this way for one tool for one department.

Re: GDPR - Are you adding a cookie opt-out link to your Privacy Policy?

Sanford Whiteman Apr 22, 2018 1:19 PM (in response to Alexis Shamsi Hughes)

This feature can be useful, but it doesn't give the full-spectrum privacy protection that you're promising to end users.

When you add this param to a URL -- and yes, it can be any page -- Munchkin will set a "no-cookie cookie" and not perform any future tracking in that browser. But if you've told the user that by clicking that link, "they won't be tracked," this isn't true, because the moment they click a tracked link on another device, you will be tracking them again.

To cover all these bases it's more important to persist those privacy settings to the lead record and make sure to honor them everywhere (not sending them tracked links, not loading Munchkin once you know who they are). Stopping Munchkin from loading is pretty simple with or without the marketo_opt_out; it's making sure to honor the user preferences everywhere that's complex.

IMO, it's very important to fulfill the commitment that you make when somebody opts out, to the fullest extent technically possible. A false/incomplete opt-out can be more pernicious than not offering the option at all.
Like Show 0 Likes(0)

Actions
Re: GDPR - Are you adding a cookie opt-out link to your Privacy Policy?

Becky Loader Apr 23, 2018 8:49 AM (in response to Alexis Shamsi Hughes)

I've seen this on a Marketo page (http://developers.marketo.com/javascript-api/lead-tracking/#opt_out ):

Not sure how advance this will come into effect of the GDPR however, hoping soon!
Like Show 0 Likes(0)

Actions
- Re: GDPR - Are you adding a cookie opt-out link to your Privacy Policy?
  
  Sanford Whiteman Apr 23, 2018 9:07 AM (in response to Becky Loader)
  
  This is what Alexsi is referring to above, and it already functions if you use the Munchkin beta embed code.
  
  However, it doesn't suffice for GDPR, as I explained above, because you will still be tracking people who you know, and who specifically disallowed tracking when they're on another device. You have to do more work than this to comply with people's wishes.
  
  Like Show 1 Likes(1)
  
  Actions
Re: GDPR - Are you adding a cookie opt-out link to your Privacy Policy?

Amy Connor Apr 23, 2018 11:31 AM (in response to Alexis Shamsi Hughes)

We're using a cookie consent manager (TrustArc) to handle this.
Like Show 0 Likes(0)

Actions
- Re: GDPR - Are you adding a cookie opt-out link to your Privacy Policy?
  
  Dan Stevens Apr 23, 2018 11:35 AM (in response to Amy Connor)
  
  Amy - even the cookie consent tools (like TrustArc and OneTrust) manage this at the cookie/browser level - not user level. Basically what Sandy is saying is that it's going to be quite difficult to set/meet the expectations of users when they opt-in/out of cookies since the majority of the tools are setting this at the device/browser level.
  
  Like Show 0 Likes(0)
  
  Actions
- Re: GDPR - Are you adding a cookie opt-out link to your Privacy Policy?
  
  Dan Stevens Apr 24, 2018 10:17 AM (in response to Amy Connor)
  
  One other thing that's surfaced in our discussions with our legal teams - specifically consent around cookie tracking - the tracking that is contained within emails is not a "cookie". So tools like OneTrust and TrustArc don't impact this tracking. One more challenge to figure out. Would be interested how others are dealing with this.
  
  Grégoire Michel
  Michelle Miles
  
  Like Show 0 Likes(0)
  
  Actions
  - Re: GDPR - Are you adding a cookie opt-out link to your Privacy Policy?
    
    Sanford Whiteman Apr 24, 2018 10:49 AM (in response to Dan Stevens)
    
    It's not, but it's still tracking web activity and I can't believe it's a true exemption. Even localStorage isn't a cookie but we all know it serves an identical purpose to a (1st party) cookie...
    
    Like Show 0 Likes(0)
    
    Actions
    - Re: GDPR - Are you adding a cookie opt-out link to your Privacy Policy?
      
      Dan Stevens Apr 24, 2018 11:25 AM (in response to Sanford Whiteman)
      
      I should have stated this was more of an assumption until we have our next meeting with OneTrust to confirm. Based on your discussions with OneTrust, Sandy, by opting out of Marketo tracking cookies, does it also disable Marketo email tracking (at the device level, of course)?
      
      Like Show 0 Likes(0)
      
      Actions
      - Re: GDPR - Are you adding a cookie opt-out link to your Privacy Policy?
        
        Sanford Whiteman Apr 24, 2018 11:34 AM (in response to Dan Stevens)
        
        I should have stated this was more of an assumption until we have our next meeting with OneTrust to confirm. Based on your discussions with OneTrust, Sandy, by opting out of Marketo tracking cookies, does it also disable Marketo email tracking (at the device level, of course)?
        Nope, it doesn't affect email tracking directly, since it can't un-rewrite email links.
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: GDPR - Are you adding a cookie opt-out link to your Privacy Policy?
        
        Dan Stevens Apr 24, 2018 7:21 PM (in response to Sanford Whiteman)
        
        Then I'll have to circle back with our legal team to find out if "email tracking" can be bundled with "opting-in to receive emails". Without including yet another type of "opt-out" checkbox (or "opt-in" checkbox), I just think it will be challenging to manage this at scale.
        
        Like Show 0 Likes(0)
        
        Actions
        
        Re: GDPR - Are you adding a cookie opt-out link to your Privacy Policy?
        
        Michelle Miles Apr 25, 2018 7:44 AM (in response to Dan Stevens)
        
        Dan, while we defer to clients' legal teams, this is generally how we're doing it. We're bundling email tracking with opting in to receive emails. The email opt-in acknowledges a privacy policy that states all tracking and processing. What are you thinking?
        2 of 2 people found this helpful
        
        Like Show 1 Likes(1)
        
        Actions
        
        Re: GDPR - Are you adding a cookie opt-out link to your Privacy Policy?
        
        Dan Stevens Apr 25, 2018 8:22 AM (in response to Michelle Miles)
        
        Thanks Michelle - I had a conversation with our legal team this morning and we're in complete alignment with your approach.
        
        Like Show 1 Likes(1)
        
        Actions
  - Re: GDPR - Are you adding a cookie opt-out link to your Privacy Policy?
    
    Grégoire Michel Apr 24, 2018 11:17 AM (in response to Dan Stevens)
    
    Hi Dan,
    
    Most of the people I work with will handle it at munchkin (browser) level, not at email level, but some are sending the DNT info through emails : Its pretty easy to add a marketo_opt_out=true to any link in the emails, though. Can be done with a lead field that is hard coded in all CTA's in the email template. You can even make it more sophisticated using some velocity that Sanford Whiteman has proposed in a blog post. There is still a flaw, though: if a user add manually a link into a text editable zone, you have no control and will have to rely on user training / compliance.
    
    -Greg
    
    Like Show 0 Likes(0)
    
    Actions
    - Re: GDPR - Are you adding a cookie opt-out link to your Privacy Policy?
      
      Dan Stevens Apr 24, 2018 11:27 AM (in response to Grégoire Michel)
      
      Hi Greg - I realize it's easy to add. The difficult part is integrating/managing this with other vendor's solutions (like OneTrust). I'll find out later this week if the OneTrust solution covers email tracking.
      
      Like Show 0 Likes(0)
      
      Actions
- Re: GDPR - Are you adding a cookie opt-out link to your Privacy Policy?
  
  Kyle McCormick Apr 24, 2018 8:07 PM (in response to Amy Connor)
  
  Amy Connor Does your TrustArc solution allow visitors to opt-out of Marketo cookies? Our TrustArc representative has informed us their solution does not work with Marketo tracking but I am seeing multiple users on the community who are utilizing it.
  
  Like Show 0 Likes(0)
  
  Actions

Go to original post