5 Replies Latest reply on May 16, 2017 3:33 AM by Grégoire Michel

    How is Marketo and customers addressing some of the recent cookie legislation?

    Dan Stevens
      According to our legal team, several countries have or will be adopting strict cookie and data privacy laws (e.g., Italy, Spain, Canada, France, etc.). As a result, we are being asked to include enhanced functionality to allow users to opt-in/out of having cookies saved to their device/browser. I know Eloqua has a feature called "strict mode" (see below) which can be enforced selectively for visitors from a list of countries you specify within the interface (who must opt-in in order to have tracking cookies placed on their devices). Visitor identification is done via IP address. What is Marketo's point-of-view on this and is any enhanced functionality in the works today?

        • Re: How is Marketo and customers addressing some of the recent cookie legislation?
               There is no restriction on cookies not storing any personally identifiable information. The Munchkin ID falls within that category.
               Furthermore, companies using Marketo can honour user preferences through Admin - Munchkin - “Do Not Track” Browser Request.
               The general rule is adding a popup giving users the option to accept the cookie.
               The EU legislation is a broad framework. Member States can enforce more strict rules. Austria implemented the most demanding legislation; Finland is among the most relaxed. Austria maintains lists of opt-outs at national level. All companies targeting Austrian email addresses (ending in .at) must adhere to that list.
               Marketing Automation and the European Privacy Laws
               You can find the complete legal documents at http://europa.eu/
          • Re: How is Marketo and customers addressing some of the recent cookie legislation?
            The side effects of cookies could not be more evident. I was wrongly identified when posting my reply!
            • Re: How is Marketo and customers addressing some of the recent cookie legislation?
              Dan Stevens
              Even storing anonymous data - like company name and IP address - is considered personally identifiable information. Here is some of the info that our legal team has provided us recently - and has caused concern on how to properly implement in Marketo:

              The Italian Data Protection Authority (Garante) has published guidance on complying with the cookie requirements in Italy in order to obtain the express consent of the user. The main points are as follows:
              • Website operators are required to implement a web banner on the landing page outlining cookies used, the right to refuse cookies and a link to a separate notice setting out full details of the cookies used and the means by which a user can turn them on or off.
              • The requirement to notify the Garante where profiling cookies and related technologies are used.
              • Penalties under Italian data protection law can range from €6,000 to €120,000 (for example for serving cookies without obtaining the appropriate consent and failing to notify the Garante of such processing activities).
              • Operators shall benefit from a one-year grace period (expiring on 3rd June 2015) to implement the relevant measures.
              After being the first EU member state to issue fines for infringement of its cookie rules (see here) the law regulating the use of cookies has been amended. We highlight the following changes. It has been clarified that it is an infringement to serve cookies without the individual’s consent. Due to a legislative error this was previously not the case and the Spanish DPA could not undertake enforcement action on this issue. Infringements may be ‘low’ or ‘serious’. The latter category will apply if the organisation infringes the cookie rules on several occasions within a period of three years. The enforcement powers available to the Spanish DPA have also changed so that it is able to issue warnings for failure to comply with the cookie rules, or decide that it will apply the lowest category of fines for serious infringements under certain circumstances. Advertising networks will also now be liable for their failure to comply with the cookie rules.
              Spain Decision on Cookie Infringement: http://www.agpd.es/portalwebAGPD/resoluciones/procedimientos_sancionadores/ps_2014/common/pdfs/PS-00321-2013_Resolucion-de-fecha-14-01-2014_Art-ii-culo-5.1-LOPD-22.2-LSSI.pdf
              Following the Dutch DPA’s first investigation into an organisation’s use of cookies, the online advertising agency ‘YD Display Advertising Benelux’ (YD) was found to have infringed the Dutch cookie rules by placing tracking cookies on users’ web browsers in order to provide personalised advertising without the user’s consent. The cookies enabled YD and its network of advertisers to track the behaviour of visitors through multiple websites. The DPA found that the ability of users to opt-out of receiving personalised advertising was not sufficient to construe unambiguous consent and the information provided by YD to its users on the use of such cookies did not satisfy the notice requirements.
              The Dutch DPA noted that such violations would still exist even if the proposed amendments to the current Dutch cookie rules (currently going through the Dutch Parliament) were applied because such tracking cookies would still require user consent. This investigation follows the Dutch DPA’s earlier announcement that one of its priorities for 2014 is to focus on the profiling, tracking and tracing of internet users.
              This year has, and will continue to be, a busy year for the French Data Protection Authority (CNIL) (see here). A new consumer rights law came into force on 17 March, which amends the Data Protection Act and grants the CNIL new powers to conduct online inspections (in addition to the existing on-site inspections). This provision gives the CNIL the right, via an electronic communication service to the public, “to consult any data that are freely accessible, or rendered accessible, including by imprudence, negligence or by a third party’s action, if required, by accessing and by remaining within automatic data protection systems for as long as necessary to conduct its observations.” This new provision opens up the CNIL’s enforcement powers to the digital world and, in particular, gives it stronger powers to inspect the online activities of companies. The CNIL says that this law will allow it to verify online security breaches, privacy policies and consent mechanisms in the field of direct marketing. One can expect the use of cookies to also fall under this remit.
              Finally, the Belgian DPA has recently launched a public consultation on its draft cookie guidance (see our previous blog), stating that implied user consent may be an acceptable model for the use of cookies.
              • Re: How is Marketo and customers addressing some of the recent cookie legislation?
                Grégoire Michel

                Reopening this thread because of the upcoming GDPR in the EU. Remember 2 things about it:

                • It's extraterritorial, meaning any company doing business in Europe will have to comply.
                • Any information that can be used to link to a personal record is considered sensitive, meaning Marketo cookies that are linked to database leads are.
