Rules and Privacy Requirements: Cookies, WebBeacons, etc. - Julie Park & Paula Olsen, The Church of Jesus Christ of Latter-day Saints

As individuals become more aware and care about how organizations are collecting, using and sharing their data, the privacy landscape continues to adjust. Digital marketers and others must adapt to the changing privacy requirements.

This session takes a deep look at the obligations placed on digital marketers and others by Europe’s GDPR and ePrivacy Directive, in addition to other international frameworks governing the use of cookies and similar technologies. We will also discuss our thoughts and ideas on how to best implement a compliant approach.

 

Julie Park

Manager, Data Privacy Office

The Church of Jesus Christ of Latter-day Saints

Julie Park manages the global privacy program for the Church and oversees compliance with global data privacy laws and regulations. Ms. Park is also a member of the U.S. Department of Homeland Security Data Privacy and Integrity Advisory Committee (DPIAC). In these roles, she provides advice and input on programmatic, policy, operational, administrative, and technological issues that relate to personally identifiable information and other privacy-related matters. In 2016, Ms. Park was accepted as an IAPP Fellow of Information Privacy (FIP) and holds several information security and privacy professional certifications (CIPP/E/US/C, CIPM, CIPT, CISA, CISM, CGEIT, CFE).

 

Paula Olsen

Functional Analyst & Data Privacy Engineer

The Church of Jesus Christ of Latter-day Saints

Paula Olsen provides technical guidance and support for the Church’s Data Privacy Office. Her work includes the design, development, and maintenance of applications and tools used to perform privacy and risk impact assessments, build and maintain an inventory of personal and regulated data, execute database scans required to validate inventory, and manage cookie consent options across all public-facing properties. Projects on the horizon include a single portal for individuals to more thoroughly view and manage their personal data and the development of a data warehouse to enhance reporting capabilities.


Julie Park
Glad that you're here to meet us today to talk about privacy rules and requirements, cookies, web beacons, and similar technologies. Before Paula and I get started, we'd like to take care of a quick disclaimer, and the opinions expressed in this presentation and on the following slides are our own. They do not represent the opinions or the views of The Church of Jesus Christ of Latter-day Saints and are not legal guidance or legal advice. So now that that's out of the way, we are excited to talk to you about the privacy rules and requirements with cookies, web beacons, and similar technology. So let's get started into our 30-minute deep dive into this. Our agenda, we're going to go over the privacy landscape and give a quick overview of what the privacy laws are that are behind the cookie notices. And then we'll get into a discussion about how can that be done through evaluation, transparency and honoring choices.

So generally it's been typical of organizations in the United States that they can collect as much information as possible, as long as it doesn't cause harm to an individual. What we're seeing is a change in this thinking in the European Union General Data Protection Regulation, referred to as the GDPR, and we're also seeing this with the California Consumer Privacy Act or CCPA. They are helping organizations think differently about the personal data that they collect, how it's used and how it's shared. So we're moving towards an understanding that personal data belongs to an individual. It does not belong to the organization, and that it is a fundamental human right to have a say about how your personal data is collected, used and shared. As the legal landscape continues to change and evolve, this mindset will continue to change as well. It could be seen in the next few years that how organizations appropriately use information, if they don't use it appropriately could be seen as you are stealing somebody's personal property.

All right, you may have seen or noticed on different websites something like this, where it says this site uses cookies. When sometimes they're a little bit longer, a little description. What started or what caused all of this to be showing up on different websites? Again, it began in Europe, but it's actually a law that isn't very well known and it's referred to as the Privacy Electronic Communications Directive, also referred to as the E-Privacy Directive. This law has been in place since 2002. It's taken almost 18 years for organizations and countries to really understand the simple meaning of what this law means. And in a nutshell, it just talks about how an individual has to give his or her consent and be provided with a comprehensive notice or information about what information is being collected and why. What we're seeing also in this landscape is that other countries beyond Europe are also starting to implement these different privacy laws, specifically on how users are being tracked on their website.

So it's difficult to say, if you ask your privacy professional or somebody else that's in your organization that has the same position as me, there is definitely another privacy person in your organization looking at this. But if you go to them and ask them, what countries, or where do I have to provide this banner, or this notice? It's not always a simple, yes, it's required or not. There are some countries or lawmakers that have not put the legal landscape in place just yet. But it is interesting to see that you've got South Africa and Central America, Argentina, Brazil, Mexico, they all have laws on the books that require that consent when collecting information on a website. Again, you can see also in Asia and the Pacific. What we do know is that this is going to continue to grow.

And one thing to consider as we go through this presentation, and Paula and I will talk about this in a little bit, is having tools in place so that you can quickly and easily adapt as these laws continue to evolve. And more countries begin to pass laws and you need to comply with that. Now what is included in these laws? What is the big deal? So for the cookie notices and to comply with the law, it really comes down to three simple steps. It's really as simple as one, two, three. Tell people what cookies or similar technologies are on your site, then you just explain, why are the cookies there and what are they doing. And then the last thing is you give them the opportunity to agree, and that is the consent. Yes, I'm okay, I understand what information you're going to collect, what my personal information, not only my name, my language preferences that you're going to collect, what are some of my behaviors, what are my tendencies for any sort of political opinion or religious beliefs or any health issues? All of that information being collected needs to have my permission and consent before doing that.

So let's just go through a few examples of organizations that have ignored those simple three steps. So in June of 2000, there was a lawsuit against Google. And what this lawsuit is about is that the individuals had a reasonable expectation that Google was not tracking their behavior because they had - everyone's familiar with this, you've got the in private viewing or in private browsing mode. Well, when people were navigating across Google's websites or that platform, they intentionally deceive consumers into believing that they were in an anonymous state or could not be tracked mode. When in fact Google was actually collecting the information and they were collecting information such as their browsing history and device information. That misleading and not honoring those rules is why Google is in this lawsuit and is actually being accused of federal wiretapping. Now we'll see where this plays out, Google obviously disagrees with the claims of this lawsuit, but the gist of it is they claimed to say they were not tracking when in fact they were.

The other lawsuit where an organization, Oracle and Salesforce, in August of this year, they are currently under scrutiny because they have this class action lawsuit that centers on how Oracle and Salesforce collected information using third party cookies to track, monitor, and collect online activities. And then they auctioned that data out to advertisers platforms such as Amazon and Dropbox and Reddit and Spotify. So the issue with this is that Oracle and Salesforce, again, did not inform individuals that they were collecting the information, as they navigated against those different platforms. And then did not explain what was being collected, how it was being used and giving them the opportunity to opt out. And this is what the California Consumer Privacy Protection Act is about, is again, it's the individual, it's your information, we own our own information, it does not belong to the organization, it's mine. And this mindset, and once we start catching on to this we can get the right processes in place and everyone will start understanding why this is such a big deal. Paula, would you like to add anything more to that?

Paula Olsen
Sure. Thanks, Julie. First of all, just one clarification slip of the tongue, this suit for Google is actually a 2020 claim and not a 2000 claim.

Julie Park
Oh, thank you. Thank you.

Paula Olsen
So, there's more than one way for users to opt out of being tracked, and in a moment we'll discuss these various alternatives that we can provide on our websites. Which should give greater transparency and greater options to our users. So although these giants, you know, have ultimate responsibility for what they're doing with the user's data, because we use their platforms and we use their tools, we can help users send a more clear message to these organizations that they do, or they do not want to be tracked. So, we'll talk about that in a moment.

Julie Park
Great. Thank you, Paula. Yeah. Thank you. All right. So now we're going to transition and talk about how organizations can comply or demonstrate compliance to these different privacy laws. So Paula, if you could just tell us how organizations can do this.

Paula Olsen
Sure. So as we started the presentation, we have this three-step process. We evaluate, we provide transparency and we honor opt-out requests. So currently in the market, there's more than 8,000 tools or objects that people can use on their websites. And we know that over the course of the next several years that number is going to grow. And many of these will go away, they'll be obsolete. But they continue to change and we need to be aware of that. One thing that I can tell you is that our developers and our marketers constantly want to be in touch with the most current technology. And we're constantly turning over requests to try something different or to use something else on our websites.

In order to be successful in this space, you really need to know what your developers are using. In addition to that, in working in this space, I'm working with so many different developers and engineers, it's become quite obvious over the past five years that they do have somewhat of an awareness of data privacy. But we've spent a fair amount of time educating our UX designers, our project managers, our developers and engineers on what this entails. And because they have a greater awareness, the communication within our organization and our understanding of this inventory of tools (widgets, trackers, analytic tools, whatever falls into this category), is much better understood within our organization. So ultimately transparency really, really equals vigilance. And we have to be persistent in making sure that we know what's being used. Remember that we can't necessarily protect our customers from the behaviors of bad actors or what different companies are doing with these third party tools. But what we can do, is we can make sure that they have an option to opt out and to send a clear message. So whatever is on your website is your responsibility and it's completely within your control.

Julie Park
So a part of that evaluation is once you've used the different various tools to monitor and scan, what type of marketing technology vendors are on your site? One thing that you can do to make sure that they are a good actor or that they are adhering or even familiar with the requirements of these privacy laws is looking to these independent organizations. You've got the Internet Advertising Board of the UK, the Internet Advertising Board in general, or for Europe, you have the Network Advertising Initiative or the Digital Advertising Alliance. There's also another organization, the European Interactive Digital Advertising Alliance. Be aware of what these independent organizations are doing. They are promoting privacy and they are helping organizations know, "Hey, if you bring in this marketing tech, this vendor, and they are one of our members, they've gone through a vetting process." And these independent organizations say, yes, they get it.

Julie Park
They follow those principles of providing notice, ensuring that consent is provided, and a way for people to opt out and honoring that opt-out choice. You know that at least you have a higher level of confidence that when you put that code onto your website for tracking, that you're using a good vendor, that will be protecting that information, and it will be a good indication for your organization of building trust. So if you haven't already, before you go grab that next neat tool to collect data, go to one of these websites and check out who the vendors are, who's listed there as one of those members. Anything else you'd like to add to that, Paula?

Paula Olsen
No. Great segue, Julie. Thank you. So just to reiterate, know what you're using, make sure that those trackers are reputable, but there's other tools that you need in order to be successful. So first of all, make sure that you have a well-defined privacy policy. That's going to be the first place that users who are interested are going to go and look, and make sure that that's well-defined for users, customers, anyone that's evaluating the use of your technology. Some of you may actually be vendors out there who want us to use your tools. So we are looking at your privacy policies and we do want to know how you are going to handle our customers, should we bring that tool onto our websites.

Paula Olsen
So well-defined policy, but the policy's not enough and it's not enough just to tell a user in your policy to go in and clear your cookies or reset your browser history. You know, that's not adequate. We need to be a little bit more proactive in helping our customers understand what we have on our site. So I would encourage you to consider using a consent manager. So especially if you're managing sites that have a large global traffic pattern, these services are helpful in many ways. They help us manage both implied and express consent based upon our individual configuration. And they, more times than not, will give the user information about our organization, if configured properly, in the language that they use in their browser preference language. And so we want to make sure that our users know exactly what they're dealing with. So we want to give them the best opportunity to understand that. But even a consent manager is not solely adequate on its own. It really needs an integration with a tag manager. So the consent manager helps us to provide the notice and the information, the tag manager helps us to ensure that when they opt out of being tracked, that we block that tracking and we no longer allow that to happen from our specific site. So, all tools to consider using.

Most of you have probably seen this, or something that looks like this, but most cookies or trackers of any kind can be classified. They're usually referred to as either required or essential cookies. These are cookies that are required to make the website work. They don't track the user, they don't tell the company, or the organization, they don't give the organization very much information about the user at all. They usually can't opt out of these, otherwise the website doesn't work and it doesn't have its full functionality. Then you have your functional, your analytical cookies, these gather information about what our users are doing and are usually there so that we can measure and improve performance of the system and be more helpful to our customers. But it's the advertising cookies sometimes that are causing a little bit more concern. And there are many of these and many different ways that the various pixels of tools are used to gather and scrape information and bring all of that together in a way that it can be used in many different ways. So if we have these on our sites, we need to give our users an opportunity to opt out.

So you know, what I'm talking about, these are the kinds of cookies that pop up. How does someone know that I'm a block away from my favorite restaurant? And all of a sudden, I get a ping for lunch specials and an invitation to come in and eat lunch, or how does that department store that I rarely shop at, know that I was looking for draperies last night and not only do they know I'm looking for draperies, but they call me out by name. So they personalize the experience and, say, "Hey Paula, we know you're, we know you're shopping for draperies." Those are the kinds of things that are just a little eerie, but it's actually the world that we live in.

I'm not saying that it's right or wrong, but there's lots of different opinions from individuals about what they want companies or organizations to know about them. So again, it's the world that we live in. Many of us don't care about these trackers and some of us want control over these trackers and others would just like them to go away altogether. They find them to be irritating and don't understand them. But the billion dollar question here is, where will society land and where will these laws be 5, 10, 20 years from now? I don't know if they'll be even more strongly enforced or society will have just accepted it as the norm, but today it is a legal requirement and we have to respond to it.

So as Julie pointed out again, our climate is changing. But we all want the technology. We love it. We want the convenience that it brings, but more and more, we want our privacy. So we want it out. We want to have our cake and we want to eat it too. Again, I'm not going to read these to you, but I do want to point out these last two elements that we've highlighted in yellow. So relying solely on browser settings in this environment is not enough. I had mentioned that earlier, you can't just put up a privacy policy and tell people to go in and clear their own cache, it's not adequate. And also the use of a cookie wall for general website access is unlikely to be accepted.

So just in general, that wall is basically hope you're fine. That wall is something that you put up that basically says, if you don't accept our cookies, sorry, we can't grant you access to the website. So you're required to accept our cookies in order to come on. We can't take away someone's choice. We still have an obligation to allow everyone the same service, regardless of whether they want to be tracked or not. So, you know, to sum this up, we need to decide now how best to manage any of the trackers and the tools that we use on our websites. Our organizations need to be very specific about what we're gonna use, and we need to be aware of them. Make sure your IT professionals understand your obligations and requirements. It's made a world of difference in our organization to have them trained and to know exactly where to go and what to do, and to have them keep these processes up and functioning continually within our organization. So make sure that they know what to do.

Again, transparency requires vigilance and make sure that based upon the scope of your organization, that you invest in the right tools and the right technology to get the job done. So with that said, we'd like to open this up to any questions that you have.

Julie Park
Thank you. So I'm just looking at the posts and I can just see that one comment was asking if we would confirm that yes, some experiences with the DPO authorities, the Data Protection Authorities, they will show flexibility with your organization, if you show that you actually have a plan in place to demonstrate that the value of evaluating what's on your website. Do you have a plan for transparency, to be clear about what's actually on your website, what's happening, and then a way for people to opt out? So if you do get caught in one of France's CNIL cookie sweeps, they will definitely be a little bit more understanding with you and not maybe assess fines or administrative sanctions, if you can show that you have a program in place. So that was one of the questions that came up.

One thing I would also want to just bring up that Paula touched on is the importance of this tag manager, as the person who has to go out and represent and demonstrate compliance, the integration of the cookie consent manager with the tag manager and being able to prove that the choice is expressed by individuals is actually getting to the very end of the road is so important and critical, I cannot emphasize enough how important that can be as part of your strategy for dealing with cookie consent, and showing to the regulators that you've got that plan in place. Other than that, I'm not seeing any other questions on our board. Anything else that you'd like to wrap up with?

Paula Olsen
Nope. I think we've shared all the information that we have. So thanks for letting us be here today, and good luck with your projects.

Julie Park
If you're still with us, we'd like to try to address, so we're going to go through those questions. We just didn't see them before we ended the session. So one of the questions that came through is "how difficult have we found it to implement a CMP", which I think that's a Cookie Manager Program. So actually I'm going to defer to Paula because she's really helped on the technical side of implementing that CMP. So do you want to talk about the experience of getting that cookie manager in place?

Paula Olsen
Absolutely. The service itself is fine to use. I had more complexity with trying to get multiple developers to use the services. All of them had to manage their sites independently. So when we figured that out, we finally moved to a centralized, or we call a centralized photo service and through our tag manager we were able to just connect all of our sites to that service and implement the Cookie Consent Manager and everything associated with that. So it made the process a lot easier, and we could validate on a more regular basis that we were in full compliance. So it just depends on how fast your organization is and if you can centralize efforts, perfect. If not, and you're working with individuals, it takes a lot more time.

Julie Park
Great. All right. The other question was how can you look up the other vendors on the advertising Alliance? And that's something that we'd be happy to share with you. You just go up to any one of those organizations and they have members just on the title and you can go through, click on the members. And that's how you can see who is a member of one of those independent organizations. The other question that we got was will we be sharing our slide deck? And yes, we'd be happy to share a version of the slide deck with each of you. There isn't anything on here that you couldn't find on your own, out on the internet. So we'd be happy to share that information with you as well.
