Cookies – unlimited user tracking across the web
by Karsten Rendemann, cookieinformation.dk
Held at EAAA on January 28th, 2016

References
1. Author of the ‘Technical Guide’ – part of Cookievejledningen
2. Advisor to DI regarding the GDPR (Persondataforordningen)
3. Deliver the cookie declaration on 1,000 websites
Deliver data to many media

What is a cookie?
A cookie is data (text or binary data) that is
- received from a domain,
- stored in the browser and
- sent back to that same domain.

Cookies – is actually ‘Cookies and other tracking technologies’ like:
HTTP and JavaScript cookies, HTML5 Local Storage, Flash Local Shared Object, Silverlight Isolated Storage, web beacons, pixel tags etc.
Can be loaded from any element on any page of a website
- The CMS system, scripts, photos, forms etc, …
- even in a gif

Where can I see a cookie?
Google Chrome: Right-click, ‘Examine’, ‘Resources’, ‘Cookies’
1. Name
2. Value - ‘Yes/No’, a time stamp, encrypted ID
3. A domain that receives the data
4. A duration
Can be connected with your IP address, where you are (GPS), who you are (via login on social media), etc.

Purposes of cookies
1. NECESSARY
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
2. PREFERENCES
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
3. STATISTICS
Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
4. MARKETING
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

So what is a cookie declaration?
What if I look for cookies on eaaa.dk?
Different methods – varying quality
Google

What are data used for? - collected about users using eaaa.dk
• “Preserves user state across page requests.”
• “Registers a unique ID that is used to generate statistical data on how the visitor uses the website.”
• “Optimises ad display based on the user's movement and various advertisers' bids for displaying user ads.”
• “Used by Google AdSense to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.”
• “Registers a unique user ID that recognises the user's browser when visiting websites that show ads from Adform. The purpose is to optimise display of ads based on the user's movement combined with the ad bids placed by various advertisers.”

Who receives data? - from eaaa.dk
1. adform.net
2. doubleclick.net
3. youtube.com
4. eaaa.dk
Example: Let us start with a script tag which makes it possible to track the user
The script runs on all pages, sets a tracking cookie and gathers information about the user
Every time the user does anything, this is sent to the 3rd party, who can record it via a unique user ID
Information about each page URL, referrer URL, geography, browser and device is automatically captured.
Data about the user is recorded across ANY device and MULTIPLE websites
It is easy to track events from both iOS and Android mobile applications
The user IDs of each of the user's devices are associated to create an aggregated user profile
Live recording: Tracking of a user across multiple websites and multiple devices
Some make a semantic analysis of each page URL, so they know what the text is about
Each page is then analyzed to create Content Profiles with information from tags and free text incl. author, people, places, companies, and sometimes combined with 3rd party data
This one particular application tracks more than one billion (1,000,000,000) active user profiles based on more than 12 billion unique user IDs
Example user profile: Long-term interests, intentions, context, key words, segments, categories and event stream

Why is this a problem?
• Price discrimination during on-line purchases – Staples (Office supply)
• Women are exposed to fewer ads for high salary jobs
• Ads on your screen reflect what others expect that you are interested in – Also at school and at your job

From script to ad
When you go to another website, an ad tag is associated with you and checks which segments you belong to. The system responds with a list of segments. The ad tag sends the segment information to the ad server and finds a matching ad.
Demo: How a man will see a campaign targeted to men
Demo: A woman will see an ad targeted to women
Various performance data are logged
They can be used for targeted recommendations …
… and targeted offers
Look-alike modelling: How it is spread to others with the same profile as me
Data from 3rd parties can be used, e.g. social media, questionnaires etc.
And then the ads can be displayed to all similar people

Syndication – data sharing
• Many data are shared across 100s of partners
Some of LiveRamp's 200 partners
Also has cookies placed on e.g. www.digst.dk
“LiveRamp (Cxense subsidiary) is the leader in data connectivity, helping the world’s largest brands use their data to improve customer interactions on any channel and device. LiveRamp helps marketers eliminate data silos and unlock greater value from the tools they use every day. By connecting disparate marketing platforms at the data layer, we enable brands to use new generation of data-driven marketing strategies for ROI measurement, targeting, one-to-one marketing, and more.”
On 40% of all cities’ websites

How did cookies get on eaaa.dk?
You ALWAYS do something yourself.
Eaaa.dk line 313-323, adform script

Beware of free scripts like AddThis
Free scripts often get the browser to visit various domains in the background. Up to 23 have been documented.
Example:
Initiator: Script tag, source code line number 493: http://player.qbrick.com/playerembed.js
The user's browser is then directed to:
http://dpm.demdex.net/id?d_rtbd=json&d_ver=2&d_orgid=B58F1CFE533095470A490D45%40AdobeOrg&d_cb=s_c_il%5B0%5D._setMarketingCloudFields
from where the cookie demdex is set.
Purpose: Via a unique ID used for semantic analysis of content, the user's navigation on the website is registered and associated with offline data from surveys and others, with the objective of delivering targeted advertising.

What does the law say?
• New General Data Protection Regulation (Persondataforordning) as of end of 2017
1. Data handler responsibility for 3rd party cookies
2. Documentation
3. Fine - €20 million or 4% of turnover
• Cookie law (already existing)
1. Examine your website
2. Remove unwanted cookies
3. Declare cookies and get consent

Commercial benefits
AND IT’S ABOUT TRUST = PREDICTABILITY = CORRELATION BETWEEN WHAT YOU WRITE AND WHAT YOU DO
TO YOU AND YOUR WEBSITE

HOW TO ACHIEVE COMPLIANCE

1 COOKIE SCREENING
- Identify all cookies
- Produce documentation

Find all cookies from all 3rd parties
- Our scanner analyses all pages, pretending to be a user in all the ways that can result in cookies being set: various screen sizes, operating systems, browsers etc.

Documentation
- Domain name of data recipient
- Date of screening (36% of cookies change every month)
- Name of each cookie
- Name of the 3rd party that receives data
- Explain what the 3rd party uses the data for
- Duration of the cookie in the user's browser

2 DECLARATION AND CONSENT
- Add a true Cookie Declaration
- Describe usage
- Update banner

Change the text on the cookie banner
- Make it reflect what cookies are truly set
- Before end of 2017: make it withhold 3rd party cookies until consent is given

3 REMOVE UNWANTED COOKIES
Remove the scripts that set unwanted cookies.
- Ready-made code
- All languages
- Individually branded

4 KEEP UPDATED
Every month, 36% of all cookies change

WEB PORTFOLIO
- Cover all domains, subdomains and login areas
- Also w/wo www, http(s)

5 Questions?
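The documentation fields listed under cookie screening (receiving domain, cookie name, duration, screening date) and the monthly re-check under "keep updated" can be derived from captured Set-Cookie headers. The following is an added example, not part of the original slides and not the speaker's scanner; the site name example.dk, the capture, the cookie values and lifetimes and the screening date are constructed, and the last-two-labels domain rule is a simplification.

```javascript
// Added example (not from the slides): cookie inventory from captured responses.
const SITE = "example.dk"; // assumption: the site being screened
// Constructed capture: response URL plus its Set-Cookie headers (values made up).
const capture = [
  { url: "https://www.example.dk/", setCookie: ["session=abc123; Path=/; HttpOnly"] },
  { url: "https://track.adform.net/c", setCookie: ["uid=5521; Max-Age=5184000; Domain=adform.net"] },
  { url: "https://dpm.demdex.net/id", setCookie: ["demdex=7788; Max-Age=15552000; Domain=.demdex.net"] },
];

// Simplification: the last two labels stand in for the registrable domain;
// a real scanner would consult the Public Suffix List.
function baseDomain(host) {
  return host.toLowerCase().replace(/^\./, "").split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// One documentation row per cookie: receiving domain, name, party, duration, date.
// Only Max-Age is read here; a cookie without it is reported as a session cookie.
function inventory(responses, site, screenedOn) {
  return responses.flatMap(({ url, setCookie }) =>
    setCookie.map((header) => {
      const c = parseSetCookie(header);
      const domain = baseDomain(c.attrs.domain || new URL(url).hostname);
      const maxAge = c.attrs["max-age"];
      return {
        domain, name: c.name, thirdParty: domain !== baseDomain(site),
        durationDays: maxAge ? Math.round(Number(maxAge) / 86400) : null,
        screenedOn,
      };
    })
  );
}

// Keep updated: cookies present now but absent from the last screening.
function newSince(previous, current) {
  const seen = new Set(previous.map((r) => `${r.domain}|${r.name}`));
  return current.filter((r) => !seen.has(`${r.domain}|${r.name}`));
}

console.log(inventory(capture, SITE, "2016-01-28")); // screening date is constructed
```

Rows with thirdParty set to true are the ones the declaration has to name a recipient and purpose for; newSince on two successive screenings gives the list to review each month.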