Open Tracking and the New Cookie Law

There has been a lot of talk in the email industry about whether open tracking falls under the category of “similar technology.” Let’s be clear right from the off: we cannot answer this question – only the Information Commissioner can answer this question definitively.  What I can do is analyse what we know so far.  A simple search of the most recent guidance notes showed that the word open was used four times and email was used once and this wasn’t in respect of email marketing.

Based on the conversations that have gone on with the great and good of the email community both here and in the US, The Email Marketing Council believes that email open tracking is not covered in this legislation. The purpose of the new Privacy in Electronic Communications Regulations was to “protect the privacy of internet users” and was driven by “concerns about the online tracking of individuals and spyware.”

Open tracking uses a one pixel by one pixel clear GIF, which is stored as a temporary file on the user’s computer. This is very different than the cookies used to track individuals online:

  • Once images including open tracking GIFs are downloaded by the consumer, there is no way for the marketer to read them back. Cookies on the other hand are files stored on the user’s computer and are designed to be accessible over and over.
  • Open tracking GIFs return information in the same way that web pages return information about the user’s computer because that is how the internet was designed as opposed to cookies which are designed specifically to allow websites to track previous behaviour.
  • Open tracking is associated with an email address and is therefore device independent versus cookies which have a one to one relationship with a specific device.

If these differences are not enough then I throw out one last thought. Open tracking is most similar to web traffic and activity analysis based on server side processing of web server log files. This is not covered by the regulation changes. Even when it comes to client side cookie based analytics, the ICO has stated that they cannot conceive a scenario where they would prosecute for use of analytics cookies

I think that the motivation behind the new cookie law is a good one.  Consumers do not really understand that everything they do online is being tracked.  They believe that because they are moving around the internet in the privacy of their own home that what they do is private.  This law however is clearly aimed at cookies used to build complete profiles of internet users which could eventually be sold on. These regulations were not aimed at marketers trying to ensure their emails reach the inbox and improve how they communicate with their customers.

As always the law is not the same as best practice. Marketing best practice is to be clear and transparent with customers. To this end, regardless of the law, it is sensible to include in your privacy policy that customers opting-in are giving email permission, open tracking and permission for other data use appropriate to your email communications.  Look out for a whitepaper on the topic to be published in the near future.

This entry was posted in Legislation and tagged , , on by .
Skip Fidura

About Skip Fidura

Skip Fidura who is the Group Digital Director and Client Serviecs Director to the dotDigital Group has been in marketing for over fifteen years, having worked in contact centres, direct marketing, customer analysis, and digital marketing. 

Most recently Skip was Email Partner at OgilvyOne London and prior to that he was the Director of European Operations for Acxiom Digital.  He has worked with clients such as Hallmark, BT, Kodak, hp, and Travelocity.co.uk.

  • Marcus

    Under the ‘Terminology and definitions’ section of the ICO Guidance (Dec 2011) it states:

    ‘The Regulations apply to cookies and also to similar technologies for storing information. This could include for example, Local Shared Objects (commonly referred to as “Flash Cookies”), web beacons or bugs (including transparent or clear gifs).’

    So a 1×1 transparent gif would still be covered by the legislation.

    The ICO Guidance is pretty fluffy in a lot of respects but _does_ put a strong emphasis on intrusiveness and ensuring consent is gained where tracking or profiling is to be applied.

    Essentially an email address is an even more personal identifier (ie. more intrusive) than identifying a ‘terminal device’ and much more likely to be used in profiling. 

    Therefore would it not be best practice to provide a brief explanation of intent next to the email opt-in to ensure compliance?

  • http://twitter.com/TheCookieCrunch Cookie Collective

    If I use a web based client to open the email that has placed a tacking beacon in that email, surely that is the same as visiting a website that also uses a beacon to track page activity.  So I am not sure your argument entirely stacks up – although it would be nice if it did.
    However, I think email tracking is basically the same as web analytics – so it would still be covered by the regulations, but could be considered low risk activity.
    As pointed out, the important thing is probably to tell recipients waht is going on – and if they don’t like it they can unsubscribe.

  • Anne_ONonymous

    Of course, it’s not possible to read back a GIF that’s stored in a users coputer however, every time that user opens a page containing the GIF, it will be requested from a server. If the GIF just happens to be associated with an ID, say the GIF’s name or a User ID in the string requesting the GIF, then the user will be tracked.

    OK, the User ID does not directly link to the individual but, and this has been demonstrated before, it is possible to build a profile and associate this with  an individual, simply by aggregating multiple sets of tracking information.

    I welcome tracking.

    About as much as I would, in ‘real life’, welcome a man in a dirty raincoat following me around the shops and carrying a notepad; making notes about what I look at, going ahead of me to rearrange shelf-edge adverts and tailoring me special offers (that aren’t actually that special).

    In ‘real life’, it wouldn’t be long before the man in the dirty raincoat was led into a back alley, to emerge a few minutes later, needing extensive dental treatment.

    Advertisers: Please desist from being the man in the dirty raincoat. 

    • Marcus

      Precisely,

      If the GIF http request was capturing _just_ a generic, anonymous campaign identifier, this is not much concern. You get anonymous campaign ‘opens’, no one is singled out.

      However, when a unique user Id is part of that http request, you are able to build a profile of when someone is accessing their email and tie it back to the email address.

      Similarly, user Id’s can be part of a http request for a click-through which again allows you to build a profile.

      Transparency is key. Let the individuals decide if they are comfortable with whatever level of intrusiveness you are employing via a clear (and informative) statement of intent.

      The ICO Guidance even specifically mentions that analytics are not seen as ‘strictly necessary’ and therefore require consent.

      The last paragraph of the article sums it up pretty well IMHO.

  • Tim Bohn

    Surely you are missing the point. Of course all this technology falls under the legislation. 
    The legislation is draconian and flawed. The point is, if everyone abided by the law, the commercial drivers of the Internet would be broken and we would all have to start paying for stuff that is currently free. I know which way I’d rather have it.

  • Skip Fidura

    First apologies for not commenting sooner,
    I have been out of the office.  Secondly,
    I want to thank everyone for their wonderful comments.  As I said at the beginning, only the ICO
    could definitively answer whether open tracking is covered. All I was doing was
    putting forward an argument for why it isn’t or shouldn’t
    be covered.  Unfortunately because the
    law is vague on the issue, saying that open tracking is not covered would
    undermine the regulatory framework if it were later determined that open
    tracking was meant to be covered.

    What I find more interesting is that this
    discussion and many others around this topic have focussed on the technology
    rather than what is both best practice and our self-regulatory
    responsibility.  I am in the process of
    drafting a follow-up blog post focussed on what we should be doing to both
    within the letter and more importantly the spirit of this legislation.