In this article we describe how data is collected on your website, how long it is stored for, how it is passed to your Emarsys contact database and how all of these are affected by data protection legislation (in particular GDPR).
Emarsys is not a law firm specializing in data security legislation, and we do not offer legal advice. We want to help you to understand how this legislation can affect you as an Emarsys customer, and this article assumes that you are using the Emarsys Marketing Platform properly, according to our documentation.
You should always refer to a qualified legal source when it comes to checking whether or not you are compliant in any given situation.
Web Extend and GDPR
- Web Extend and GDPR compliance
- Opting out of behavior tracking
- Retrieving or deleting historical data on request from a customer
- I'm not sure - I still want to disable Web Extend
General information on web data collection
Web Extend and GDPR compliance
In order to understand Web Extend in terms of GDPR compliance, you need to differentiate between its two functions:
- Tracking visitor behavior on your website and storing this data indefinitely in the Web Extend database.
- Enriching individual contact profiles in your Emarsys database with this data.
1. Tracking web behavior
All data collected by Web Extend on your website and stored in the Web Extend database, both by the JavaScript commands and by the cookies, is either anonymous (before login) or pseudonymized (after login). Therefore, lacking any further measures to identify, processing of this data is not restricted by GDPR.
You do not need to disable the Web Extend scripts in order to be GDPR-compliant!
- Anonymous data is collected from visitors who have not yet logged in or registered, and is used to build product affinity models as well as to offer generic recommendations such as the most-viewed or best-selling products. Once a visitor logs in, the data from that session becomes pseudonymized.
- Pseudonymized data is associated with an individual visitor but cannot be directly linked to a contact in your Emarsys database, nor used to establish the identity of any natural person.
2. Enriching contact data profiles
The Web Extend database regularly updates your Emarsys account with the data it has collected on visitor sessions. Here the pseudonymized identifiers for these sessions are matched to the identifier keys stored in your Emarsys contact database.
- In the case of externalID, this key is entered in a custom field created by you.
- In the case of Emarsys emailhash as identifier, the key is stored in the predictUserId and predictSecret contact database fields.
This is the point at which the GDPR restrictions on data processing and data subject rights become more significant, mainly in the form of these three obligations:
- To offer the customer the chance to opt out of behavior tracking
- To retrieve all the data you have on the customer
- To delete all the data you have on the customer
The process for all of these should be described in your Privacy Policy.
When Web Extend sends the data to your Emarsys contact database to enrich contact profiles, this takes place within the Emarsys data security infrastructure and is covered by our security accreditations.
Opting out of behavior tracking
1. Implicit consent for behavior tracking
GDPR requires that you inform the visitor to your website that you intend to track their behavior. For first-time visitors this is usually done through 'implicit consent', i.e. you display this information in a pop-up or banner and the visitor only has to click it away or continue for consent to be given.
Since Web Extend uses both JavaScript snippets and cookies, we recommend that you don't simply say 'we use cookies' on your pop-up. You should clearly direct the reader to your Privacy Policy where you can explain it in more detail. We think this text is sufficient (but remember, we are not qualified to give legal advice!):
"This site uses cookies. Some of these are essential and some help us to provide a more personalized experience. For details on how we track your session, and instructions on how to opt out of this tracking, visit our Privacy Policy."
In your Privacy Policy you should explain that cookies and JavaScript will be used to enrich the customer's profile and enable personalized content. Make sure to tell the reader that it is in their interest as it lets you provide only relevant content for them. You should then provide instructions on how to disable cookies (for anonymous users), and on how to opt out of profile enrichment (for registered users).
2. Opting out of profile enrichment
You can give your registered customers the option not to have their contact profiles in your Emarsys contact database enriched with the data collected by Web Extend. This will not affect the way the cookies behave on your website, but will simply break the connection between the pseudonymized data and the contact's database profile.
-
When registering new contacts
You should include a sentence on your registration form that describes how the customer's behavior will be tracked and used to provide personalized content. You can then offer an opt-out checkbox for personalized content, or direct them to your Privacy Policy. -
For existing contacts
You should direct them to your updated Privacy Policy where they can find instructions on how to opt out.
In both cases, you should implement a suitable method to change the value of the field Do not track me to TRUE.
Retrieving or deleting historical data on request from a customer
Your Privacy Policy should also contain instructions on how a customer can request a copy of their historical web browser data, or to delete the same.
The process is the same as described above for the opt-out. You should collect the email address of the contact and attach them to a support request. We will then execute the desired action within the 30-day limit as prescribed by GDPR.
I'm not sure - I still want to disable Web Extend
If for some reason you are still not convinced by what you have read so far, and still want to disable Web Extend on your site, we have one last option for you.
You can submit a support request to stop the Web Extend database from syncing with your Emarsys contact database. When we suspend this function, no contact records can be updated with any data collected on your website.
The advantage of this option is that you can still continue to collect generic, anonymous data on visitor behavior, which will at least help to build up the statistical models for product affinity, as well as track the most-viewed and most-bought products. However, you will not have any of the advanced features such as revenue attribution or personalized recommendations available.
When you ask us to resume the sync, only the previous two or three days' worth of data will still be available to enrich the respective contact profiles.
Which data is collected and stored by the Web Extend commands
The Web Extend JavaScript commands do collect and store website browse behavior for an unlimited time in our own database, but this data is always anonymous or pseudonymized and cannot be exploited by a third party in the event of a security breach. Lacking any further measures to identify, processing of this data is not restricted by GDPR.
This data is used to build the statistical models that underpin many of our personalization algorithms.
The data collected is:
- Browser and version
- Operating system
- Referring URL
- IP address (hashed and abbreviated)
- Session and cookie IDs
- Country
The Web Extend cookies
Web Extend drops a number of different cookies on visitors' browsers. Cookies usually have both a 1st-party and 3rd-party version, which are selected depending on the settings of any specific visitor. The domain for the third-party cookies is scarabresearch.com.
The expiration dates are usually one year, except for the session cookie, which is deleted at the end of each session.
The information these cookies store are basically of two types:
-
Service information
- IP address
- Browser
- Cookie identifiers
- Pseudonymized identifiers (external IDs or hashed email address) int he case of logged-in customers
-
Browsing information
- itemIDs that have been viewed
- itemIDs that have been added to the cart
- itemIDs that have been purchased
All non-operational information is stored in an encrypted form. Our cookie policies have been reviewed by the Emarsys Data Security team, and are compliant with our data security standards.
Here is a complete list of the cookies used (as of May, 2018):
-
scarab.visitor - This cookie that stores store the visitor id which will identify the visitor through sessions.
- cdv - This is the 3rd-party version of scarab.visitor.
-
scarab.profile - This cookie stores user profile information, products the user browsed, etc. It also stores performance metrics about our scripts, how fast is it loaded, executed, and so on. The information stored in this cookie is encrypted.
- xp - This is the 3rd-party version of scarab.profile.
-
scarab.mayAdd & scarab.mayViewed - These are the session cookies that are used for click and add-to-cart tracking. When a user clicks on a recommended item, for example, there's no time to report the click to our server (we don't want to block the user flow), so we store it in a cookie. The next time our script loads in the same browser we read these cookies and send the data to our servers.
- s - This is a 3rd-party cookie used for similar purposes as scarab.mayAdd and scarab.mayViewed.
How the Web Extend cookies work
The Web Extend cookies store the following data on your website:
- Browser user agent
- Cookie identifiers
- Pseudonymous identifier (external ID or Emarsys emailhash) in the case of logged-in visitors
- Web traffic session data: product views (mayViewed cookie) and carts (mayAdd cookie)
Besides this data, we store the user's IP address in our own Web Extend database. Only when this database updates your Emarsys account's contact database is the pseudonymized data matched to a contact ID and that contact's profile is updated (see above).
setEmail command in the Web Extend JavaScript
The setEmail command does receive a personal data (US: personally identifiable information, or PII) as input: the contact's email address.
However, this email address is hashed using a proprietary algorithm in the end-user's browser, and only this hashed ID is passed on to and stored by Web Extend.
Reverse engineering the hash is beyond reasonable efforts by today's technology.
Email address as identifier in Sales Data files
A subsystem of Web Extend, the Sales Data Service, also receives personal data/PII (the email address of the contact) for input in some implementations.
Similarly to setEmail, this email address is hashed immediately as the file is processed, and only this hashed ID is stored with these sales data files.