In this article we describe how data is collected on your website, how long it is stored for, how it is passed to your Emarsys contact database and how all of these are affected by data protection legislation (in particular GDPR).
Emarsys is not a law firm specializing in data security legislation, and we do not offer legal advice. We want to help you to understand how this legislation can affect you as an Emarsys customer, and this article assumes that you are using the Emarsys Marketing Platform properly, according to our documentation.
You should always refer to a qualified legal source when it comes to checking whether or not you are compliant in any given situation.
Web Extend and GDPR
- Web Extend and GDPR compliance
- Opting out of behavior tracking
- Retrieving or deleting historical data on request from a customer
- I'm not sure - I still want to disable Web Extend
General information on web data collection
Web Extend and GDPR compliance
In order to understand Web Extend in terms of GDPR compliance, you need to differentiate between its two functions:
- Tracking visitor behavior on your website and storing this data indefinitely in the Web Extend database.
- Enriching individual contact profiles in your Emarsys database with this data.
1. Tracking web behavior
All data collected by Web Extend on your website and stored in the Web Extend database, both by the JavaScript commands and by the cookies, is either anonymous (before login) or pseudonymized (after login). Therefore, lacking any further measures to identify, processing of this data is not restricted by GDPR.
You do not need to disable the Web Extend scripts in order to be GDPR-compliant!
- Anonymous data is collected from visitors who have not yet logged in or registered, and is used to build product affinity models as well as to offer generic recommendations such as the most-viewed or best-selling products. Once a visitor logs in, the data from that session becomes pseudonymized.
- Pseudonymized data is associated with an individual visitor but cannot be directly linked to a contact in your Emarsys database, nor used to establish the identity of any natural person.
2. Enriching contact data profiles
The Web Extend database regularly updates your Emarsys account with the data it has collected on visitor sessions. Here the pseudonymized identifiers for these sessions are matched to the identifier keys stored in your Emarsys contact database.
- In the case of externalID, this key is entered in a custom field created by you.
- In the case of Emarsys emailhash as identifier, the key is stored in the predictUserId and predictSecret contact database fields.
This is the point at which the GDPR restrictions on data processing and data subject rights become more significant, mainly in the form of these three obligations:
- To offer the customer the chance to opt out of behavior tracking
- To retrieve all the data you have on the customer
- To delete all the data you have on the customer
The process for all of these should be described in your Privacy Policy.
When Web Extend sends the data to your Emarsys contact database to enrich contact profiles, this takes place within the Emarsys data security infrastructure and is covered by our security accreditations.
Opting out of behavior tracking
1. Implicit consent for behavior tracking
GDPR requires that you inform the visitor to your website that you intend to track their behavior. For first-time visitors this is usually done through 'implicit consent', i.e. you display this information in a pop-up or banner and the visitor only has to click it away or continue for consent to be given.
In your Privacy Policy you must explain that cookies and JavaScript will be used to enrich the customer's profile and enable personalized content. Make sure to tell the reader that it is in their interest as it lets you provide only relevant content for them. You must then provide instructions on how to disable cookies (for anonymous users), and on how to opt out of profile enrichment (for registered users).
You must capture explicit consent before you start to collect personal data for identification with Web Extend in that given web session.
Before you use Web Extend it is your responsibility to ensure that you always obtain the necessary consent for that data from your consumers (i.e: a natural person such as a customer, contact, or account). For more about Web Extend data collection, see the Emarsys Developer Hub.
2. Opting out of profile enrichment
You can give your registered customers the option not to have their contact profiles in your Emarsys contact database enriched with the data collected by Web Extend. This will not affect the way the cookies behave on your website, but will simply break the connection between the pseudonymized data and the contact's database profile.
-
When registering new contacts
You should include a sentence on your registration form that describes how the customer's behavior will be tracked and used to provide personalized content. You can then offer an opt-out checkbox for personalized content, or direct them to your Privacy Policy. -
For existing contacts
You should direct them to your updated Privacy Policy where they can find instructions on how to opt out.
In both cases, you should implement a suitable method to change the value of the field Do not track me to TRUE
.
When a contact is set for Do not track me, all historic, existing and previously collected web behavior related data (Web Extend and Web Channel data) is removed. This affects the reporting of Web Channel campaigns and Predict recommendations, since these contacts will not be tracked anymore. However, it is not affecting Predict and Web Channel historic reporting since that is stored in an aggregated form.
Retrieving historical data on request from a customer
Your Privacy Policy should also contain instructions on how a customer can request a copy of their historical web browser data.
The process is the same as described above for the opt-out. You should collect the email address of the contact and attach them to a support request. We will then execute the desired action within the 30-day limit as prescribed by GDPR.
I'm not sure - I still want to disable Web Extend
If for some reason you are still not convinced by what you have read so far, and still want to disable Web Extend on your site, we have one last option for you.
You can submit a support request to stop the Web Extend database from syncing with your Emarsys contact database. When we suspend this function, no contact records can be updated with any data collected on your website.
The advantage of this option is that you can still continue to collect generic, anonymous data on visitor behavior, which will at least help to build up the statistical models for product affinity, as well as track the most-viewed and most-bought products. However, you will not have any of the advanced features such as revenue attribution or personalized recommendations available.
When you ask us to resume the sync, only the previous two or three days' worth of data will still be available to enrich the respective contact profiles.
General information on web data collection
Which data is collected and stored by the Web Extend commands
The Web Extend JavaScript commands do collect and store website browse behavior for an unlimited time in our own database, but this data is always anonymous or pseudonymized and cannot be exploited by a third party in the event of a security breach. Lacking any further measures to identify, processing of this data is not restricted by GDPR.
This data is used to build the statistical models that underpin many of our personalization algorithms.
The data collected is:
- Browser and version
- Operating system
- Referring URL
- IP address (hashed and abbreviated)
- Session and cookie IDs
- Country or region
Web Channel's local storage items
Web Channel is placing items in the web browser's local storage and session storage, and they are used for the following purposes:
-
wpsStore
- Stores a list of the sessions state history in an ordered manner. State means the applications state, including web browser, operating system, window size. -
Wps-1
- Stores user-related events (last impression, last load, etc.) grouped by Web Channel campaigns. -
_wp_storage_test
- Used for storage validation (whether this value has been changed or still exists). -
_wp_eh/_wp_ci/_wp_eh_2/_wp_ci_2
- Stores pseudonymized identifiers (external IDs or hashed email address) in case of logged-in customers.
The Web Extend cookies
Web Extend drops a number of different cookies on visitors' browsers. Cookies usually have both a 1st-party and 3rd-party version, which are selected depending on the settings of any specific visitor. The domain for the third-party cookies is scarabresearch.com.
The expiration dates are usually one year, except for the session cookie, which is deleted at the end of each session.
The information these cookies store are basically of two types:
-
Service information
- IP address
- Browser
- Cookie identifiers
- Pseudonymized identifiers (external IDs or hashed email address) in the case of logged-in customers
-
Browsing information
- itemIDs that have been viewed
- itemIDs that have been added to the cart
- itemIDs that have been purchased
All non-operational information is stored in an encrypted form. Our cookie policies have been reviewed by the Emarsys Data Security team, and are compliant with our data security standards.
Here is a complete list of the cookies used (as of March, 2020):
-
scarab.visitor - This cookie that stores the visitor id which will identify the visitor through sessions. Its lifetime is one year.
-
cdv - This is the 3rd-party version of scarab.visitor. It stores a server side generated visitor id to identify the same visitors through different sessions. It provides the capability to identify a visitor as a known user even if no identification event has taken place. If this cookie is blocked, the user cannot be identified without an identification event.
- Its lifetime is one year.
-
cdv - This is the 3rd-party version of scarab.visitor. It stores a server side generated visitor id to identify the same visitors through different sessions. It provides the capability to identify a visitor as a known user even if no identification event has taken place. If this cookie is blocked, the user cannot be identified without an identification event.
-
scarab.profile - This cookie stores user profile information, products the user browsed, etc. It also stores performance metrics about our scripts, load times, execution times, and so on after being generated by the first event (go command). The information stored in this cookie is encrypted. This cookie is only present if the xp cookie is blocked.
-
xp - This is the 3rd-party version of the first party cookie scarab.profile. It is set from the first party version. It contains user profile data in a serialized, encrypted format. The data is covering events, such as, item view, category view and searches.
- If this cookie is blocked, the personal recommendation feature for visitors will not be available.
- Its lifetime is one year.
-
scarab.mayViewed - A session cookie that is used for click and add-to-cart tracking. When a user clicks on a recommended item, and there is not enough time to report the click to our server (to avoid blocking the user flow), the click information is stored in a cookie. The next time the script loads in the same browser, these cookies are read and the data is sent to our servers.
- Their lifetime is limited to the current session of the visitor.
-
xp - This is the 3rd-party version of the first party cookie scarab.profile. It is set from the first party version. It contains user profile data in a serialized, encrypted format. The data is covering events, such as, item view, category view and searches.
-
s - This is a 3rd-party cookie used for similar purposes as scarab.mayViewed. It stores a server side generated session id for session length identification. If this cookie is blocked, the visitors session lengths are estimated by event timestamps.
- Its lifetime is limited to the current session of the visitor.
-
fc - Force cohort cookie: It is used for A/B testing.
- Its lifetime is set to 30 minutes.
Depending on how the users browser restricts the use of cookies, their lifetime time may be shorter: certain browsers block or limit the lifetime of cookies used for tracking (e.g. Safari, Firefox). For more information, see Web Extend data collection - FAQ.
How the Web Extend cookies work
The Web Extend cookies store the following data on your website:
- Browser user agent
- Cookie identifiers
- Pseudonymous identifier (external ID or Emarsys emailhash) in the case of logged-in visitors
- Web traffic session data: product views (mayViewed cookie)
Besides this data, we store the user's IP address in our own Web Extend database. Only when this database updates your Emarsys account's contact database is the pseudonymized data matched to a contact ID and that contact's profile is updated (see above).
setEmail command in the Web Extend JavaScript
The setEmail
command does receive a personal data (US: personally identifiable information, or PII) as input: the contact's email address.
However, this email address is hashed using a proprietary algorithm in the end-user's browser, and only this hashed ID is passed on to and stored by Web Extend.
Reverse engineering the hash is beyond reasonable efforts by today's technology.
Email address as identifier in Sales Data files
A subsystem of Web Extend, the Sales Data Service, also receives personal data/PII (the email address of the contact) for input in some implementations.
Similarly to setEmail
, this email address is hashed immediately as the file is processed, and only this hashed ID is stored with these sales data files.