Legal Statement•

TraceDock Legal Statement

Almost every website seeks to acquire information on visitor behavior. This process is commonly known as analytics (after the popular Google tool of the same name) and reveals information such as visitor paths, successful and failed marketing and sales, popular and unpopular pages, and so on. Additionally, visitor information such as IP address, browser version, installed plugins and supported languages and so on are collected to segment and analyze visitors further. The collection of this type of information has raised privacy concerns. In Europe, this type of information is regarded as personal data — which is protected by the EU's General Data Protection Regulation or GDPR. Usage of personal data is only permitted under strict safeguards and often requires prior consent by visitors. What's more, the prevalence of internet advertising has given rise to the widespread usage of so-called "ad blockers", which not only title advertisements from view but also limit or block the usage of third-party analytics tools. This is mainly because such tools collect a lot of information regarding users and perform tracking over multiple websites to build information profiles of these users. Such wide profiles are seen as privacy-invasive.

1. How TraceDock works

TraceDock seeks a balance between a website operator's interest in acquiring visitor information and website visitors' desire for privacy and avoiding being tracked all over the internet. The Service operates as a first-party plugin that a website operator installs. The plugin collects visitor information and enables its inclusion in Google Analytics or other analytics platforms. However, the plugin is designed with privacy in mind and does not merely forward that information. Rather, the information is first anonymized as discussed below. TraceDock is a first-party plugin that runs on its own subdomain in parallel to a website's existing analytics implementation. Here, it automatically recognizes if any analytics is blocked. In such cases, data is sent to the TraceDock servers, where it will be forwarded to the analytics platforms.

In order to connect websites visits to the same anonymized user TraceDock creates a first-party clientlD, depending on if the user consents to cookies this can be done either by:

1. A client-side "client id" that is randomly generated and set in a first-party cookie by the TraceDock plugin. As long as this cookie is retained, website visits by the same user can be combined. The cookie has an expiry period of six months, and the user can delete the cookie at any time.
2. A server-side "client id" that is computed through a hash function based on the website URL, User-Agent, and the external 1P address. This hash function (SHA1) used is mathematically irreversible, meaning that you cannot backward engineer the underlying values.

2. Legal analysis under the Danish cookie Order

This section only deals with the rules if the end-user does not give his consent to cookies. The section first describes applicable law and in section 2.6 our legal opinion of the Service is given on the basis of the applicable legislation.

2.1 What do the rules protect?

The purpose of the rules is to protect the private sphere of the users. The rules

are based on the view that the users' terminal equipment is part of the user's private sphere, which should be protected against unwarranted intrusion. Terminal equipment means computers and mobile units such as smartphones, tablets, etc., in which information can be stored or already stored information be accessed. The protected person is the user of an electronic communications network or service who does not make such electronic communications networks or services available to other parties on a commercial basis, i.e. all users of a computer or a mobile unit. The protection is associated with the terminal equipment, which, as mentioned above, is regarded as being part of the owner's private sphere.

2.2 What technologies are covered?

The Cookie Order does not give a specific definition of the technologies regulated by the Order other than the specific description given in section 3(1), which has the following wording:

Natural or legal persons may not store information, or pain access to information already stored, in an end user’s terminal equipment, or let a third party store information or pain access to information, if the end-user has not consented thereto, having been provided with comprehensive information about the storing of, or access to, the information.

The rules are neutral in terms of technology. The Cookie Order extends beyond storing of or access to information in the users' terminal equipment in connection with internet access: it also includes storing of or access to information from external media such as USB keys, CDs, CD-ROMS, external hard disks, etc.

As for the form, type, or standard used for storing the information, the Cookie Order covers not only "classic" HTTP cookies, but similar technologies of any type, including Flash cookies (Local Shared Objects), Web Storage (HTML5), Java scripts or cookies set when using Microsoft Silverlight. 

In relation to the requirement for information and consent, Danish legislation does not distinguish between the various types of cookies but includes all cookies irrespective of their life span and origin.

Cookies may have different life spans: they may stop at the end of a browser session (i.e. from the moment when the user opens a browser window until this is closed again), or they may last for a longer time and cover several browser sessions, being able to track the user's movements on the internet.

2.3 What actions are covered?

The Cookie Order is only concerned with the action consisting in storing of or access to already stored information in a user's terminal equipment. Actions taking place before or after storing of or access to information in a user's terminal equipment do not fall within the rules of the Cookie Order. Such actions may instead be covered by the general provisions for the protection of personal data.

2.4 What information is covered?

The Cookie Order applies to any type of information collected or stored in the user's terminal equipment.

The cookie rules regulate the means for the collection of data. No distinction is made here between personal and non-personal information.

Nor is it significant whether the information is semantically meaningful, unintelligible text strings, code, or whether the information is encrypted.

2.5 Consent and information requirement

To meet the information requirement, you must:

• write the information in a clear, precise, and easy-to-understand language or equivalent in easy-to-understand pictorial language, eg pictograms
• inform about the purposes of using cookies
• tell the users who are behind the cookies used - it can be the website the owner or a third party
• provide information about how the user agrees to or denies the use of cookies
• state how the user can withdraw his consent
• state the duration of operation of the cookies (expiration date).

On 1 October 2019, the European Court of Justice handed down a preliminary ruling on the requirement of consent to the use of cookies (Case C-673/17).

The judgment also stated that the user must have information about the duration of operation of cookies (expiration date) - i.e. how long cookies collect information on the user's [terminal] equipment.

Requirements for consent:

• The user must be able to give consent or refuse to give consent to the use of cookies.
• The user must be able to revoke a previously given consent.
• The user must be able to easily find further information about the use of cookies on the website.
• Consent must be linked to the purpose for which the data collection is to be used.

2.6 The TraceDock Service

The Service is based on cookie-less tracking technology. TraceDock base the clientlD on a server-side hash of the website/User Agent and an external IP address, making it thus anonymous and first party. However, if a user does consent to cookies TraceDock uses a cookie identifier because this is more accurate.

Although the Cookies Order applies to similar technologies — which TraceDock must be considered to be - the rules on the duty to provide information and consent pursuant to section 3 of the Cookies Order only apply if TraceDock »stores information or gains access to information already stored in an end user’s terminal equipment« (see section 2.2).

If an end-user rejects cookies, TraceDock (and the website) are not allowed to store a clientlD in the browser in the form of a cookie, and TraceDock generates instead of a server-side ClientlD as mentioned above.

We have noticed that the Service does not store information or gain access to information already stored in an end user’s terminal equipment. TraceDock only uses an external IP address which is not read from the end-user's terminal equipment but through the User Agent.

On this basis, it is our legal opinion that the Cookie Order does not apply to the described Service.

3. GDPR

3.1 Anonymization efforts

TraceDock undertakes various efforts to anonymize the data that is delivered to the analytics platforms. For instance, data that is being collected from users with ad-blockers or from Firefox (or other browsers with similar tracking prevention mechanisms) will have the IP address anonymized (the last octet removed) when sending data to the platform. The anonymization is performed at the TraceDock servers.

3.2 Legal analysis under the GDPR

The starting point of the analysis is to define whether the website operator is the data controller alone or jointly in regard to this processing of data. According to Article 4(7) GDPR, a "'controller" means "the natural or legal person [ ... ] which, alone or jointly with others, determines the purposes and means of the processing of personal data". The website operator is considered the data controller alone among other due to the fact that the website operator determines the purpose and do not share data with third parties.

The collection of the information, as shown above, falls under the heading of "processing of personal information" under the GDPR. The website operator must be able to demonstrate the existence of a legal basis (article 6 GDPR) to justify the processing of personal data and be in compliance with the other GDPR requirements. There is no specific hierarchy made between the different lawful basis of the GDPR: the controller needs to ensure that the selected lawful basis matches the objective and context of the processing operation in question. In relation to website operators’ processing of personal data, consent is often used but a different lawful basis can be selected in that context. For a website operator to rely on the ground of a legitimate interest (article 6(1)(f) GDPR), three cumulative conditions shall be met:

• the pursuit of a legitimate interest by the data controller
• the need to process personal data for the purpose of the legitimate interest pursued and
• the conditions that the fundamental rights and freedoms of the data subject whose data require protection does not take precedence)

The reason this ground usually does not apply is that the type of tracking performed by most analytics tools has a serious privacy impact and no measures are taken to reduce this. However, the TraceDock Service does significantly reduce the privacy impact of analytics. The following reasons apply:

1. The data collection is first-party only, no personal data is shared with third parties.
2. The TraceDock Service filters and eliminates traceable personal data such as IP-address.
3. The identifier TraceDock sets are relatively short-lived (up to 180 days) and unique to the website it was set for.
4. The data in the analytics tool cannot be reused for further tracking or retargeting.

Based on these reasons, a website operator may invoke the ground of legitimate interest and thereby avoid asking consent under the GDPR for its use of analytics together with the TraceDock solution.

Of course, other GDPR requirements continue to apply. The most important requirement is that visitors are adequately informed of their processing of personal data. Article 5 (1) (a) GDPR states that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Article 5 (1)(b) GDPR also states that personal data shall be collected for specified, explicit, and legitimate purposes. Information presented to data subjects in respect of the way in which their personal data are processed should be, in all cases, concise, transparent, and in an intelligible and easily accessible form, using clear and plain language. Users shall be provided with the relevant information directly on the screen, interactively, and where appropriate or necessary, through layered notices.