Privacy & Cybersecurity Law Blog

The Bavarian data protection authority recently updated its compliance initiative regarding online tracking tools to include Adobe’s online tracking product (Adobe Analytics (Omniture)). As with previous initiatives of this nature, the underlying analyses were carried out in an automated manner, using a program specifically developed by the Bavarian data protection authority to verify compliance.

The updated section about Adobe’s product summarizes the discussions between Adobe and the Bavarian data protection authority that lead to Adobe modifying its product. These modifications included:

• reducing the duration of tracking cookies from 60 to 24 months; and
• the anonymization of IP addresses used for geo-location purposes.

Guidance for Website Operators

The Bavarian data protection authority also provides detailed guidance for website operators on how to configure Adobe’s product to comply with relevant data protection laws. The guidance covers the following topics:

• the need for data processing agreements;
• the ability to opt out of tracking;
• required amendments to privacy policies;
• two of the product’s server-side settings (“Before Geo-Lookup: Replace visitor’s last IP octet with 0” and “Obfuscate IP-Removed”); and
• the maximum duration of tracking cookies (24 months).

Among its answers to 12 frequently asked questions, the Bavarian data protection authority indicates:

• Browser settings are not a sufficient opt-out mechanism for Adobe tracking cookies, but a link to Adobe’s global opt-out webpage would suffice.
• The MD5 hashing algorithm cannot be used to anonymize IPv4 addresses. This is because the effort required to de-anonymize such hashed IP addresses is comparatively low.

Going forward, the Bavarian data protection authority plans to expand its automated checks to other online tracking tools. Accordingly, website operators using online tracking tools should review their configurations and privacy policies.