By Dominic Jones | Published: January 4, 2008 | 
Printer version
| Comment |
Dispelling the “cookie myth” around e-proxy
BROADRIDGE Financial Solutions consultants are spreading incorrect information about the SEC’s requirements regarding the use of cookies on websites hosting proxy materials.
I’ve just seen a presentation in which the Broadridge presenter says companies must provide a website that is “cookie free.” Nonsense.
The result of this misinformation is that companies, many of which use cookies on their websites for various practical reasons, mistakenly believe they have to use Broadridge’s website to host their proxy materials.
That is not the case. Actually, using Broadridge to host your proxy materials is a dumb thing to do because it will negatively impact the user experience for your company’s shareholders.
So here’s what you need to know:
- You CANNOT use cookies to infringe upon the anonymity of people who use the website hosting your proxy materials. In fact, you are not allowed to infringe upon the anonymity of users in any manner, not just via cookies. Most cookies on corporate websites are not used to identify people, although some are.
- However, you CAN use cookies for other things that don’t infringe on users’ anonymity, such as improving the usability of your online documents. Cookies are actually useful in a number of situations, such as remembering when a user has acknowledged a disclaimer, or enabling them to create a personalized download of your meeting materials. You don’t need to infringe upon their anonymity to do these things.
OK, hope I’ve cleared that up. Here’s the full text of the SEC’s final rules requiring online proxy materials (PDF 424 KB, 72 pages). It’s explained very clearly, so I can’t understand why the Broadridge folks don’t understand it.
If you’re interested, Wikipedia’s explanation of cookies is a good one.
Related posts:
Dispelling the “cookie myth” around e-proxy (January08, 2008)
Participation plummets in e-proxy votes (October 23, 2007)
Microsoft reverts to snail mail in e-proxy (October 18, 2007)
AMERCO’s shareholder forum, e-proxy (July 11, 2007)
Is Shareholder.com client breaching SEC privacy rules? (July 10, 2007)
My bad experience with first e-proxy notice (July 04, 2007)
E-proxy: do it for love, not money (June 14, 2007)
10 reasons to avoid image-based reports (February 2003)
Usability guru weighs in on image-based reports (February 2003)
Please Support Our Work
Email your friends about us. Subscribe to our paid publication Online IR Trends Quarterly. Get us to recommend improvements to your IR website (we're really good at it).
January 7th, 2008 at 5:38 pm
Hello,
I re-read the final rules and don’t know that I come to the same conclusion in regards to using cookies or partial cookies…
Here is the excerpt from the final rule that makes me think differently…no where does it mention you can keep some types of cookies:
“..Although this prohibition does raise the cost to maintain the Web sites, we believe that eliminating this prohibition may have a negative effect on shareholders’ willingness to access the proxy materials via an Internet Web site. We do not believe this requirement will create undue burden on companies. Soliciting parties must refrain from installing cookies and other tracking features on the Web site or portion of the Web site where the proxy materials are posted. This may require segregating those pages from the rest of the soliciting party’s regular Web site or creating a new Web site. ”
What am I missing?
D
January 7th, 2008 at 8:14 pm
Cookies, or any other practice that is used to infringe upon the anonymity of the user, are not permitted. The issue is confidentiality, not usability or aesthetics or anything else.
The passage you quote was in response to a question specific to mutual fund companies. The issue seemed to be that many of these firms have client log-in websites that use cookies. Ironically, the SEC’s idea of segregating the pages or creating a new site would not work to prevent infringing on the user’s anonymity. If clients logged in to their clients-only area and an identifying cookie was installed on their computers, and then they went to vote on another area of the site and were tracked, the anonymity of their vote would be compromised because their use of those pages would be associated with their account details.
If the cookie was not associated with any identifying info, then it would not infringe on their anonymity and so would be permitted.
Again,the issue is the users’ confidentiality, nothing else. It’s kind of obvious, isn’t it?
January 7th, 2008 at 8:41 pm
Here’s more from the rule release which clearly shows the issue is all about confidentiality, not cookies per se.
“Three commenters were concerned about the provisions of the model that require a company to maintain the designated Web site in a manner that does not infringe on the anonymity of persons accessing the Web site. One commenter was concerned that the prohibition on “cookies” will raise the costs of maintaining Internet Web sites. Conversely, one commenter was concerned that there could be potential abuses of shareholder privacy through information tracking and collection of information on Internet Web sites. Similar concerns regarding potential abuses of shareholder privacy also were raised with regard to the adoption of the voluntary notice and access model.
“Although we recognize that the confidentiality requirements may increase the cost of maintaining an Internet Web site, we believe that the protection of shareholder information is important. A rule that permits issuers to discover the identity of a person accessing the Web site could effectively negate a beneficial owner’s ability under the proxy rules to object to an intermediary’s disclosure of that beneficial owner’s identity to the issuer. In addition, a rule without this prohibition on the issuer may make some shareholders hesitant to access the proxy disclosures, which would not promote the purposes of this rule. Therefore we have retained this provision of the rule to help prevent potential abuses of shareholder information.
“We do not believe that this requirement will impose any undue burden on companies. Under the rule, a company must refrain from installing cookies and other tracking features on the Web site on which the proxy materials are posted. This may require segregating those pages from the rest of the company’s regular Web site or creating a new Web site. However, the rule does not require the company to turn off the Web site’s connection log, which automatically tracks numerical IP addresses that connect to that Web site. Although in most cases, this IP address does not provide companies with sufficient information to identify the accessing shareholder, companies may not use these numbers to attempt to find out more information about persons accessing the Web site.”
The actual rule itself does not refer explicitly to cookies. It simply says:
“A registrant or its agent shall maintain the Internet Web site on which it posts its proxy materials in a manner that does not infringe on the anonymity of a person accessing such Web site.”
While cookies are sometimes used to “infringe on the anonymity of a person,” this is NOT their primary use. This is explained in the Wikipedia explanation included in the post. Read it, it’s a very good description. Here’s a quote from their discussion of misconceptions about cookies.
“Cookies allow for detecting the Web pages viewed by a user on a given site or set of sites. This information can be collected in a profile of the user. Such profiles are often anonymous, that is, they do not contain personal information of the user (name, address, etc.) More precisely, they cannot contain personal information unless the user has made it available to some sites.”
It is simplistic to read the rules as banning all use of cookies, or to use or avoid any technology not explicitly prohibited or permitted. For example, the adopting release makes no mention of Flash Local Stored Objects, which can be used to infringe on users’ anonymity. Yet, just because they don’t mention them, does not mean they’re allowed.
Similarly, just because the SEC does not say you can use cookies that do not infringe on users anonymity, does not mean you cannot do so.
January 8th, 2008 at 7:43 am
[...] then Broadridge itself is currently breaching the SEC’s rules. That’s because they themselves are using cookies on the website they currently use to host their clients’ proxy materials for eproxy. [...]
June 3rd, 2008 at 4:16 am
[...] website because they have been told by vendors that they must provide their materials on a “cookie-free” website, even though that term is not used anywhere in the SEC’s rules. Ironically, the websites on [...]
June 25th, 2008 at 5:35 am
[...] Due to one ambiguous sentence in the adopting release by someone who didn’t know that not all cookies infringe of web users’ anonymity, companies using the voluntary notice and access process have been persuaded that they cannot host [...]
July 28th, 2008 at 2:30 pm
[...] The issue was addressed in the e-proxy rules, but it was misinterpreted by the legal community and self-serving vendors to mean that companies cannot track investors on their websites even [...]
August 5th, 2008 at 4:51 pm
[...] about difficulties in receiving proxy voting instructions or materials from Broadridge and their marketing around the SEC’s notice-and-access process has left much to be desired. I have also been hearing privately from companies that they have seen [...]