BROADRIDGE Financial Solutions consultants are spreading incorrect information about the SEC’s requirements regarding the use of cookies on websites hosting proxy materials.
I’ve just seen a presentation in which the Broadridge presenter says companies must provide a website that is “cookie free.” Nonsense.
The result of this misinformation is that companies, many of which use cookies on their websites for various practical reasons, mistakenly believe they have to use Broadridge’s website to host their proxy materials.
That is not the case. Actually, using Broadridge to host your proxy materials is a dumb thing to do because it will negatively impact the user experience for your company’s shareholders.
So here’s what you need to know:
- You CANNOT use cookies to infringe upon the anonymity of people who use the website hosting your proxy materials. In fact, you are not allowed to infringe upon the anonymity of users in any manner, not just via cookies. Most cookies on corporate websites are not used to identify people, although some are.
- However, you CAN use cookies for other things that don’t infringe on users’ anonymity, such as improving the usability of your online documents. Cookies are actually useful in a number of situations, such as remembering when a user has acknowledged a disclaimer, or enabling them to create a personalized download of your meeting materials. You don’t need to infringe upon their anonymity to do these things.
OK, hope I’ve cleared that up. Here’s the full text of the SEC’s final rules requiring online proxy materials (PDF 424 KB, 72 pages). It’s explained very clearly, so I can’t understand why the Broadridge folks don’t understand it.
If you’re interested, Wikipedia’s explanation of cookies is a good one.
Related posts:
Dispelling the “cookie myth” around e-proxy (January08, 2008)
Participation plummets in e-proxy votes (October 23, 2007)
Microsoft reverts to snail mail in e-proxy (October 18, 2007)
AMERCO’s shareholder forum, e-proxy (July 11, 2007)
Is Shareholder.com client breaching SEC privacy rules? (July 10, 2007)
My bad experience with first e-proxy notice (July 04, 2007)
E-proxy: do it for love, not money (June 14, 2007)
10 reasons to avoid image-based reports (February 2003)
Usability guru weighs in on image-based reports (February 2003)
Hello,
I re-read the final rules and don’t know that I come to the same conclusion in regards to using cookies or partial cookies…
Here is the excerpt from the final rule that makes me think differently…no where does it mention you can keep some types of cookies:
“..Although this prohibition does raise the cost to maintain the Web sites, we believe that eliminating this prohibition may have a negative effect on shareholders’ willingness to access the proxy materials via an Internet Web site. We do not believe this requirement will create undue burden on companies. Soliciting parties must refrain from installing cookies and other tracking features on the Web site or portion of the Web site where the proxy materials are posted. This may require segregating those pages from the rest of the soliciting party’s regular Web site or creating a new Web site. ”
What am I missing?
D
Here’s more from the rule release which clearly shows the issue is all about confidentiality, not cookies per se.
“Three commenters were concerned about the provisions of the model that require a company to maintain the designated Web site in a manner that does not infringe on the anonymity of persons accessing the Web site. One commenter was concerned that the prohibition on “cookies” will raise the costs of maintaining Internet Web sites. Conversely, one commenter was concerned that there could be potential abuses of shareholder privacy through information tracking and collection of information on Internet Web sites. Similar concerns regarding potential abuses of shareholder privacy also were raised with regard to the adoption of the voluntary notice and access model.
“Although we recognize that the confidentiality requirements may increase the cost of maintaining an Internet Web site, we believe that the protection of shareholder information is important. A rule that permits issuers to discover the identity of a person accessing the Web site could effectively negate a beneficial owner’s ability under the proxy rules to object to an intermediary’s disclosure of that beneficial owner’s identity to the issuer. In addition, a rule without this prohibition on the issuer may make some shareholders hesitant to access the proxy disclosures, which would not promote the purposes of this rule. Therefore we have retained this provision of the rule to help prevent potential abuses of shareholder information.
“We do not believe that this requirement will impose any undue burden on companies. Under the rule, a company must refrain from installing cookies and other tracking features on the Web site on which the proxy materials are posted. This may require segregating those pages from the rest of the company’s regular Web site or creating a new Web site. However, the rule does not require the company to turn off the Web site’s connection log, which automatically tracks numerical IP addresses that connect to that Web site. Although in most cases, this IP address does not provide companies with sufficient information to identify the accessing shareholder, companies may not use these numbers to attempt to find out more information about persons accessing the Web site.”
The actual rule itself does not refer explicitly to cookies. It simply says:
“A registrant or its agent shall maintain the Internet Web site on which it posts its proxy materials in a manner that does not infringe on the anonymity of a person accessing such Web site.”
While cookies are sometimes used to “infringe on the anonymity of a person,” this is NOT their primary use. This is explained in the Wikipedia explanation included in the post. Read it, it’s a very good description. Here’s a quote from their discussion of misconceptions about cookies.
“Cookies allow for detecting the Web pages viewed by a user on a given site or set of sites. This information can be collected in a profile of the user. Such profiles are often anonymous, that is, they do not contain personal information of the user (name, address, etc.) More precisely, they cannot contain personal information unless the user has made it available to some sites.”
It is simplistic to read the rules as banning all use of cookies, or to use or avoid any technology not explicitly prohibited or permitted. For example, the adopting release makes no mention of Flash Local Stored Objects, which can be used to infringe on users’ anonymity. Yet, just because they don’t mention them, does not mean they’re allowed.
Similarly, just because the SEC does not say you can use cookies that do not infringe on users anonymity, does not mean you cannot do so.
D,
Cookies that infringe on the anonymity of individuals, or any other practice that is used to infringe upon the anonymity of the user, are not permitted. The issue is confidentiality, not cookies per se. The problem is that most people, including some at the SEC who wrote parts of the adopting release, don’t understand that there is a difference between cookies that identify you and those that don’t.
The passage you quote was in response to a question specific to mutual fund companies. The issue seemed to be that many of these firms have client log-in websites that use cookies. Ironically, the SEC’s idea of segregating the pages or creating a new site would not work to prevent infringing on the user’s anonymity. If clients logged in to their clients-only area and an identifying cookie was installed on their computers, and then they went to vote on another area of the site and were tracked, the anonymity of their vote would be compromised because their use of those pages would be associated with their account details.
If the cookie was not associated with any identifying info, then it would not infringe on their anonymity and so would be permitted.
Again,the issue is the users’ confidentiality, nothing else. It’s kind of obvious, isn’t it?
[...] then Broadridge itself is currently breaching the SEC’s rules. That’s because they themselves are using cookies on the website they currently use to host their clients’ proxy materials for eproxy. [...]
[...] website because they have been told by vendors that they must provide their materials on a “cookie-free” website, even though that term is not used anywhere in the SEC’s rules. Ironically, the websites on [...]
[...] Due to one ambiguous sentence in the adopting release by someone who didn’t know that not all cookies infringe of web users’ anonymity, companies using the voluntary notice and access process have been persuaded that they cannot host [...]
[...] The issue was addressed in the e-proxy rules, but it was misinterpreted by the legal community and self-serving vendors to mean that companies cannot track investors on their websites even [...]
[...] about difficulties in receiving proxy voting instructions or materials from Broadridge and their marketing around the SEC’s notice-and-access process has left much to be desired. I have also been hearing privately from companies that they have seen [...]
[...] paid good money to, they might point to a sentence in an SEC adopting release that they’ve mindlessly interpreted to mean that the SEC thinks needless replication is the way to go. Some smart lawyer might even [...]
We use Google Analytics in our website…We have been told that because of this we are not a “cookie free website” therefore we should go with Bridgeview…is that correct?
sorry..meant to say BROADRIDGE not BridgeView
Carlos,
There’s no blanket prohibition on using cookies, only cookies that infringe upon the anonymity of people who use the site on which the proxy materials are hosted.
In addition, the SEC says you don’t have to turn off your website log, which logs IP addresses, but they say you shouldn’t go digging around in there to find out who is using the materials. It’s in the SEC adopting release.
Tell your lawyers to read up about cookies. Unless they understand the technology, they won’t understand the SEC’s position. And know that Broadridge uses cookies on the servers where they will host your materials. Whoever is giving you this advice that you have to use Broadridge is either stupid or has a vested interest in throwing business Broadridge’s way.
Now, as for Google Analytics, it’s 99.9% safe because it doesn’t infringe upon the anonymity of users. However, it does track IPs, and from that you can get a general idea of who is using the site, but only at an organization or service provider level, not on a personal level. The IP info is the same as you can get via your server log file, so just don’t go digging around there.
Finally, most big investors are going to vote without visiting your site and you won’t have any way to track them.
If you’re really worried about this, get a new domain like yourcompanyproxy.com from GoDaddy or something and host the materials there without GA on it. Provide links to the voting sites from it. That will cost you a couple hundred bucks a year (including hosting) and you can use it forever. Better yet, point your new domain to a page or area on your own server that doesn’t have the GA script on it. It’s easy to remove the GA script from pages. If you do this, your own site will have NO cookies, which is better even than Broadridge.
There are lots of different approaches and none of them requires hosting your materials on Broadridge’s servers.