SORRY to bore you with this arcane discussion about cookies, but I’m continuing to hear from vendors who claim companies cannot use any cookies on websites hosting their proxy materials.
This is nonsense and the people pushing this line of thinking — and I’m talking about a lot of different people — either aren’t paying attention or they’re deliberately trying to confuse companies for their own ends. Perhaps both.
You might recall that this issue came up after I saw a presentation in which a representative of Broadridge Financial Solutions tells the audience they have to post their proxy materials on a “cookie free” website. (Others are telling firms the same thing.)
That might sound right, but if it was — and it’s most definitely not — then Broadridge itself is currently breaching the SEC’s rules. That’s because they themselves are using cookies on the websites they use to host their clients’ proxy materials for eproxy.
Look at the screenshot below. It shows you information about the cookie that was set to my browser when I visited www.investorEconnect.com, the domain Broadridge uses to host its clients’ proxy materials.
 |
| Broadridge’s own domains provided for eproxy services use cookies, even while the company’s sales people are telling their clients their websites must be “cookie free.” |
So are Broadridge and its clients breaching the SEC’s rules around cookies?
No they are not, and here’s why:
The SEC’s rules state you cannot “infringe on the anonymity” of people who access the website hosting your proxy materials. In other words, you cannot use any method to learn the identities of users on the website hosting your proxy materials. That includes, but is not limited to, using cookies that contain identifying information.
However, there is no universal ban on cookies. Anonymous cookies, those that do not contain information that would enable you to identify a user, do not infringe on shareholders’ anonymity and therefore are not a problem.
And that is why Broadridge can use cookies on its Investor E-connect website and other proxy related sites; because they are using cookies to ensure that users can use the website and get the information they need, not to infringe on shareholders’ anonymity.
This is similar to how most companies uses cookies on their websites, the same websites that some service providers now want companies to believe are not fit to host proxy materials. Why are service providers telling companies this? In part it’s a consequence of selective reading of the SEC’s statements, but it’s also because vendors would like companies to rent server space from them at exorbitant rates.
 |
| Broadridge is also using cookies on its StreetLink domain. This hosts some companies’ annual meeting materials. |
Now, to be sure, some companies do need to be careful because their websites do use impermissible cookies that contain personally identifiable information. Clients of Shareholder.com, for instance, should pay attention.
But most firms don’t have a cookie problem and don’t need to rent server space from a proxy service provider. And they don’t need to purge their sites of anonymous cookies or set up separate cookie-free sites.
It’s an unnecessary expense, and ultimately counterproductive because permissible anonymous cookies actually help companies to provide better user experiences for investors in a number of ways, some of which I mentioned in the earlier post.
One more thing to think about: If you work for a public company, you really have to be on your guard for the BS and misinformation that service providers dish out. You also need to read the rules closely and ask questions. If more people did this, we’d have better, clearer rules.
In that vein, I recommend you pay careful attention to what the SEC has said about the formatting requirements for online versions of proxy statements and annual reports. None of the big vendors seem to have read this properly either.
Note: Certain comments on this post have been deleted.
[...] Dispelling the “cookie myth” around e-proxy (January08, 2008) Participation plummets in e-proxy votes (October 23, 2007) Microsoft reverts to snail mail in e-proxy (October 18, 2007) AMERCO’s shareholder forum, e-proxy (July 11, 2007) Is Shareholder.com client breaching SEC privacy rules? (July 10, 2007) My bad experience with first e-proxy notice (July 04, 2007) E-proxy: do it for love, not money (June 14, 2007) 10 reasons to avoid image-based reports (February 2003) Usability guru weighs in on image-based reports (February 2003) [...]
[...] In some cases, companies that provide usable HTML reports on their own websites have paid to have duplicate, less usable image-based documents created on a vendor’s website because they have been told by vendors that they must provide their materials on a “cookie-free” website, even though that term is not used anywhere in the SEC’s rules. Ironically, the websites on which the duplicate reports are hosted are using cookies themselves. [...]
[...] on Broadridge’s servers. Companies think Broadridge’s servers are cookie-free, but they actually are not. But that’s not the [...]
From SEC doc in quotes PLUS questions??
“We do not believe that this requirement will impose any undue burden on companies. Under the rule, a company must refrain from installing cookies and other tracking features on the Web site on which the proxy materials are posted. This may require segregating those pages from the rest of the company’s regular Web site or creating a new Web site.”
This looks like the source of the no cookies info? I agree there are different types of cookies it this specific cookie information in footnotes?
Could the “new web site” be a sub domain?
proxy.company.com
“However, the rule does not require the company to turn off the Web site’s connection log, which automatically tracks numerical IP addresses that connect to that Web site. Although in most cases, this IP address does not provide companies with sufficient information to identify the accessing shareholder, companies may not use these numbers to attempt to find out more information about persons accessing the Web site.”
Is it ok to place Google Analytics tracking code on Proxy pages? As you know code based web tracking is technically different from a log connection file.
@Dave
Yes, that’s one of the paragraphs. The writer did not understand that there are cookies that do not infringe on investors’ anonymity. As your second quote illustrates, the issue is about companies identifying who is using their sites. Cookies are not always used to identify users by name or affiliation.
I don’t see any problem with a subdomain.
Google Analytics uses cookies and would be fine, as long as you do not use IP “numbers to attempt to find out more information about persons accessing the Web site.”
HOWEVER, as you know, Google Analytics does not provide IP addresses, but it automatically uses the IP address to show the domain associated with it. For example, it takes an IP number and translates it to an organization name, e.g. Citigroup.
Therefore, the IP number is being used to “find out more about the persons accessing the Web site.” There are situations where knowing that someone from Citigroup has visited the proxy materials may be useful to a company and could be abused. Say, for example, there’s a proxy contest and you see the votes for the proponent go up dramatically after Citigroup visits the proxy materials. You could extrapolate from this that Citigroup has voted against the board. If you have time, you could then get on the phone to Citigroup to try to persuade them to change their vote. That’s an abuse of the system.
However, when it comes to retail investors, the IP information is much less useful and really can’t be abused. Knowing that someone is using Comcast to access the web isn’t useful and you cannot easily find out which customer at Comcast is using the site.
Also, if I was at a big institutional investor or a regulator like the SEC, I’d be masking my IP so as not to leak any information. This is particularly important for investigations. Big funds that are researching a company prior to an investment should also mask their IPs if they don’t want to tip off anyone one about what they’re doing.