DWF E-Brief (May 2011)

The law on cookies is about to change – what every website owner needs to do

On 26 May 2011 the law on cookies is going to change.

The shift is small but potentially very significant: an opt-out approach was previously acceptable; now
consent will be needed from each end user for each cookie.

The change is relevant to all but the simplest of websites; those seeking to ride the cusp of the
impending behavioural advertising wave will be particularly affected.

Regrettably, full details have come very late in the day (the relevant regulations and guidance only
came out earlier this month) so there is little time for businesses to adapt. As a result, the Information
Commissioner’s Office (ICO) is not expected to require 100% compliance on day one, but has made it
clear that it expects every website owner to demonstrate what it is doing to comply in the event of a
complaint.

We look at the steps your organisation will need to take.

Speed read

The new law covers all technologies that involve the storing and accessing of information on an end
user’s computer, not just cookies.

In order to comply with the new law you need to:

        Establish what cookies you store on end user machines (including those generated by third
        party software embedded in your site);

        Establish how, when and where you use those cookies and the data they generate;

        Identify who uses those cookies and such data, in particular any third parties;

        Risk assess your cookie usage and prioritise the ones you need to tackle first (i.e. those with
        greatest privacy implications); and

        Decide what methods you are going to use to obtain “consent” (you will need to differentiate
        between different classes of end user, and the relative privacy implications of your cookies in
        doing so).

The ICO recognises that obtaining consent is likely to be challenging in many cases.

The ICO has the power to (amongst other things) levy fines of up to £500,000 for breaches of the
new law, and we would expect it to make examples of particular cases in due course.

You should stay alive to other legal implications when implementing any solution, for example, new or
increasing use of personal data regulated by the Data Protection Act 1998.

Scope of the new law

It is worth pointing out at this stage that this note talks about cookies, but the new law is of wider
effect. It applies to all technologies which involve storing information on an end user’s computer for
subsequent access. It therefore covers, for example, Adobe Flash’s Local Shared Objects (otherwise
known as “flash cookies”). Local Shared Objects have been the cause of particular privacy concerns,
as until relatively recently they could not be managed by any mainstream web browser, unlike
“normal” HTTP cookies.

© DWF LLP 2011

Step 1 - what cookies do you store on end user machines?

You may already have an exhaustive list, but if not an audit would be appropriate. Ultimately, you
need to identify all files stored and accessed from time to time, without any exceptions.

You need to consider cookies which enable end user functionality, but also those that power aspects
otherwise hidden to users – e.g. that track how they use your site.

Don’t forget arrangements you have with third parties – e.g. if you run Google Analytics, or other third
party advertising software, through your website. Such applications may generate cookies for which
you are responsible. Check the terms of your related contracts and/or contact the relevant supplier in
each case to ensure you understand the position in full. The ICO recognises this is a potentially
thorny area given that some of these suppliers will be operating from other jurisdictions which apply
different standards (e.g. the US), but there is no carve-out for their activities in the new law.

Step 2 - how, when and where do you use those cookies, and the data they generate?

Amongst other things, you need to know the purpose for which each file is created, stored and
accessed, when you access it, and what the implications would be for both you and the end user if
you did not access it.

This question is particularly important because cookies and files which are “strictly necessary” for
performing a service an end user has “explicitly requested” are exempt from the need for consent. No
statutory definition of these terms has been given, but the ICO has confirmed it will interpret this
exemption narrowly. One example would be a cookie used to ensure selected goods are transferred into an
electronic shopping basket and then to checkout on a shopping website because a customer wants to
buy them. Each cookie will need to be assessed separately to see whether it is “strictly necessary”: if
you have any doubts, we’d recommend erring on the side of caution because that is what the ICO is
most likely to do.

Don’t forget that the data created by the file is also significant – depending on its nature and purpose
it may be personal data the use of which is separately regulated by the Data Protection Act 1998.

Step 3 - who uses those cookies and the resulting data?

Again this information needs to be obtained without exceptions. Third parties in particular need to be
identified and explicitly flagged to end users.
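The audit in Steps 1 to 3 can be started mechanically from the Set-Cookie headers that your site and the third-party services embedded in it return. The following is an added example, not code from the DWF brief or from the ICO: it parses a constructed set of responses, decides for each cookie whether it is first-party or third-party relative to the audited host, session or persistent, and which transport flags it carries, and prints the inventory as a table. The site host, reference date and sample responses are assumptions; the purpose and third-party-use columns still have to be filled in by hand from the contract review.

```javascript
// Added example (not part of the DWF brief): build the Step 1-3 cookie
// inventory from Set-Cookie response headers. Runs under Node.js with no
// dependencies; the site host, reference date and sample responses are
// constructed for the illustration.

const SITE_HOST = "www.example.co.uk"; // assumption: the host being audited
const NOW = new Date("2011-05-26T00:00:00Z"); // fixed reference date so lifetimes are repeatable

// Constructed sample: what a crawl or proxy log of the site might have recorded.
const SAMPLE_RESPONSES = [
  { url: "https://www.example.co.uk/basket", setCookie: [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "basket=item42; Path=/; Max-Age=3600; Secure",
  ] },
  { url: "https://www.example.co.uk/", setCookie: [
    "prefs=lang%3Den; Domain=.example.co.uk; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
  ] },
  { url: "https://analytics.vendor.example/collect", setCookie: [
    "__vid=9f8e7d; Domain=.vendor.example; Max-Age=63072000; Path=/",
  ] },
];

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq).trim();
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const cookie = { name, value, attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// RFC 6265 domain matching: the host equals the domain or ends with "." + domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.replace(/^\./, "").toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Lifetime in seconds, or null for a session cookie (no Max-Age and no Expires).
// Max-Age wins over Expires when both are present, as browsers do.
function lifetimeSeconds(attrs, now) {
  if (attrs["max-age"] !== undefined) return Number(attrs["max-age"]);
  if (attrs.expires !== undefined) {
    return Math.round((Date.parse(attrs.expires) - now.getTime()) / 1000);
  }
  return null;
}

// One inventory row per Set-Cookie header: who set it, which domain will send
// it back, first- or third-party relative to the audited site, session vs
// persistent, and the transport flags.
function inventoryFromResponses(responses, siteHost, now) {
  const rows = [];
  for (const { url, setCookie } of responses) {
    const setBy = new URL(url).hostname;
    for (const header of setCookie) {
      const c = parseSetCookie(header);
      const declared = typeof c.attrs.domain === "string" ? c.attrs.domain : setBy;
      const domain = declared.replace(/^\./, "").toLowerCase();
      const life = lifetimeSeconds(c.attrs, now);
      rows.push({
        name: c.name,
        setBy,
        domain,
        party: domainMatches(siteHost, domain) ? "first-party" : "third-party",
        kind: life === null ? "session" : "persistent",
        lifetimeSeconds: life,
        secure: c.attrs.secure === true,
        httpOnly: c.attrs.httponly === true,
      });
    }
  }
  return rows;
}

// Plain-text table for the privacy page; purpose and third-party use are
// still filled in by hand from the audit (Steps 2 and 3).
function formatInventory(rows) {
  const lines = ["name | domain | party | kind | lifetime | flags"];
  for (const r of rows) {
    let life = "browser session";
    if (r.lifetimeSeconds !== null) {
      life = r.lifetimeSeconds < 86400 ? `${r.lifetimeSeconds} s` : `${Math.round(r.lifetimeSeconds / 86400)} days`;
    }
    const flags = [r.secure && "Secure", r.httpOnly && "HttpOnly"].filter(Boolean).join(",") || "-";
    lines.push(`${r.name} | ${r.domain} | ${r.party} | ${r.kind} | ${life} | ${flags}`);
  }
  return lines;
}

console.log(formatInventory(inventoryFromResponses(SAMPLE_RESPONSES, SITE_HOST, NOW)).join("\n"));
```

The first-party test is deliberately the browser's own domain-match rule rather than a string comparison, so a cookie scoped to `.example.co.uk` by a page on `www.example.co.uk` is counted as yours, while one set by an embedded analytics host is flagged as third-party even though your page triggered it.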

Step 4 - risk assess your usage and prioritise the cookies to tackle

The law is being changed to help address the growing privacy concerns over collection and usage of
data relating to individuals’ behaviour, without them being aware this is going on.

However, the ICO tends to take a holistic approach and recognises that not all cookies stored on end
user machines have the same privacy concerns: some have more implications than others. With this
in mind, and given the rushed timescale with which this change in law has been brought in, we’d
suggest the following prioritised approach (the numbers give the order in which to tackle each
group of cookies):

                                 Privacy implications
                                 Low                       High
    Functional /     High        3 (low privacy,           1 (high privacy,
    commercial                      high need)                high need)
    need             Low         4 (low privacy,           2 (high privacy,
                                    low need)                 low need)

Step 5 – Decide how to obtain “consent”

First of all, it is worth restating that some (but not many) cookies may fall outside of the requirement
for consent because they are “strictly necessary” for you to provide a service “explicitly requested” by
a user.

For all other cookies, you will need to obtain the end user’s consent.

To date, the standard approach has been to include cookies as a topic in a website’s privacy policy
with a link from each page, or from the site’s terms of use. This policy would set out some basic
details of the cookie and leave the position at that.

For practical reasons, this approach on its own will not suffice under the new law if your use of
cookies is anything other than vanilla and fundamental to the service your site provides. In particular,
it is static and does not allow your site to deal with the consequences of consent being declined.
Furthermore, it is increasingly open to challenge because it gives the sense of “burying the issue in
the small print”.

What you should be aiming for is an interactive page which seeks an “unambiguous, freely given,
specific and informed indication” of an end user’s wishes. This phrase really boils down to one
concept: transparency. However, it is not the same as saying you must put a page in front of every
end user that dryly goes on about all cookies and other technical terms en masse (although this would
be useful for a person to check back to on occasion, in particular so as to vary his/her consents over
time). The ICO guidance makes it clear that you can seek in effect “consent as you go” - highlighting
the need for a cookie to access particular features and/or functionality when an end user first
accesses them – a far more dynamic and less off-putting approach.

Consider the following:

        Differentiate between types of end users. For casual visitors to your site the existing
        privacy policy-only approach alluded to above will probably have to remain – its lack of
        intrusion means it will not drive away traffic – although it is very debatable whether this gives
        rise to any consent worthy of the name (e.g. if a casual user automatically receives a session
        cookie). To mitigate the risk of substantive complaints, the cookies such casual visitors
        receive should be the most vanilla possible, their numbers kept very low, and ideally only
        used to provide basic functionality. For registered users who access more functionality (and
        whose usage is probably more cookie intensive) far clearer means will certainly be required,
        managed through the log-on process. New users also have to be treated differently from existing
        users. For existing users, ideally you should not be relying on the position that has gone
        before unless this has been examined and is sufficient to constitute “consent”. Any attempt to seek
        consent now may involve changing your terms and conditions of use. You will need to comply
        with any express right and/or the general law of contract in doing so.

        How do you want to display your information on cookies? As alluded to above, it would
        be sensible to maintain an up-to-date privacy policy page that an end user can refer back to
        which outlines all cookies used on your site. Ideally this should be dynamic so an end user
        can see all their consents in one go, and vary them. This can be used in combination with
        other techniques, such as pop-ups for new areas of functionality.

       How do you want an end user to actually convey consent? It will be hard to avoid the
       need for a tick box, “ok” or other acceptance button for any action in which a cookie or similar
       file having material privacy implications will be stored on an end-user’s machine. Once given,
       such consent would not have to be renewed periodically, provided the end user has the
       opportunity to change its mind, and the means of doing so have been flagged up.

       How much information do you need to provide for each cookie? The basic requirement
       remains unchanged in the new law. You have to give “clear and comprehensive information
       about the purposes of the storage of, or access to” each cookie. That said, a lot of privacy
       policies only touched upon cookies at the highest of levels, and it is open to question as to
       whether this is enough to create “unambiguous, freely given, specific and informed” consent.
        Furthermore, the ICO guidance on the changes suggests additional areas of information that
        are relevant. As a general rule, if in doubt, it is worth being more transparent. The more
        invasive the information being collected, the more information you should be giving.

       We would suggest best practice would involve providing the following for each cookie:
          o Whether it is a session cookie or permanent cookie
          o Its purpose
          o What it will enable (and conversely what will be disabled without it)
          o Whether there is any other means of achieving the same end without that cookie
          o When and how often you will access it
          o Whether any third parties access it, and if so, who they are, where they access it from
             (plus the purpose(s) they use it for, and what it enables, if different to your position)
          o How an end user can change his/her mind regarding that cookie and remove it
          o What will happen to the information you obtain from the cookie (this strays into data
             protection law – see below)

       For ease of understanding, a standardised table or similar format would work well. Aim to
       convey the information simply, but accurately. Don’t use technical terms and sweeping
       generalisations.

        If you want to use “consent as you go” features as well, this is fine, but make sure you do not
        scrimp on appropriate context (an obvious link to more information would be ok though).

        You may want to re-write your site in part to minimise its use of cookies and/or better
        track consents. This could be time consuming because it is likely to involve changes to all
        architectural layers, but could be beneficial down the line. Society (and the law) appears to be
        slowly moving towards better practices and more regulation in this area. Keep track of what
        your competitors are doing. Complying with best practice sooner rather than later may be a
        source of competitive advantage.

        Beware other legal implications. For example (and as mentioned above) by differentiating
        between individuals regarding cookies, you may be straying into use of personal data, which
        is separately regulated by the Data Protection Act 1998. If you are not already up to speed on
        the obligations this Act imposes, you should seek legal advice.

        Watch this space. The ICO has still to issue its enforcement guidance, which should further
        clarify the position, and has intimated it may provide examples regarding particular types of
        cookies. Furthermore, keep track of general progress within the website industry and
        especially regarding browsers (see below). The entire EU is grappling with the same problem
        and it is likely that practice will converge towards an accepted form over time. It would not be
        surprising if we end up with pop-ups for cookies being downloaded, in the same way that
        browsers and personal firewalls presently ask if you want to download a file from a particular
        source and warn you of the risk of viruses.
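One way to build the “consent as you go” mechanism the bullets above describe, as an added example that is not part of the original brief: every cookie the site may set is declared in a register produced by the audit, strictly necessary cookies are written without asking, every other category is blocked until the user has decided, and withdrawing consent deletes what was stored under that category. The category names, the register entries and the Map-based cookie jar are assumptions made for the illustration; in a real page the jar would be `document.cookie` and the register would come from your own audit.

```javascript
// Added example (not part of the DWF brief): a consent-gated cookie store.
// Cookies are written only once the user has agreed to their category, with
// "strictly necessary" ones exempt, and withdrawing consent deletes what was
// set. Node.js; the jar is an injectable Map so it runs outside a browser
// (a page would write to document.cookie instead). The categories and the
// register below are constructed assumptions.

const CATEGORY = {
  NECESSARY: "strictly-necessary", // exempt from consent under the brief's Step 2 test
  FUNCTIONAL: "functional",
  ANALYTICS: "analytics",
  ADVERTISING: "advertising",
};

// Output of the Step 1-3 audit: every cookie the site may set, with its
// category, plain-language purpose and lifetime. Undeclared cookies are refused.
const REGISTER = {
  sessionid: { category: CATEGORY.NECESSARY, purpose: "keeps you signed in during a visit", lifetime: "browser session" },
  basket:    { category: CATEGORY.NECESSARY, purpose: "remembers the items you chose to buy", lifetime: "1 hour" },
  prefs:     { category: CATEGORY.FUNCTIONAL, purpose: "remembers your language setting", lifetime: "1 year" },
  visitor:   { category: CATEGORY.ANALYTICS, purpose: "measures how the site is used (third party: analytics vendor)", lifetime: "2 years" },
};

class CookieConsent {
  constructor(register, jar = new Map()) {
    this.register = register;
    this.jar = jar;
    this.decisions = {}; // category -> true | false; absent means not yet asked
  }

  lookup(name) {
    const entry = this.register[name];
    if (!entry) throw new Error(`cookie "${name}" is not in the register; audit it before using it`);
    return entry;
  }

  // "Consent as you go": which categories a feature touches that still need a
  // prompt before its cookies can be set. An empty array means proceed.
  categoriesNeedingPrompt(cookieNames) {
    const pending = new Set();
    for (const name of cookieNames) {
      const entry = this.lookup(name);
      if (entry.category !== CATEGORY.NECESSARY && this.decisions[entry.category] === undefined) {
        pending.add(entry.category);
      }
    }
    return [...pending];
  }

  // Record the user's choice. Refusing (or later withdrawing) a category
  // removes anything already stored under it, so "changing your mind" works.
  decide(category, granted) {
    if (category === CATEGORY.NECESSARY) throw new Error("strictly necessary cookies are not subject to consent");
    this.decisions[category] = Boolean(granted);
    if (!granted) {
      for (const [name, entry] of Object.entries(this.register)) {
        if (entry.category === category) this.jar.delete(name);
      }
    }
  }

  // Write a cookie only if it is strictly necessary or its category is consented.
  // Returns true when stored, false when blocked by a missing or refused consent.
  set(name, value) {
    const entry = this.lookup(name);
    const allowed = entry.category === CATEGORY.NECESSARY || this.decisions[entry.category] === true;
    if (allowed) this.jar.set(name, value);
    return allowed;
  }

  // Rows for the dynamic privacy page: every registered cookie, its purpose,
  // the user's current decision and whether it is presently stored.
  snapshot() {
    return Object.entries(this.register).map(([name, entry]) => {
      const decision = this.decisions[entry.category];
      return {
        name,
        purpose: entry.purpose,
        lifetime: entry.lifetime,
        category: entry.category,
        consent: entry.category === CATEGORY.NECESSARY ? "not required" : (decision === undefined ? "not asked" : decision),
        stored: this.jar.has(name),
      };
    });
  }
}

// Walk-through: a visitor lands, adds to basket, then opens an analytics-backed feature.
function demo() {
  const cc = new CookieConsent(REGISTER);
  cc.set("sessionid", "abc123");               // allowed without asking
  cc.set("basket", "item42");                  // allowed without asking
  const blocked = cc.set("visitor", "9f8e7d"); // false: analytics not yet consented
  const prompt = cc.categoriesNeedingPrompt(["visitor", "prefs"]); // ["analytics", "functional"]
  cc.decide(CATEGORY.ANALYTICS, true);
  cc.set("visitor", "9f8e7d");                 // now stored
  cc.decide(CATEGORY.ANALYTICS, false);        // user changes their mind: visitor is deleted
  return { blocked, prompt, stored: [...cc.jar.keys()], page: cc.snapshot() };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two design points follow directly from the brief's text: the register is the only place a cookie can be declared, so a tag added by a third-party script without an audit entry fails loudly instead of silently setting something you have not disclosed; and `snapshot()` is the data behind the "dynamic privacy page" on which a user can see every consent and vary it.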

Overall, as a rough litmus test it is worth bearing in mind that the “unambiguous consent” test to be
used is only one, somewhat grey, step down from the “explicit consent” test to be applied when using
sensitive personal data under the Data Protection Act 1998. Ask yourself “Have we given nearly as
much information to end users regarding our use of cookies, and taken almost as many steps to
obtain their consent to that use, as we would have done if we were looking to collect and use details
of their medical conditions / political beliefs / sex life / trade union membership?” If not, you have
probably not done enough.

Use of browser settings

The government has engaged with the major browser developers with a view to adding functionality to
allow cookies and similar files to be fully administered in accordance with the new law via an end
user’s browser. This remains work in progress though; most (if not all) browsers are not sufficiently
sophisticated at present to enable consent to be inferred from their settings, and none have been
approved by the ICO for the purpose of the new law.

Why doing nothing is not an option

We’ve touched upon the way in which society and the law are moving regarding issues of privacy. If
that isn’t enough of a reason, in line with the recent beefing up of its powers across the board, the
ICO can (amongst other things) levy fines of up to £500,000 for breach of the new law. Furthermore,
the ICO is increasingly looking to exercise its powers. We would not be surprised if it sought to make
examples out of particular cases in due course, “pour encourager les autres”.

That said, the ICO’s normal approach is to seek binding undertakings to get entities to change their
practices before using heavier sanctions. It recognises that “gaining consent will, in many cases, be a
challenge”. It has also gone on record to say (in essence) that it will be applying more of a softly softly
approach to begin with given the relatively little time between the publication of the relevant
regulations and guidance, and the law coming into effect. UK business has some breathing space as
a result, but should not be too complacent about what is coming down the road.

Robert Machin (Senior Solicitor)


© DWF LLP 2011

Contenu connexe

En vedette

Generating and producing effective reports to promote education
Generating and producing effective reports to promote educationGenerating and producing effective reports to promote education
Generating and producing effective reports to promote educationDevcoms
 
Informazione Online
Informazione OnlineInformazione Online
Informazione OnlineMarco Tosi
 
NON ESISTONO COMPUTER VECCHI (Da xp a linux - Treviso 15/4/2014)
NON ESISTONO COMPUTER VECCHI (Da xp a linux - Treviso 15/4/2014)NON ESISTONO COMPUTER VECCHI (Da xp a linux - Treviso 15/4/2014)
NON ESISTONO COMPUTER VECCHI (Da xp a linux - Treviso 15/4/2014)Stefano Dall'Agata
 
Incontro zerouno executive dinner
Incontro zerouno executive dinnerIncontro zerouno executive dinner
Incontro zerouno executive dinnerNetConsultingMilano
 
D_12BSP0854_PIYUSHJAIN VISUAL CV
D_12BSP0854_PIYUSHJAIN VISUAL CVD_12BSP0854_PIYUSHJAIN VISUAL CV
D_12BSP0854_PIYUSHJAIN VISUAL CVPIYUSHDADA
 
Hp application performance center software
Hp application performance center softwareHp application performance center software
Hp application performance center softwareHP Enterprise Italia
 
SplunkLive! San Francisco Dec 2012 - Socialize
SplunkLive! San Francisco Dec 2012 - SocializeSplunkLive! San Francisco Dec 2012 - Socialize
SplunkLive! San Francisco Dec 2012 - SocializeSplunk
 
2009 10-21 effetto-csi
2009 10-21 effetto-csi2009 10-21 effetto-csi
2009 10-21 effetto-csiDavide Gabrini
 
Bozza legge stabilità ottobre 2012
Bozza legge stabilità ottobre 2012Bozza legge stabilità ottobre 2012
Bozza legge stabilità ottobre 2012ilfattoquotidiano.it
 
Liberta E Scelta Linuxday 2006 Marco Guardigli
Liberta E Scelta Linuxday 2006 Marco GuardigliLiberta E Scelta Linuxday 2006 Marco Guardigli
Liberta E Scelta Linuxday 2006 Marco GuardigliMarco Guardigli
 

En vedette (19)

Generating and producing effective reports to promote education
Generating and producing effective reports to promote educationGenerating and producing effective reports to promote education
Generating and producing effective reports to promote education
 
Tp220
Tp220Tp220
Tp220
 
EPA CAA PowerPoint 2
EPA CAA PowerPoint 2EPA CAA PowerPoint 2
EPA CAA PowerPoint 2
 
Informazione Online
Informazione OnlineInformazione Online
Informazione Online
 
GASleader
GASleaderGASleader
GASleader
 
NON ESISTONO COMPUTER VECCHI (Da xp a linux - Treviso 15/4/2014)
NON ESISTONO COMPUTER VECCHI (Da xp a linux - Treviso 15/4/2014)NON ESISTONO COMPUTER VECCHI (Da xp a linux - Treviso 15/4/2014)
NON ESISTONO COMPUTER VECCHI (Da xp a linux - Treviso 15/4/2014)
 
Incontro zerouno executive dinner
Incontro zerouno executive dinnerIncontro zerouno executive dinner
Incontro zerouno executive dinner
 
Flash e software libero
Flash e software liberoFlash e software libero
Flash e software libero
 
D_12BSP0854_PIYUSHJAIN VISUAL CV
D_12BSP0854_PIYUSHJAIN VISUAL CVD_12BSP0854_PIYUSHJAIN VISUAL CV
D_12BSP0854_PIYUSHJAIN VISUAL CV
 
HP Pro x2 612 G1
HP Pro x2 612 G1HP Pro x2 612 G1
HP Pro x2 612 G1
 
Hp application performance center software
Hp application performance center softwareHp application performance center software
Hp application performance center software
 
Esperienza atv 30mar2009
Esperienza atv 30mar2009Esperienza atv 30mar2009
Esperienza atv 30mar2009
 
Portale EDU
Portale EDUPortale EDU
Portale EDU
 
Alessandra Borgatti a SCE 2012
Alessandra Borgatti a SCE 2012Alessandra Borgatti a SCE 2012
Alessandra Borgatti a SCE 2012
 
SplunkLive! San Francisco Dec 2012 - Socialize
SplunkLive! San Francisco Dec 2012 - SocializeSplunkLive! San Francisco Dec 2012 - Socialize
SplunkLive! San Francisco Dec 2012 - Socialize
 
2009 10-21 effetto-csi
2009 10-21 effetto-csi2009 10-21 effetto-csi
2009 10-21 effetto-csi
 
Bozza legge stabilità ottobre 2012
Bozza legge stabilità ottobre 2012Bozza legge stabilità ottobre 2012
Bozza legge stabilità ottobre 2012
 
Flame
FlameFlame
Flame
 
Liberta E Scelta Linuxday 2006 Marco Guardigli
Liberta E Scelta Linuxday 2006 Marco GuardigliLiberta E Scelta Linuxday 2006 Marco Guardigli
Liberta E Scelta Linuxday 2006 Marco Guardigli
 

Similaire à Cookie Law (Dwf 190511)

Which way is the new cookie law starting to crumble
Which way is the new cookie law starting to crumbleWhich way is the new cookie law starting to crumble
Which way is the new cookie law starting to crumbleRobertMachin
 
Agenda 21 eu cookie seminar - david naylor - field fisher waterhouse
Agenda 21   eu cookie seminar - david naylor - field fisher waterhouseAgenda 21   eu cookie seminar - david naylor - field fisher waterhouse
Agenda 21 eu cookie seminar - david naylor - field fisher waterhouseagenda21
 
Bootlaw Cookies
Bootlaw CookiesBootlaw Cookies
Bootlaw Cookiesdbaillieu
 
Complying With The New Cookie Regime (April 2012)
Complying With The New Cookie Regime (April 2012)Complying With The New Cookie Regime (April 2012)
Complying With The New Cookie Regime (April 2012)Stuart Miller
 
A-Z Guide to Cookie Consent and Cookie Laws Around the World.pdf
A-Z Guide to Cookie Consent and Cookie Laws Around the World.pdfA-Z Guide to Cookie Consent and Cookie Laws Around the World.pdf
A-Z Guide to Cookie Consent and Cookie Laws Around the World.pdfAdzappier
 
Cookie Consent and Authorized Data Collection_Mar23.pdf
Cookie Consent and Authorized Data Collection_Mar23.pdfCookie Consent and Authorized Data Collection_Mar23.pdf
Cookie Consent and Authorized Data Collection_Mar23.pdfAdzappier
 
Cookies and the EU privacy directive: what it means for you
Cookies and the EU privacy directive: what it means for youCookies and the EU privacy directive: what it means for you
Cookies and the EU privacy directive: what it means for youKWD Webranking
 
Cookies and the EU privacy directive: what it means for you
Cookies and the EU privacy directive: what it means for you Cookies and the EU privacy directive: what it means for you
Cookies and the EU privacy directive: what it means for you Comprend
 
Ico advice on_the_new_cookies_regulations_may2011
Ico advice on_the_new_cookies_regulations_may2011Ico advice on_the_new_cookies_regulations_may2011
Ico advice on_the_new_cookies_regulations_may2011Osnat Ben-Nesher Zaretsky
 
Cookies and Data Protection - a Practitioner's perspective
Cookies and Data Protection - a Practitioner's perspectiveCookies and Data Protection - a Practitioner's perspective
Cookies and Data Protection - a Practitioner's perspectiveCastlebridge Associates
 
Kieon cookie law presentation Jan 2012
Kieon cookie law presentation Jan 2012Kieon cookie law presentation Jan 2012
Kieon cookie law presentation Jan 2012Kieon
 
Cookie Law – How to meet the deadline for compliance: The Legal Context
Cookie Law – How to meet the deadline for compliance:  The Legal ContextCookie Law – How to meet the deadline for compliance:  The Legal Context
Cookie Law – How to meet the deadline for compliance: The Legal ContextCIVIC Digital
 
What Is Evercookie and Why You Should Avoid It for Privacy’s Sake
What Is Evercookie and Why You Should Avoid It for Privacy’s SakeWhat Is Evercookie and Why You Should Avoid It for Privacy’s Sake
What Is Evercookie and Why You Should Avoid It for Privacy’s SakePiwik PRO
 
DMA North: The DMA legal update
DMA North: The DMA legal updateDMA North: The DMA legal update
DMA North: The DMA legal updateRachel Aldighieri
 

Similaire à Cookie Law (Dwf 190511) (20)

Which way is the new cookie law starting to crumble
Which way is the new cookie law starting to crumbleWhich way is the new cookie law starting to crumble
Which way is the new cookie law starting to crumble
 
Barclays
BarclaysBarclays
Barclays
 
Agenda 21 eu cookie seminar - david naylor - field fisher waterhouse
Agenda 21   eu cookie seminar - david naylor - field fisher waterhouseAgenda 21   eu cookie seminar - david naylor - field fisher waterhouse
Agenda 21 eu cookie seminar - david naylor - field fisher waterhouse
 
Cookies Update
Cookies UpdateCookies Update
Cookies Update
 
4 ps cookies
4 ps cookies4 ps cookies
4 ps cookies
 
Bootlaw Cookies
Bootlaw CookiesBootlaw Cookies
Bootlaw Cookies
 
Complying With The New Cookie Regime (April 2012)
Complying With The New Cookie Regime (April 2012)Complying With The New Cookie Regime (April 2012)
Complying With The New Cookie Regime (April 2012)
 
A-Z Guide to Cookie Consent and Cookie Laws Around the World.pdf
A-Z Guide to Cookie Consent and Cookie Laws Around the World.pdfA-Z Guide to Cookie Consent and Cookie Laws Around the World.pdf
A-Z Guide to Cookie Consent and Cookie Laws Around the World.pdf
 
Cookie Consent and Authorized Data Collection_Mar23.pdf
Cookie Consent and Authorized Data Collection_Mar23.pdfCookie Consent and Authorized Data Collection_Mar23.pdf
Cookie Consent and Authorized Data Collection_Mar23.pdf
 
Cookies and the EU privacy directive: what it means for you
Cookies and the EU privacy directive: what it means for youCookies and the EU privacy directive: what it means for you
Cookies and the EU privacy directive: what it means for you
 
Cookies and the EU privacy directive: what it means for you
Cookies and the EU privacy directive: what it means for you Cookies and the EU privacy directive: what it means for you
Cookies and the EU privacy directive: what it means for you
 
Ico advice on_the_new_cookies_regulations_may2011
Ico advice on_the_new_cookies_regulations_may2011Ico advice on_the_new_cookies_regulations_may2011
Ico advice on_the_new_cookies_regulations_may2011
 
Cookies and Data Protection - a Practitioner's perspective
Cookies and Data Protection - a Practitioner's perspectiveCookies and Data Protection - a Practitioner's perspective
Cookies and Data Protection - a Practitioner's perspective
 
Kieon cookie law presentation Jan 2012
Kieon cookie law presentation Jan 2012Kieon cookie law presentation Jan 2012
Kieon cookie law presentation Jan 2012
 
Cookie Law – How to meet the deadline for compliance: The Legal Context
Cookie Law – How to meet the deadline for compliance:  The Legal ContextCookie Law – How to meet the deadline for compliance:  The Legal Context
Cookie Law – How to meet the deadline for compliance: The Legal Context
 
DMA Cookies update
DMA Cookies updateDMA Cookies update
DMA Cookies update
 
What Is Evercookie and Why You Should Avoid It for Privacy’s Sake
What Is Evercookie and Why You Should Avoid It for Privacy’s SakeWhat Is Evercookie and Why You Should Avoid It for Privacy’s Sake
What Is Evercookie and Why You Should Avoid It for Privacy’s Sake
 
The DMA conference 2012
The DMA conference 2012The DMA conference 2012
The DMA conference 2012
 
DMA North: Legal Update
DMA North: Legal UpdateDMA North: Legal Update
DMA North: Legal Update
 
DMA North: The DMA legal update
DMA North: The DMA legal updateDMA North: The DMA legal update
DMA North: The DMA legal update
 

Cookie Law (Dwf 190511)

  • 1. DWF E-Brief (May 2011) The law on cookies is about to change – what every website owner needs to do On 26 May 2011 the law on cookies is going to change. The shift is small but potentially very significant: an opt-out approach was previously acceptable, now consent will be needed to each cookie from each end user. The change is relevant to all but the simplest of websites; those seeking to ride the cusp of the impending behavioural advertising wave will be particularly affected. Regrettably, full details have come very late in the day (the relevant regulations and guidance only came out earlier this month) so there is little time for businesses to adapt. As a result, the Information Commissioner’s Office (ICO) is not expected to require 100% compliance on day one, but has made it clear that it expects every website owner to demonstrate what it is doing to comply in the event of a complaint. We look at the steps your organisation will need to take. Speed read The new law covers all technologies that involve the storing and accessing of information on an end user’s computer, not just cookies. In order to comply with the new law you need to: Establish what cookies you store on end user machines (including those generated by third party software embedded in your site); Establish how, when and where you use those cookies and the data they generate; Identify who uses those cookies and such data, in particular any third parties; Risk assess your cookie usage and prioritise the ones you need to tackle first (i.e. those with greatest privacy implications); and Decide what methods you are going to use to obtain “consent” (you will need to differentiate between different classes of end user, and the relative privacy implications of your cookies in doing so). The ICO recognise that obtaining consent is likely to be challenging in many cases. 
The ICO have the power to (amongst other things) levy fines of up to £500,000 for breaches of the new law, and we would expect them to make examples of particular cases in due course. You should stay alive to other legal implications when implementing any solution, for example, new or increasing use of personal data regulated by the Data Protection Act 1998. Scope of the new law It is worth pointing out at this stage that this note talks about cookies, but the new law is of wider effect. It applies to all technologies which involve storing information on an end user’s computer for subsequent access. It therefore covers, for example, Adobe Flash’s “locally stored objects” (otherwise known as “flash cookies”). Locally stored objects have been the cause of particular privacy concerns, © DWF LLP 2011
  • 2. as until relatively recently they could not be managed by any mainstream web browser, unlike “normal” http cookies. Step 1 - what cookies do you store on end user machines? You may already have an exhaustive list, but if not an audit would be appropriate. Ultimately, you need to identify all files stored and accessed from time to time, without any exceptions. You need to consider cookies which enable end user functionality, but also those that power aspects otherwise hidden to users – e.g. that track how they use your site. Don’t forget arrangements you have with third parties – e.g. if you run Google Analytics, or other third party advertising software through your website. Such applications may generate cookies for which you are responsible. Check the terms of your related contracts and/or contact the relevant supplier in each case to ensure you understand the position in full. The ICO recognises this is a potentially thorny area given that some of these suppliers will be operating from other jurisdictions which apply different standards (e.g the US) but there is no carve out for their activities in the new law. Step 2 - how, when and where do you use those cookies, and the data they generate? Amongst other things, you need to know the purpose for which each file is created, stored and accessed, when you access it, and what the implications would be for both you and the end user if you did not access it. This question is particularly key because cookies and files which are “strictly necessary” for performing a service an end user has “explicitly requested” are exempt from the need for consent. No statutory definition of these terms has been given, but the ICO has confirmed it will interpret this exemption narrowly. One example would be a cookie to ensure selected goods are transferred into an electronic shopping basket and then to checkout on a shopping website because a customer wants to buy them. 
Each cookie will need to be assessed separately to see if they are “strictly necessary”: if you have any doubts, we’d recommend erring on the side of caution because that is what the ICO is most likely to do. Don’t forget that the data created by the file is also significant – depending on its nature and purpose it may be personal data the use of which is separately regulated by the Data Protection Act 1998. Step 3 - who uses those cookies and the resulting data? Again this information needs to be obtained without exceptions. Third parties in particular need to be identified and explicitly flagged to end users. Step 4 - risk assess your usage and prioritise the cookies to tackle The law is being changed to help address the growing privacy concerns over collection and usage of data relating to individuals’ behaviour, without them being aware this is going on. However, the ICO tends to take a holistic approach and recognises that not all cookies stored on end user machines have the same privacy concerns: some have more implications than others. With this in mind, and given the rushed timescale with which this change in law has been brought in, we’d suggest the following prioritised approach: © DWF LLP 2011
[Prioritisation matrix: Functional / Commercial Need (vertical axis, High to Low) against Privacy Implications (horizontal axis, Low to High). Tackle the quadrants in this order:]

        1: High privacy + high need
        2: High privacy + low need
        3: Low privacy + high need
        4: Low privacy + low need

Step 5 – Decide how to obtain “consent”

First of all, it is worth restating that some (but not many) cookies may fall outside of the requirement for consent because they are “strictly necessary” for you to provide a service “explicitly requested” by a user. For all other cookies, you will need to obtain the end user’s consent.

To date, the standard approach has been to include cookies as a topic in a website’s privacy policy, with a link from each page or from the site’s terms of use. This policy would set out some basic details of the cookies and leave the position at that. For practical reasons, this approach on its own will not suffice under the new law if your use of cookies is anything other than vanilla and fundamental to the service your site provides. In particular, it is static and does not allow your site to deal with the consequences of consent being declined. Furthermore, it is increasingly open to challenge because it gives the sense of “burying the issue in the small print”.

What you should be aiming for is an interactive page which seeks an “unambiguous, freely given, specific and informed indication” of an end user’s wishes. This phrase really boils down to one concept: transparency. However, it is not the same as saying you must put a page in front of every end user that dryly goes on about all cookies and other technical terms en masse (although such a page would be useful for a person to check back to on occasion, in particular so as to vary his/her consents over time). The ICO guidance makes it clear that you can seek in effect “consent as you go” - highlighting the need for a cookie to access particular features and/or functionality when an end user first accesses them – a far more dynamic and less off-putting approach.
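The “consent as you go” model described above, shown as an added example in JavaScript. This is not code from the DWF brief, the ICO or any particular product: it assumes a small gate object that sits between your application code and the cookie jar, with cookie names (basket, recent_views), purposes (checkout, recommendations) and the in-memory MemoryJar all constructed for illustration; in a page you would wrap document.cookie instead.

```javascript
'use strict';

// Added example, not from the DWF brief: a minimal "consent as you go" gate.
// Each cookie the site uses is registered with a purpose and a flag saying
// whether it is "strictly necessary" for a service the user explicitly
// requested. Strictly necessary cookies may be written without asking;
// every other cookie is blocked until the user has accepted its purpose
// (e.g. via a tick box shown when the feature is first opened), and
// withdrawing consent later removes the cookies written under that purpose.
//
// The cookie jar is abstracted so the logic runs outside a browser; in a
// page you would pass an object that wraps document.cookie instead.

class ConsentGate {
  constructor(jar) {
    this.jar = jar;              // { set(name, value), remove(name) }
    this.registry = new Map();   // cookie name -> { purpose, strictlyNecessary }
    this.consents = new Map();   // purpose -> true / false (absent = never asked)
    this.written = new Map();    // purpose -> Set of cookie names written so far
  }

  // Every cookie must be registered before it can be set, which forces the
  // inventory from Steps 1-3 to be kept in one place.
  register(name, { purpose, strictlyNecessary = false }) {
    this.registry.set(name, { purpose, strictlyNecessary });
  }

  // Has the user been asked about this purpose yet? Drives whether the
  // page shows the consent prompt before opening a feature.
  needsPrompt(purpose) {
    return !this.consents.has(purpose);
  }

  // Record the user's decision for one purpose. Declining or withdrawing
  // deletes any cookies already written for it.
  setConsent(purpose, granted) {
    this.consents.set(purpose, granted);
    if (!granted) {
      for (const name of this.written.get(purpose) || []) this.jar.remove(name);
      this.written.delete(purpose);
    }
  }

  // Try to write a cookie; returns { ok, reason } so the caller can decide
  // whether to prompt, degrade the feature, or proceed.
  set(name, value) {
    const entry = this.registry.get(name);
    if (!entry) return { ok: false, reason: 'unregistered' };
    if (!entry.strictlyNecessary && this.consents.get(entry.purpose) !== true) {
      return { ok: false, reason: this.needsPrompt(entry.purpose) ? 'prompt' : 'declined' };
    }
    this.jar.set(name, value);
    if (!this.written.has(entry.purpose)) this.written.set(entry.purpose, new Set());
    this.written.get(entry.purpose).add(name);
    return { ok: true, reason: 'allowed' };
  }

  // Snapshot for a "your consents" page where the user can review and vary them.
  summary() {
    const out = {};
    for (const [name, e] of this.registry) {
      let consent = 'not asked';
      if (e.strictlyNecessary) consent = 'not required';
      else if (this.consents.has(e.purpose)) consent = this.consents.get(e.purpose);
      out[name] = { purpose: e.purpose, strictlyNecessary: e.strictlyNecessary, consent };
    }
    return out;
  }
}

// In-memory stand-in for document.cookie so the example runs under Node.
class MemoryJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  has(name) { return this.store.has(name); }
}

// Worked run with constructed cookie names and purposes (not the brief's).
function demo() {
  const jar = new MemoryJar();
  const gate = new ConsentGate(jar);
  gate.register('basket', { purpose: 'checkout', strictlyNecessary: true });
  gate.register('recent_views', { purpose: 'recommendations' });

  const r1 = gate.set('basket', 'item42');         // allowed: strictly necessary
  const r2 = gate.set('recent_views', 'p1,p2');    // blocked: user never asked
  gate.setConsent('recommendations', true);        // user ticks the box
  const r3 = gate.set('recent_views', 'p1,p2');    // now allowed
  gate.setConsent('recommendations', false);       // user changes their mind
  return {
    r1, r2, r3,
    basketKept: jar.has('basket'),
    recentRemoved: !jar.has('recent_views'),
    summary: gate.summary(),
  };
}
```

The point of the 'prompt' versus 'declined' distinction is that the feature can show its tick box the first time and quietly degrade afterwards, rather than nagging; summary() is what a dynamic “all my consents” page would render so the user can vary them later.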
Consider the following:

Differentiate between types of end users. For casual visitors to your site the existing privacy policy-only approach alluded to above will probably have to remain – its lack of intrusion means it will not drive away traffic - although it is very debatable whether this gives rise to any consent worthy of the name (e.g. if a casual user automatically receives a session cookie). To mitigate the risk of substantive complaints, the cookies such casual visitors receive should be the most vanilla possible, their numbers kept very low, and ideally only used to provide basic functionality. For registered users who access more functionality (and whose usage is probably more cookie intensive), far clearer means will certainly be required, managed through the log-on process. New users also have to be treated differently to existing users. For existing users, ideally you should not be relying on the position that has gone before unless this has been examined and is sufficient to constitute “consent”. Any attempt to seek consent now may involve changing your terms and conditions of use. You will need to comply with any express right and/or the general law of contract in doing so.

How do you want to display your information on cookies? As alluded to above, it would be sensible to maintain an up-to-date privacy policy page that an end user can refer back to which outlines all cookies used on your site. Ideally this should be dynamic so an end user can see all their consents in one go, and vary them. This can be used in combination with other techniques though, such as pop-ups for new areas of functionality.

How do you want an end user to actually convey consent? It will be hard to avoid the need for a tick box, “ok” or other acceptance button for any action in which a cookie or similar file having material privacy implications will be stored on an end user’s machine. Once given, such consent would not have to be renewed periodically, provided the end user has the opportunity to change his/her mind, and the means of doing so have been flagged up.

How much information do you need to provide for each cookie? The basic requirement remains unchanged in the new law.
You have to give “clear and comprehensive information about the purposes of the storage of, or access to” each cookie. That said, a lot of privacy policies only touched upon cookies at the highest of levels, and it is open to question whether this is enough to create “unambiguous, freely given, specific and informed” consent. Furthermore, the ICO guidance on the changes suggests additional areas of information that are relevant. As a general rule, if in doubt, it is worth being more transparent. The more invasive the information being collected, the more information you should be giving. We would suggest best practice would involve providing the following for each cookie:

        o Whether it is a session cookie or permanent cookie
        o Its purpose
        o What it will enable (and conversely what will be disabled without it)
        o Whether there is any other means of achieving the same end without that cookie
        o When and how often you will access it
        o Whether any third parties access it, and if so, who they are, where they access it from (plus the purpose(s) they use it for, and what it enables, if different to your position)
        o How an end user can change his/her mind regarding that cookie and remove it
        o What will happen to the information you obtain from the cookie (this strays into data protection law – see below)

For ease of understanding, a standardised table or similar format would work well. Aim to convey the information simply, but accurately. Don’t use technical terms and sweeping generalisations. If you want to use “consent as you go” features as well, this is fine, but make sure you do not scrimp on appropriate context (an obvious link to more information would be ok though).
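The audit in Steps 1 to 3 and the standardised table just described can be driven from the same data. The following is an added JavaScript example, not code from the DWF brief or from any vendor: it parses Set-Cookie headers captured while exercising a site, works out session versus permanent and first versus third party from the header itself, and fills in purpose and third-party access from the site owner’s own register, flagging any cookie seen on the wire that the register does not document. The hostnames (example-shop.test, example-adnetwork.test), cookie names and register entries are constructed for illustration.

```javascript
'use strict';

// Added example, not from the DWF brief: build the standardised cookie table
// from Set-Cookie headers captured while exercising a site, and reconcile it
// against the site owner's own register of documented cookies. Anything seen
// on the wire but missing from the register is flagged, which is the audit
// gap Steps 1-3 are meant to close. Hostnames, cookie names and purposes
// below are constructed for illustration.

const UNDOCUMENTED = 'UNDOCUMENTED - investigate';

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();   // flag attributes become true
  }
  return { name, attrs };
}

// Is `host` the site itself or one of its subdomains?
function isFirstParty(host, siteDomain) {
  const h = host.replace(/^\./, '').toLowerCase();
  return h === siteDomain || h.endsWith('.' + siteDomain);
}

// One row per observed cookie, in the shape of the table the brief suggests.
function buildInventory(observed, siteDomain, register) {
  return observed.map(({ responseHost, header }) => {
    const { name, attrs } = parseSetCookie(header);
    const domain = attrs.domain ? String(attrs.domain).replace(/^\./, '') : responseHost;
    const firstParty = isFirstParty(domain, siteDomain);
    const persistent = 'expires' in attrs || 'max-age' in attrs;
    const doc = register[name];
    return {
      name,
      domain,
      party: firstParty ? 'first' : 'third',
      type: persistent ? 'persistent' : 'session',
      expiry: attrs['max-age'] ? `${attrs['max-age']}s` : (attrs.expires || 'end of session'),
      secure: attrs.secure === true,
      httpOnly: attrs.httponly === true,
      purpose: doc ? doc.purpose : UNDOCUMENTED,
      strictlyNecessary: doc ? doc.strictlyNecessary === true : false,
      // A cookie on your own domain can still be read by a third-party script
      // (analytics is the usual case), so this comes from the register, not the header.
      thirdPartyAccess: doc && doc.thirdParty ? doc.thirdParty : (firstParty ? 'none recorded' : 'unknown'),
    };
  });
}

// Rows that need attention before the table can be published.
function undocumented(rows) {
  return rows.filter(r => r.purpose === UNDOCUMENTED);
}

// Constructed sample: four headers captured from responses on a fictional site.
const SAMPLE_OBSERVED = [
  { responseHost: 'www.example-shop.test',
    header: 'session_id=abc123; Path=/; Secure; HttpOnly' },
  { responseHost: 'www.example-shop.test',
    header: 'recent_views=p1; Max-Age=2592000; Path=/' },
  { responseHost: 'www.example-shop.test',
    header: 'analytics_id=u7; Domain=.example-shop.test; Expires=Fri, 31 Dec 2021 23:59:59 GMT; Path=/' },
  { responseHost: 'ads.example-adnetwork.test',
    header: 'ad_uid=xyz; Domain=ads.example-adnetwork.test; Expires=Fri, 31 Dec 2021 23:59:59 GMT; Path=/' },
];

// Constructed register: the site owner has documented only three of the four.
const SAMPLE_REGISTER = {
  session_id:   { purpose: 'keeps the basket and checkout working', strictlyNecessary: true },
  recent_views: { purpose: 'recently viewed products for recommendations' },
  analytics_id: { purpose: 'site usage statistics', thirdParty: 'analytics provider (constructed)' },
};
```

Running buildInventory(SAMPLE_OBSERVED, 'example-shop.test', SAMPLE_REGISTER) yields one row per cookie; the ad network cookie comes back flagged as undocumented, which is exactly the kind of third-party cookie the brief says you remain responsible for and must chase up with the supplier before the table can be published.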
You may want to re-write your site in part to minimise its use of cookies and/or better track consents. This could be time consuming because it is likely to involve changes to all architectural layers, but could be beneficial down the line. Society (and the law) appears to be slowly moving towards better practices and more regulation in this area.

Keep track of what your competitors are doing. Complying with best practice sooner rather than later may be a source of competitive advantage.

Beware other legal implications. For example (and as mentioned above), by differentiating between individuals regarding cookies you may be straying into use of personal data, which is separately regulated by the Data Protection Act 1998. If you are not already up to speed on the obligations this Act imposes, you should seek legal advice.

Watch this space. The ICO has still to issue its enforcement guidance, which should further clarify the position, and has intimated it may provide examples regarding particular types of cookies. Furthermore, keep track of general progress within the website industry and especially regarding browsers (see below). The entire EU is grappling with the same problem and it is likely that practice will converge towards an accepted form over time. It would not be surprising if we end up with pop-ups for cookies being downloaded, in the same way that firewalls presently ask if you want to download a file from a particular source and warn you of the risks of viruses etc.

Overall, as a rough litmus test it is worth bearing in mind that the “unambiguous consent” test to be used is only one, somewhat grey, step down from the “explicit consent” test to be applied when using sensitive personal data under the Data Protection Act 1998.
Ask yourself: “Have we given nearly as much information to end users regarding our use of cookies, and taken almost as many steps to obtain their consent to that use, as we would have done if we were looking to collect and use details of their medical conditions / political beliefs / sex life / trade union membership?” If not, you have probably not done enough.

Use of browser settings

The government has engaged with the major browser developers with a view to adding functionality to allow cookies and similar files to be fully administered in accordance with the new law via an end user’s browser. This remains work in progress though; most (if not all) browsers are not sufficiently sophisticated at present to enable consent to be inferred from their settings, and none have been approved by the ICO for the purpose of the new law.

Why doing nothing is not an option

We’ve touched upon the way in which society and the law are moving regarding issues of privacy. If that isn’t enough of a reason, in line with the recent beefing up of its powers across the board, the ICO can (amongst other things) levy fines of up to £500,000 for breach of the new law. Furthermore, the ICO is increasingly looking to exercise its powers. We would not be surprised if it sought to make examples out of particular cases in due course “pour encourager les autres”.

That said, the ICO’s normal approach is to seek binding undertakings to get entities to change their practices before using heavier sanctions. It recognises that “gaining consent will, in many cases, be a challenge”. It has also gone on record to say (in essence) that it will be applying more of a softly-softly approach to begin with, given the relatively little time between the publication of the relevant regulations and guidance and the law coming into effect. UK business has some breathing space as a result, but should not be too complacent about what is coming down the road.

Robert Machin (Senior Solicitor)