European Privacy Legislation - a primer
On February 18th 2015, TagCommander and AT Internet hosted a seminar on the subject of Data Privacy. By popular demand, we are making the presentations available. You can now view the presentation of Vincent Toubiana, IT Expert at the French data protection authority (CNIL), on Slideshare.

In it you will learn about:
- The issues at stake in European data protection legislation with a focus on France
- Site and app functionality addressed, exemptions, informed consent
- Cookie and tracking functionality and the evolving law
- Some tips for technical compliance

Slide 1: CNIL. European Privacy Legislation: A Primer. Vincent Toubiana, 18 February 2015
Slide 2: Agenda
- Cookies, tracking functionality and the law
- The role of CNIL, the French data protection authority
- Compliance issues
Slide 3: Context and scope of legislation
- Individual privacy protection:
  - An EU directive implemented at the national level
  - In France: Article 32-II of the Act of 6 January 1978:
    - Clear, informed consent required
    - Broadly framed to cover all technical methods
  - Interpretation guidelines are provided at the national level (in France, CNIL is the competent authority)
- A business trust issue
- A consultative approach to find pragmatic solutions to protect individual privacy while promoting the digital economy
Slide 4: What technologies are covered?
- All tracking technologies:
  - Reading and setting HTTP cookies
  - "Flash" cookies
  - Invisible pixels (web bugs / beacons)
  - Application, OS and hardware identifiers
  - "Fingerprinting"
- All media:
  - Browsing a web site
  - Reading an email
  - Installing or using software and mobile apps
- All devices: computers, tablets, smartphones, smart TVs, connected game consoles, etc.
Slide 5: What cookies are affected?
- Certain cookie types are exempted when they are strictly necessary for the service to work. Examples:
  - Basket cookies
  - Language option cookies
  - Authentication cookies
  - Analytics cookies under certain conditions (ability to opt out, anonymous statistics gathering only, etc.)
- Informed consent is required for other cookies. Examples:
  - Targeted advertising
  - Analytics (with some exceptions)
  - Social networks
Slide 6: Who is concerned by consent collection?
- Publishers of Internet sites and mobile apps
- Third-party service providers, for example:
  - Web analytics vendors
  - Advertising networks
  - Social networks
Slide 7: How to obtain consent on the Internet?
"Consent must be a positive, informed choice"
- No consent, no cookie
- Two-step mechanism (for each site):
  1. An information banner, for example: "By continuing to use this site you accept the use of cookies to offer targeted advertising and measure usage statistics. To learn more and to configure my cookie settings" (link)
  2. Clicking on the link offers choices for consent.
- Don't set cookies (or use fingerprinting) until the user has continued using the site
- Continuing to use the site can take the form of a click on an item in the page (not necessarily the "OK" button)
- In general, the browser options are not sufficient
- Do not link setting cookies to accessing the site
- Maximum cookie lifespan of 13 months, not renewed at each visit
Slide 8: Web sites and functionality concerned (diagram)
- Diagram labels: "Your obligations": declare a database / list; CNIL templates; web sites, cookies and tracking technologies; "What does the law say?"; "Tools and source code": web analytics, social buttons, advertising (marked either "consent functionality is integrated" or "require consent")
- Test your site with Cookieviz
Slide 9: Web analytics exempted
- In order to be exempted, a web analytics tool must meet 5 conditions:
  1. Information contained in the user conditions (not necessarily a banner);
  2. The user must be able to opt out easily;
  3. Web analytics must be the only use: no crossing with other data or processes. The cookie must be limited to a single publisher and not used across different sites;
  4. No geo-location more granular than the town level; the IP address must be suppressed or anonymised;
  5. Cookies must have a lifespan of 13 months and any data collected must be held for 13 months maximum.
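As an added example (my own code, not from the CNIL deck or any analytics vendor), here is how conditions 4 and 5 of the exemption translate into an ingest-and-retention step for an analytics hit log: the IP address is coarsened before storage, geo detail finer than the town is dropped, and records older than 13 months are purged. The truncation widths (IPv4 /24, IPv6 /48), the record layout and the sample hits are assumptions.

```javascript
// Added example (not the CNIL deck's code): conditions 4 and 5 of the analytics
// exemption applied to a constructed hit log. Truncation widths (IPv4 /24,
// IPv6 /48) and the record layout are my own assumptions.
function expandIpv6(ip) {              // "2001:db8::1" -> eight 4-hex groups
  const [head, tail = ''] = ip.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  if (h.length + t.length > 8) throw new Error('bad IPv6: ' + ip);
  return h.concat(Array(8 - h.length - t.length).fill('0'), t).map(g => g.padStart(4, '0'));
}
// Coarsen the address before storage: IPv4 keeps /24, IPv6 keeps /48.
function anonymiseIp(ip) {
  if (ip.includes('.')) {
    const o = ip.split('.');
    if (o.length !== 4) throw new Error('bad IPv4: ' + ip);
    return o.slice(0, 3).join('.') + '.0';
  }
  return expandIpv6(ip).slice(0, 3).map(g => g.replace(/^0+(?=\w)/, '')).join(':') + '::';
}
// Keep only what the exemption allows: anonymised IP, geo no finer than town.
function ingestHit(raw) {
  return {
    collectedAt: raw.collectedAt,
    page: raw.page,
    ip: anonymiseIp(raw.ip),
    geo: { country: raw.geo.country, town: raw.geo.town },  // postcode, lat/lon dropped
  };
}
// 13-month retention: drop records collected before now minus 13 months.
function retentionCutoff(nowMs) {
  const d = new Date(nowMs);
  d.setUTCMonth(d.getUTCMonth() - 13);
  return d.getTime();
}
function purgeExpired(records, nowMs) {
  const cutoff = retentionCutoff(nowMs);
  return records.filter(r => r.collectedAt >= cutoff);
}
// Constructed sample hits (documentation addresses, fictitious geo detail).
const SAMPLE_HITS = [
  { collectedAt: Date.UTC(2013, 11, 1), page: '/', ip: '203.0.113.77',
    geo: { country: 'FR', town: 'Lyon', postcode: '69001', lat: 45.76, lon: 4.84 } },
  { collectedAt: Date.UTC(2015, 1, 1), page: '/pricing', ip: '2001:db8:85a3::8a2e:370:7334',
    geo: { country: 'FR', town: 'Paris', postcode: '75001' } },
];
```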
Slide 10: Compliant web analytics tools
- AT Internet: under discussion
  - Exempted -> no consent required
  - Certain points remain to be validated
- Piwik: OK
  - Exempted -> no consent required
  - No data crossed
- Google Analytics: consent required (Google crosses data)
  - CNIL offers a tag on its site with the following functionality: blocks cookies at the first visit, requests consent, provides the means to opt out
Slide 11: Compliant sharing buttons
- "Like", "Tweet" and "+1" buttons are used by social networks to track which pages users are visiting
- Recommended tool: "Social Share Privacy"
  - Before activation, doesn't send information to third parties
  - Only requires a small modification to the page
  - Look and feel of buttons can be tailored
  - Available as a plug-in for the major CMSes (WordPress, Drupal, Typo3), otherwise as a jQuery module
  - Learn more: http://panzi.github.io/SocialSharePrivacy/
Slide 12: Tag managers
- A global solution for the site:
  - Consent is requested once for all cookies
  - Ability to opt out by "family" of cookies
  - Blocks tags from firing and asks for consent (Like, Analytics, Consent)
- Paid solutions: note that some solutions are not yet compliant (they install opt-out cookies with identifiers)
- Free solutions: "Cookie-Cuttr", "Tarte-Au-Citron"
- Note: be careful with the terms and conditions of third-party solutions (what is compliant today may not be tomorrow)
- Example banner shown on the slide: "This site uses cookies for analytics, ad serving, and social networks. Learn More", with buttons "Refuse Analytics", "Refuse Ads" and "Refuse Social"
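The consent rules from slide 7 and the per-family gating a tag manager performs on slide 12, written out as an added example (my own code, not the CNIL deck's nor any tag manager's): no non-exempt tag fires before consent, each family can be refused separately, and the consent cookie's Max-Age counts down from the original consent date so it expires after 13 months and is not renewed on later visits. The family names and the cookie name cnil_consent are assumptions; DOM wiring is left out so the logic runs stand-alone.

```javascript
// Added example (not the CNIL deck's code): consent state for a tag manager.
// Family names and cookie name are assumptions; months use Date arithmetic.
const FAMILIES = ['analytics', 'ads', 'social'];   // non-exempt tag families

// Consent expires 13 months after it was first given, never later.
function consentExpiry(consentedAtMs) {
  const d = new Date(consentedAtMs);
  d.setUTCMonth(d.getUTCMonth() + 13);
  return d.getTime();
}
// The user's first positive action (a click anywhere after the banner) at nowMs.
function grantConsent(nowMs) {
  return { consentedAt: nowMs, families: { analytics: true, ads: true, social: true } };
}
// Opting out of one family later keeps the original consent date.
function refuseFamily(rec, family) {
  return { ...rec, families: { ...rec.families, [family]: false } };
}
// Exempt tags (basket, language, auth) always fire; anything else needs an
// explicit, unexpired opt-in for its family. No record means no consent.
function mayFire(family, rec, nowMs) {
  if (!FAMILIES.includes(family)) return true;
  if (!rec || nowMs >= consentExpiry(rec.consentedAt)) return false;
  return rec.families[family] === true;
}
// Cookie value like "ts=1424217600000&analytics=1&ads=0&social=1".
function serializeConsent(rec) {
  const parts = FAMILIES.map(f => `${f}=${rec.families[f] ? 1 : 0}`);
  return [`ts=${rec.consentedAt}`, ...parts].join('&');
}
function parseConsent(value) {
  if (!value) return null;
  const rec = { consentedAt: NaN, families: {} };
  for (const part of value.split('&')) {
    const [k, v] = part.split('=');
    if (k === 'ts') rec.consentedAt = Number(v);
    else if (FAMILIES.includes(k)) rec.families[k] = v === '1';
  }
  return Number.isFinite(rec.consentedAt) ? rec : null;
}
// Set-Cookie header whose Max-Age is the time REMAINING from the original
// consent date, so re-sending it on a later visit does not extend the 13 months.
function consentSetCookie(rec, nowMs) {
  const remaining = Math.floor((consentExpiry(rec.consentedAt) - nowMs) / 1000);
  if (remaining <= 0) return null;   // expired: show the banner again
  return `cnil_consent=${serializeConsent(rec)}; Max-Age=${remaining}; Path=/; Secure; SameSite=Lax`;
}
```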
Slide 13: From compliance to enforcement
- Since 2014, CNIL is responsible for enforcement nationally
- First actions at year end 2014
- We've seen up to 350 cookies per site!
- Some examples of what is not compliant:
  - No free consent
  - Many cookies set before consent (when landing on the page)
- Compliance is often very simple to achieve (using recommended tools)
