Demystifying the EU Cookie Law – eBiz byte Seminar
Julian Turner, Solicitor, Geldards LLP
15th August 2012
What exactly has changed?
What is the key change?
• The requirement for a prominent up-front
  consent.
• Higher up the political and news agenda, and
  more active regulator.
• Tailor your approach to the privacy risk
  involved.
What does the law cover?
• Cookies and other technologies
   • Little consideration to date of other technologies
   • Any storage or retrieval of data in relation to your customers’
     computers, which you make use of. Usage based approach.
   • Not what the technology is, but what it is used for.
• First party
   • Technology you use for your own purposes.
• Third party
   • Technology used for a third party’s purposes.
   • Could be deployed by you or a third party.
   • Third party adverts / like buttons embedded in your web page
     (IFRAME, IMAGE, etc).
What does the law cover?
• Devices
  • PCs, tablets, phones; even readers
• Software
  • Web browsers / HTML e-mail.
  • Network connected applications (very broad category)
• Technologies
  •   Web beacons, cookies, and Flash.
  •   JavaScripts (including XMLHTTPRequests).
  •   HTML5 (local storage and file handling).
  •   “Native code” in network connected applications.
What is a cookie?
• Part of the Hypertext Transfer Protocol (HTTP)
  for transfer of web pages between computers.
• See RFC 2109, 1997
• Cookies make interactions between users and
  web sites easier.
• Used for Authentication, Personalisation,
  Tracking
What is a cookie?
• To obtain a web page or other element from a
  server your browser makes a GET request:-
    62.6.247.90     // YOUR IP ADDRESS
    GET /sonynewsitem_page1.htm HTTP/1.1
    Host: techjournal.co.uk
    Referer: http://www.sony.co.uk
What is a cookie?
• The TechJournal server sends back a response
  comprising the following:-
    HTTP/1.1 200 OK     // or 404 NOT FOUND
    Content-Type: text/html;charset=ISO-8859-1
    Set-Cookie: name=value; Expires=Wed, 10 Sep 2012 12:06:00 GMT
    Set-Cookie: id=12345; Expires=Wed, 10 Sep 2012 12:06:00 GMT     // one header per cookie
    [followed by content of page]
What is a cookie?
• We then GET page 2 from a link on page 1:-

    62.6.247.90     // YOUR IP ADDRESS
    GET /sonynewsitem_page2.htm HTTP/1.1
    Host: techjournal.co.uk
    Referer: http://www.techjournal.co.uk
    Cookie: name=value; id=12345     // only name=value pairs are sent back; Expires stays in the browser
What is a cookie?
• Page 2 also contains a picture, so our browser
  automatically sends another GET:-
    62.6.247.90     // YOUR IP ADDRESS
    GET /newspicture.jpg HTTP/1.1
    Host: techjournal.co.uk
    Referer: http://www.techjournal.co.uk
    Cookie: name=value; id=12345
What is a cookie?
• Let's imagine that TechJournal have an
  advertising banner provided by Double Click:-

    62.6.247.90     // YOUR IP ADDRESS
    GET /someadvert.jpg HTTP/1.1
    Host: doubleclick.net
    Referer: http://www.techjournal.co.uk
What is a cookie?
• Double Click now has an opportunity to set a
  cookie as well:-

    HTTP/1.1 200 OK
    Content-Type: image/jpeg
    Set-Cookie: trackingid=8910; Expires=Wed, 10 Sep 2200 12:06:00 GMT
    [followed by jpg image]
What is a cookie?
• Finally, let's say you visit Microsoft and they
  also have a Double Click banner:-
    62.6.247.90     // YOUR IP ADDRESS
    GET /banner.jpg HTTP/1.1
    Host: doubleclick.net
    Referer: http://www.microsoft.co.uk
    Cookie: trackingid=8910     // same cookie, different site: the two visits can be linked
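The exchange on the preceding slides, replayed as an added example (not code from the slides or from any browser): a toy cookie jar that parses the Set-Cookie headers, labels each cookie as first- or third-party by comparing the host that set it with the site in the address bar, and builds the Cookie header the browser would send back. The hosts and cookie values are the slides' illustrative ones; the functions, their names and the simplified site comparison are assumptions made for this example.

```javascript
// Added example, not from the slides: a toy cookie jar replaying the
// TechJournal / Double Click exchange. Function names, the storage shape
// and the site comparison are assumptions made for this example.

// Parse one Set-Cookie header into { name, value, expires }. Only the
// Expires attribute is honoured; other attributes are ignored in this toy.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const cookie = { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1), expires: null };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    if (i > 0 && attr.slice(0, i).toLowerCase() === "expires") {
      cookie.expires = new Date(attr.slice(i + 1).trim());
    }
  }
  return cookie;
}

// Crude "site" comparison: strip a leading www. and compare host names.
// A real browser uses the public suffix list for this decision.
function siteOf(host) {
  return host.toLowerCase().replace(/^www\./, "");
}

class CookieJar {
  constructor() {
    this.store = new Map(); // key "host|name" -> cookie
  }

  // Store the cookie a response from `host` sets while the address bar
  // shows `topLevelSite`. The party label is what a cookies policy and a
  // consent mechanism need to know about each cookie.
  accept(host, topLevelSite, setCookieHeader, now = new Date()) {
    const c = parseSetCookie(setCookieHeader);
    const key = host + "|" + c.name;
    // An Expires in the past is how a server deletes a cookie.
    if (c.expires && c.expires <= now) {
      this.store.delete(key);
      return null;
    }
    c.host = host;
    c.party = siteOf(host) === siteOf(topLevelSite) ? "first-party" : "third-party";
    c.persistent = c.expires !== null; // no Expires => session cookie
    this.store.set(key, c);
    return c;
  }

  // The Cookie request header attached to a request for `host`: only
  // name=value pairs, regardless of which site embedded the request.
  cookieHeader(host, now = new Date()) {
    const pairs = [];
    for (const c of this.store.values()) {
      if (c.host !== host) continue;
      if (c.expires && c.expires <= now) continue;
      pairs.push(c.name + "=" + c.value);
    }
    return pairs.length ? pairs.join("; ") : null;
  }

  // Inventory in the shape a cookies policy has to list.
  inventory() {
    return [...this.store.values()].map((c) => ({
      name: c.name, host: c.host, party: c.party, persistent: c.persistent,
    }));
  }
}

// Replay the slides: two first-party cookies from techjournal.co.uk, one
// long-lived third-party cookie from doubleclick.net, then the visit to
// microsoft.co.uk where the same advert host is contacted again.
function replaySlides() {
  const jar = new CookieJar();
  const now = new Date("2012-08-15T00:00:00Z"); // seminar date, used as "now"
  jar.accept("techjournal.co.uk", "techjournal.co.uk",
    "name=value; Expires=Wed, 10 Sep 2012 12:06:00 GMT", now);
  jar.accept("techjournal.co.uk", "techjournal.co.uk",
    "id=12345; Expires=Wed, 10 Sep 2012 12:06:00 GMT", now);
  const tracker = jar.accept("doubleclick.net", "techjournal.co.uk",
    "trackingid=8910; Expires=Wed, 10 Sep 2200 12:06:00 GMT", now);
  return {
    trackerParty: tracker.party,                                 // "third-party"
    page2: jar.cookieHeader("techjournal.co.uk", now),           // "name=value; id=12345"
    advertOnMicrosoft: jar.cookieHeader("doubleclick.net", now), // "trackingid=8910"
    inventory: jar.inventory(),
  };
}
```

The point the replay makes is the one the slides make: the trackingid cookie is classified third-party because doubleclick.net is not the site in the address bar, yet the browser sends it on every request to doubleclick.net whichever site embedded the advert, and its Expires is nearly two centuries away. The `inventory()` output is the list of cookie, host, party and lifetime that the later "Information" slides ask you to publish.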
First and third party cookies
First and third party:-
Can I control them?
• Here are the Internet Explorer settings dialog
  boxes:-
Other technologies
• Cookies are not the only technologies.
• Download monitoring
   • Web beacons / pixel gifs (monitoring)
• Local storage
   • Cookies
   • Flash
   • HTML5 local storage and file system access
• Dynamic Data capture
   • Javascripts / Flash can capture key presses and mouse
     actions
   • Native applications can do anything.
Other Technologies - JavaScript
• Javascripts are computer code that runs in
  your browser.
   // The slide's illustration of dynamic data capture: each key press is
   // reported to the site's own server by a background request.
   window.onkeypress = function (e) {
          var key = e.charCode;
          var http = new XMLHttpRequest();
          http.open("GET",
                    "http://www.mysite.co.uk/analyse.php?keyPressed=" + key);
          http.send(null);
   };
It is all about what you do with them
• Support Functionality
   • Session
   • Authentication
   • Shopping basket
• Analyse performance
   • Monitor downloads
   • Monitor how users navigate through your site
   • Detect abandonments
• Track
   • Anonymous, across sites, for advertising purposes.
   • Identified, e.g. facebook like buttons
What are the exemptions?
General Approach to Exemptions
• Example websites we have seen do not make a
  distinction, and cover both exempt and non-exempt
  in cookies policies and consent forms.
• Can’t use the same cookie for exempt and
  non-exempt purposes.
• Governments prefer temporary / session based in
  their examples. More circumspect over permanent /
  long-term usage; but more information given to the
  user will help.
Exemption (a)
• The transmission of the communication must
  not be possible otherwise.
• Example given by governments is load
  balancing cookies.
Exemption (b)
• What is strictly needed to provide the
  functionality or service requested by the user.
• Usage based, user-centric approach.
Exemption (b)
• Examples of government indications as to exempt
  uses:-
  •   Session management (security, user input)
  •   Log-in and authentication
  •   Shopping basket
  •   Media playback
  •   User preference storage
  •   Social network functionality requested by logged-in users.
Exemption (b)
• Examples of non-exempt uses:-
  • First party analytics, statistics, audience measuring, heat
    map generation etc.
  • Social network functionality for non-logged in users.
  • Unique identifiers and tracking across websites.
  • Third party cookies and technologies (e.g. advert
    management and tracking, frequency capping, financial
    logging, ad affiliation, click fraud detection, research and
    market analysis, product improvement and debugging).
What are the compliance requirements?
• Information
  • You need to be much more informative about the cookies
    and technologies you use.
• Consent
  • You need to obtain upfront consent, before you use any
    cookies or other technology for a non-exempt purpose.
• Risk
  • Compliance measures have to be decided by you.
  • You will in the end have to take a risk decision.
  • Tailor your approach to the privacy risk involved.
Information
• The law has not changed but the regulatory
  expectation has.
• Historically, what we provided was sparse and
  limited.
• Now the expectation is that it will be thorough
  and detailed.
Information
• What to do:-
  •   Look at models of good practice.
  •   Create a separate cookies policy.
  •   Make the link to it prominent (e.g. top of page)
  •   Detail each cookie or other technology.
  •   Detail its usage
  •   Provide link to relevant third party sites / docs.
  •   Explain any opt-out process.
  •   Explain how you can use browser settings to block cookies.
  •   If information is linked to an identified individual, link to
      the relevant privacy policy.
Information – ICO Website
Information - BBC
Consent
• Freely given, specific and informed
• Any consent box must contain explanation and link to cookies
  policy.
• Given by the computer user (even if not the bill payer).
• Given prior to, or - the ICO recognises - quickly after use.
• Cover both first and third party technologies.
• No obligation to permanently store consent, but helps.
• ICO would like to see options to opt-out later.
• New consents for new technology.
• Browser settings not currently good enough.
Express Consent
• Opt-in tick box, with clear explanatory
  wording and link to cookies policy.
• Not feasible for casual visitors.
• May be feasible if combined with an account
  registration or subscription purchase process.
• Unlikely any companies will use this.
Implied Consent
• ICO latest guidance confirms this is a “reasonable proposition” and
  “implied consent might be the most practical and user-friendly option”
• But at your own risk.
• We guess this means that they will probably tolerate it as a regulator,
  unless there is a severe privacy risk.
• The ICO will not say definitively whether any measures you take are good
  enough; and without some court cases, neither the ICO nor any lawyers
  will be able to rubber stamp any particular solution.
• All examples seen in the wild use it - see examples attached at the back of
  the handout – but vary in their detail and sophistication.
• It is clear this is going to be the predominant solution, but it involves
  taking a risk, and does not give regulatory certainty.
• NOT VIABLE FOR SENSITIVE PERSONAL DATA
Implied Consent
• What it probably requires
    • Really good detailed cookies policy / information (see BBC website).
    • Prominent link to your cookies policy at top of each page.
    • Bold “modal” notice / splash screen clearly stating that by continuing consent
      is taken to be given, with again a link to cookies policy, which requires a click
      to clear it and proceed to use the website.
    • Ability of users to change settings.
    • Approach tailored to your site, the technologies you are using, and the type of
      data you are capturing or storing.
• Risk assessment
    • How much of the above do you implement?
    • Is it good enough for invasive usage (e.g. third party tracking)?
    • A lawyer (without court cases), cannot give you any guarantees.
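An added example (not code from the slides or from any of the sites named on them) that wires together the Exemption (b) split between exempt and non-exempt uses and the implied-consent flow described above: exempt technologies run unconditionally, everything else waits for consent, the notice is shown on the first page view, continuing to a further page is treated as consent, and a later opt-out switches the non-exempt technologies off again. The technology registry, the storage shim and every function name are assumptions made for this example; a real deployment would keep the state in a cookie or localStorage and render the notice in the page.

```javascript
// Added example, not from the slides: a consent gate applying the
// exempt / non-exempt split and an implied-consent flow. Registry entries,
// storage shim and function names are assumptions made for this example.

// Each technology found in the audit, tagged with its purpose and whether
// that use falls under the exemption. Anything not listed is treated as
// non-exempt (fail closed).
const TECH_REGISTRY = [
  { id: "session",   purpose: "session management / log-in", exempt: true },
  { id: "basket",    purpose: "shopping basket",             exempt: true },
  { id: "analytics", purpose: "first-party analytics",       exempt: false },
  { id: "adnetwork", purpose: "third-party advertising",     exempt: false },
];

// Minimal key/value store so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    get: (k) => (m.has(k) ? m.get(k) : null),
    set: (k, v) => { m.set(k, v); },
  };
}

class ConsentGate {
  constructor(storage, registry = TECH_REGISTRY) {
    this.storage = storage;
    this.registry = new Map(registry.map((t) => [t.id, t]));
  }

  // null (never decided), "given" or "withdrawn".
  consentState() { return this.storage.get("cookie_consent"); }

  // Run on every page view. First visit: show the notice and record that it
  // was shown. A later page view with the notice already shown and no
  // opt-out counts as continuing to use the site, i.e. implied consent.
  onPageView() {
    const state = this.consentState();
    if (state === "given" || state === "withdrawn") return "none";
    if (this.storage.get("cookie_notice_seen") === "1") {
      this.storage.set("cookie_consent", "given");
      return "none";
    }
    this.storage.set("cookie_notice_seen", "1");
    return "show-notice";
  }

  accept()   { this.storage.set("cookie_consent", "given"); }     // click on the notice
  withdraw() { this.storage.set("cookie_consent", "withdrawn"); } // later opt-out via settings

  // Whether the loader for technology `id` may run right now. Every script
  // tag or loader for a non-exempt technology must be routed through this
  // check so that nothing non-exempt runs before consent exists.
  mayRun(id) {
    const t = this.registry.get(id);
    if (!t) return false;
    return t.exempt || this.consentState() === "given";
  }

  // Which technologies may run, for logging or for a settings page.
  allowed() {
    return [...this.registry.keys()].filter((id) => this.mayRun(id));
  }
}

// Walk one visitor through two page views and a later opt-out.
function demoVisit() {
  const gate = new ConsentGate(memoryStorage());
  const firstPage = gate.onPageView();   // "show-notice"
  const beforeConsent = gate.allowed();  // ["session", "basket"]
  const secondPage = gate.onPageView();  // "none": consent now implied
  const afterConsent = gate.allowed();   // all four
  gate.withdraw();
  const afterOptOut = gate.allowed();    // back to the exempt two
  return { firstPage, beforeConsent, secondPage, afterConsent, afterOptOut };
}
```

Two design points follow from the slides rather than from the code: consent is only implied once the notice has actually been shown, so the state is recorded on the first page view and acted on from the second, and the opt-out is sticky, so a later page view does not quietly re-grant consent. The exempt list is the place where the "can't use the same cookie for exempt and non-exempt purposes" rule bites: a cookie that serves both would have to be registered as non-exempt.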
Implied consent – Staples
Implied consent – Telegraph
Implied consent - Natwest
Implied consent - Nectar
Implied consent – BBC
Does it matter if I don’t comply?
• Information commissioner’s powers:-
  •   Notices to supply information
  •   Undertakings to secure voluntary compliance
  •   Enforcement notices / criminal offences
  •   Financial penalty up to £500,000 for serious
      contravention likely to cause substantial damage
      or distress.
• Civil claims by users IF damage suffered
Does it matter if I don’t comply?
• We believe that the Information
  Commissioner’s likely approach will be:-
  • Reactive, rather than pro-active.
  • Consensual first.
  • Proportionate to breach.
  • More likely to take action the more privacy risk
    they think there is in all the circumstances.
  • Dependent on ICO resources and political agenda.
What should I be doing next?
• Something, not nothing; make some effort at least.
• Identify what you are using
   • All cookies and other technologies.
   • First and Third Party
   • Websites and apps
• Exempt?
   • Decide whether to voluntarily apply anyway.
What should I be doing next?
• Cookies policy
  • Remember thorough and detailed, and prominent
  • Offer voluntary information as well on exempt
    cookies.
What should I be doing next?
• Implied consent method
  • Decide what mechanism you will use to ‘inform’
    the visitor to your website that they are receiving
    cookies
  • Tailor your approach to your users /
    technologies / website.
What should I be doing next?
• Data Protection Act 1998
  • Don’t forget this.
  • If any information stored or retrieved is not kept
    anonymous (e.g. it is linked to an individual):-
      • verify whether such usage is Data Protection
        Act 1998 compliant;
      • cover in data protection policy as well.
Thank You