Demystifying the EU Cookie Law – eBiz byte Seminar
Julian Turner, Solicitor, Geldards LLP
15th August 2012

eBusiness Club “Demystifying the EU Cookie Law” presentation, Geldards


What exactly has changed?

What is the key change?
• The requirement for a prominent up-front consent.
• Higher up the political and news agenda, and a more active regulator.
• Tailor your approach to the privacy risk involved.

What does the law cover?
• Cookies and other technologies
  • Little consideration to date of other technologies.
  • Any storage or retrieval of data in relation to your customers’ computers which you make use of. Usage based approach.
  • Not what the technology is, but what it is used for.
• First party
  • Technology you use for your own purposes.
• Third party
  • Technology used for a third party’s purposes.
  • Could be deployed by you or a third party.
  • Third party adverts / like buttons embedded in your web page (IFRAME, IMAGE, etc).

What does the law cover?
• Devices
  • PCs, tablets, phones; even readers.
• Software
  • Web browsers / HTML e-mail.
  • Network connected applications (very broad category).
• Technologies
  • Web beacons, cookies, and Flash.
  • JavaScript (including XMLHttpRequest).
  • HTML5 (local storage and file handling).
  • “Native code” in network connected applications.

What is a cookie?
• Part of the Hypertext Transfer Protocol (HTTP) for transfer of web pages between computers.
• See RFC 2109, 1997.
• Cookies make interactions between users and web sites easier.
• Used for authentication, personalisation, tracking.

What is a cookie?
• To obtain a web page or other element from a server your browser makes a GET request:-

62.6.247.90 // YOUR IP ADDRESS
GET /sonynewsitem_page1.htm HTTP/1.1
Host: techjournal.co.uk
Referer: http://www.sony.co.uk

What is a cookie?
• The TechJournal server sends back a response comprising the following (one Set-Cookie header per cookie):-

HTTP/1.1 200 OK // or 404 NOT FOUND
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: name=value; Expires=Wed, 10 Sep 2012 12:06:00 GMT
Set-Cookie: id=12345; Expires=Wed, 10 Sep 2012 12:06:00 GMT
[followed by content of page]

What is a cookie?
• We then GET page 2 from a link on page 1. The browser sends back only the cookie names and values, not attributes such as Expires:-

62.6.247.90 // YOUR IP ADDRESS
GET /sonynewsitem_page2.htm HTTP/1.1
Host: techjournal.co.uk
Referer: http://www.techjournal.co.uk
Cookie: name=value; id=12345

What is a cookie?
• Page 2 also contains a picture, so our browser automatically sends another GET:-

62.6.247.90 // YOUR IP ADDRESS
GET /newspicture.jpg HTTP/1.1
Host: techjournal.co.uk
Referer: http://www.techjournal.co.uk
Cookie: name=value; id=12345

What is a cookie?
• Let’s imagine that TechJournal have an advertising banner provided by DoubleClick:-

62.6.247.90 // YOUR IP ADDRESS
GET /someadvert.jpg HTTP/1.1
Host: doubleclick.net
Referer: http://www.techjournal.co.uk

What is a cookie?
• DoubleClick now has an opportunity to set a cookie as well:-

HTTP/1.1 200 OK
Content-Type: image/jpeg
Set-Cookie: trackingid=8910; Expires=Wed, 10 Sep 2200 12:06:00 GMT
[followed by jpg image]

What is a cookie?
• Finally, let’s say you visit Microsoft and they also have a DoubleClick banner. The same tracking cookie goes back to DoubleClick, now with a Microsoft Referer:-

62.6.247.90 // YOUR IP ADDRESS
GET /banner.jpg HTTP/1.1
Host: doubleclick.net
Referer: http://www.microsoft.co.uk
Cookie: trackingid=8910

First and third party cookies
• First and third party:-
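The exchange above, replayed as an added example (not code from the seminar): a minimal cookie jar in JavaScript that stores each Set-Cookie by host, sends only name=value pairs back, and labels each request first-party or third-party by comparing the requested host with the site being visited. Hosts, paths and values are the slides’ illustrative ones; the jar logic (host-only matching, no Path/Domain/Secure handling) is an assumed simplification, and the code runs under Node without a browser.

```javascript
// Added example: simplified cookie jar replaying the TechJournal / DoubleClick / Microsoft slides.
// Parse one Set-Cookie header: the first name=value pair is the cookie, the rest are attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of rest) {
    const i = a.indexOf("=");
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Jar keyed by host; only name=value pairs go back in the Cookie header, never the attributes.
class CookieJar {
  constructor() { this.byHost = new Map(); } // host -> Map(name -> cookie)
  store(host, setCookieHeaders) {
    if (!this.byHost.has(host)) this.byHost.set(host, new Map());
    for (const h of setCookieHeaders) { const c = parseSetCookie(h); this.byHost.get(host).set(c.name, c); }
  }
  header(host) {
    const jar = this.byHost.get(host);
    return jar && jar.size ? [...jar.values()].map((c) => `${c.name}=${c.value}`).join("; ") : null;
  }
}

const EXP = "Expires=Wed, 10 Sep 2012 12:06:00 GMT";
// The slides' sequence: `page` is the site in the address bar, `host` the server the GET goes to.
const STEPS = [
  { page: "techjournal.co.uk", host: "techjournal.co.uk", path: "/sonynewsitem_page1.htm", sets: ["name=value; " + EXP, "id=12345; " + EXP] },
  { page: "techjournal.co.uk", host: "techjournal.co.uk", path: "/sonynewsitem_page2.htm", sets: [] },
  { page: "techjournal.co.uk", host: "techjournal.co.uk", path: "/newspicture.jpg", sets: [] },
  { page: "techjournal.co.uk", host: "doubleclick.net", path: "/someadvert.jpg", sets: ["trackingid=8910; Expires=Wed, 10 Sep 2200 12:06:00 GMT"] },
  { page: "microsoft.co.uk", host: "doubleclick.net", path: "/banner.jpg", sets: [] },
];

// Replay the steps. A request is first-party when the host asked for is the site being visited.
// Each log entry records what the browser sent before the response's cookies were stored.
function replayExchange(steps = STEPS) {
  const jar = new CookieJar(), log = [];
  for (const s of steps) {
    const party = s.host === s.page ? "first-party" : "third-party";
    log.push({ host: s.host, path: s.path, party, sent: jar.header(s.host) });
    jar.store(s.host, s.sets);
  }
  return log;
}

// Sites on which `host` received a GET: the cross-site picture a third-party host builds up.
function sitesSeenBy(steps, host) {
  return [...new Set(steps.filter((s) => s.host === host).map((s) => s.page))];
}
```

The last log entry shows the point of the slides: the DoubleClick cookie set while reading TechJournal is presented again from Microsoft, so one host now sees the same browser on two unrelated sites.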

Can I control them?
• Here are the Internet Explorer settings dialog boxes:-

Other technologies
• Cookies are not the only technologies.
• Download monitoring
  • Web beacons / pixel gifs monitor downloads.
• Local storage
  • Cookies
  • Flash
  • HTML5 local storage and file system access
• Dynamic data capture
  • JavaScript / Flash can capture key presses and mouse actions.
  • Native applications can do anything.

Other Technologies - JavaScript
• JavaScript is computer code that runs in your browser, for example:-

window.onkeypress = function (e) {
  // Code of the key just pressed (window.event is the older IE way to reach it)
  var key = (e || window.event).charCode;
  // Report it back to the site with a background request
  var http = new XMLHttpRequest();
  http.open("GET", "http://www.mysite.co.uk/analyse.php?keyPressed=" + key);
  http.send(null);
};

It is all about what you do with them
• Support functionality
  • Session
  • Authentication
  • Shopping basket
• Analyse performance
  • Monitor downloads
  • Monitor how users navigate through your site
  • Detect abandonments
• Track
  • Anonymous, across sites, for advertising purposes.
  • Identified, e.g. Facebook like buttons.

What are the exemptions?

General Approach to Exemptions
• Example websites we have seen do not make a distinction, and cover both exempt and non-exempt in cookies policies and consent forms.
• Can’t use the same cookie for exempt and non-exempt purposes.
• Governments prefer temporary / session based in their examples. More circumspect over permanent / long-term usage; but more information given to the user will help.

Exemption (a)
• The transmission of the communication must not be possible otherwise.
• Example given by governments is load balancing cookies.

Exemption (b)
• What is strictly needed to provide the functionality or service requested by the user.
• Usage based, user-centric approach.

Exemption (b)
• Examples of government indications as to exempt uses:-
  • Session management (security, user input)
  • Log-in and authentication
  • Shopping basket
  • Media playback
  • User preference storage
  • Social network functionality requested by logged-in users.

Exemption (b)
• Examples of non-exempt uses:-
  • First party analytics, statistics, audience measuring, heat map generation etc.
  • Social network functionality for non-logged in users.
  • Unique identifiers and tracking across websites.
  • Third party cookies and technologies (e.g. advert management and tracking, frequency capping, financial logging, ad affiliation, click fraud detection, research and market analysis, product improvement and debugging).

What are the compliance requirements?
• Information
  • You need to be much more informative about the cookies and technologies you use.
• Consent
  • You need to obtain upfront consent, before you use any cookies or other technology for a non-exempt purpose.
• Risk
  • Compliance measures have to be decided by you.
  • You will in the end have to take a risk decision.
  • Tailor your approach to the privacy risk involved.
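An added example (not code from the seminar) that turns the exemption slides and the consent requirement above into an inventory check: each declared cookie or technology is classified by its purposes against the exempt and non-exempt lists, a cookie used for both kinds of purpose is flagged (the slides say one cookie cannot serve both), and the site learns which items may be set before consent and which must wait. The purpose labels and the sample inventory are constructed for illustration; a real inventory would come from a crawl of the site and its third-party embeds.

```javascript
// Added example: inventory audit against the seminar's exemption lists. Labels are constructed.
// Purposes the slides give as exempt (load balancing under (a); the rest under (b)).
const EXEMPT_PURPOSES = new Set([
  "load-balancing", "session-management", "login", "shopping-basket",
  "media-playback", "user-preference", "social-logged-in",
]);
// Purposes the slides give as non-exempt (consent needed before use).
const NON_EXEMPT_PURPOSES = new Set([
  "analytics", "heat-map", "social-not-logged-in", "cross-site-tracking",
  "advert-management", "frequency-capping", "market-research", "debugging",
]);

// Classify one declared cookie or technology by its purposes.
// "mixed": one cookie used for exempt and non-exempt purposes, which the guidance does not allow.
// "unknown": a purpose in neither list, so it cannot be relied on as exempt until reviewed.
function classify(item) {
  const exempt = item.purposes.filter((p) => EXEMPT_PURPOSES.has(p));
  const nonExempt = item.purposes.filter((p) => NON_EXEMPT_PURPOSES.has(p));
  const unknown = item.purposes.filter((p) => !EXEMPT_PURPOSES.has(p) && !NON_EXEMPT_PURPOSES.has(p));
  let status = "exempt";
  if (unknown.length) status = "unknown";
  else if (exempt.length && nonExempt.length) status = "mixed";
  else if (nonExempt.length) status = "consent-required";
  return { name: item.name, party: item.party, status, unknown };
}

// Split an inventory into what may be set now, what must wait for consent, and what needs fixing.
function auditInventory(inventory, consentGiven) {
  const result = { setNow: [], blocked: [], fix: [] };
  for (const item of inventory) {
    const c = classify(item);
    if (c.status === "mixed" || c.status === "unknown") result.fix.push(c);
    else if (c.status === "exempt" || consentGiven) result.setNow.push(c.name);
    else result.blocked.push(c.name);
  }
  return result;
}

// Constructed sample inventory ("first"/"third" party in the slides' sense).
const SAMPLE = [
  { name: "SESSIONID", party: "first", purposes: ["session-management", "login"] },
  { name: "basket", party: "first", purposes: ["shopping-basket"] },
  { name: "stats_uid", party: "first", purposes: ["analytics"] },
  { name: "trackingid", party: "third", purposes: ["advert-management", "cross-site-tracking"] },
  { name: "prefs", party: "first", purposes: ["user-preference", "heat-map"] },
  { name: "promo", party: "first", purposes: ["marketing"] },
];
```

Running auditInventory(SAMPLE, false) leaves only the session and basket cookies settable before consent; the analytics and advertising items wait, and the two badly declared items go to the fix list.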

Information
• The law has not changed but the regulatory expectation has.
• Historically, what we provided was sparse and limited.
• Now the expectation is that it will be thorough and detailed.

Information
• What to do:-
  • Look at models of good practice.
  • Create a separate cookies policy.
  • Make the link to it prominent (e.g. top of page).
  • Detail each cookie or other technology.
  • Detail its usage.
  • Provide links to relevant third party sites / docs.
  • Explain any opt-out process.
  • Explain how you can use browser settings to block cookies.
  • If information is linked to an identified individual, link to the relevant privacy policy.

Information – ICO Website

Information - BBC

Information - BBC

Consent
• Freely given, specific and informed.
• Any consent box must contain an explanation and a link to the cookies policy.
• Given by the computer user (even if not the bill payer).
• Given prior to, or - the ICO recognises - quickly after use.
• Cover both first and third party technologies.
• No obligation to permanently store consent, but it helps.
• ICO would like to see options to opt-out later.
• New consents for new technology.
• Browser settings not currently good enough.

Express Consent
• Opt-in tick box, with clear explanatory wording and link to cookies policy.
• Not feasible for casual visitors.
• May be feasible if combined with an account registration or subscription purchase process.
• Unlikely any companies will use this.

Implied Consent
• ICO latest guidance confirms this is a “reasonable proposition” and “implied consent might be the most practical and user-friendly option”.
• But at your own risk.
• We guess this means that they will probably tolerate it as a regulator, unless there is a severe privacy risk.
• The ICO will not say definitively whether any measures you take are good enough; and without some court cases, neither the ICO nor any lawyers will be able to rubber stamp any particular solution.
• All examples seen in the wild use it - see examples attached at the back of the handout – but vary in their detail and sophistication.
• It is clear this is going to be the predominant solution, but it involves taking a risk, and does not give regulatory certainty.
• NOT VIABLE FOR SENSITIVE PERSONAL DATA

Implied Consent
• What it probably requires
  • Really good detailed cookies policy / information (see BBC website).
  • Prominent link to your cookies policy at top of each page.
  • Bold “modal” notice / splash screen clearly stating that by continuing consent is taken to be given, with again a link to cookies policy, which requires a click to clear it and proceed to use the website.
  • Ability of users to change settings.
  • Approach tailored to your site, the technologies you are using, and the type of data you are capturing or storing.
• Risk assessment
  • How much of the above do you implement?
  • Is it good enough for invasive usage (e.g. third party tracking)?
  • A lawyer (without court cases) cannot give you any guarantees.

Implied consent – Staples

Implied consent – Telegraph

Implied consent - Natwest

Implied consent - Nectar

Implied consent - Nectar

Implied consent - Nectar

Implied consent – BBC

Implied consent - BBC

Implied consent – BBC

Does it matter if I don’t comply?
• Information Commissioner’s powers:-
  • Notices to supply information
  • Undertakings to secure voluntary compliance
  • Enforcement notices / criminal offences
  • Financial penalty up to £500,000 for serious contravention likely to cause substantial damage or distress.
• Civil claims by users IF damage suffered.

Does it matter if I don’t comply?
• We believe that the Information Commissioner’s likely approach will be:-
  • Reactive, rather than pro-active.
  • Consensual first.
  • Proportionate to breach.
  • More likely to take action the more privacy risk they think there is in all the circumstances.
  • Dependent on ICO resources and political agenda.

What should I be doing next?
• Something, not nothing; make some effort at least.
• Identify what you are using
  • All cookies and other technologies.
  • First and third party.
  • Websites and apps.
• Exempt?
  • Decide whether to voluntarily apply anyway.

What should I be doing next?
• Cookies policy
  • Remember: thorough and detailed, and prominent.
  • Offer voluntary information as well on exempt cookies.

What should I be doing next?
• Implied consent method
  • Decide what mechanism you will use to ‘inform’ the visitor to your website that they are receiving cookies.
  • Tailor your approach to your users / technologies / website.

What should I be doing next?
• Data Protection Act 1998
  • Don’t forget this.
  • If any information stored or retrieved is not kept anonymous (e.g. it is linked to an individual):-
    • verify whether such usage is Data Protection Act 1998 compliant;
    • cover in data protection policy as well.

Thank You