Privacy and cookies crm inspiration days 2013
  1. Privacy & cookies. The Reference CRM inspiration day 2013. Bart Van den Brande, Advocaat – partner, Sirius Legal advocaten, www.siriuslegal.be, bart@siriuslegal.be, @BartVdBrande
  2. Short update on privacy
  3. Short update on privacy: current situation
     - The current privacy directive (including the Belgian privacy law of 1992, which is based on that directive) is no longer effective
     - No unified rules between member states
     - Lack of control over big players (a.o. Ireland has very liberal rules)
     - The basic principle of server location or company location is no longer relevant in the cloud computing era
     - Potential loss of business due to an ineffective legal system: 2.3 billion euro/year according to the EU
  4. Short update on privacy: basic principles of the Belgian privacy law of 8 December 1992
     - There is no general "right to privacy"
     - The definition of personal data is very broad
     - Prior opt-in is required for all data collecting and processing
     - "Free and informed" opt-in
     - Separate opt-in for data transfer to a third party
     - Opt-in must be requested by the "data controller" (as opposed to the "data processor")
     - Declaration at the Privacy Commission required in most cases (online at www.privacycommission.be, cost is 25 euro)
     - Limited exceptions (if processing is unavoidably needed)
  5. Short update on privacy: basic principles of the Belgian privacy law of 8 December 1992, the individual's rights
     - Right to refuse
     - Right to access and correct
     - Right to oppose future processing
     - Right to be informed (through the privacy policy)
  6. Short update on privacy: proposal of a new EU regulation
     - Regulation ≠ directive: uniform rules throughout the entire EU
     - Work in progress since 2012
     - First draft text released in May 2013
     - Currently being amended and voted on by committees
     - LIBE Committee (civil liberties, justice and home affairs) voted on 21 October 2013
     - Next steps: agreement of the Council of Ministers and the Commission is sought
     - If no agreement, plenary vote in the EU Parliament in April 2014 (?)
  7. Short update on privacy: main objectives
     - One stop shop throughout the EU
     - Greater harmonization
     - Strengthening individual rights
     - Less administrative burden
     - More effective enforcement of the rules
  8. Short update on privacy: main principles
     - Applicable to anyone offering services on EU territory (LIBE: "even free services")
     - Personal data = any data allowing identification, including online identifiers and "pseudonymous data"
     - Consent has to be given explicitly (LIBE: "purpose limited")
     - Extended information obligation (LIBE: use of standard icons)
  9. Short update on privacy: main principles
     - Obligation to notify data subjects and authorities of a data breach (LIBE: "without undue delay")
     - "Data protection by design" and "data protection impact assessment"
     - "Data protection officer" if more than 250 employees, with the obligation to document processes (LIBE: "or more than 5000 data subjects processed over the last 12 months")
     - Cross-border data transfer: the current system remains in force for 5 more years
     - Sanctions: LIBE: up to 5% of annual sales or 100 million
  10. Short update on privacy: main principles
     - Right of erasure
     - Right of data portability
     - Prohibition against profiling
     - Article 29 Working Party (advisory body) replaced by the European Data Protection Board (official body)
  11. Short update on privacy: practical tips (if nothing changes)
     - Stay up to date with the regulation drafts
     - Review notice forms, consent forms, privacy policies and data controller/data processor contracts
     - Implement data breach notification readiness
     - Implement a data processing documentation system
     - Data protection by design and data protection by default
     - Conduct a data processing impact assessment
     - Pseudonymize/anonymize/encrypt data where possible to escape the stringent rules
     - Secure personal data adequately
  12. One last time: the truth about cookies. Again with the cookies?
  13. One last time: the truth about cookies. Again with the cookies? Tools like Kméléo (remarketing/OBA tools):
     - Do not use cookies
     - Read out the user's browser history just before page landing
     - Display advertisements based on that browser history
     - Claim not to use personal data
     - Claim to escape cookie regulations
  14. One last time: the truth about cookies. So yes, one last time again with the cookies
  15. A bit of background: what are cookies?
  16. A bit of background: what are cookies? A cookie is a small amount of data generated by a website and saved on your computer by your web browser. Its purpose is to remember information about you, similar to a preference file created by a software application. Why all the fuss about cookies? In one word: privacy…
  17. A bit of background: what are cookies?
     - First-party cookies (placed by the website itself) vs. third-party cookies (placed by Google Analytics or ad brokers)
     - Functional cookies (log-in, registration, language) vs. non-functional cookies (statistics, remarketing, OBA)
     - Permanent cookies (remain present) vs. session cookies (erased after the surfing session)
  18. A bit of background: the legal small print
  19. A bit of background: the legal small print
     - EU e-privacy directive 2002/58/EC
     - Obligation for member states to adapt national law before the end of 2012
     - Belgium: new article 129 in the Telecom law since October 2012
  20. A bit of background: the legal small print. "The storage of information, or the obtaining of access to information already stored in the terminal equipment of a subscriber or a user, is only permitted on condition that: 1° the subscriber or user concerned, in accordance with the conditions laid down in the law of 8 December 1992 on the protection of privacy in relation to the processing of personal data, receives clear and precise information about the purposes of the processing and about his rights under the law of 8 December 1992; 2° the subscriber or end user has given his consent after having been informed in accordance with the provisions of 1°. The first paragraph does not apply to the technical storage of information, or access to information stored in the terminal equipment of a subscriber or end user, for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or of providing a service explicitly requested by the subscriber or end user, where this is strictly necessary for that purpose. Consent within the meaning of the first paragraph, or the application of the second paragraph, does not release the data controller from those obligations of the law of 8 December 1992 on the protection of privacy in relation to the processing of personal data that are not imposed by this article. The data controller offers subscribers or end users, free of charge, a simple way to withdraw the consent given."
  21. A bit of background: the legal small print. Belgian law does not contain any further details on:
     - How to warn and inform
     - How to obtain opt-in
     - How to enable opt-out
     - Who is responsible
     The law is vague, unclear and leaves room for interpretation. The entire sector is waiting for clear guidelines from the Privacy Commission or BIPT/IBPT.
  22. A bit of background: the legal small print. Meanwhile:
     - The EU standpoint is clear (directive + declarations by commissioners Kroes and Reding)
     - The "Working Party 29" standpoint is clear (the Belgian Privacy Commission is part of WP29)
     - Neighbouring countries' regulations are clear
  23. What does this mean for you?
  24. What does this mean for you? By deduction:
     - Functional first-party cookies (language, shopping cart, settings, password, technical): no need to obtain opt-in, but an obligation to inform (e.g. in the privacy policy)
     - Non-functional cookies or third-party cookies (remarketing and OBA, Google Analytics, …): obligation to inform prior to placing cookies; obligation to obtain explicit opt-in prior to placing cookies; possibility to opt out in the future
  25. What does this mean for you? By deduction:
  26. What does this mean for you? So, by deduction, opt-in has to be:
     - Free of obligation (i.e. the visitor must be able to visit the website even without opt-in)
     - Explicit (requires active intervention by the visitor)
     - Informed (requires prior information of the visitor)
     - Given before any cookie is installed
     - Revocable
  27. What does this mean for you? So, by deduction, from a practical point of view:
     - Information on the use of cookies, the type of cookies used and the aim of the cookies (in the privacy policy)
     - Clear warning upon first visit + link to the information
     - Clear free choice for the visitor to opt in or not (possibility of a layered approach)
     - Clear information about the opt-out possibility (in the privacy policy)
  28. What does this mean for you? So, by deduction: pop-up? Splash screen? Warning in banner or footer? "Implicit opt-in"? All seem acceptable as long as an active decision by the visitor is required and free choice is guaranteed (this excludes "by visiting this website you accept…")
  29. What does this mean for you?
  32. What does this mean for you? Oh, and also: if a cookie is used to store and/or process personal data, prior opt-in under privacy law is required on top of the cookie warning, and privacy law applies… This means:
     - Declaration at the Privacy Commission
     - Right to access, correct and oppose
     - Obligation of information through the privacy policy
     - No transfer of data outside the EU, unless under very strict conditions
     Warning: almost all data is personal data, including IP address, browser history and any data that might allow someone to be identified directly or indirectly
  33. What does this mean for you? Consequences of the cookie law
  34. What does this mean for you? Consequences of the cookie law:
     - Not very effective
     - Disturbing for the visitor
     - Loss of traffic and/or data for websites
  35. What does this mean for you? Consequences of the cookie law: trying to escape the cookie law obligations, alternative solutions are sought:
     - Browser fingerprinting (Kméléo and others)
     - Web beacons
  36. What does this mean for you? Browser fingerprinting:
     - Does not use cookies
     - Reads out the user's browser history just before page landing
     - Displays advertisements based on that browser history
     - Claims not to use personal data
     - Claims to escape cookie regulations
  37. What does this mean for you? Browser fingerprinting. Unfortunately, article 129 of the Telecom law is quite clear: "The storage of information, or the obtaining of access to information already stored in the terminal equipment of a subscriber or a user…"
  38. What does this mean for you? Browser fingerprinting. Equally clear is the Working Party 29 opinion 1/2008 (doc 00737/NL WP 148), which confirms that browser history data should be considered personal data under privacy law
  39. What does this mean for you? Browser fingerprinting. Consequently, even if no cookie is placed but data from a visitor's computer is in any way collected, accessed or analysed, prior consent is required. This includes browser fingerprinting, web beacons, plugins, …
  40. What does this mean for you? And what if I do not comply?
  41. What does this mean for you? International context
  42. What does this mean for you? International context:
     - As many laws as there are member states
     - All differ slightly: definitions vary, opt-in requirements vary, …
     - Problem: as soon as you target an audience in one member state, the local authorities will claim to be competent (e.g. local extension, local language, local content, …)
     - The need to comply with the most stringent legal systems seems to be the consequence
  43. What does this mean for you? International context. Working Party 29 opinion of October 2013: the basis for pan-European cookie requirements. Careful: this is only an opinion.
  44. What does this mean for you? International context. Working Party 29 opinion of October 2013:
     - Opt-in should concern only cookies (not combined with privacy or direct marketing)
     - Opt-in should occur prior to placing or activating the cookie
     - Opt-in requires an active decision (which may show through a decision to continue the visit to the website)
     - Opt-in should be free and may be layered
     - A visit to the website has to be possible without opt-in (although this seems to exclude "by visiting you accept…"?)
     - Explicit warning from WP29 for tracking cookies: if personal data is collected, prior and separate opt-in for the data processing is required
  45. Specific questions? Need quick advice? www.campaignchecker.be, the Sirius Legal Campaign Checker service:
     - Specific service for (digital) agencies, advertisers, sweepstake organizers, website owners, …
     - Quick legal check of a campaign, campaign site, landing page, …
     - Pragmatic and usable advice
     - Available online
     - First contact within 1 hour
     - Advice within 24 hours
     - Fixed price: 300 euro
  46. Specific questions? Need quick advice? www.campaignchecker.be. All questions concerning:
     - Copyright
     - Trademarks
     - Comparative advertising
     - Consumer protection rules
     - Contests, sweepstakes, lotteries
     - Privacy and cookies
     - Direct marketing actions and member-get-member actions
     - Actions via social media, respect for Facebook rules and guidelines, …
     - Viral actions
  47. Need more elaborate help for your website? www.websitecertifier.be, the Sirius Legal Website Certifier service:
     - Extensive legal check of websites and webshops
     - Full analysis of the website set-up, legal documents and disclaimers, legal mentions, communication towards the visitor/consumer
     - Analysis document
     - Changes to legal texts where needed, or a draft of general terms, disclaimer, privacy policy and cookie policy
     - 2 languages (NL/FR or NL/UK) included
     - Fixed price: 650 euro
     - First contact within 1 hour
     - Full report within 5 business days
  48. Need more elaborate help for your website? www.websitecertifier.be. The check includes:
     - Obligatory mentions for all websites
     - Privacy law and cookies for all websites
     - Respect for market practices and consumer protection in e-commerce (pricing, delivery, 14-day cooling-off period, sales); comparative and misleading advertising and information of consumers
     - Set-up of your sales process in e-commerce
     - Content of your general terms of sale or use in e-commerce, auction sites, discussion forums
  49. Privacy & cookies. The Reference CRM inspiration day 2013. Bart Van den Brande, Advocaat – partner, Sirius Legal advocaten, www.siriuslegal.be, bart@siriuslegal.be, @BartVdBrande
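As an added example, not code from the presentation or from Sirius Legal, the following JavaScript shows the consent gate that slides 17, 24 and 26 to 28 describe: functional first-party cookies are set on information alone, anything non-functional or third-party needs explicit, informed, prior and revocable opt-in, and revocation expires what was already placed. The cookie catalogue, the consent record and the `jar` object standing in for `document.cookie` are constructed for the example.

```javascript
// Added example (not from the deck): consent gate for the cookie categories on slides 17/24
// and the opt-in conditions on slides 26-28. Names, purposes and `jar` (stand-in for document.cookie) are constructed.

const CATALOGUE = {
  lang:     { purpose: "language choice",        functional: true,  thirdParty: false },
  cart:     { purpose: "shopping cart",          functional: true,  thirdParty: false },
  _ga:      { purpose: "statistics (analytics)", functional: false, thirdParty: true  },
  remarket: { purpose: "remarketing / OBA",      functional: false, thirdParty: true  },
};

// Only functional first-party cookies may be set on information alone (slide 24); the rest need
// opt-in. Uncatalogued cookies cannot be described in the privacy policy, so they are refused.
function needsOptIn(name) {
  const c = CATALOGUE[name];
  if (!c) throw new Error(`cookie '${name}' is not catalogued; document it before using it`);
  return !c.functional || c.thirdParty;
}

// Consent is valid only if explicit, informed and not revoked (slide 26); a record produced by
// "by visiting this website you accept..." carries explicit: false and is rejected (slide 28).
function consentValid(consent) {
  return Boolean(consent && consent.explicit && consent.informed && !consent.revoked);
}

// Place a cookie in `jar` if the rules allow it; return the decision so refusals can be logged.
function placeCookie(jar, name, value, consent) {
  if (needsOptIn(name) && !consentValid(consent)) {
    return { placed: false, reason: `no valid opt-in for '${name}' (${CATALOGUE[name].purpose})` };
  }
  jar[name] = value;
  return { placed: true, reason: "ok" };
}

// Revocation must be as simple as opting in (slide 26): flag the record and expire every opt-in
// cookie already placed. Returns the Set-Cookie headers a server would send to delete them.
function revokeConsent(jar, consent) {
  consent.revoked = true;
  const headers = [];
  for (const name of Object.keys(jar)) {
    if (!needsOptIn(name)) continue;
    delete jar[name];
    headers.push(`${name}=; Max-Age=0; Path=/`);
  }
  return headers;
}

// Privacy-policy cookie table (slide 27), generated from the catalogue so it cannot drift from the code.
function cookieNotice() {
  return Object.entries(CATALOGUE).map(([name, c]) => `${name}: ${c.purpose}; ${c.thirdParty ? "third party" : "first party"}; ${needsOptIn(name) ? "opt-in required" : "information only"}`);
}
```

In a real page the same decision would wrap every `document.cookie` write and every third-party script tag, and `revokeConsent` would be wired to the opt-out link the privacy policy announces.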