Cookies and Data Protection - a Practitioner's perspective



This is a presentation prepared and delivered to the International Bar Association Conference in 2012 on behalf of the Interactive Direct Marketing Association. It looks at some of the pragmatic challenges that exist in getting organisations to adopt and adapt to the requirements of the Cookies regulations.


  1. COOKIES: The Practitioner's Perspective. Presentation by Daragh O Brien, Regulatory Advisor IDMA and MD Castlebridge Associates.
  2. This slide deck was prepared for an Interactive Direct Marketing Association presentation to the International Bar Association Conference 2012.
  3. Confusion
  4. What is a Cookie? "…is usually a small piece of data sent from a website and stored in a user's web browser while a user is browsing a website" (Wikipedia). "…cookies are small, often encrypted text files, located in browser directories" ( ). "A cookie is information that a Web site puts on your hard disk so that it can remember something about you at a later time." ( definition/cookie)
  5. What SI336 says…
     • (3) A person shall not use an electronic communications network to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user, unless (a) the subscriber or user has given his or her consent to that use, and (b) the subscriber or user has been provided with clear and comprehensive information in accordance with the Data Protection Acts which—
       • (i) is both prominently displayed and easily accessible, and
       • (ii) includes, without limitation, the purposes of the processing of the information.
     • (4) For the purpose of paragraph (3), the methods of providing information and giving consent should be as user-friendly as possible. Where it is technically possible and effective, having regard to the relevant provisions of the Data Protection Acts, the user's consent to the storing of information or to gaining access to information already stored may be given by the use of appropriate browser settings or other technological application by means of which the user can be considered to have given his or her consent.
     • (5) Paragraph (3) does not prevent any technical storage of, or access to, information for the sole purpose of carrying out the transmission of a communication over an electronic communications network or which is strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
  6. Which Means? The Legislation covers a LOT more than just text Cookies and Browsers.
  7. What the legislation covers:
     • Flash Local Objects
     • Apps storing data
     • SQLite databases
     • HTML 5 Local Storage
     • Traditional browser cookies (plus SQLite, Flash, HTML5)
     • Data logging
     • Usage data
  8. Exceptions? Strictly Necessary? Information Society Service? Explicitly Requested?
  9. "So far, for 50 years, the information revolution has centered on data—their collection, storage, transmission, analysis, and presentation. It has centered on the 'T' in IT. The next information revolution asks, what is the MEANING of information, and what is its PURPOSE?"
  10. Questions of Consent & Guidance. The Directive does not specify how consent should be obtained. The ICO in the UK allowed "implied consent" at the last minute. The A29 Working Group Opinion (subsequently) focused on "informed consent". Guidance (to date) has focused on traditional web browser and Flash cookies.
  11. DPC Guidance
     • Non-third party cookies:
       • Prominent Notice giving information on Cookies, with the ability to click through and make an informed choice re: consent
     • Cookies in General:
       • Consent should be as user friendly as possible
       • Require clear communication about what the user is being asked to consent to
       • A means of giving or refusing consent to data being stored or retrieved
  12. Varying Degrees of Compliance (chart: share of websites per industry group, 0% to 100%, by approach: Mentioned in Privacy Statement, No Notice Given, Cookies Policy, Cookie Notice; industry groups: utilities, telecomms, media, legal, insurance, government, financial, consulting, charity)
  13. An example of Compliance Confusion: UK Website for a major multinational professional services firm.
  14. An example of Compliance Confusion: Irish Website of the same Professional Services firm.
  15. Announcement on 5th September by a leading UK web design firm that developed a leading Cookie Compliance solution.
  16. Don't endorse this approach, but can understand. Screen grab of the "No Cookie Law" website.
  17. Motivation
  18. • Unaware of what needs to be done?
      • Aware but not willing to make changes until their peers are making changes?
  19. "Yes, I know we are not compliant but none of our competitors are either. Given the limits on our budgets we can't even begin to put those changes on the table for discussion until our competitors are also being forced to make the change. We don't see a 'first mover advantage' here if there is no enforcement and if the penalty is less than the cost of development." It doesn't help that Government and EU departments have failed to bring their websites and mobile apps into compliance.
  20. A change of mind set and culture is required
      • Compliance = GOOD!!
      • Cookies need to be seen as data assets that your organisation wants to store in someone else's property
      • The focus needs to shift to PRIVACY, not the Technology
      • Meaning and intent of the stored data is imperative
      • Professional bodies like IDMA can promote good practice
      • Regulators must enforce
      • Legal Counsel must look to the Meaning and Purpose of Cookies
  21. Is Self Regulation an Option?
      • Comments here are not necessarily the views of the IDMA and are the speaker's personal opinions. © Adam Zyglis 2008
  22. Self-Regulation ↔ Light Touch ↔ Rigid Rules; Self Policing / Peer Policing ↔ Sensible Enforcement ↔ Enforceability
  23. Self-Regulation ↔ Light Touch ↔ Rigid Rules. Need to learn from mistakes and successes of other Regulatory regimes and laws.
  24. Evidence based policy objectives and governance requirements are key. "The Information Commissioner Christopher Graham has questioned the effectiveness of the EU cookie directive, suggesting that it was 'dreamed up by politicians in Brussels' without the appropriate market research to back it up." - quoted in, 15/09/2012
  25. "More and more citizens and consumers are waking up to the implications of sharing personal data online," he said. "By fresh thinking that recognises where the consumer is coming from, we can develop policies that really work." (speaking at launch of "Data Dialogue" Report, Sept 2012)
  26. Solutions?
  27. Good Information Management culture
      1. Recognise cookies as a data asset
         • Bring in advisors who understand Data Governance principles if necessary
         • Think "Privacy" first, then "Technology"
      2. Think in terms of the process that is using the Data Asset
         • Is the use of the asset essential to the objective/purpose of the process?
         • Does the process require data to be shared with 3rd parties?
         • How 'invasive' is the process?
         • Is the process adding value or creating risk?
      3. Document
      4. Promote transparency
         • A GOOD Privacy Statement that can be read by HUMANS!!!
      5. Keep under regular review
      6. Consider the spirit and intent of the Directive, not just the literal interpretation.
      7. Implement appropriate (often low cost) solutions to design compliance and privacy controls into your processes.
      8. Think about PRIVACY, then about TECHNOLOGY