The New Data Protection Regulation and Cookie Compliance

This presentation is from Lewis Silkin’s The New Data Protection Regulation and Cookie Compliance breakfast briefing on the 23 February 2012. Simon Morrissey, Lewis Silkin, and Meriel Lenfestey, Foolproof, look at the new Data Protection Regulations and some of the options available when thinking about cookie compliance and the end user experience.

You can visit http://www.lewissilkin.com for more information.

The New Data Protection Regulation and Cookie Compliance: Presentation Transcript

  • The New Data Protection Regulation & Cookie Compliance
      • Simon Morrissey, Head of Technology and Commercial Data Group, simon.morrissey@lewissilkin.com
      • Meriel Lenfestey, Director at Foolproof, meriel@flow-interactive.com
      • 23 February 2012
  • Agenda
      • Part 1: New Data Protection Regulation > The Context > Key Points
      • Part 2: The Cookie Law – Planning for Compliance
  • The Context
      • A complete overhaul of existing European data protection legislation in place since 1995 and in the UK since 1998
      • Key aim is to avoid fragmentation legacy by using a Regulation which will have direct effect in Member States
      • Provides more legal certainty but at the expense of being more prescriptive
      • Simplifies some aspects of existing compliance regime
      • Provides more rights to data subjects
      • Takes away cost of notification but increases burdens on business
  • Key Points
      • All consent must now be explicit (Article 4(8)) – extension of the previous rule which applied to Sensitive Personal data
          • Impact: This will remove the option of form-based consent
      • Data must be processed in a transparent manner (Article 5(a))
          • Impact: This will increase the level and quality of information data controllers will be required to provide data subjects
  • Key Points cont
      • The data processed must be the minimum necessary for the purpose – compare with the old “not excessive” rule (Article 5(c))
          • Impact: Greater scrutiny of the type of personal data collected, eg date of birth
      • Parental consent is required to collect data of children under 13 (currently no mandated age) (Article 8(1))
      • Wider definition of Personal Data (Article 4(1) & (2))
  • Key Points cont
      • Article 3 - New law applies to the processing of personal data of data subjects residing in the EU where the processing relates to:
          • the offering of goods or services to such data subjects; or
          • monitoring their behaviour (Article 3)
  • Key Points cont
      • The right to be forgotten (Article 17) – includes obligations to inform third parties, whom the controller has authorised to publish personal data, of a data subject’s wishes
      • The data subject’s right to object (Article 19)
      • The data subject’s right to object to automated profiling (Article 20)
  • Key Points cont
      • Notification regime to be replaced by accountability principle (Article 22)
          • Impact: Controllers will be required to demonstrate how they comply with data protection law rather than just pay a notification fee
      • Data protection by design and by default (Article 23)
          • Impact: Controllers will be required to implement technical and organisational measures to ensure compliance
  • Key Points cont
      • New rules relating to the engagement of data processors (Article 26)
          • Processors may only enlist sub-processors with the prior permission of the controller
          • Potential for data processors to become joint controllers
          • Impact: Appointment of processors will be governed by more robust rules on controllers and processors
  • Key Points cont
      • Data Security (Article 30): Processors now have statutory obligations to keep personal data secure.
          • Impact: Under the old law, processors could only be liable contractually for data breaches. Now at risk of fines.
      • Data breach notification now mandatory for controllers and processors within 24 hours (Article 31)
      • Also includes obligations on controllers to notify data subjects (Article 32)
  • Key Points cont
      • Appointment of a Data Protection Officer now mandatory for controllers and processors who are employing over 250 people or where the processing requires regular and systematic monitoring of data subjects (Article 35)
      • International Transfers of Data (Articles 40-44)
          • territories and processing sectors can now be designated as “adequate” or “inadequate”
          • ICO can now validate terms of a data transfer agreement as adequate
          • simplification of Binding Corporate Rules
  • Key Points cont
      • Enforcement (Article 79)
          • New written warning sanction for companies under 250 persons for whom processing is only an ancillary activity
          • 0.5% fine of annual worldwide turnover for breaches of subject access requests
          • 1% fine of annual worldwide turnover for certain breaches
          • 2% fine of annual worldwide turnover for certain breaches
  • Questions?
  • Thank you
  • EU Cookies for Lewis Silkin Breakfast Briefing
      • Meriel Lenfestey, Partner
      • © Flow Interactive. All rights reserved.
  • Me ...
      • Founder of and a Director and Partner at
      • Interaction Designer with a strong focus on user centred methodologies
      • Recently worked with 6 global & national FS brands to help specify cookies solutions
  • Cookies Landscape
  • The LAW
      • CONSENT: The subscriber or user... has given his or her consent
      • INFORMED: ...is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information
      • APPLICATION: Shall not apply…where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
      • INFORMED CONSENT
          • To be valid, consent must be informed. This implies that all the necessary information must be given at the moment the consent is requested, and that this should address the substantive aspects of the processing that the consent is intended to legitimise.
          • consent by the data subject (must be) based upon an appreciation and understanding of the facts and implications of an action
          • The way the information is given (in plain text, without use of jargon, understandable, conspicuous) is crucial in assessing whether the consent is “informed”. The way in which this information should be given depends on the context: a regular/average user should be able to understand it.
          • Both the quality of information (plain text without jargon) and the accessibility/visibility are important.
          • Any attempt to gain consent that relies on users’ ignorance about what they are agreeing to is unlikely to be compliant.
      • UNAMBIGUOUS
          • For consent to be unambiguous, the procedure to seek and to give consent must leave no doubt as to the data subjects intention to deliver consent.
          • The indication by which the data subject signifies his agreement must leave no room for ambiguity regarding his/her intent
          • the ambiguity of a passive response will make it difficult to fulfil the requirements of the Directive
      • CONSENT ACTION
          • The words “indication” and “signifying” point in the direction of an action indeed being needed (as opposed to a situation where consent could be inferred from a lack of action)
          • The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subjects wishes, and to be understandable by the data controller.
          • It is essential that the data subject is given the opportunity to make a decision and to express it, for instance by ticking the box himself, in view of the purpose of the data processing
          • could include a handwritten signature affixed at the bottom of a paper form, but also oral statements to signify agreement, or a behaviour from which consent can be reasonably concluded.
          • you could ... set a cookie and infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site
          • Feature led consent: Provided you make it clear to the user that by choosing to take a particular action then certain things will happen you may interpret this as their consent
          • The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent
      • TYPE OF INFORMATION
          • To be valid, consent must be specific. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable.
          • Text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device
          • Where the feature is provided by a third party you may need to make users aware of this and point them to information on how the third party might use cookies and similar technologies so that the user is able to make an informed choice
          • The more complex or intrusive the activity the more information you will have to provide.
          • the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent ... It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale.
      • TIMING OF CONSENT
          • Obtaining consent before the processing of data starts is an essential condition to legitimise the processing of data
          • While Article 5(3) does not use the word prior, this is a clear and obvious conclusion from the wording of the provision.
          • The Opinion distinguishes the wording of the previous article 5(3) (“and is offered the right to refuse such processing”) with the new wording (“only allowed on condition that the subscriber or user concerned has given his or her consent”)
          • websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options
      • PROOF OF CONSENT: consent should be verifiable
      • WITHDRAWING CONSENT: Individuals who have consented should be able to withdraw their consent, preventing further processing of their data
      • JUST COOKIES?
          • Aimed at any electronic communications network that is used to store or access information held on the terminal equipment of a user (i.e. a user’s device)
          • Regulations also apply to similar technologies to cookies e.g. Local shared objects such as Flash cookies
      • STRICTLY NECESSARY
          • Definition of strictly necessary is a narrow one. It might apply to a [shopping basket]
          • Essential (rather than reasonably necessary) to provide the service requested by the user. Note this excludes what might be essential for any other uses the service provider might wish to make of that data
          • Service must have been “explicitly requested”
      • INFORMATION SOCIETY SERVICE: Definition ‘information society service’: any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service
      • Key
          • Privacy and Electronic Communications (EC Directive) Regulations 2003
          • Article 29 data protection working party
          • ICO guidance on http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx
          • Electronic Commerce (EC Directive) Regulations 2002
          • Lewis Silkin published opinion to industry Guidance
  • Our clients’ Cookies
      • Cookie uses shown in the diagram: Hardware & software; Aggregator; Targeted external content e.g. Ads (behaviour / profile driven); Provider use of analytics data (e.g. Google, Facebook); Service provider; Accessibility; Auto-save for return visit; Targeted internal content (behaviour / profile driven); Authentication; Analytics; Settings & preferences; Remember me; Cookies cookie; 3rd party content e.g. Twitter; Save progress; Core service e.g. Shopping basket; Mortgage calculator
  • Cookie Categories
      • Categories shown in the diagram: Security; Auto-tailor; Manual tailor; Process; MI
      • Cookie uses shown in the diagram: Authentication; Remember me; Cookies cookie; Accessibility; Targeted internal content (behaviour / profile driven); Targeted external content e.g. Ads (behaviour / profile driven); Hardware & software; Settings & preferences; 3rd party content e.g. Twitter; Mortgage calculator; Service provider; Aggregator; Save progress; Core service e.g. Shopping basket; Auto-save for return visit; Analytics
  • Cookie Categories & Levels of Intrusiveness
      • Level 0: Strictly necessary for the core service and explicitly requested by the user
      • Level 1: Mostly client* only and low intrusiveness as no profiling. Internal use only
      • Level 2: Either not user initiated or includes profiling. Internal use only
      • Level 3: 3rd party access to data
      • Categories (rows of the grid): Security; Auto-tailor; Manual tailor; Process; MI
      • Cookie uses placed on the grid: Authentication; Remember me; Accessibility; Hardware & software; Cookies cookie; Targeted internal content (behaviour / profile driven); Targeted external content e.g. Ads (behaviour / profile driven); Settings & preferences; Core service e.g. Shopping basket; Save progress; Mortgage calculator; Auto-save for return visit; Aggregator; Service provider; 3rd party content e.g. Twitter; Site only analytics data (not profiling); Provider use of analytics data (e.g. Google, Facebook)
  • Cookie Categories, Levels of Intrusiveness & Initiation
      • Level 0: Strictly necessary for the core service and explicitly requested by the user
      • Level 1: Mostly client* only and low intrusiveness as no profiling. Internal use only
      • Level 2: Either not user initiated or includes profiling. Internal use only
      • Level 3: 3rd party access to data
      • Categories (rows of the grid): Security; Auto-tailor; Manual tailor; Process; MI
      • Cookie uses placed on the grid: Authentication; Remember me; Accessibility; Hardware & software; Cookies cookie; Targeted internal content (behaviour / profile driven); Targeted external content e.g. Ads (behaviour / profile driven); Settings & preferences; Core service e.g. Shopping basket; Save progress; Mortgage calculator; Auto-save for return visit; Aggregator; Service provider; 3rd party content e.g. Twitter; Site only analytics data (not profiling); Provider use of analytics data (e.g. Google, Facebook)
  • Legal requirements for Consent & Informed
      • Level 0: Strictly necessary for the core service and explicitly requested by the user
      • Level 1: Mostly client only and low intrusiveness as no profiling. Internal use only
      • Level 2: Either not user initiated or includes profiling. Internal use only
      • Level 3: 3rd party access to data
      • Cookie uses placed on the grid: Authentication; Remember me; Targeted internal content (behaviour / profile driven); Targeted external content e.g. Ads (behaviour / profile driven); Accessibility; Hardware & software; Shopping basket; Cookies cookie; Aggregator; Settings & preferences; Auto-save for return visit; Service provider; Save progress; 3rd party content e.g. Twitter; Mortgage calculator; Site only analytics data (not profiling); Provider use of analytics data (e.g. Google, Facebook)
      • CONSENT: Provable, prior, explicit, informed
      • INFORMED: Summary to support informed consent with detail available; Description of category of use
  • Guidance for Consent & Informed
      • Level 0: Strictly necessary for the core service and explicitly requested by the user
      • Level 1: Mostly client* only and low intrusiveness as no profiling. Internal use only
      • Level 2: Either not user initiated or includes profiling. Internal use only
      • Level 3: 3rd party access to data
      • Cookie uses placed on the grid: Authentication; Remember me; Targeted internal content (behaviour / profile driven); Targeted external content e.g. Ads (behaviour / profile driven); Accessibility; Hardware & software; Shopping basket; Cookies cookie; Aggregator; Settings & preferences; Auto-save for return visit; Service provider; Save progress; 3rd party content e.g. Twitter; Mortgage calculator; Site only analytics data (not profiling); Provider use of analytics data (e.g. Google, Facebook)
      • CONSENT: Provable, prior, explicit, informed; Inferred, ASAP
      • INFORMED: Summary to support informed consent with detail available; Description of category of use
  • Solutions
      • Level 0: Strictly necessary for the core service and explicitly requested by the user
      • Level 1: Mostly client* only and low intrusiveness as no profiling. Internal use only
      • Level 2: Either not user initiated or includes profiling. Internal use only
      • Level 3: 3rd party access to data
      • Cookie uses placed on the grid: Authentication; Remember me; Targeted internal content (behaviour / profile driven); Targeted external content e.g. Ads (behaviour / profile driven); Accessibility; Hardware & software; Shopping basket; Cookies cookie; Aggregator; Settings & preferences; Auto-save for return visit; Service provider; Save progress; 3rd party content e.g. Twitter; Mortgage calculator; Site only analytics data (not profiling); Provider use of analytics data (e.g. Google, Facebook)
      • INFORMED (options, left to right across the grid):
          • Ignore, or Include on cookies page for sake of openness and completeness
          • Include information in context for user initiated cookies, and / or Include in single consent description at start of session: “Allowing cookies lets you shape the service to your needs, use the interactive services on our site and stand up and be counted.” “We use cookies to provide a useful & relevant service for every user and understand how people use the service so that we can keep improving.”
          • !!! Prior to consent for user initiated cookies, or Contracts with your partners / providers / customers
  • Solutions
      • Level 0: Strictly necessary for the core service and explicitly requested by the user
      • Level 1: Mostly client* only and low intrusiveness as no profiling. Internal use only
      • Level 2: Either not user initiated or includes profiling. Internal use only
      • Level 3: 3rd party access to data
      • Cookie uses placed on the grid: Authentication; Remember me; Targeted internal content (behaviour / profile driven); Targeted external content e.g. Ads (behaviour / profile driven); Accessibility; Hardware & software; Shopping basket; Cookies cookie; Aggregator; Settings & preferences; Auto-save for return visit; Service provider; Save progress; 3rd party content e.g. Twitter; Mortgage calculator; Site only analytics data (not profiling); Provider use of analytics data (e.g. Google, Facebook)
      • CONSENT (grid of options with axis labels RISK and IMPACT): Do nothing; Single inform; Inferred / delayed consent; Prior / Informed consent
  • Simple Rules for Design Solutions
      • Consent must be informed and provable
      • Consent is needed for the purpose... not the data... or the object (diagram labels: Cookie, data, purpose)
      • Consent must be the path of least resistance (diagram: start, consent, use of service)
      • The chance of gaining consent is a product of ease, benefit and confidence: (ease / difficulty) x (benefit / cost) x (trust / anxiety) = probability of consent
  • Level 1 & 2 single consent (as lightbox)
      • Default to accept – but clearly label the button
      • Allow continue without cookies consent (if possible)
      • Commercial decisions:
          • Do you allow them to say no?
          • How many people will you lose? Or will not consent?
  • Notify on Action for Level 1 & 2
      • Consent already given
      • Consent not given so features which will use a cookie show cookies icon ... and display a description of how cookie is used on rollover
  • Level 3 gateway consent
      • Default to accept – but clearly label the button
      • Allow continue without cookies consent (if possible)
      • Commercial decisions:
          • Should you focus on this area to remain in the spirit of the law if you are not fully compliant elsewhere?
  • Single inform (Inferred consent)
      • Banner visible on entry to site but not highlighted. We would recommend that when a link is rolled over the banner highlights
      • Commercial Questions:
          • Do you write any cookies on arrival at this page?
          • Do you offer people the chance to opt out at this stage? Perhaps via an information page.
          • Do you offer the chance to ‘close’ the banner by providing active consent?
          • Is this shown whenever the user returns?
          • Does cookies ‘status’ remain on every page? As a message, as an icon.
          • How can you ‘prove’ people see banner? E.g. Eye-tracking research, placing more prominently
  • This isn’t going away. It’s the law