Agenda 21   eu cookie seminar - david naylor - field fisher waterhouse
Presentation Transcript

  • Data Protection and the New EU Cookie Regime. David Naylor, Partner, Field Fisher Waterhouse, david.naylor@ffw.com, 18 April 2012
  • What Privacy?
  • What Privacy?
  • What Privacy? “[a]n examination of 101 popular smartphone "apps" … showed that 56 transmitted the phone's unique device ID to other companies without users' awareness or consent. Forty-seven apps transmitted the phone's location in some way. Five sent age, gender and other personal details to outsiders… Many apps don't offer even a basic form of consumer protection: written privacy policies. Forty-five of the 101 apps didn't provide privacy policies on their websites or inside the apps at the time of testing.” Source: Wall Street Journal http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html
  • What Privacy?
  • What Privacy?
  • Data Protection and the New EU Cookie Regime: “ICO fines Midlothian Council £140K for data breaches” (headline, Monday 30 January 2012 09:58)
  • Data Protection and the New EU Cookie Regime
    • Comprehensive European and individual Member State privacy regimes
    • Applies to all personal data, not just certain types of data
    • Applies to all businesses, not just consumer-facing businesses
  • Data Protection and the New EU Cookie Regime: Meaning of ‘personal’ data
    • Data protection protects ‘personal’ data
    • Is an individual identifiable or ‘singled out’?
    • ‘Anonymised’ data types can be personal:
      • IP addresses
      • UDID data
      • Hashed data
  • Data Protection and the New EU Cookie Regime: Meaning of ‘personal’ data
    • An example: QR codes
    • User scans code and is directly transferred to URL
      • Website collects IP address / system / date + time data
    • User scans code and is routed through QR reader servers
      • App publisher collects mobile UDID
      • Publisher may commercialise with third parties
      • Allows for mobile tracking
    • Takeaway:
      • Even ‘anonymised’ data can be ‘personal’…
      • If it’s personal, it’s protected
  • Data Protection and the New EU Cookie Regime: Key Principles
    • Fair and lawful processing
    • Limited purposes
    • Adequate, relevant and not excessive
    • Accurate
    • Kept no longer than necessary
    • Processing in accordance with the data subject's rights
    • Secure
    • No transfer to countries without adequate protection
  • Data Protection and the New EU Cookie Regime: Consequences of compliance failures
    • Certain breaches are criminal offences
    • Regulators may impose fines – now up to £500,000 in the UK and may be more in other EU jurisdictions
    • Unlimited civil liability a possibility
    • Disruption to business-critical data processing
    • Complaints from customers, employees, suppliers etc.
    • “Naming and shaming” – brand damage
    • Loss of business
  • Data Protection and the New EU Cookie Regime: 4. Cookies – Revised E-Privacy Directive
    • Implementation deadline was 25th May 2011
    • Some states have implemented (including UK), some have not
    • UK:
      • ICO has allowed “sunrise” period of 1 year before it takes any enforcement action
      • IAB self-regulatory approach praised by UK Government
  • Data Protection and the New EU Cookie Regime: How ‘cookie’ requirements have changed (wording in square brackets is the text removed by the revision; the remaining text is the revised provision)

    Member States shall ensure that the [use of electronic communications networks to store] storing of information or [to gain] the gaining of access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned [is] has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. [and is offered the right to refuse such processing by the data controller.] This shall not prevent any technical storage or access for the sole purpose of carrying out [or facilitating] the transmission of a communication over an electronic communications network, or as strictly necessary in order [to provide] for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
  • Data Protection and the New EU Cookie Regime: The new cookie consent requirement
    • Exemptions
      • ‘Strictly necessary’ to provide user-requested service
      • Carrying out transmission across a network
    • Practical consequences
      • Shopping basket, security and page load cookies are OK…
      • …but everything else needs some form of consent…
      • …and impacts more than just cookies (any ‘pulled’ data)
    • Browser and other application settings
      • Permitted “where technically possible and effective”
      • Regulatory view is that current browser settings are not enough
  • Questions?
  • Data Protection and the New EU Cookie Regime: Some common misunderstandings
    • “This only affects website cookie data”
      • No, the requirement applies whenever storing or accessing “information” (e.g. device fingerprinting and mobile data collection)
    • “We need pop-ups to get consent”
      • No, the requirement is only to get consent. How to do this is up to you
    • “Individuals must expressly consent”
      • No, with sufficient notice and control, consent for some cookies can be implied from a user’s action or inaction.
  • Data Protection and the New EU Cookie Regime: Complying with cookie legislation
    • Step 1: Assess use of cookies
    • Step 2: Identify necessity / intrusiveness
    • Step 3: Enhance disclosures
    • Step 4: Implement a consent strategy
  • Data Protection and the New EU Cookie Regime: Step 1. Assess use of cookies
  • Data Protection and the New EU Cookie Regime: Step 2. Assess intrusiveness
    • Points to consider:
      • Cookie purpose
      • Cookie expiry
      • Website itself
      • Flash cookies
    • Session / persistent vs. 1st party / 3rd party grid:
      • 1st party session cookie (e.g. language preference)
      • 3rd party session cookie (e.g. secure payment)
      • 1st party persistent cookie (e.g. website analytics)
      • 3rd party persistent cookie (e.g. targeted advertising)
  • Data Protection and the New EU Cookie Regime: Step 3. Enhance disclosures …the benefits of data minimisation!
  • Data Protection and the New EU Cookie Regime: Step 4: Implement a consent strategy

    ICO Guidance on the rules on use of cookies and similar technologies, December 2011:

    The Regulations require that users or subscribers consent. Directive 95/46/EC (the Data Protection Directive on which the UK Data Protection Act 1998 (the DPA) is based) defines ‘the data subject’s consent’ as: ‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’. Consent must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking an icon, sending an email or subscribing to a service. The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent.
  • Data Protection and the New EU Cookie Regime: Step 4: Implement a consent strategy
    • No certainty as to what will be required
    • Pop-up windows? Consent banners?
    • Implied consent?
      • Limited intrusiveness
      • Enhanced notice
      • Real control
  • Data Protection and the New EU Cookie Regime: Complying with cookie legislation
    • Step 5: Other practical measures
    • Always provide an opt out
    • Cookies
      • Anonymise and encrypt
      • Use session cookies vs. persistent cookies
      • Reduce cookie expiry periods
      • Remove redundant cookies
    • Identify quick wins
      • Website registration / other customer interaction points
      • Mobile app download / opening
  • Data Protection and the New EU Cookie Regime: Complying with cookie legislation
    • Step 5: Other practical measures (cont.)
    • Internal processes / procedures
      • Implement internal standards for authorising new cookie use
      • Identify who should authorise – legal, IT, marketing?
      • Consider a ‘one in, one out’ approach
      • Maintain a cookie log + require periodic review
    • Third party providers (ad networks / analytics etc.)
      • Due diligence – do your providers observe good data hygiene standards?
      • Apportion compliance responsibility
      • Ensure contract reflects agreed roles
      • Don’t accept bad behaviour
    • Role of self-regulatory compliance / market practice
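The audit steps above (Step 1 inventory, Step 2 session/persistent and 1st/3rd party classification, Step 5 expiry review) can be mechanised over captured Set-Cookie headers. The following Python helper is an added example, not code from the seminar or from Field Fisher Waterhouse; the site name, the sample headers, the 365-day expiry threshold and the low/medium/high ranking of the 2x2 grid are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from typing import List, Optional

SITE = "shop.example"       # hypothetical first-party site being audited
LONG_EXPIRY_DAYS = 365      # assumed threshold for "reduce cookie expiry periods"

# Constructed sample: (host whose response set the cookie, Set-Cookie header value)
SAMPLE_HEADERS = [
    ("shop.example", "lang=en; Path=/"),
    ("shop.example", "basket=abc123; Path=/; Secure; HttpOnly"),
    ("shop.example", "_ga=GA1.2.1; Domain=.shop.example; Max-Age=63072000"),
    ("pay.gateway.example", "pgsess=tok; Secure"),
    ("ads.tracker.example",
     "uid=xyz; Domain=.tracker.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
]

@dataclass
class CookieAudit:
    name: str
    party: str              # "1st" or "3rd"
    lifetime: str           # "session" or "persistent"
    days: Optional[float]   # remaining lifetime in days; None for session cookies
    intrusiveness: str      # "low" / "medium" / "high": assumed ranking of the 2x2 grid
    long_expiry: bool       # flagged for "reduce cookie expiry periods"

def audit_cookie(origin_host: str, header: str, site: str = SITE,
                 now: Optional[datetime] = None) -> CookieAudit:
    name, morsel = next(iter(SimpleCookie(header).items()))
    # Party: compare the Domain attribute (or the setting host if absent) with the audited site
    domain = morsel["domain"].lstrip(".") or origin_host
    party = "1st" if domain == site or domain.endswith("." + site) else "3rd"
    # Lifetime: Max-Age takes precedence over Expires; neither present means a session cookie
    days = None
    if morsel["max-age"]:
        days = int(morsel["max-age"]) / 86400
    elif morsel["expires"]:
        now = now or datetime.now(timezone.utc)
        days = (parsedate_to_datetime(morsel["expires"]) - now).total_seconds() / 86400
    lifetime = "session" if days is None else "persistent"
    # Intrusiveness grid from the slides: 3rd party and persistent each add a step
    score = int(party == "3rd") + int(lifetime == "persistent")
    return CookieAudit(name, party, lifetime, days, ("low", "medium", "high")[score],
                       days is not None and days > LONG_EXPIRY_DAYS)

def audit_all(headers=SAMPLE_HEADERS, site=SITE, now=None) -> List[CookieAudit]:
    return [audit_cookie(host, value, site, now) for host, value in headers]
```

The output is the raw material for the cookie log the slides recommend; the purpose of each cookie (and so whether the ‘strictly necessary’ exemption applies) still has to be recorded by hand.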
  • Data Protection and the New EU Cookie Regime: Cookie transparency
    1. Highlight new information to visitors
    2. Be more descriptive
  • Data Protection and the New EU Cookie Regime: Cookies – Express consent models (two slides)
  • Data Protection and the New EU Cookie Regime: Cookies – Implied consent models
  • Data Protection and the New EU Cookie Regime: Cookies – Practical example (four slides)