Data Protection and
the New EU Cookie Regime



David Naylor
Partner, Field Fisher Waterhouse
david.naylor@ffw.com


18 April 2012
What Privacy?


    “[a]n examination of 101 popular smartphone "apps" … showed that 56
    transmitted the phone's unique device ID to other companies without
    users' awareness or consent. Forty-seven apps transmitted the phone's
    location in some way. Five sent age, gender and other personal details to
    outsiders… Many apps don't offer even a basic form of consumer
    protection: written privacy policies. Forty-five of the 101 apps didn't
    provide privacy policies on their websites or inside the apps at the time of
    testing.”




Source: Wall Street Journal, http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html
ICO fines Midlothian Council £140K for data breaches
Monday 30 January 2012 09:58
Data Protection and the New EU Cookie Regime

• Comprehensive European and individual Member
  State privacy regimes
• Applies to all personal data, not just certain types
  of data
• Applies to all businesses, not just consumer-
  facing businesses
Meaning of ‘personal’ data

• Data protection protects ‘personal’ data


• Is an individual identifiable or ‘singled out’?


• ‘Anonymised’ data types can be personal:
   • IP addresses
   • UDID data
   • Hashed data
Meaning of ‘personal’ data
• An example - QR codes
• User scans code and is directly transferred to URL
   • Website collects IP address / system / date + time data
• User scans code and is routed through QR reader servers
   • App publisher collects mobile UDID
   • Publisher may commercialise with third parties
   • Allows for mobile tracking
• Takeaway:
   • Even ‘anonymised’ data can be ‘personal’…
   • If it’s personal, it’s protected

Key Principles:
   • Fair and lawful processing
   • Limited purposes
   • Adequate, relevant and not excessive
   • Accurate
   • Kept no longer than necessary
   • Processing in accordance with the data subject's rights
   • Secure
   • No transfer to countries without adequate protection

Consequences of compliance failures:
   • Certain breaches are criminal offences
   • Regulators may impose fines – now up to £500,000 in the UK and
     may be more in other EU jurisdictions
   • Unlimited civil liability a possibility
   • Disruption to business-critical data processing
   • Complaints from customers, employees, suppliers etc.
   • “Naming and shaming” – brand damage
   • Loss of business
4. Cookies
Cookies – Revised E-Privacy Directive
• Implementation deadline was 25th May 2011
• Some states have implemented (including UK), some
  have not
• UK:
   • ICO has allowed “sunrise” period of 1 year before
     it takes any enforcement action
   • IAB self-regulatory approach praised by UK
     Government
How ‘cookie’ requirements have changed

  Member States shall ensure that the [use of electronic communications
  networks to store] storing of information or [to gain] the gaining of access to
  information stored in the terminal equipment of a subscriber or user is only
  allowed on condition that the subscriber or user concerned [is] has given his or
  her consent, having been provided with clear and comprehensive information
  in accordance with Directive 95/46/EC, inter alia about the purposes of the
  processing. [and is offered the right to refuse such processing by the data
  controller.] This shall not prevent any technical storage or access for the sole
  purpose of carrying out [or facilitating] the transmission of a communication
  over an electronic communications network, or as strictly necessary in order [to
  provide] for the provider of an information society service explicitly requested
  by the subscriber or user to provide the service.
The new cookie consent requirement
• Exemptions
   • ‘Strictly necessary’ to provide user-requested service
   • Carrying out transmission across a network

• Practical consequences
   • Shopping basket, security and page load cookies are OK…
   • …but everything else needs some form of consent…
   • …and impacts more than just cookies (any ‘pulled’ data)

• Browser and other application settings
   • Permitted “where technically possible and effective”
   • Regulatory view is that current browser settings are not enough
Questions?
Some common misunderstandings

• “This only affects website cookie data”
   • No, the requirement applies whenever storing or accessing “information”
     (e.g. device fingerprinting and mobile data collection)
• “We need pop-ups to get consent”
   • No, the requirement is only to get consent. How to do this is up to you

• “Individuals must expressly consent”
   • No, with sufficient notice and control, consent for some cookies can be
     implied from a user’s action or inaction.
Complying with cookie legislation

• Step 1: Assess use of cookies


• Step 2: Identify necessity / intrusiveness


• Step 3: Enhance disclosures


• Step 4: Implement a consent strategy
Step 1. Assess use of cookies
Step 2. Assess intrusiveness

Points to consider:
   2. Cookie purpose
   3. Cookie expiry
   4. Website itself
   5. Flash cookies

Intrusiveness matrix:

                Session                          Persistent
   1st party    1st party session cookie         1st party persistent cookie
                (e.g. language preference)       (e.g. website analytics)
   3rd party    3rd party session cookie         3rd party persistent cookie
                (e.g. secure payment)            (e.g. targeted advertising)
Step 3. Enhance disclosures
…the benefits of data minimisation!
Step 4: Implement a consent strategy
ICO Guidance on the rules on use of cookies and similar technologies
December 2011
The Regulations require that users or subscribers consent. Directive 95/46/EC (the
Data Protection Directive on which the UK Data Protection Act 1998 (the DPA) is
based) defines ‘the data subject’s consent’ as:
‘any freely given specific and informed indication of his wishes by which the
data subject signifies his agreement to personal data relating to him being
processed’.
Consent must involve some form of communication where the individual knowingly
indicates their acceptance. This may involve clicking an icon, sending an email or
subscribing to a service. The crucial consideration is that the individual must fully
understand that by the action in question they will be giving consent.
Step 4: Implement a consent strategy
• No certainty as to what will be required

• Pop-up windows? Consent Banners?

• Implied consent?
   • Limited intrusiveness
   • Enhanced notice
   • Real control
Complying with cookie legislation
• Step 5: Other practical measures
• Always provide an opt out

• Cookies
   • Anonymise and encrypt
   • Use session cookies vs. persistent cookies
   • Reduce cookie expiry periods
   • Remove redundant cookies

• Identify quick wins
   • Website registration / other customer interaction points
   • Mobile app download / opening
Complying with cookie legislation
• Step 5: Other practical measures (cont):
• Internal processes / procedures
   • Implement internal standards for authorising new cookie use
   • Identify who should authorise – legal, IT, marketing?
   • Consider a ‘one in, one out’ approach
   • Maintain a cookie log + require periodic review

• Third party providers (ad networks / analytics etc.)
   • Due diligence – do your providers observe good data hygiene standards?
   • Apportion compliance responsibility
   • Ensure contract reflects agreed roles
   • Don’t accept bad behaviour

• Role of self-regulatory compliance / market practice
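A cookie audit helper that works through Step 1 (assess use), the Step 2 intrusiveness matrix and the Step 5 points on expiry, redundant cookies and the cookie log. This is an added example, not code from the seminar or from Field Fisher Waterhouse; the hosts, cookie names, purpose log, the 365-day expiry threshold and the low/medium/high reading of the matrix are assumptions.

```python
"""Cookie audit for Step 1 (assess use), Step 2 (intrusiveness matrix) and
Step 5 (expiry, redundant cookies, cookie log). Constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple

# Purposes the deck treats as exempt: shopping basket, security, page load.
EXEMPT_PURPOSES = {"shopping basket", "security", "page load"}
LONG_EXPIRY_DAYS = 365  # assumed threshold, not a figure from the deck


@dataclass
class CookieRecord:
    name: str
    set_by: str                 # host that sent the Set-Cookie header
    party: str                  # "1st" or "3rd"
    lifetime: str               # "session", "persistent" or "deleted"
    expires_in_days: Optional[float]
    purpose: str                # from the site's cookie log, else "unknown"
    intrusiveness: str          # assumed reading of the matrix: low/medium/high
    long_expiry: bool
    needs_consent: bool


def _party(site_domain: str, set_by: str, domain_attr: str) -> str:
    # 1st party = scoped to the site's own domain or a subdomain of it. The
    # dot in the suffix check keeps "payments-example.com" out of example.com.
    dom = (domain_attr or set_by).lstrip(".").lower()
    return "1st" if dom == site_domain or dom.endswith("." + site_domain) else "3rd"


def _lifetime(morsel, now: datetime) -> Tuple[str, Optional[float]]:
    # Max-Age takes precedence over Expires (RFC 6265); neither = session.
    days: Optional[float] = None
    if morsel["max-age"]:
        days = int(morsel["max-age"]) / 86400
    elif morsel["expires"]:
        days = (parsedate_to_datetime(morsel["expires"]) - now).total_seconds() / 86400
    if days is None:
        return "session", None
    if days <= 0:            # Max-Age=0 or a past Expires removes the cookie
        return "deleted", days
    return "persistent", days


def _intrusiveness(party: str, lifetime: str) -> str:
    # Assumed reading of the matrix: 1st party session lowest, 3rd party
    # persistent (e.g. targeted advertising) highest, the other two in between.
    if party == "1st":
        return "low" if lifetime == "session" else "medium"
    return "medium" if lifetime == "session" else "high"


def audit(site_domain: str, responses: List[Tuple[str, str]],
          purposes: Dict[str, str], now: datetime) -> List[CookieRecord]:
    """responses: (host, Set-Cookie header value) pairs captured in Step 1."""
    records = []
    for host, header in responses:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            party = _party(site_domain, host, morsel["domain"])
            lifetime, days = _lifetime(morsel, now)
            purpose = purposes.get(name, "unknown")
            records.append(CookieRecord(
                name, host, party, lifetime, days, purpose,
                _intrusiveness(party, lifetime),
                long_expiry=bool(days and days > LONG_EXPIRY_DAYS),
                needs_consent=lifetime != "deleted" and purpose not in EXEMPT_PURPOSES))
    return records


def quadrant_counts(records: List[CookieRecord]) -> Dict[Tuple[str, str], int]:
    """How many live cookies sit in each cell of the Step 2 matrix."""
    counts: Dict[Tuple[str, str], int] = {}
    for r in records:
        if r.lifetime != "deleted":
            counts[(r.party, r.lifetime)] = counts.get((r.party, r.lifetime), 0) + 1
    return counts


# Constructed sample: one page load on www.example.com, the third-party
# responses it triggered, and the site's cookie log (name -> purpose).
SITE = "example.com"
NOW = datetime(2012, 4, 18, tzinfo=timezone.utc)
RESPONSES = [
    ("www.example.com", "lang=en; Path=/"),
    ("www.example.com", "basket=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.com", "_ga=GA1.2.123; Expires=Fri, 18 Apr 2014 00:00:00 GMT; Path=/"),
    ("pay.payments-example.com", "paysess=tok; Path=/; Secure"),
    ("ads.adnet-example.net", "uid=xyz; Domain=.adnet-example.net; Max-Age=31536000"),
    ("www.example.com", "old=1; Max-Age=0; Path=/"),   # redundant cookie being removed
]
PURPOSES = {"lang": "language preference", "basket": "shopping basket",
            "_ga": "website analytics", "paysess": "security",
            "uid": "targeted advertising"}

if __name__ == "__main__":
    records = audit(SITE, RESPONSES, PURPOSES, NOW)
    for r in records:
        print(f"{r.name:8} {r.party} {r.lifetime:10} {r.intrusiveness:6} "
              f"consent={r.needs_consent} long_expiry={r.long_expiry}")
    print(quadrant_counts(records))
```

Cookies whose name is missing from the purpose log come out as "unknown" and therefore as needing consent, which is the prompt to update the log before the periodic review.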
Cookie transparency
   1. Highlight new information to visitors
   2. Be more descriptive
Cookies – Express consent models
Cookies – Implied consent models
Cookies – Practical example

  • 23. Data Protection and the New EU Cookie Regime Step 4: Implement a consent strategy • No certainty as to what will be required • Pop-up windows? Consent Banners? • Implied consent? • Limited intrusiveness • Enhanced notice • Real control
  • 24. Data Protection and the New EU Cookie Regime Complying with cookie legislation • Step 5: Other practical measures • Always provide an opt out • Cookies • Anonymise and encrypt • Use session cookies vs. persistent cookies • Reduce cookie expiry periods • Remove redundant cookies • Identify quick wins • Website registration / other customer interaction points • Mobile app download / opening
  • 25. Data Protection and the New EU Cookie Regime Complying with cookie legislation • Step 5: Other practical measures (cont): • Internal processes / procedures • Implement internal standards for authorising new cookie use • Identify who should authorise – legal, IT, marketing? • Consider a ‘one in, one out’ approach • Maintain a cookie log + require periodic review • Third party providers (ad networks / analytics etc.) • Due diligence – do your providers observe good data hygiene standards? • Apportion compliance responsibility • Ensure contract reflects agreed roles • Don’t accept bad behaviour • Role of self-regulatory compliance / market practice
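The cookie audit that Steps 1, 2 and 5 describe (inventory the cookies a site sets, rank them on the session/persistent and 1st/3rd party matrix, flag the ones that need consent, and keep the result as a cookie log) can be scripted over captured Set-Cookie headers. This is an added example, not material from the slides; the site domain, the analytics and ad-network hostnames, the capture date and the list of strictly-necessary cookie names are all constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

SITE_DOMAIN = "example.com"                                 # audited first party (constructed)
CAPTURE_TIME = datetime(2012, 4, 18, tzinfo=timezone.utc)   # when the constructed crawl ran
# Cookie names the site owner documented as 'strictly necessary' after the Step 2
# purpose review (constructed list); anything else is treated as needing consent.
STRICTLY_NECESSARY = {"sessionid", "csrftoken", "basket"}

def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, {attribute: value})."""
    name, *rest = [p.strip() for p in header.split(";")]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return name.split("=", 1)[0].strip(), attrs

def lifetime_days(attrs):
    """None for a session cookie, else lifetime in days (Max-Age wins; Expires is GMT)."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - CAPTURE_TIME).total_seconds() / 86400
    return None

def classify(url, header):
    """Describe one cookie in the slides' terms: party, lifetime, intrusiveness, consent."""
    host = urlsplit(url).hostname or ""
    name, attrs = parse_set_cookie(header)
    scope = attrs.get("domain", host).lstrip(".")           # Domain attribute overrides host
    first_party = scope == SITE_DOMAIN or scope.endswith("." + SITE_DOMAIN)
    days = lifetime_days(attrs)
    party = "1st" if first_party else "3rd"
    lifetime = "session" if days is None else "persistent"
    # Step 2 ranking: 1st-party session least intrusive, 3rd-party persistent most.
    rank = {("1st", "session"): 1, ("3rd", "session"): 2,
            ("1st", "persistent"): 3, ("3rd", "persistent"): 4}[(party, lifetime)]
    exempt = first_party and name in STRICTLY_NECESSARY   # 'strictly necessary' exemption
    return {"name": name, "party": party, "lifetime": lifetime, "days": days,
            "intrusiveness": rank, "needs_consent": not exempt}

# Constructed capture: (response URL, Set-Cookie header) pairs from a crawl of the site.
SAMPLE = [
    ("https://www.example.com/", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.example.com/", "lang=en-GB; Max-Age=31536000; Path=/"),
    ("https://stats.example-analytics.net/collect", "_vid=1; Expires=Fri, 18 Apr 2014 00:00:00 GMT; Path=/"),
    ("https://ads.example-adnet.com/pixel", "uid=xyz; Max-Age=63072000; Domain=.example-adnet.com"),
]

def audit(capture=SAMPLE):
    """Cookie log sorted most-intrusive first, as the input for the periodic review."""
    return sorted((classify(u, h) for u, h in capture), key=lambda c: -c["intrusiveness"])
```

Running `audit()` on the sample puts the two third-party persistent cookies at the top of the log and leaves only the first-party session cookie marked as not needing consent.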
26. Data Protection and the New EU Cookie Regime
Cookie transparency
1. Highlight new information to visitors
2. Be more descriptive

27. Data Protection and the New EU Cookie Regime
Cookies – Express consent models

28. Data Protection and the New EU Cookie Regime
Cookies – Express consent models

29. Data Protection and the New EU Cookie Regime
Cookies – Implied consent models

30. Data Protection and the New EU Cookie Regime
Cookies – Practical example

31. Data Protection and the New EU Cookie Regime
Cookies – Practical example

32. Data Protection and the New EU Cookie Regime
Cookies – Practical example

33. Data Protection and the New EU Cookie Regime
Cookies – Practical example