• Share
  • Email
  • Embed
  • Like
  • Private Content
Cookies and the EU privacy directive: what it means for you
 

Cookies and the EU privacy directive: what it means for you

on

  • 1,524 views

Simon Lande, CEO Magus Research

Simon Lande, CEO Magus Research

Statistics

Views

Total Views
1,524
Views on SlideShare
1,524
Embed Views
0

Actions

Likes
0
Downloads
23
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Session cookies: These are temporary and last only for the duration of the user’s active visitPersistent or tracker cookies: These are stored on the user’s computer and can be accessed again by the domain that set it whenever browser contact is madeFirst party cookies: These are set by the website itself (the same domain as in the browser’s address bar)Third party cookies: These are set by different domains from the one shown on the browser address bar
  • In most other European states, however, no national law transposing the Directive has yet been passed, so it’s a “wait and see” situation.
  • In most other European states, however, no national law transposing the Directive has yet been passed, so it’s a “wait and see” situation.
  • The Information Commissioner’s Office (ICO)The ICO is the government body responsible for enforcing the new legislation in the UKThey’ve opted for a white box at the top of every page, and it never goes away unless you check the box and click the button to consent to cookies.Virtues of the solution:It’s accessible (unlike pop up windows), and prominentProblems with this solution:The text assumes you know what cookies are – if you don’t it’s meaningless. They also don’t tell users what their cookies do – which is to track visitors using google analytics.The ICO says on their own website “Any attempt to gain consent that relies on users’ ignorance about what they are agreeing to is unlikely to be compliant.”It’s ugly and off puttingGoogle analytics tracking tags are excluded until users tick to give their consent. The result – a 90% drop in recorded visits. Could you live without analytics?
  • BAIncludeda link to their cookies policy on the landing page.Virtues of the solutionUnobtrusive, and integrated within the existing website navigation. They’ve simply added a link to their cookies policy to a pre-existing site-selection landing page - all users are presented with this page on their first visit to the BA websiteProblems with this solutionIf you don’t have JavaScript enabled you won’t be able to view itIt doesn’t specifically request consentA closer look at the BA cookies policy reveals that it tells visitors rather bluntly that if they don’t accept all their cookies, they can’t use the site – not quite what the legislation is aiming at. Though of course many of their cookies will be “strictly necessary” to the core purpose of the site, and therefore exempt from this legislation. BA clearly don’t want to be doing this and they are making it known!
  • BBCOpted to include a “Privacy and cookies” link in its footer navigation. It provides detailed information about the cookies they use, and how to remove them if you want to.Virtues:Clear, accessible and non-technicalProblems:It doesn’t address consent
  • Info on challenge to UK position on cookie consent:http://www.i-policy.org/2011/07/eu-privacy-watchdogs-contradict-uk-position-on-cookie-consent.html

Cookies and the EU privacy directive: what it means for you Cookies and the EU privacy directive: what it means for you Presentation Transcript

  • Introduction to the EU Cookies LawAnd what it means for your organisationSimon Lande, CEO, Magussimon.lande@magus.co.uk24th November 2011
  • A brief history of EU Cookies Law • July 2002: EU passes a law (Directive 2002/58/EC) which states that anyone who wants to insert cookies into the browsers of users has to give notice of this and offer an opt-out • December 2009: EU amends the Directive to state that users must provide their consent before websites can download non-essential cookies onto the user’s machine via the browser • 25 May 2011: The date by which all EU countries are required to implement this change into their national legislation (most have not yet done so!) • The amended Directive is likely to apply to all organisations who download cookies onto the machines of users based in the EU, whether those organisations are based in the EU or not • In the UK, organisations could be subject to enforcement notices and actions, and potentially a fine of up to £500K for failing to comply
  • What are cookies? • A piece of text stored on a user’s computer by their web browser • They have a range of uses, including: o Authentication o Storing site preferences o Storing shopping basket contentsCookies which are necessary to provide a service that the user hasasked for, for example to fill a shopping trolley, are exempt from thislegislationHowever, cookies can also be used to track user activity, build up profilesand carry out other non-essential activities – this is what the fuss is allabout
  • Types of cookiesCookies are categorised according to:• Their duration Session• Who sets them cookies Persistent / Tracker cookies First party cookies Third party cookies
  • How’s the legislation being interpreted? Sweden: • Directive transposed into national law on 1 July 2011 requiring user consent for the use of cookies. The relevant Swedish authority has provided little guidance on the crucial question of how to obtain consent. • In addition, the Swedish Internet Advertising Bureau has issued draft recommendations that: (i) information on the use of cookies, and how consent may be denied and withdrawn, should be provided to users; and (ii) user consent must be obtained by means appropriate to the circumstances (e.g. use through browser settings which allow cookies, following user’s receipt of sufficient information). Norway: • National law to implement the Directive is currently under consideration. It is expected to come into force in 2012. Denmark: • Draft executive order is under consultation and Denmark have asked the European Commission to clarify certain aspects of the Directive. • It is intended that the final version of the executive order will be agreed and come into effect by the end of December this year.
  • How’s the legislation being interpreted? UK: • Directive became law on the 25th May 2011, and the ICO has given organisations 1 year to comply, before enforcement action may be imposed • But they must currently be able to show "they have a realistic plan to achieve compliance" France: • Draft bill exists and is in the process of public consultation. If implemented, this would require organisations to obtain user consent. Such consent need not necessarily be expressed, as it may be implied from users’ browser settings. Netherlands: • Proposed national legislation is to be voted on by the Dutch Senate this year. If approved, it will likely come into effect early next year, setting out the obligation that organisations must obtain user consent before cookies can be installed or stored on users’ computers. • They’ll also need to prove they have it! (This requirement goes beyond the provisions of the Directive.)
  • What’s everyone doing about cookies? Example 1: The Information Commissioner’s Office
  • What’s everyone doing about cookies? Example 2: British Airways
  • What’s everyone doing about cookies? Example 3: BBC
  • What should you be doing about it? • The perfect solution is not yet out there • There’s no advantage to being an early adopter o For example, some companies have already taken down their pop-up windows and warning layers due to negative impacts on usability • Cookies law is on the move o Majority of European counties have yet to implement the Directive o Some of the European countries which have implemented the Directive have not provided clear guidance as to how organisations should comply o There are different views on whether the UK has correctly implemented the Directive (e.g. the EU committee of national data protection regulators has issued an opinion that contradicts the UK’s implementation relating to the time at which user consent must be obtained) • Technical (e.g. browser-based) solutions, may be around the cornerSo, best to sit back and “Do nothing?”
  • A realistic plan You need to be able to demonstrate that you have a “realistic plan to achieve compliance”… Current best practice is for all companies to take the following three actions: 1. Check what type of cookies and similar technologies you use and how you use them 2. Assess how intrusive your use of cookies is 3. Decide what solution to obtain consent will be best in your circumstances
  • Compliance optionsOption Regulatory Usability Business Comments Compliance impactRemove all Very High Low High Possible to remove all cookies from a website other thannon-essential those strictly necessary for the provision of services to thecookies user. However, this is likely to require redesign work and could significantly degrade website functionality. It is also likely to impact the business model for the website e.g. by removing the ability to collect important information.Pop Up High Low Medium/High Non-essential cookies are only used if the user clicks “Accept”Windows on a pop-up window. This is an intrusive and annoying option (not least because those refusing cookies will get the pop-up again and again). Reduced usability/functionality will negatively affect traffic. Partial acceptance of cookies will make tracking information meaningless.Banner Tick High Medium Medium/High A banner is placed at the top of the page allowing users toBox click to accept cookies. This is the option selected by the UK Information Commissioner. In practice, very few people click to accept cookies. Partial acceptance of cookies will make tracking information meaningless.Acceptance Medium Medium Low Users give consent to cookies when they accept the terms ofof T&C’s use of a website. This only works if users are expressly required to agree to those terms of use in order to use the website.Website Low Low Low A prominent notice is provided indicating that cookies areNotes used, linking to details of each cookie. This is the option taken by the UK Department of Culture, Media and Sport who are responsible for implementing the new cookies laws in the UK.
  • How Magus can helpAudit in conjunction with Linklaters will enable you to address therecommendations and provides the basis for your implementation plan. Itincludes: Report and Cookies briefing Cookies audit recommendations• Overview of the relevant • Social media widgets • Key findings legislation and its known to set cookies • Advice (e.g. appropriate implications for your • Flash files which need to action could be website be checked for Flash considered on an cookies enforcement risk-based • Third party domains and approach, and scripts known to set potentially an EU wide cookies approach) and recommendations (see • JavaScript files likely to table above) contain cookies • What you need to do • Potential web beacons next known to set cookies • Pages not containing a link to a privacy / cookies policy
  • Thank you Questions?