Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Iab cookie compliance guide


Published on

  • Be the first to comment

  • Be the first to like this

Iab cookie compliance guide

  1. 1. CookieComplianceA Practical Guide
  2. 2. Table of contents1. Introduction2. Cookie Compliance Guide A. Cookie inventory 1. Identifying cookies 2. Cookie impact assessment 3. Cookie categorisation B. Compliance path 1. Risk assessment 2. Information obligation in practice 3. Methods for obtaining consent 4. Demonstrating that you are not processing personal dataAPPENDICES:A. The new ‘cookie regulations’B. Enforcement and fines in case of non-complianceC. For whom are the cookie regulations important?D. Legal definitionsE. The Dutch Data Protection ActF. Fact sheet SOLV
  3. 3. 1. IntroductionSummaryOn 5 June 2012, the new Dutch Telecommunication Legislation became effective withwhich Article 11.7a (hereafter called “Cookie Provision”) was implemented.What does this Cookie Provision concretely mean? With the implementation of theCookie Provision, stricter rules will apply for the use of cookies. In short, this meansthat in certain cases an information and consent obligation has to be complied with.ScopeThe new Cookie Provision applies in case of the placing of or obtaining access to dataon auxiliary equipment of the user. Thereby, no difference is made between thenature of the data. For reasons of readability we will refer to “cookies” in thisdocument, but this encompasses all technology that is used in order to store dataon the auxiliary equipment of a user. Besides various types of cookies, this thereforealso concerns installed apps and/or plug-ins, information stored in the Web Storage,screen size, OS, browser type, device fingerprinting, etc.ResponsibilityThe obligations based on the Cookie Provision rest on the one who is responsible forplacing cookies and for obtaining access to the data stored. In short: if you supply anonline service and place cookies at this, in principle you will have to comply with theobligations included in the Cookie Provision.For that matter, the obligations do not always rest on the person who is responsiblefor the service requested or site visited by user. It can also happen that a third partyplaces cookies via your website, since via a site for example another site is displayed, The new Actas a result of which the third party must comply with the obligations as well. In viewof the shared responsibility to comply with the obligations, it is advisable to reach applies in casecollaboration at this. of the placing of or obtaining access to data on auxiliary equipment of the user. Thereby no difference is made between the nature of the data. For reasons of readability we will in this document refer to cookies. iab. Cookie compliance A Practical Guide | 3
  4. 4. What is the objective of this guide?This Cookie Compliance Guide provides you with a tool with regard to the newCookie Provision. The objective of this Guide is to map the process you must follow inorder to comply with the obligations from the Cookie Provision. This Guide howeverdoes not provide specific advice on how you must implement the various steps (thiswill vary per company). Since at the time of writing of this Guide still manyuncertainties remain on the exact interpretation of the Cookie Provision, this documenthas the status of a “live” document. By the time more will become clear on theinterpretation of the Cookie Provision, this document will be modified.For whom is this guide intended?This Guide is intended for everyone who has a website and wants to becomecompliant with the new legislation. It is not intended as technical manual for webdevelopers. This Cookie ComplianceOn the authorsThis document was formulated by assignment of the IAB by: Guide providesAUKE VAN DEN HOUT you with a toolAuke van den Hout is responsible for the privacy portfolio with the Management of with regard toIAB. He is co-founder of Adatus, the European market place for ‘audience targeting’ the new Cookieand has over 15 years’ experience in data-driven advertising in Europe. Provision. TheEMAIL: INFO@IAB.NL / TEL: +31 854010802 objective of thisROEL VAN RIJSEWIJK Guide is to mapRoel van Rijsewijk is Director at Deloitte with over 10 years’ experience in consultingmedia and technology companies in the field of risk management and compliance. the process youRoel is co-founder of Deloitte Online Business Innovation and leads the innovation must followprogramme in the field of confidence in the digital world. in order toEMAIL: RVANRIJSEWIJK@DELOITTE.NL / TEL: +31 652615087 comply withThis Cookie Compliance Guide was developed with the utmost the obligationscare, whereby the legal regulations as set out by or by virtue of from the Cookiethe Dutch Telecommunication Act and the Dutch Data Protection Acthave been taken into account as good as possible. Despite that, Provision. Thisthis document can contain inaccuracies or deficiencies and no rights Guide howevercan be derived from the Guide. Neither the IAB nor the makers of does not providethe Guide are liable for possible inaccuracies and/or deficiencies.Since apart from this the exact meaning of these regulations specific advicealways depends on the circumstances of the case which during the on how you mustdevelopment of this Cookie Compliance Guide could not be takeninto account, the use of this Cookie Compliance Guide is always implement thefully at the risk of the user. various steps (this will vary per company). iab. Cookie compliance A Practical Guide | 4
  5. 5. 2. Cookie Compliance GuideA. Cookie inventory1. IDENTIFYING COOKIESIntroductionIn order to be able to comply with the obligations included in the Cookie Provision it isimportant to start by making an inventory on which type of cookies – andcomparable techniques – your website places and/or which type of cookies arepossibly placed by third parties. This phase therefore consists of identifying the typeof cookies.Why?• It clarifies which obligations from the Cookie Provision you will have to comply with.• It provides insight on the way in which your management will be affected by the new Cookie Provision.• It sees to it that you can comply more easily with the information and consent obligations. Tips• You make it known to the supervising authorities that you are aware of the • There are tools available that can be problems related to the Cookie Provision and that you are willing to work on this. helpful at analysing the use of cookies on your website – mostly in the form ofFor the benefit of a thorough inventory, we advise you to answer the plug-ins for your browser.following questions. • Review all parts of your website that1. Which type of cookies is used on my website and who places them? could potentiallly place cookies, both2. Why are the cookies being used? by yourself and by third parties. Please3. Is it a persistent or a session cookie? pay special attention at that at the4. Is the cookie used over several connected websites or is the website only used on integration of external scripts, such as one single domain? Like buttons of Facebook, +15. To which data does the cookie refer / which data does the cookie contain? of Google, etc.6. How long is the data that the cookie refers to being stored?The questions are discussed step-by-step below.Step 1. Which cookies are placed by whom?• Identify which cookies are used on you website.• Pay attention thereby to cookies that you yourself have placed on your website (First Party Cookies).• Identify which cookies have been placed on your website by third parties. Pay attention thereby to cookies that are placed by for example social networks and advertising networks (Third Party Cookies).• Please do not forget to identify the flash cookies used! iab. Cookie compliance A Practical Guide | 5
  6. 6. Step 2. ObjectiveIn this step it is important to indicate per cookie with which objective the cookie isplaced.In order to help you with your investigation, among other things you may ask thefollowing questions:• Was the cookie placed in order to see to it that the products in the shopping cart are remembered?• Do the cookies see to it that the contents of the page are loaded faster?• Are the cookies used because of certain security requirements?• Is the data used/read by third parties, and why?• Are the cookies used in order to recognise a user in order to be welcomed upon returning to a website?• Is data collected by means of the cookie data on the use of the website, such as the number of unique visitors?Step 3. Life-span• Indicate per cookie whether it concerns a session cookie or a persistent cookie.• Identify how long the cookie is stored.Step 4. Number of websites• Indicate per cookie whether it is used in order to collect information from several websites, and if so: what information that is. Tips• Establish whether cookies that are used on several websites have the same functionality everywhere, or that the functionality/functionalities differ(s).Step 5. Which data the cookie refers to? forIn this step you will investigate which type of data the cookie contains and/or to whichdata the cookies refers. Indenifying cookies• Does the cookie itself contain personal data?• Which other data is stored in the cookie itself?• Establish to which data the cookie refers in your own environment and databases.• Record which data is all collected from the users in the databases. • See to it that you analyse the use of• Establish which other data from other databases can be linked to this. cookies on all pages, in each phase during which your user is on your website.Step 6. Storage termBesides the life-span of the cookie itself, you must establish how long • Ascertain that you have a completethe data to which the cookie refers will be stored. overview of all websites and webpages• Establish which procedures apply for the destruction of user data for which you are responsible. within the various databases.• Establish whether in practice these procedures are complied with. iab. Cookie compliance A Practical Guide | 6
  7. 7. 2. Cookie impact assessmentWe advise you – after you have made an inventory of the types of cookies that arebeing used on your website – to also carry out a cookie impact assessment forreasons of completeness.The objective of the Cookie Provision is namely to provide the internet user with morecontrol on his/her privacy. Thereto it is important that you gain insight in the impacton the privacy of website visitors by the use of cookies.By means of this assessment you evaluate the impact of each type of cookie on theprivacy of your website user. Subsequently you can become aware of theconsequences a visit to your website has for a user, and you can take a critical look atthe cookies that you are placing.Assess this impact by completing the following steps.Step 1. First party cookiesUse the questions and answers from the cookie inventory phase to carry out thiscookie impact assessment.It is important that you regard this impact as a moving matrix (see Figure below). Cookie Cookie Cookie Little impact Lot of impactStep 2. Third party cookiesIf via your website cookies from third parties are placed, it is also important to assessto which extent these cookies might violate the privacy of your website users and howthis party deals with the information and consent requirements.FOR THIS YOU CAN:1. Contact the party concerned in order to inform on what we advise; and/or2. Assess the privacy policy of that party.Place these cookies on the moving matrix of cookie impact as indicated aboveas well. iab. Cookie compliance A Practical Guide | 7
  8. 8. 3. Cookie categorisation guideWith the results from the inventory phase, you can subdivide the cookies into twocategories: these to categories originate from the Cookie Provision.Category 1Based on the inventory phase, you can assess whether the type of cookies that youplace is categorised under one of the following exceptions:• The technical storage or access to data is only intended to carry out the communication via an electronic communication network. The communication on the website can in some cases only take place by using a cookie. This is for example the case if a language setting is remembered.• Storage of or access to this data is strictly necessary. The legislator has determined that strictly necessary use of cookies is exempted from the cookie obligations (on the condition that you do not process personal data). An example of this is a shopping cart cookie. It is important that you reason from the perspective of the website user whether certain cookie use is strictly necessary. If this is the case, then this concerns cookies that in line with the Cookie Provision are deemed as strictly necessary.In these cases you do not have to comply with the consentrequirement as included in the Cookie Provision, on the conditionthat you do not process personal data herewith.For the benefit of transparency you might consider to inform the user on placing suchcookies. This does not have to be done via a pop-up or the like, but can also beincluded in the privacy policy.Category 2Should the cookies not resort under the first category, then in principle it concernscookies that are not strictly necessary.For these cookies prior consent is required. Besides, the user shouldbe informed on - among other things - the placing of cookies andthe consequences thereof.Do you make use of client profiling or re-targeting? Then without any doubt you mustobtain prior consent from your website users.Are you in doubt in which category a specific cookies should be placed?This will certainly be the case, since many issues are still unclear. In order to determinethe correct approach, a risk assessment would have to be carried out as described inthe next Chapter. iab. Cookie compliance A Practical Guide | 8
  9. 9. B. Compliance path1. Risk assessmentThere will be cookies of which is not completely clear whether the use thereof isdeemed strictly necessary and whether consent is therefore needed. In that case weadvise you to carry out a risk assessment to be able to choose the correct complianceapproach. A compliance approach for these cookies should take into account:• The importance of the use of a cookie and the data related to it for the organisational objectives.• The impact of the use of cookies on the privacy of the user.Thereby we provide you with the following considerations:- If the importance of the use of the cookie and the data related to it is low for theorganisational objectives, you could consider stopping using this cookie, especiallywhen the impact of the use of cookies on the privacy of the user is high.- If the importance of the use of the cookie is high for organisational objectives andthe impact on the privacy of the user is high, the explicitly requesting consent is theobvious choice. In your provision of information towards the consumer, in that caseyou also have to indicate very clearly how the data is used, stored, and protected,apart from a very sound explanation on the importance of the cookie for yourorganisation as well as the advantages and disadvantages for the consumer whenhe/she does/does not accept the cookie.- If the impact on the privacy of the user is negligible and the importance of the use ofthe cookie for the organisational objectives is high, extra steps can be taken in orderto obtain certainty on the approach, such as consulting experts, testing the approachon standards, as well as the approach of others that make use of these cookies andbuilding up a well-founded case.Now that you know which category of cookies is placed via your website, you canstart determining in which way you will comply with the information obligation andthe consent requirement. Thereby we refer to the following Chapters.n. iab. Cookie compliance A Practical Guide | 9
  10. 10. 2. Information obligation in practiceThis Chapter provides you with tools on in which way you can comply with theinformation obligation.Providing informationThe Cookie Provision does not stipulate in which way the website user must beinformed. Still, it is clear that the information provided must be unequivocally clearand complete in advance. This means that each website visitor must be informedprior to the placing of the cookie on:1. The fact that a cookie is being placed;2. By whom a cookie is being placed;3. What the objective of this cookie is;4. How long the cookie is stored;5. Who will obtain access to the data;6. Whether the cookie will be reused and if so by whom.Making information on the use of cookiestransparentIt is by all means insufficient to only describe the use of cookiesin your privacy policy.It is namely important that you can establish that the users have picked up theinformation. Tips • See to it that your users cannot evade the information • Describe the privacy and cookie policy in simple terms that can be understood by everyone iab. Cookie compliance A Practical Guide | 10
  11. 11. Grouping cookiesYou do not have to inform your website visitors on each separate use of a cookie; youmay also group the use of cookies into type and objective of the cookie.Advantages of information obligationBy being completely transparent on the use of cookies on your website, the confidenceof your visitor will increase. For the complete provision of information it is wise to addthe following to the information:• Why your websites needs these cookies• What the advantage is for your website user• Make it clear for the user that he/she can revoke the consent given at all times, as well as in which way he/she can do this.3. Obtaining consent in practiceFrom the categorisation phase it has become clear for which cookies you shouldspecifically obtain consent. This Chapter clarifies in which way you can complywith the consent requirement.It goes without saying the obtaining consent is closely related to the informationobligation. After all, it should be clear for which the user gives his/her consent.Which method is most suited in practice to obtain consent from your website usersdepends on the objective of the cookies, how privacy-sensitive the data is, and whatthe relation with your website visitors is.There are various methods to point out visitors on the presence of the cookies and toinform them in a transparent way. Below a number of examples are summed up:FEATURE LEDAt the feature-led method, the visitor is requested to give consent when he or shewants to make use of a certain feature. Prior to the use of a certain part of the website Attention:(for which cookies should be placed), the visitor can be informed and requested for • By no means are you permitted to fixconsent, instead of requesting for consent directly upon arrival on the website for all tick boxes at ‘on’. This is namely notcookies on the complete website. regarded as opt-in by the legislator but as opt-out. Herewith you wouldLOGGING IN therefore not comply with thePrior to logging in to a certain part of the website, you can indicate that you intend requirements of the Cookie place cookies. You can inform the visitor prior to logging in on the use of certaincookies, so that he/she can take an informed decision on giving consent or not. • See to it that your users can see the information and that you communicate in a transparent way why you are making use of cookies. iab. Cookie compliance A Practical Guide | 11
  12. 12. DIALOGUE WINDOWBy means of a dialogue window you force the visitor to first make a selection beforebeing able to visit the website that is behind the window. In this window you informthe visitor and you refer to the privacy policy.STATUS BARYou can make use of the status bar to inform the visitor. This can be done both on topand at the bottom of the page. This status bar informs the users on the cookies thatyou intend to place, provides access to the privacy policy, and allows visitors toaccept the use of the cookies based on the information provided. Since with this typeof information a selection is not necessarily enforced before the consumer cancontinue, you must pay attention that you place the status bar at a location where thebar is clearly visible for the user. See to it that no cookies are being used until the useractually explicitly gives his/her consent thereto.WARNING BARA similar method as the status bar method, but this one is more insistently present onyour website. Each time the website wants to place a cookie, the warning bar appears.Inform the visitor in this way, link to the privacy policy, and see to it that visitors canaccept or refuse the cookies.SETTING-LEDIf the website contains options for the user to select settings, you can also use thosesettings to switch on or off certain functionalities that require cookies. Visitors can thentake an informed decision at the settings to make use of the functionalities and to giveconsent to place the cookies. Since at this way of informing no prior selection isenforced, you must clearly explain to the user how he/she can give consent viahis/her settings. iab. Cookie compliance A Practical Guide | 12
  13. 13. Points of interestProving that you obtained consentYou need consent in order to be able to place a cookie. Realise that you also must beable to demonstrate that you have obtained this consent. See to it that you have aprocedure in place for this and record from whom you obtained the consent.Attention: the most user-friendly way to record consent obtained is by meansof a cookie!Third party cookiesIn principle, each party that places data must inform the visitor and obtain consent,third parties as well. Instead of obtaining consent separately (your cookies separatefrom third party cookies) you can also make an agreement with the third party toinclude a reference in the information provision to the privacy information of the thirdparty. This means one extra pop-up less for the visitor. Besides you can inform theuser on how to switch off third party cookies in the browser.One cookie for several websitesAre you using a cookie for several websites? Do you have various websites linked toeach other and are you using the samen cookies for those. In order to obtain consentfor all websites, you must see to it that you clearly inform the visitor for which websitesyou wish to obtain consent.Modification after cookies consenthas been obtainedIf after you have obtained consent you apply modifications in the cookies to be usedor purchase new cookie services from third parties, it is possible that you have toobtain consent once again from your visitor. You will have to ask for consent onceagain if you apply modifications to:1. The purpose of the cookie that is placed;2. By whom the cookie has been placed;3. How long the cookie is being stored;4. Who will have access to the data;5. Whether the cookie will be reused and by whom.Revoking consentConsent once give can always be revoked.Do not forget to offer visitors the opportunity to simply revoke their consent. iab. Cookie compliance A Practical Guide | 13
  14. 14. 4. Demonstrate that you do not process personal dataFrom 1 January 2013, the new Cookie Provision will be enforced in which the use of‘commercial’ cookies (a cookie that has the objective to collect, combine, or analysedata on the use of various services of the information agency by the user orsubscriber for commercial, charitable, or idealistic purposes) will be regarded as theprocessing of personal data, as a result of which the privacy legislation becomesapplicable. Hereby the legislator has made use of the concept of ‘legal presumption’:you are deemed to process personal data, unless you can demonstrate that this is notthe case. See Appendix E in case the suspicion that you process personal data isjustified, and you have not made arrangements for this yet. I you find that thissuspicion is not justified and you are of the opinion that you are not processingpersonal data, this Chapter describes what you must do.Demonstrating that you are not processing personal data is not easy. A soundpreparation is important so that by the time you need to provide the proof you arenot standing empty-handed but can act pro-actively. By following the subsequentsteps you will obtain a sound idea on the use of data within the organisation, and youhave your file with proof ready in order to demonstrate that you are not processingpersonal data.erkt.Step 1. Record in a management statement why you are not processing personal dataKnow what you want to demonstrate. Formulate (management) statements in whichyou indicate why you are not processing personal data. These should also indicatewhich measures you have taken in order to keep data anonymous. By following theYOU CAN FOR EXAMPLE STATE: subsequent steps• The data collected, stored, and edited by [your organisation] can not be reduced to the individual internet user or computer from which the data originates; you will obtain a sound idea on the use of data within the organisation, and you have your file with proof ready in order to demonstrate that you are not processing personal data. iab. Cookie compliance A Practical Guide | 14
  15. 15. Step 2. Map processes and information flowsMap the relevant processes and information flows in relation to the use of the cookies.• Which cookies do you use?• Where does all information go to?• What sort of information is being collected?• Who makes use of that information?By mapping the processes and information flows, you yourself will obtain a clearoverview of the organisation of information. Because of this you see to it that you arecertain that you have taken all information collections into account.Step 3. Establish how you can demonstrate that itdoes not concern personal dataWhat can you show so that you can demonstrate that you are not processingpersonal data? Show for example which data you collect, which measures you havetaken to make data anonymous, and what sort of use you make of the data(for example: only for statistical purposes).Step 4. Carry out a gap analysisA gap analysis is a method to make a comparison between an existing and a desiredsituation. Check whether you are not unexpectedly still collecting data that can bereduced to the internet user or computer. Use the information flows and processes asmapped in step 2. Try by means of the already collected data whether his canbe reduced to a computer or person.Step 5. If applicable:repair the gaps encountered and report theactual use of dataShould you have established during the previous step that so-called gaps still exist,then try to repair those. Make data anonymous where necessary or take othermeasures to see to it that you comply with the desired situation. Finally report on theactual use of data within your organisation so that you can demonstrate that you– if applicable – do not process personal data and therefore as far as this data isconcerned to not have to comply with the Dutch Data Protection Act. iab. Cookie compliance A Practical Guide | 15
  16. 16. Appendix A.The new ‘cookie regulations’The law amendment in shortBased on the new Cookie Provision in the Dutch Telecommunication Act, one shouldfirst obtain consent from the user before placing cookies on the computer (orobtaining access thereto).Information obligationOne should provide the user in advance with clear and complete information on theobjectives for which one wants to place or read the cookies.ConsentThe consent should take place in advance and to comply with the concept of ‘consent’as described in Article 1 of the Dutch Data Protection Act: it should concern a free,specific, and information-based expression of will. Consent does not have to be givenseparately for each individual cookie by the various parties. The users must be ableto revoke this consent at all times. “Consent: a free, specific and information- based expression of will with which the party involved accepts that personal data concerning him is processed.” iab. Cookie compliance A Practical Guide | 16
  17. 17. Exception to the rule: strictly necessary cookiesThe information obligation and the consent requirement of the Cookie Provision donot apply if the cookies are strictly necessary. You should thereby reason fromcookies that are strictly necessary for the website user and not for you asperson/entity responsible for the website. Article 11.7a 1. Without prejudice to the Dutch Data Protection Act, anyone who wishes to obtain access by means of electronic communication networks to data that is stored on auxiliary equipment of a user and/or wishes to store data on the auxiliary equipment of the user shall: a. provide the user with clear and complete information in accordance with the Dutch Data Protection Act, and at least on the purposes for which one wishes to obtain access to the respective data and/or for which one wishes to store data, and b. have obtained consent from the user for the respective action. An action as intended in the preamble that has the objective to collect, combine, or analyse data on the use of various services fro the information company by the user or the subscriber for commercial, charitable, or idealistic objectives, is assumed to be a processing of personal data as intended in Article 1, sub b, of the Dutch Data Protection Act. 2. The requirements mentioned in the first Section, sub a and b, also apply in case in a different way than by an electronic communication network is arranged that via an electronic communication network data is stored or access is provided to the data stored on the auxiliary equipment. 3. What is determined in Section one and two does not apply, in as far as it concerns the technical storage of or access to data with the exclusive objective to: a. carry out the communication via an electronic communication network, or b. the service to be supplied by the information company requested by the subscriber or user and the storage of or access to data thereto is strictly necessary. 4. By means of an Order in Council, in agreement with Our Minister of Safety and Justice, further regulations can be issued with regard to the requirements mentioned in the first Section, sub a and b. The Dutch Data Protection Authority will be requested to advise on a draft of the intended Order in Council. iab. Cookie compliance A Practical Guide | 17
  18. 18. Appendix B.What if you do not complywith these regulations?Enforcement OPTAOPTA can impose a maximum penalty of € 450,000 per violation of the DutchTelecommunication Act and decide to impose a burden under penalty.Enforcement CBPIf personal data is processed with the text files to be placed or to be read, then youare also confronted with the Dutch Data Protection Act, whereby the Data ProtectionAuthority is the enforcing authority.Civil penalties If you for example to not report data processing with the CBP or with an officer fordata protection, the Authority can impose a civil penalty of at most € 4,500. Whendetermining the height of the penalty, the culpability, the seriousness, and the durationof the violation are taken into account.Burdens and civil enforcement If to the judgment of the CBP the obligations as set forth in the Dutch Data Protectionact are violated, the CBP can decide to impose a burden under civil enforcement or aburden under penalty. First a preliminary investigation by the CBP will have to takeplace. The violator will then be granted a term to unto the respective violation beforea burden on civil enforcement or a burden under penalty will be imposed. iab. Cookie compliance A Practical Guide | 18
  19. 19. Appendix C.For who are the cookieregulations important?It is important that all stakeholders are informed on the new obligations anddetermine a strategy on how to be able to become compliant.The new cookie obligations will at least be of importancefor the following stakeholders:• Ad network providers;• Publishers;• Social media• Advertisers• Digital media developers and ad serving technology;• Affiliates and affiliate networks;• Data providers;• Online ad traders;• Media agenciesThe new regulations for that matter apply to each party that wants to storeinformation or provide itself access to information that is available on auxiliaryequipment of each Dutch internet user. In short: also the websites of foreign partiesthat are visited by Dutch website users should comply with the obligations from theCookie Provision. iab. Cookie compliance A Practical Guide | 19
  20. 20. Appendix D.Legal definitionsUser:a natural person who makes use of a public electronic communication service forprivate or business purposes without necessarily being subscribed to that service;End user:a natural person or legal person who makes use or wants to make use of a publicelectronic communication service and who does not also offer public electroniccommunication networks or public electronic communication services;Communication:information that is exchanged or transferred between a definite amount of parties bymeans of a public electronic communication service; this does not encompass theinformation that is transferred via a broadcasting service via an electroniccommunication network, except when the information can be related to theidentifiable subscriber or user who receives the information;Consent from a user or subscriber:consent from a party involved as intended in Article 1 sub i,of the Dutch Data Protection Act, on the understanding thatthe consent can also be related to data from subscribersthat are not natural persons; iab. Cookie compliance A Practical Guide | 20
  21. 21. Appendix E.Dutch Data Protection ActIt is possible that your personal data is processed by placing or reading cookies. Inthat case, the Dutch Data Protection Act (Wbp) applies. For the Wbp a strongerregime applies than for cookies without personal data. If you also process cookies,then you should follow the following steps in order to comply with the Wbp.Step 1. Is personal data being processed?Establish whether you store or read personal data. This is the case when theinformation you store in or read from a cookie concerns information on a naturalperson, also when this is not directly related to that person but a person can bereduced from this information. For example: name and address data,or an IP address.Step 2. Report the processing ofpersonal data to the Dutch Data ProtectionAuthorityIf it has been established that personal data is processed as you have establishedunder ‘Step 1’, you should inform the Dutch Data Protection Authority (CBP) on this,unless it concerns processing which is exempted from the obligation to report.Step 3. Inform the person from whom you arecollecting dataOne objective of the privacy legislation is to see to transparency on the processing ofpersonal data. You should make it clear to your website visitors in a comprehensiblemanner what you are going to do with the data, for what you need this data, andwhether u will forward the personal data to other parties. You must also make yourown identity known.Step 4. For which purpose do you need thepersonal data?The personal data may only be processed for a previously determined purpose.Therefore it is important that you properly think in advance for what you need thedata, and whether you are not collecting more data than is necessary to achieve thispurpose. You will have to make this objective known to both the CBP and the partyinvolved from who you collect the personal data. iab. Cookie compliance A Practical Guide | 21
  22. 22. It is important that you may not store the data that is collected for the specific purposelonger than necessary for the materialisation of these purposes. What you can do isstore this data in an anonymous form, so that you can still use it for statistic purposesfor example.Step 5. See to it that you only process databased on one of the foundations of the WbpYou cannot just collect personal data from someone; this is only permitted if afoundation can be found for that in the Dutch Data Protection Act (Wbp).The Act states six foundations, of which one of the most important ones is obtainingunequivocal consent from the party involved. The Act describes consent as a ‘free,specific, and information-based expression of will’, meaning that the party involvedhas been properly informed in advance on the collection of personal data, and hasexplicitly gives his or her consent for that.You can for example combine this with the already existing information obligationbased on the Cookie Provision, although stricter regulations apply for that!Step 6. Do you comply with the qualityrequirements?The Wbp has formulated a number of quality requirements that should see to it thatthe personal data is correct and accurate. In other words: no more data thannecessary, but certainly also no less!• See to it that you therefore collect all what you need, and that this data is also correct and complete.• Regularly check your database on outdated information, and• Try to clear as many faulty and incomplete data as possible.If you no longer need the data, you must remove it(or make it anonymous/aggregate it). iab. Cookie compliance A Practical Guide | 22
  23. 23. Step 7 Establish procedures to be able to comply .with the rights of parties involvedWithin the framework of the transparency and quality of the data, persons of whomyou collect data were allotted a number of rights.If a person would like to know which data you collected of him/her, he can file arequest for perusal. The Law has formulated a number a requirements for that, suchas the obligation to inform the party involved within four weeks on whether personaldata on him/her is being processed. If the person establishes errors based on theperusal, he/she can request to correct this error.• See to it that the party involved knows whom they can address in order to exert their rights.• Formulate a procedure to be able to comply with the exertion of those rights.Step 8. Take suitable organisational andtechnical security measuresAscertain that measures have been taken to protect personal data against loss or anyform of illegal processing. Depending on the sensitivity of the data, the security levelis determined. If for example concerns very sensitive medical data is concerned, youshould take stricter measures than when you are for example only collecting IPaddresses.• See to it that malevolent people cannot access the personal data, or that unauthorised persons (both internally and externally) cannot access the data.• If necessary, have yourself consulted by security experts in order to obtain a ‘suitable protection level’.Step 9. Do you outsource the processing ofpersonal data to a third party?If you have another party store the data for you, you should make proper agreementson this processing. By means of an agreement/contract you must agree that the thirdparty complies with the Wbp requirements, such as taking suitable organisational andtechnical measures.• See to it that you periodically check the compliance with the agreement and the obligations resulting from it.Step 10. Do you transfer the data outside theEU? Then please take extra measuresCheck whether it concerns a non-EU country that offers a so-called ‘suitableprotection level’. You can inform yourself on the CBP website on this ( this not be the case, then you will be confronted with additional requirementsfrom the Wbp. iab. Cookie compliance A Practical Guide | 23
  24. 24. Appendix F.SOLV Factsheet – ‘New Cookie Rules’WHATLate 2009 the European legislator introduced new, stricter legislation with regard tobehavioral targeting and the use of cookies. This legislation is laid down in theamended ePrivacy Directive of 25 November 2009 and should have beenimplemented in the laws of the Member States by 25 May 2011.On 8 May 2012 the Dutch passed a Bill to amend the Dutch Telecommunications Act(Telecommunicatiewet, hereinafter ‘DTA’). This introduces a legal regime governing theuse of cookies which is stricter than the ePrivacy Directive prescribes. The new regimefor the use of cookies boils down to the requirement of informed consent based on anopt-in system:• Prior to installing or reading cookies on the terminal equipment of the end user, the end user should be informed, and consent of the end user should be obtained.• the cookies are used to collect, combine or analyze information on the use If of different services of the information society by the end user for commercial, charitable or non-profit purposes, this is presumed to be a procession of personal data. That means the Dutch Data Protection Act is applicable.• Functional cookies are exempted.Principal rule: prior informed consentTECHNOLOGYThe new legislation doesn’t specifically apply to cookies. It applies to any technology• by which information is stored on the terminal equipment of a user, or• by which information already stored is being accessed.It concerns not only personal computers,but also mobile phones and other mobile devices.Examples of cookies that fall within the exemption are cookies that are stored andread to remember the personal settings and preferences of a user, such as thepreferred language, cookies used for the processing of online orders and theexecution of transactions.The new rules do apply to any other cookies, flash-cookies, Java-scripts, web tapsand spyware or similar software such as dialler programmes. Device fingerprintingand digital television are also covered.The Bill makes no distinctions between first party or third party cookies. iab. Cookie compliance A Practical Guide | 24
  25. 25. PRIOR INFORMATIONThe information that has to be provided prior to placing or reading the cookie, needsto be ‘clear and comprehensive’. It needs to inform the end user of the purpose of thecookie and the further processing of the data collected by the cookie.This means that the end user should at least be providedwith the following information:• the identity of the user of the cookie technology;• the fact that the cookie is being stored on the terminal equipment;• the purpose of the cookie;• the period it remains active;• if the cookie is being used to track online behaviour for targeted advertising this should be mentioned too, including with whom the information is being shared.The information has to be easily accessible and understandable to the users.PRIOR CONSENTThere has been a lot of debate about the question how consent can be obtained. Thelegal requirement is that consent has to be free, specific and informed. Unambiguousconsent is not a requirement, although some parties argue the law has to beinterpreted as such. The preamble of the ePrivacy Directive it is made clear thatbrowser settings may possibly be an adequate means of giving consent.Dutch government has confirmed that the present browsers are insufficient, mainlybecause they are set to accept cookies by default.In line with the European Commission, the Dutch government is in favor of aDo-Not-Track standard as a means to obtain prior consent. However, the currentstandard, implemented in is deemed to be insufficient.Dutch data protection act (Wet bescherming persoonsgegevens)The requirement of obtaining informed consent before placing or further accessingcookies is in line with the ePrivacy Directive.However, the adopted Dutch Bill goes considerably further and introduces anadditional legal regime for the use of cookies. Any cookie used to collect, combineor analyze information of the user with regard to his online surfing behaviour,is presumed to involve personal data. As a consequence, the Dutch Data ProtectionAct is applicable to many different cookies, entailing an even stricter legal regimeto the use of cookies.This ‘cookie plus’ regime is applicable to all cookies used for behavioural targeting,but may also apply to analytics cookies such as Google Analytics. iab. Cookie compliance A Practical Guide | 25
  26. 26. WHOAny party that places cookies on the terminal equipment of the user or accessesinformation already stored on this equipment should comply with the new rules.The regulatory authorities have stressed that there can be a shared responsibility,imposing at least some responsibly for the publishers.The new rules are applicable to anyone who wants to store information or accessinformation already stored on the terminal equipment of internet users in theNetherlands. Thus, also companies established outside the Netherlands are governedby the Dutch rules for the use of cookies.WHENThe new rules have come into effect as of 5 June 2012. The Dutch government hasstated that it wants to await further developments of a Do-Not-Track standard withinthe European Union. For this reason it said that the new rules with respect tothe consent requirement shall not be enforced before 1 January 2013. However, theresponsible regulatory authority, OPTA, is an independent authority and thereforemay enforce despite such promises of the government.HOWThe information that needs to be provided prior to placing the cookies has to beeasily accessible and understandable to the users. This implies that a clearly visiblelink to the information most likely does suffice, however, a privacy policy as solesource of information is insufficient.It is obvious that publishers and users of the cookie technology have to work togetheron this since the most logical place to provide information is on the website theconsumer is visiting when the cookie is dropped. The consent of the user must be aclear indication of his wishes. A pop-up screen with clear and comprehensiveinformation and a tick-box stating “I accept” seems at present the only way to complyto the new cookie rules.The regulatory authorities have expressed that consent is not required for eachindividual cookie. Once the user has agreed to cookies of a specific ad networkprovider, this ad network provider doesn’t need to obtain additional consent forcookies serving the same purpose.Users should always be given to possibility to opt-out.Please note that at present it is still unclear how parties should comply to the consentrequirement. The responsible regulatory authority OPTA has not given any guidelines,opinions or such on this subject yet. The responsible Minister has only expressed thatbrowsers are currently not sufficient. Other than that he confirms there is no consensusin the EU and that therefore he cannot give any indication on how to practicallyobtain adequate consent. iab. Cookie compliance A Practical Guide | 26
  27. 27. IAB The NetherlandsPrins Hendriklaan 291075 AZ AmsterdamT: +31 85 401 08 02