eBusiness Club "Demystifying the EU Cookie Law" presentation, Geldards



The eBusiness Club eBizbyte seminar, delivered by Julian Turner, Senior Associate Solicitor with Geldards, one of the country's leading regional law firms, demystifies the legal issues and offers practical advice on how to implement effective solutions.



  1. Demystifying the EU Cookie Law – eBizbyte Seminar. Julian Turner, Solicitor, Geldards LLP, 15th August 2012
  2. What exactly has changed?
  3. What exactly has changed?
  4. What is the key change?
     • The requirement for prominent, up-front consent.
     • The issue is higher up the political and news agenda, and the regulator is more active.
     • Tailor your approach to the privacy risk involved.
  5. What does the law cover?
     • Cookies and other technologies
       • Little consideration to date of the other technologies.
       • Any storage of data on, or retrieval of data from, your customers' computers that you make use of. A usage-based approach: not what the technology is, but what it is used for.
     • First party
       • Technology you use for your own purposes.
     • Third party
       • Technology used for a third party's purposes.
       • Could be deployed by you or by the third party.
       • Third-party adverts / "like" buttons embedded in your web page (IFRAME, IMG, etc.).
  6. What does the law cover?
     • Devices: PCs, tablets, phones; even e-readers.
     • Software: web browsers / HTML e-mail; network-connected applications (a very broad category).
     • Technologies: web beacons, cookies and Flash; JavaScript (including XMLHttpRequest calls); HTML5 (local storage and file handling); "native code" in network-connected applications.
  7. What is a cookie?
     • Part of the Hypertext Transfer Protocol (HTTP) used to transfer web pages between computers.
     • Specified in RFC 2109 (1997); the current specification is RFC 6265 (2011).
     • Cookies make interactions between users and web sites easier.
     • Used for authentication, personalisation and tracking.
  8. What is a cookie?
     • To obtain a web page or other element from a server, your browser makes a GET request (the server also sees the IP address it came from):

           GET /sonynewsitem_page1.htm HTTP/1.1
           Host: techjournal.co.uk
           Referer: http://www.sony.co.uk

  9. What is a cookie?
     • The TechJournal server sends back a response comprising the following (the general form of the cookie line is Set-Cookie: name=value; attributes):

           HTTP/1.1 200 OK                  (or 404 Not Found)
           Content-Type: text/html; charset=ISO-8859-1
           Set-Cookie: id=12345; Expires=Mon, 10 Sep 2012 12:06:00 GMT
           [followed by the content of the page]

     • Attributes such as Expires (and Domain, Path, Secure, HttpOnly) tell the browser how long to keep the cookie and where to send it. They are instructions to the browser, not part of the cookie's value.
  10. What is a cookie?
     • We then GET page 2 from a link on page 1. The browser sends back only the cookie's name and value, never the attributes:

           GET /sonynewsitem_page2.htm HTTP/1.1
           Host: techjournal.co.uk
           Referer: http://www.techjournal.co.uk
           Cookie: id=12345

  11. What is a cookie?
     • Page 2 also contains a picture, so our browser automatically sends another GET, again with the cookie:

           GET /newspicture.jpg HTTP/1.1
           Host: techjournal.co.uk
           Referer: http://www.techjournal.co.uk
           Cookie: id=12345

  12. What is a cookie?
     • Let's imagine that TechJournal has an advertising banner provided by DoubleClick. The TechJournal cookie is not sent, because a cookie only goes back to the host that set it, but the Referer tells DoubleClick which page is being read:

           GET /someadvert.jpg HTTP/1.1
           Host: doubleclick.net
           Referer: http://www.techjournal.co.uk

  13. What is a cookie?
     • DoubleClick now has an opportunity to set a cookie as well, and gives it a very long life:

           HTTP/1.1 200 OK
           Content-Type: image/jpeg
           Set-Cookie: trackingid=8910; Expires=Wed, 10 Sep 2200 12:06:00 GMT
           [followed by the JPEG image]

  14. What is a cookie?
     • Finally, let's say you visit Microsoft and they also have a DoubleClick banner. The same tracking id arrives with a different Referer, so DoubleClick can link your visits to the two unrelated sites:

           GET /banner.jpg HTTP/1.1
           Host: doubleclick.net
           Referer: http://www.microsoft.co.uk
           Cookie: trackingid=8910
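The exchange on slides 8 to 14, as an added example that is not part of the presentation: a short JavaScript program (runnable under Node) that plays both the browser's cookie jar and the DoubleClick ad server. The hostnames, paths and cookie values are the slides' illustrative ones; the ad server's log, and the way it issues tracking ids, are assumptions made for the demonstration.

```javascript
// Added example, not part of the Geldards presentation: a minimal browser cookie
// jar plus a DoubleClick-style ad server, replaying the requests of slides 8-14 to
// show how one third-party cookie links visits to two unrelated sites. Hostnames,
// paths and cookie values are the slides' illustrative ones; the ad server's log
// and the numbering of tracking ids are constructed for the demonstration.

// Browser side -------------------------------------------------------------

// Jar keyed by host: a cookie is only sent back to the host that set it (the
// slides' cookies carry no Domain attribute, so they are host-only cookies).
const jar = new Map();

// Store the name=value pair from a Set-Cookie header. Everything after the
// first ';' (Expires, Path, ...) instructs the browser and is never echoed back.
function storeSetCookie(host, setCookie) {
  const [pair, ...attributes] = setCookie.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  if (!jar.has(host)) jar.set(host, new Map());
  jar.get(host).set(name, value);
  return { name, value, attributes };
}

// Request line and headers the browser sends for one GET, including a Cookie
// header only when the jar holds cookies for that host.
function buildRequest(host, path, referer) {
  const headers = { Host: host, Referer: referer };
  const cookies = jar.get(host);
  if (cookies && cookies.size > 0) {
    headers.Cookie = [...cookies].map(([n, v]) => `${n}=${v}`).join("; ");
  }
  return { line: `GET ${path} HTTP/1.1`, headers };
}

// Ad server side -----------------------------------------------------------

const adLog = [];            // (trackingid, Referer) for every banner request
let nextTrackingId = 8910;   // constructed: the slides' id, then counting up

// doubleclick.net issues an id on the first request from a browser and logs
// the id together with the Referer on every request that carries one.
function adServer(request) {
  const match = /(?:^|; )trackingid=(\d+)/.exec(request.headers.Cookie || "");
  const id = match ? match[1] : String(nextTrackingId++);
  adLog.push({ trackingid: id, referer: request.headers.Referer });
  const response = { status: "200 OK", headers: { "Content-Type": "image/jpeg" } };
  if (!match) {
    response.headers["Set-Cookie"] = `trackingid=${id}; Expires=Wed, 10 Sep 2200 12:06:00 GMT`;
  }
  return response;
}

// The browsing session from the slides; returns the requests and the ad log.
function simulateSession() {
  // Slide 9: TechJournal sets a first-party cookie.
  storeSetCookie("techjournal.co.uk", "id=12345; Expires=Mon, 10 Sep 2012 12:06:00 GMT");
  // Slide 10: the next TechJournal request carries it back (name and value only).
  const page2 = buildRequest("techjournal.co.uk", "/sonynewsitem_page2.htm", "http://www.techjournal.co.uk");
  // Slides 12-13: the advert comes from doubleclick.net, which gets no TechJournal
  // cookie but does get the Referer, and sets its own long-lived cookie.
  const advert = buildRequest("doubleclick.net", "/someadvert.jpg", "http://www.techjournal.co.uk");
  storeSetCookie("doubleclick.net", adServer(advert).headers["Set-Cookie"]);
  // Slide 14: a banner on an unrelated site sends the same tracking id back.
  const banner = buildRequest("doubleclick.net", "/banner.jpg", "http://www.microsoft.co.uk");
  adServer(banner);
  return { page2, advert, banner, adLog };
}

// What the ad server can reconstruct: the sites each tracking id has been seen on.
function sitesPerTrackingId(log) {
  const sites = {};
  for (const entry of log) {
    (sites[entry.trackingid] = sites[entry.trackingid] || []).push(new URL(entry.referer).hostname);
  }
  return sites;
}
```

The point to take from it: the TechJournal cookie never reaches doubleclick.net, yet the ad server still learns which pages were read on two unrelated sites, because its own cookie comes back alongside each page's Referer. The jar and the ad log are module-level state, so simulateSession() is meant to be called once per run.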
  15. First and third party cookies
  16. Can I control them?
     • Here are the Internet Explorer settings dialog boxes:
  17. Other technologies
     • Cookies are not the only technologies.
     • Download monitoring: web beacons / pixel GIFs.
     • Local storage: cookies, Flash, HTML5 local storage and file system access.
     • Dynamic data capture: JavaScript / Flash can capture key presses and mouse actions; native applications can do anything.
  18. Other technologies – JavaScript
     • JavaScript is computer code that runs in your browser. This script reports every key pressed on the page to a server:

           // Send each key press to the site's server as it happens
           window.onkeypress = function (event) {
             var key = event.charCode;
             var http = new XMLHttpRequest();
             http.open("GET", "http://www.mysite.co.uk/analyse.php?keyPressed=" + encodeURIComponent(key));
             http.send(null);
           };
  19. It is all about what you do with them
     • Support functionality: session, authentication, shopping basket.
     • Analyse performance: monitor downloads, monitor how users navigate through your site, detect abandonments.
     • Track: anonymously, across sites, for advertising purposes; or identified, e.g. Facebook "like" buttons.
  20. What are the exemptions?
  21. General approach to exemptions
     • Example websites we have seen do not make a distinction, and cover both exempt and non-exempt cookies in their cookies policies and consent forms.
     • You can't use the same cookie for exempt and non-exempt purposes.
     • Governments prefer temporary / session-based cookies in their examples, and are more circumspect about permanent / long-term usage; but more information given to the user will help.
  22. Exemption (a)
     • The transmission of the communication must not be possible otherwise.
     • The example given by governments is load-balancing cookies.
  23. Exemption (b)
     • What is strictly needed to provide the functionality or service requested by the user.
     • A usage-based, user-centric approach.
  24. Exemption (b)
     • Examples of government indications as to exempt uses:
       • Session management (security, user input)
       • Log-in and authentication
       • Shopping basket
       • Media playback
       • User preference storage
       • Social network functionality requested by logged-in users
  25. Exemption (b)
     • Examples of non-exempt uses:
       • First-party analytics, statistics, audience measuring, heat map generation, etc.
       • Social network functionality for non-logged-in users.
       • Unique identifiers and tracking across websites.
       • Third-party cookies and technologies (e.g. advert management and tracking, frequency capping, financial logging, ad affiliation, click fraud detection, research and market analysis, product improvement and debugging).
  26. What are the compliance requirements?
     • Information: you need to be much more informative about the cookies and technologies you use.
     • Consent: you need to obtain up-front consent before you use any cookie or other technology for a non-exempt purpose.
     • Risk: the compliance measures have to be decided by you; in the end you will have to take a risk decision; tailor your approach to the privacy risk involved.
  27. Information
     • The law has not changed, but the regulatory expectation has.
     • Historically, what we provided was sparse and limited.
     • Now the expectation is that it will be thorough and detailed.
  28. Information
     • What to do:
       • Look at models of good practice.
       • Create a separate cookies policy.
       • Make the link to it prominent (e.g. at the top of the page).
       • Detail each cookie or other technology, and what it is used for.
       • Provide links to the relevant third-party sites / documents.
       • Explain any opt-out process.
       • Explain how browser settings can be used to block cookies.
       • If the information is linked to an identified individual, link to the relevant privacy policy.
  29. Information – ICO website
  30. Information – BBC
  31. Information – BBC
  32. Consent
     • Freely given, specific and informed.
     • Any consent box must contain an explanation and a link to the cookies policy.
     • Given by the computer user (even if not the bill payer).
     • Given prior to, or, as the ICO recognises, quickly after use.
     • Must cover both first- and third-party technologies.
     • No obligation to permanently store consent, but it helps.
     • The ICO would like to see options to opt out later.
     • New consents for new technology.
     • Browser settings are not currently good enough.
  33. Express consent
     • Opt-in tick box, with clear explanatory wording and a link to the cookies policy.
     • Not feasible for casual visitors.
     • May be feasible if combined with an account registration or subscription purchase process.
     • Unlikely that any companies will use this.
  34. Implied consent
     • The ICO's latest guidance confirms this is a "reasonable proposition" and that "implied consent might be the most practical and user-friendly option".
     • But at your own risk.
     • We guess this means that they will probably tolerate it as a regulator, unless there is a severe privacy risk.
     • The ICO will not say definitively whether any measures you take are good enough; and without some court cases, neither the ICO nor any lawyers will be able to rubber-stamp any particular solution.
     • All examples seen in the wild use it (see the examples attached at the back of the handout), but they vary in their detail and sophistication.
     • It is clear this is going to be the predominant solution, but it involves taking a risk and does not give regulatory certainty.
     • NOT VIABLE FOR SENSITIVE PERSONAL DATA.
  35. Implied consent
     • What it probably requires:
       • A really good, detailed cookies policy / information (see the BBC website).
       • A prominent link to your cookies policy at the top of each page.
       • A bold "modal" notice / splash screen clearly stating that by continuing, consent is taken to be given, again with a link to the cookies policy, which requires a click to clear it and proceed to use the website.
       • The ability for users to change settings.
       • An approach tailored to your site, the technologies you are using, and the type of data you are capturing or storing.
     • Risk assessment:
       • How much of the above do you implement?
       • Is it good enough for invasive usage (e.g. third-party tracking)?
       • A lawyer (without court cases) cannot give you any guarantees.
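One way to build the implied-consent mechanism of slide 35, with the "nothing non-exempt before consent", "new consent for new technology" and "opt out later" points from slide 32 enforced in code. This is an added example and not part of the presentation: the cookie names, purpose labels, policy version strings and the ConsentGate API are assumptions for illustration, and the decision logic is kept free of DOM calls so that it runs under Node.

```javascript
// Added example, not part of the Geldards presentation: one way to implement the
// implied-consent mechanism of slide 35, with three points from slide 32 built in
// (nothing non-exempt before consent, new consent for new technology, opt out
// later). Cookie names, purpose labels, policy version strings and the ConsentGate
// API are assumptions for illustration. The logic is kept free of DOM calls so it
// runs under Node; in a browser `storage` would wrap document.cookie and `loader`
// would inject the analytics / advertising scripts.

// Purposes that government guidance treats as exempt (slides 22 and 24).
const EXEMPT_PURPOSES = new Set(["load-balancing", "session", "authentication", "basket", "media", "preference"]);

// Constructed inventory of everything the site sets or embeds (slide 47).
const INVENTORY = [
  { name: "sessionid",  purpose: "session",     party: "first" },
  { name: "basket",     purpose: "basket",      party: "first" },
  { name: "_ga",        purpose: "analytics",   party: "first" },   // non-exempt (slide 25)
  { name: "trackingid", purpose: "advertising", party: "third" },   // DoubleClick banner
];

// Recording the visitor's choice is strictly necessary to honour it, so this
// cookie is treated as exempt and may be set before consent.
const CONSENT_COOKIE = "cookie_consent";

function isExempt(item) {
  return EXEMPT_PURPOSES.has(item.purpose);
}

class ConsentGate {
  // storage: Map-like get/set/has/delete keyed by cookie name. loader: function(item)
  // that really sets the cookie or loads the script; called only from applyConsent().
  constructor(storage, loader, inventory = INVENTORY) {
    Object.assign(this, { storage, loader, inventory });
    this.noticeVersion = null;  // policy version the modal notice displayed
    this.loaded = new Set();    // non-exempt items activated in this page view
  }
  // "none", "given:<policy version>" or "withdrawn".
  state() {
    return this.storage.get(CONSENT_COOKIE) || "none";
  }
  // Exempt items may always be set; everything else waits for consent.
  allow(item) {
    return isExempt(item) || this.state().startsWith("given:");
  }
  // Called when the modal notice (wording plus link to the cookies policy) is shown.
  showNotice(policyVersion) {
    this.noticeVersion = policyVersion;
  }
  // Implied consent: the visitor clears the notice and carries on. Consent has to
  // be informed, so it is not inferred unless the notice was actually shown.
  continueClicked() {
    if (this.noticeVersion === null) {
      throw new Error("consent cannot be inferred before the notice has been shown");
    }
    this.storage.set(CONSENT_COOKIE, "given:" + this.noticeVersion);
    return this.applyConsent();
  }
  // Activate each non-exempt item that consent now covers, once; returns their names.
  applyConsent() {
    const activated = [];
    for (const item of this.inventory) {
      if (isExempt(item) || !this.allow(item) || this.loaded.has(item.name)) continue;
      this.loader(item);
      this.loaded.add(item.name);
      activated.push(item.name);
    }
    return activated;
  }
  // A choice recorded under an older policy version does not cover technology
  // added since, so the notice has to be shown again.
  needsNewConsent(currentVersion) {
    const s = this.state();
    return s.startsWith("given:") && s.slice("given:".length) !== currentVersion;
  }
  // Opt out later. The site can delete its own non-exempt cookies and stop embedding
  // third-party content, but it cannot delete doubleclick.net's cookie from the
  // browser; that needs the third party's own opt-out.
  withdraw() {
    this.storage.set(CONSENT_COOKIE, "withdrawn");
    const removed = [];
    for (const item of this.inventory) {
      if (isExempt(item) || item.party !== "first" || !this.storage.has(item.name)) continue;
      this.storage.delete(item.name);
      removed.push(item.name);
    }
    this.loaded.clear();
    return removed;
  }
}

// One visit against an in-memory cookie store; returns what happened at each step.
function runDemo() {
  const storage = new Map();
  const loads = [];
  const gate = new ConsentGate(storage, (item) => loads.push(item.name));
  const beforeConsent = INVENTORY.map((item) => [item.name, gate.allow(item)]);
  gate.showNotice("2012-08");
  const activated = gate.continueClicked();
  storage.set("_ga", "GA1.2.111");  // what the analytics loader would have set
  const removed = gate.withdraw();
  return { beforeConsent, activated, loads, removed, finalState: gate.state() };
}
```

The design choice worth noting is that the loader is the only place where non-exempt cookies or scripts are activated, so the page's own markup must not include the analytics or advertising tags directly; otherwise the gate is decorative. Storing the policy version inside the consent value is what makes "new consent for new technology" checkable on later visits.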
  36. Implied consent – Staples
  37. Implied consent – Telegraph
  38. Implied consent – Natwest
  39. Implied consent – Nectar
  40. Implied consent – Nectar
  41. Implied consent – Nectar
  42. Implied consent – BBC
  43. Implied consent – BBC
  44. Implied consent – BBC
  45. Does it matter if I don't comply?
     • The Information Commissioner's powers:
       • Notices to supply information.
       • Undertakings to secure voluntary compliance.
       • Enforcement notices / criminal offences.
       • A financial penalty of up to £500,000 for a serious contravention likely to cause substantial damage or distress.
     • Civil claims by users, IF damage is suffered.
  46. Does it matter if I don't comply?
     • We believe that the Information Commissioner's likely approach will be:
       • Reactive rather than pro-active.
       • Consensual first.
       • Proportionate to the breach.
       • More likely to take action the more privacy risk they think there is in all the circumstances.
       • Dependent on ICO resources and the political agenda.
  47. What should I be doing next?
     • Something, not nothing; make some effort at least.
     • Identify what you are using:
       • All cookies and other technologies.
       • First and third party.
       • Websites and apps.
     • Exempt? Decide whether to voluntarily apply the requirements anyway.
  48. What should I be doing next?
     • Cookies policy:
       • Remember: thorough, detailed and prominent.
       • Offer voluntary information on exempt cookies as well.
  49. What should I be doing next?
     • Implied consent method:
       • Decide what mechanism you will use to "inform" visitors to your website that they are receiving cookies.
       • Tailor your approach to your users / technologies / website.
  50. What should I be doing next?
     • Data Protection Act 1998: don't forget this.
     • If any information stored or retrieved is not kept anonymous (e.g. it is linked to an individual):
       • verify whether such usage is Data Protection Act 1998 compliant;
       • cover it in your data protection policy as well.
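The inventory step of slide 47, and the per-cookie detail that the cookies policy of slide 48 needs, as an added example that is not part of the presentation: a script that takes the Set-Cookie headers captured while browsing the audited site and turns them into one policy row per cookie (who set it, first or third party, session or persistent, lifetime, flags). The capture below is constructed, the hostnames and cookie names are illustrative, and the registrable-domain rule is a deliberately crude stand-in for the Public Suffix List a real tool would use. Purpose and exemption cannot be read from a header; those two columns are left for a person to fill in from the usage categories of slides 24 and 25.

```javascript
// Added example, not part of the Geldards presentation: a first pass at the
// "identify what you are using" step of slide 47, producing one row per cookie
// for the cookies policy of slide 48. The input is a constructed capture of the
// Set-Cookie headers seen while browsing the audited site (hostnames and cookie
// names are illustrative); registrableDomain() is a deliberately crude stand-in
// for the Public Suffix List that a real tool would use.

// Constructed capture: [host that sent the response, Set-Cookie header value].
const CAPTURE = [
  ["www.techjournal.co.uk", "id=12345; Path=/; HttpOnly"],
  ["www.techjournal.co.uk", "_ga=GA1.2.111; Expires=Wed, 10 Sep 2014 12:06:00 GMT; Domain=.techjournal.co.uk"],
  ["static.techjournal.co.uk", "lb=node3; Max-Age=300"],
  ["doubleclick.net", "trackingid=8910; Expires=Wed, 10 Sep 2200 12:06:00 GMT"],
  ["www.facebook.com", "datr=abc; Max-Age=63072000; Domain=.facebook.com"],
];

// Fixed "now" so the lifetimes are reproducible: the date of the seminar.
const NOW = Date.parse("Wed, 15 Aug 2012 00:00:00 GMT");

// Split a Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Registrable domain of a host. Assumption: two-letter country TLDs with a
// generic second level (co.uk, ac.uk, ...) take three labels, everything else two.
function registrableDomain(host) {
  const labels = host.replace(/^\./, "").split(".");
  const n = labels.length;
  const countryStyle = labels[n - 1].length === 2 &&
    ["co", "org", "ac", "gov", "net"].includes(labels[n - 2]);
  return labels.slice(-(countryStyle ? 3 : 2)).join(".");
}

// Session cookie, or persistent with its remaining lifetime in seconds.
// RFC 6265: Max-Age takes precedence over Expires when both are present.
function lifetime(attrs, now) {
  if (attrs["max-age"] !== undefined) {
    return { kind: "persistent", seconds: Number(attrs["max-age"]) };
  }
  if (attrs.expires !== undefined) {
    return { kind: "persistent", seconds: Math.round((Date.parse(attrs.expires) - now) / 1000) };
  }
  return { kind: "session", seconds: 0 };
}

// One policy row per captured cookie. `site` is the site being audited; a cookie
// whose scope is that site's registrable domain is first party, any other scope
// is third party (slide 5).
function audit(capture, site, now) {
  const siteDomain = registrableDomain(site);
  return capture.map(([host, header]) => {
    const cookie = parseSetCookie(header);
    const scope = registrableDomain(cookie.attrs.domain || host);
    const life = lifetime(cookie.attrs, now);
    return {
      name: cookie.name,
      setBy: host,
      scope,
      party: scope === siteDomain ? "first" : "third",
      lifetime: life.kind,
      days: Math.floor(life.seconds / 86400),
      httpOnly: cookie.attrs.httponly === true,
      secure: cookie.attrs.secure === true,
      purpose: null,   // to be filled in by hand from the usage categories of slides 24-25
      exempt: null,    // decided from the purpose; cannot be inferred from the header
    };
  });
}
```

Rows whose scope is a third-party domain are the ones the policy must link to the third party's own documentation and opt-out; a persistent first-party cookie with a multi-year lifetime is the one to question against the governments' preference for session-based cookies on slide 21.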
  51. Thank You