The document discusses the e-Privacy Directive and its requirements regarding cookies and consent for data processing. It provides an overview of the legal framework under the Directive and its implementation in the UK. Key points include the requirements for clear information and consent prior to storing cookies or accessing information on a user's device. Enforcement of these rules is expected to increase, with a 12-month grace period for companies to update their practices.

1. The e-Privacy Directive & Performance Marketing Andrew Tibber Senior Associate http://www.linkedin.com/in/andrewtibber @atibber

2. About Burges Salmon UK top 50 commercial law firm Service national/international clients from Bristol/London IP & Technology Team advise on: Affiliate advertising agreements Use of 3 rd party TMs in paid-for search keywords/ads Use/abuse of social media Domain name dispute resolution Data protection/privacy

3. The e-Privacy Directive Ed Vaizey, UK Minister for Culture, Communications and Creative Industries (29 March 2011) “… a good example of a well-meaning regulation that will be very difficult to make work in practice”

4. Overview How did we get here? Legal framework – e-Privacy Directive 2002 How was it implemented in the UK? What has changed? Informed (prior?) consent Possible models for informed consent Online Behavioural Advertising Browser technology – Do Not Track Compliance ICO guidance (UK) and suggested actions Other EU states

5. Legal framework

6. Legal framework ECHR, Article 8: “(1) Everyone has the right to respect for his private and family life , his home and his correspondence.” Data Protection Directive 1995, Article 1(1) “In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data .”

7. Legal framework Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-Privacy Directive 2002”) Sets out to protect rights in ECHR; and provide equal level of protection to Data Protection Directive for personal data and privacy of users of publicly available electronic communications services Part of overarching Framework Directive, setting out regulatory framework for electronic communications infrastructure and services

8. Legal framework e-Privacy Directive 2002, Recital 24 “ The use of [spyware, web bugs, hidden identifiers etc] should be allowed only for legitimate purposes, with the knowledge of the users concerned .” e-Privacy Directive 2002, Recital 25 “… ‘ cookies’… can be a legitimate and useful tool , for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions ... [such] use should be allowed on condition that users are provided with clear and precise information … about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment … The methods for giving information, offering a right to refuse or requesting consent should be made as user friendly as possible.”

9. Legal framework e-Privacy Directive 2002, Article 5(3) “ Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user. ”

10. Legal framework Storage of or access to: Spyware Adware Cookies Google analytics Shopping cart Flash cookies (Local Shared Objects) Post-click Post-impression (PI)/post-view (PV)

11. Legal framework: Summary Legal obligations imposed by e-Privacy Directive on Member States to legislate in relation to storage of or access to cookies: clear and comprehensive information about purpose of cookies must be provided right to refuse must be offered UNLESS storage/access “strictly necessary” to provide service explicitly requested

12. Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) Regulation 6 reproduces Art 5(3) of e-Privacy Directive Regulated by Information Commissioner’s Office (ICO) Previous implementation in the UK

13. Previous implementation in the UK ICO guidance at the time – Information to be provided “… sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device should they wish to do so” ICO guidance at the time - Right to refuse “ At the very least … the user or subscriber should be given a clear choice as to whether or not they wish to allow a service provider to continue to store information on the terminal in question … Where the relevant information is included in a privacy policy … the policy should be clearly signposted at least on those pages where a user may enter a website.”

14. What has changed? Wide review of telecoms legislation led to revised EU Electronic Communications Framework (Directive 2009/136/EC, 25 November 2009) Includes amendments to the e-Privacy Directive 2002: Duty on providers of electronic communications services to notify “personal data breaches” to competent national authority New prohibitions on and right to bring proceedings for spam Cookies Penalties

15. What has changed? New recital 66 of the Amending Directive “… Where it is technically possible and effective … the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application ...”

16. What has changed? Amended Article 5(3) of the e-Privacy Directive 2002

17. What has changed? Implemented in the UK by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208) In force: 26 May 2011 Amended reg 6 of the 2003 Regulations: “ (2) [Requirement that] the subscriber or user of that terminal equipment: (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent … (3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.”

18. What has changed? Part V and sections 55A-55E of Data Protection Act 1998 to apply Gives ICO new powers to: issue enforcement/assessment/information notices (failure to comply = criminal offence) impose fines of up to £500,000 for serious breaches (“serious” = potential for “substantial damage or distress”) Continuing right for users to take civil action for damage

19. What has changed? Summary Continuing requirement to provide clear and comprehensive information Requirement of consent instead of right of refusal, ie opt-in not opt-out New enforcement powers for ICO  Informed consent

20. Informed (prior?) consent 7 April 2009 - Rejected amendment to Art 5(3) “ Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his/her prior consent , which may be given by way of using the appropriate settings of a browser or another application, after having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing.”

21. joint Council Statement, 18 November 2009 (Austria, Belgium, Estonia, Finland, Germany, Ireland, Latvia, Malta, Poland, Romania, Slovakia, Spain, UK) “ the amended Article 5(3) is not intended to alter the existing requirement that such consent be exercised as a right to refuse the use of cookies or similar technologies used for legitimate purposes” Informed (prior?) consent

22. Informed (prior?) consent Article 29 Data Protection Working Party Opinion 2/2010 on online behavioural advertising (22 June 2010) “ i) consent must be obtained before the cookie is placed and/or the information stored in the user’s terminal equipment is collected, which is usually referred to as prior consent and ii) informed consent can only be obtained if prior information about the sending and purposes of the cookie has been given to the user .”

23. Informed (prior?) consent Alexander Alvaro, European Parliament Deputy, e-Privacy Directive Rapporteur ( Privacy and Security Law Report , October 2010) “ the ‘prior consent’ formulation was considered and rejected in favor of a wording where the Parliament left more room for flexibility … Consent as defined and used in the Data Protection Directive does not have to be prior or explicit …”

24. ICO Guidance: “Changes to the rules on using cookies and similar technologies for storing information” (9 May 2011) “ You need to provide information about cookies and obtain consent before a cookie is set for the first time ” European Commission MEMO/11/320, Brussels, 23 May 2011 “… the new rules require Member States to ensure users have given their consent before such data is stored or accessed. Before being asked for their consent, the user must be given information about what the data collected about them is to be used for (e.g. targeted behavioural advertising).” Informed (prior?) consent

25. Informed (prior?) consent Ed Vaizey, UK Minister for Culture, Communications and Creative Industries, Open Letter, 24 May 2011 “… Article 5 of the revised e-Privacy Directive does not specify that the consent must be ‘prior consent’. The original text proposed by the European Parliament did do so but this was removed during negotiation ... it is possible that consent may be given after or during processing . [But] in its natural usage ‘consent’ rarely refers to a permission given after the action for which consent is being sought has been taken . This absolutely does not preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing. It also supports any approach underpinned by industry’s attempts to inform users about the specific choices available and as a result allow users to make choices (ie give consent) based on that information. Crucially, the requirement of the revised Directive is for informed consent.”

26. Possible models for informed consent Online Behavioural Advertising (OBA) Internet Advertising Bureau (IAB) UK “Good Practice Principles” (4 March 2009) N American “Self-regulatory principles for OBA (July 2009) IAB European Self-regulation for OBA (14 April 2011) 3 rd parties should give clear and comprehensible notice describing OBA collection and use practices Link to www.youronlinechoices.eu Icon in or around the ad Disclosure by web site operator of 3 rd party arrangement No segmentation for under-12s Education (eg online videos)

27. Do Not Track Response to US Federal Trade Commission proposed framework for protecting consumer privacy HTTP header notifies participants not to set tracking cookies Easy to use and understand Prevents 3 rd party cookies and flash cookies Supported by Firefox (4, 4 Mobile and 5 Beta) & IE9 Safari next BUT relies on universal buy-in “ Keep my Opt-Outs” Google Chrome extension– a “better ‘Do not Track’ mechanism” Possible models for informed consent

28. “… browsers today have not harmonized the range of cookie controls in such a way as to send one clear, standardized signal to businesses that can be used as a proxy to meet compliance and respect consumer demands … realistically it’s going to be months, if not longer, to achieve clarity at a technical level. Then there’s the question of getting users to adopt new versions of browsers with enhanced controls to further support user requirements and ease compliance efforts in this area. It’s my view that site owners and third parties need to focus on improving privacy notices and statements that inform consumers of their cookie and tracking practices. In addition, any parties engaged in tracking consumers in the EU need to address compliance as if no new browser controls emerge.” (Alex Fowler, Global Policy and Privacy Leader, Mozilla (Firefox), May 2011) Possible models for informed consent

29. What cookies are “strictly necessary”? Exception construed narrowly Includes eg shopping cart Excludes eg remembering user preferences, analytics Post-click, PI/PV cookies will be caught Browser settings cannot be used to indicate consent – for now “ You need to provide information about cookies and obtain consent before a cookie is set for the first time ” Compliance: UK ICO Guidance

30. What sort of information? Be upfront about how website operates List of cookies and description of how they work Obtaining consent Pop ups Easy option but spoils user experience Terms and conditions Make users aware of changes to Ts and Cs Positive indication that users understand & agree to changes Text in header/footer linked to further information Compliance: UK ICO Guidance

31. 3 rd party cookies “ everyone has a part to play in making sure that the user is aware of what is being collected and by whom” “ a number of initiatives that seek to ensure that users are given more and better information about how their information might be used. These will no doubt adapt to achieve compliance with the new rule but we would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device” In other words, OBA initiative not currently compliant Compliance: UK ICO Guidance

32. Phased approach to implementation of changes Lead-in period of 12 months ending in May 2012 to allow organisations to develop ways of meeting cookie-related requirements No enforcement action in this period against organisations working to address their use of cookies BUT organisations are expected to take action before May 2012 Warnings can be issued in this period if no action taken Compliance: UK ICO Guidance

33. Check what cookies you use and for what purpose Which cookies are strictly necessary Clean-up unnecessary or superseded cookies Assess how intrusive your use of cookies is The more intrusive, the greater the priority for change Tracking cookies likely to fall into this category Decide what the appropriate solutions to obtain consent are and have a realistic plan for compliance Check Ts and Cs of Affiliate Agreements – require compliance with new privacy regs and indemnity for any loss suffered for breach Compliance: Suggested actions

34. Germany existing law already required prior notice and opt-in consent for tracking: enforcement now more active Netherlands Draft bill allows for opt-out consent France draft ordinance requiring consent for any use of cookies: can be tacit or implied, eg through easily accessible notice Web analytics considered exempt by CNIL Finland In line with UK approach Belgium, Ireland, Poland, Spain Legislation still in draft Compliance: Across the EU

35. Conclusion Early days for the new regime Clarification urgently needed on consent requirement harmonised across the EU Browser technology/OBA approach may hold the key BUT they need to develop further 12-month grace period in the UK In the meantime show you are taking steps to ensure you can comply by May 2012 Audit Prioritise Plan for compliance – empower users to make informed choices

36. This presentation gives general information only and is not intended to be an exhaustive statement of the law. Although we have taken care over the information, you should not rely on it as legal advice. We do not accept any liability to anyone who does rely on its content.