This presentation is from Lewis Silkin’s The New Data Protection Regulation and Cookie Compliance breakfast briefing on the 23 February 2012. Simon Morrissey, Lewis Silkin, and Meriel Lenfestey, Foolproof, look at the new Data Protection Regulations and some of the options available when thinking about cookie compliance and the end user experience.
You can visit http://www.lewissilkin.com for more information.
The New Data Protection Regulation and Cookie Compliance
1. The New Data Protection Regulation & Cookie Compliance
Simon Morrissey
Head of Technology and Commercial Data Group
simon.morrissey@lewissilkin.com
Meriel Lenfestey
Director at Foolproof
meriel@flow-interactive.com
23 February 2012
2. Agenda
• Part 1: New Data Protection Regulation
> The Context
> Key Points
• Part 2: The Cookie Law – Planning for Compliance
3. The Context
• A complete overhaul of existing European data protection legislation in place since 1995 and in the UK since 1998
• Key aim is to avoid fragmentation legacy by using a Regulation which will have direct effect in Member States
• Provides more legal certainty but at the expense of being more prescriptive
• Simplifies some aspects of existing compliance regime
• Provides more rights to data subjects
• Takes away cost of notification but increases burdens on business
4. Key Points
All consent must now be explicit (Article 4(8)) – extension of the previous rule which applied to Sensitive Personal Data
• Impact
This will remove the option of form-based consent
Data must be processed in a transparent manner (Article 5(a))
• Impact
This will increase the level and quality of information data controllers will be required to provide data subjects
5. Key Points cont
The data processed must be the minimum necessary for the purpose – compare with the old “not excessive” rule (Article 5(c))
• Impact
Greater scrutiny of the type of personal data collected, e.g. date of birth
Parental consent is required to collect data of children under 13 (currently no mandated age) (Article 8(1))
Wider definition of Personal Data (Article 4(1) & (2))
6. Key Points cont
Article 3 – New law applies to the processing of personal data of data subjects residing in the EU where the processing relates to:
the offering of goods or services to such data subjects; or
monitoring their behaviour (Article 3)
7. Key Points cont
The right to be forgotten (Article 17) – includes obligations to inform third parties whom the controller has authorised to publish personal data of a data subject’s wishes
The data subject’s right to object (Article 19)
The data subject’s right to object to automated profiling (Article 20)
8. Key Points cont
Notification regime to be replaced by accountability principle (Article 22)
• Impact
Controllers will be required to demonstrate how they comply with data protection law rather than just pay a notification fee
Data protection by design and by default (Article 23)
• Impact
Controllers will be required to implement technical and organisational measures to ensure compliance
9. Key Points cont
New rules relating to the engagement of data processors (Article 26)
Processors may only enlist sub-processors with the prior permission of the controller
Potential for data processors to become joint controllers
• Impact
Appointment of processors will be governed by more robust rules on controllers and processors
10. Key Points cont
Data Security (Article 30)
Processors now have statutory obligations to keep personal data secure.
• Impact
Under the old law, processors could only be liable contractually for data breaches. Now at risk of fines.
Data breach notification now mandatory for controllers and processors within 24 hours (Article 31)
Also includes obligations on controllers to notify data subjects (Article 32)
11. Key Points cont
Appointment of a Data Protection Officer now mandatory for controllers and processors who are employing over 250 people or where the processing requires regular and systematic monitoring of data subjects (Article 35)
International Transfers of Data (Articles 40-44)
territories and processing sectors can now be designated as “adequate” or “inadequate”
ICO can now validate terms of a data transfer agreement as adequate
simplification of Binding Corporate Rules
12. Key Points cont
Enforcement (Article 79)
New written warning sanction for companies under 250 persons for whom processing is only an ancillary activity
0.5% fine of annual worldwide turnover for breaches of subject access requests
1% fine of annual worldwide turnover for certain breaches
2% fine of annual worldwide turnover for certain breaches
16. Me ...
Founder of and a Director and Partner at
Interaction Designer with a strong focus on user centred methodologies
Recently worked with 6 global & national FS brands to help specify cookies solutions
18.
The LAW
The subscriber or user... has given his or her consent
...is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information
Shall not apply… where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
INFORMED CONSENT
• consent by the data subject (must be) based upon an appreciation and understanding of the facts and implications of an action
• To be valid, consent must be informed. This implies that all the necessary information must be given at the moment the consent is requested, and that this should address the substantive aspects of the processing that the consent is intended to legitimise. The way the information is given (in plain text, without use of jargon, understandable, conspicuous) is crucial in assessing whether the consent is “informed”. The way in which this information should be given depends on the context: a regular/average user should be able to understand it.
• The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent
• Any attempt to gain consent that relies on users’ ignorance about what they are agreeing to is unlikely to be compliant.
• Both the quality of information (plain text without jargon) and the accessibility/visibility are important.
UNAMBIGUOUS
• For consent to be unambiguous, the procedure to seek and to give consent must leave no doubt as to the data subject's intention to deliver consent. The indication by which the data subject signifies his agreement must leave no room for ambiguity regarding his/her intent
• the ambiguity of a passive response will make it difficult to fulfil the requirements of the Directive
• The words “indication” and “signifying” point in the direction of an action indeed being needed (as opposed to a situation where consent could be inferred from a lack of action)
CONSENT ACTION
• The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject's wishes, and to be understandable by the data controller.
• It is essential that the data subject is given the opportunity to make a decision and to express it, for instance by ticking the box himself, in view of the purpose of the data processing
• could include a handwritten signature affixed at the bottom of a paper form, but also oral statements to signify agreement, or a behaviour from which consent can be reasonably concluded.
• Feature led consent: Provided you make it clear to the user that by choosing to take a particular action then certain things will happen you may interpret this as their consent
• you could ... set a cookie and infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site
TYPE OF INFORMATION
• To be valid, consent must be specific. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable.
• Text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device
• The more complex or intrusive the activity the more information you will have to provide.
• the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent ... It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale.
• Where the feature is provided by a third party you may need to make users aware of this and point them to information on how the third party might use cookies and similar technologies so that the user is able to make an informed choice
TIMING OF CONSENT
• The Opinion distinguishes the wording of the previous article 5(3) (“and is offered the right to refuse such processing”) with the new wording (“only allowed on condition that the subscriber or user concerned has given his or her consent”)
• While Article 5(3) does not use the word prior, this is a clear and obvious conclusion from the wording of the provision.
• Obtaining consent before the processing of data starts is an essential condition to legitimise the processing of data
• websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options
PROOF OF CONSENT
• consent should be verifiable
WITHDRAWING CONSENT
• Individuals who have consented should be able to withdraw their consent, preventing further processing of their data
STRICTLY NECESSARY
• Definition of strictly necessary is a narrow one. It might apply to a [shopping basket]
• Essential (rather than reasonably necessary) to provide the service requested by the user. Note this excludes what might be essential for any other uses the service provider might wish to make of that data
• Service must have been “explicitly requested”
INFORMATION SOCIETY SERVICE
• Definition ‘information society service’: any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service
APPLICATION
• Aimed at any electronic communications network that is used to store or access information held on the terminal equipment of a user (i.e. a user’s device)
JUST COOKIES?
• Regulations also apply to similar technologies to cookies e.g. Local shared objects such as Flash cookies
Key
Privacy and Electronic Communications (EC Directive) Regulations 2003
Article 29 data protection working party
ICO guidance on http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx
Electronic Commerce (EC Directive) Regulations 2002
Lewis Silkin published opinion to industry Guidance
19. Our clients’ Cookies
Hardware & software cookies
Aggregator
Targeted external content e.g. Ads (behaviour / profile driven)
Provider use of analytics data (e.g. Google, Facebook)
Service provider
Accessibility
Auto-save for return visit
Targeted internal content (behaviour / profile driven)
Authentication
Analytics cookies
Settings & preferences
Remember me cookie
3rd party content e.g. Twitter
Save progress
Core service e.g. Mortgage calculator
Shopping basket
20. Cookie Categories
Security: Authentication; Remember me cookie
Auto-tailor: Accessibility; Hardware & software cookies; Targeted internal content (behaviour / profile driven); Targeted external content e.g. Ads (behaviour / profile driven)
Manual tailor: Settings & preferences; 3rd party content e.g. Twitter
Process: Core service e.g. Shopping basket, Mortgage calculator; Save progress; Auto-save for return visit; Aggregator; Service provider
MI: Analytics
21. Cookie Categories & Levels of Intrusiveness
Level 0 – Strictly necessary for the core service and explicitly requested by the user
Level 1 – Mostly client* only and low intrusiveness as no profiling. Internal use only
Level 2 – Either not user initiated or includes profiling. Internal use only
Level 3 – 3rd party access to data
Security: Level 0 Authentication; Level 1 Remember me cookie
Auto-tailor: Level 1 Accessibility, Hardware & software cookies; Level 2 Targeted internal content (behaviour / profile driven); Level 3 Targeted external content e.g. Ads (behaviour / profile driven)
Manual tailor: Level 1 Settings & preferences; Level 3 3rd party content e.g. Twitter
Process: Level 0 Core service e.g. Shopping basket, Mortgage calculator; Level 1 Save progress, Auto-save for return visit; Level 3 Aggregator, Service provider
MI: Level 1 Site only analytics data (not profiling); Level 3 Provider use of analytics data (e.g. Google, Facebook)
22. Cookie Categories, Levels of Intrusiveness & Initiation
(Same categories and levels table as slide 21.)
23. Legal requirements for Consent & Informed
(Level 0 / Level 1 / Level 2 / Level 3 and their cookie categories as in slide 21)
CONSENT: Provable, prior, explicit, informed
INFORMED: Summary to support informed consent with detail available; Description of category of use
24. Guidance for Consent & Informed
(Level 0 / Level 1 / Level 2 / Level 3 and their cookie categories as in slide 21)
CONSENT: Inferred, ASAP (Levels 1 & 2); Provable, prior, explicit, informed (Level 3)
INFORMED: Summary to support informed consent with detail available; Description of category of use
25. Solutions
(Level 0 / Level 1 / Level 2 / Level 3 and their cookie categories as in slide 21)
INFORMED
Level 0: Ignore, or include on cookies page for sake of openness and completeness
Levels 1 & 2: Include information in context for user initiated cookies, and / or include in single consent description at start of session:
“Allowing cookies lets you shape the service to your needs, use the interactive services on our site and stand up and be counted.”
“We use cookies to provide a useful & relevant service for every user and understand how people use the service so that we can keep improving.”
Level 3: !!! Prior to consent for user initiated cookies, or contracts with your partners / providers / customers
26. Solutions
(Level 0 / Level 1 / Level 2 / Level 3 and their cookie categories as in slide 21)
CONSENT options, from RISK to IMPACT, per level (Level 0 | Level 1 | Level 2 | Level 3; cells spanning several levels appear once):
RISK
Do nothing
Do nothing | Do nothing | Single inform | Single inform
Do nothing | Single inform | Prior / Informed consent
Do nothing | Inferred / delayed consent | Prior / Informed consent
Do nothing | Prior / Informed consent
IMPACT
27. Simple Rules for Design Solutions
Consent must be informed and provable
Consent is needed for the purpose... not the data... or the object (purpose → Cookie; purpose → data; purpose)
Consent must be the path of least resistance (start → consent → use of service)
The chance of gaining consent is a product of ease, benefit and confidence:
(ease / difficulty) x (benefit / cost) x (trust / anxiety) = probability of consent
28. Level 1 & 2 single consent (as lightbox)
Default to accept – but clearly label the button
Allow continue without cookies consent (if possible)
Commercial decisions:
• Do you allow them to say no?
• How many people will you lose? Or will not consent?
29. Notify on Action for Level 1 & 2
Consent already given
Consent not given, so features which will use a cookie show a cookies icon ... and display a description of how the cookie is used on rollover
30. Level 3 gateway consent
Default to accept – but clearly label the button
Allow continue without cookies consent (if possible)
Commercial decisions:
• Should you focus on this area to remain in the spirit of the law if you are not fully compliant elsewhere?
31. Single inform (Inferred consent)
Commercial Questions:
• Do you write any cookies on arrival at this page?
• Do you offer people the chance to opt out at this stage? Perhaps via an information page.
• Do you offer the chance to ‘close’ the banner by providing active consent?
• Is this shown whenever the user returns?
• Does cookies ‘status’ remain on every page? As a message, as an icon.
• How can you ‘prove’ people see the banner? E.g. eye‐tracking research, placing more prominently
Banner visible on entry to site but not highlighted.
We would recommend that when a link is rolled over the banner highlights
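The following is an added example, not code from the Lewis Silkin / Foolproof slides. It turns the category-to-level table of slide 21 and the consent options of slides 26 to 31 (do nothing for Level 0, single inform / inferred consent for Levels 1 & 2, prior explicit consent at a gateway for Level 3) into a decision function a site would run before writing any cookie, with a timestamped consent log so that consent is provable as slide 27 requires. The category names are the deck's; the function names (cookieDecision, recordConsent, cookiesAllowedOnArrival, planCookies), the shape of the consent record, and the reading that inferred consent is acceptable for Level 1 only while Levels 2 and 3 need an explicit answer are assumptions made for this example. It has no DOM dependency and runs under Node; actually writing the cookie is left to the caller.

```javascript
// Cookie category -> level of intrusiveness, from the "Cookie Categories &
// Levels of Intrusiveness" table in the deck.
//   0: strictly necessary for the core service and explicitly requested
//   1: mostly client only, no profiling, internal use only
//   2: not user initiated or includes profiling, internal use only
//   3: third party access to the data
const CATEGORY_LEVEL = {
  authentication: 0,
  shoppingBasket: 0,
  mortgageCalculator: 0,
  rememberMe: 1,
  accessibility: 1,
  hardwareSoftware: 1,
  settingsPreferences: 1,
  saveProgress: 1,
  autoSaveReturnVisit: 1,
  siteOnlyAnalytics: 1,
  targetedInternalContent: 2,
  targetedExternalAds: 3,
  aggregator: 3,
  serviceProvider: 3,
  thirdPartyContent: 3,
  providerAnalytics: 3,
};

// Consent record kept per visitor (the shape is an assumption of this example).
//   informed: the single-inform banner or lightbox has been shown
//   levels12: explicit answer for Level 1 & 2 cookies (true/false), null if none
//   level3:   explicit, prior answer at the Level 3 gateway, null if none
//   log:      timestamped history so consent is provable, not just assumed
function newConsentState() {
  return { informed: false, levels12: null, level3: null, log: [] };
}

// Apply a change (e.g. { levels12: true }) and append it to the log.
// Returns a new object; the previous state is left untouched.
function recordConsent(state, change, now = Date.now()) {
  return { ...state, ...change, log: [...state.log, { at: now, ...change }] };
}

// Decide whether one cookie may be written right now. `opts.userInitiated`
// marks a cookie set in response to the user's own action, which is the
// situation in which inferred consent is being relied upon.
function cookieDecision(category, state, opts = {}) {
  const level = CATEGORY_LEVEL[category];
  if (level === undefined) {
    // An uncatalogued cookie is treated as Level 3 rather than let through.
    return { allowed: false, level: 3, reason: 'unknown-category' };
  }
  if (level === 0) {
    return { allowed: true, level, reason: 'strictly-necessary' };
  }
  if (level === 3) {
    // Gateway consent: explicit and prior; never inferred from behaviour.
    return state.level3 === true
      ? { allowed: true, level, reason: 'explicit-consent' }
      : { allowed: false, level, reason: 'needs-prior-consent' };
  }
  // Levels 1 and 2: an explicit lightbox answer settles it either way.
  if (state.levels12 === true) return { allowed: true, level, reason: 'explicit-consent' };
  if (state.levels12 === false) return { allowed: false, level, reason: 'declined' };
  // No explicit answer yet. Inferred consent (user saw the notice and carried
  // on using the feature) is only accepted for Level 1 in this example.
  if (level === 1 && state.informed && opts.userInitiated === true) {
    return { allowed: true, level, reason: 'inferred-consent' };
  }
  return { allowed: false, level, reason: 'needs-consent' };
}

// "Do you write any cookies on arrival at this page?" Run against a fresh
// visitor: only Level 0 categories may be written before any notice is shown.
function cookiesAllowedOnArrival(categories) {
  const fresh = newConsentState();
  return categories.filter((c) => cookieDecision(c, fresh).allowed);
}

// Split a page's planned cookies into allowed and blocked, with reasons the UI
// can act on (e.g. show the cookies icon and rollover text for 'needs-consent').
function planCookies(categories, state, opts) {
  const allowed = [];
  const blocked = [];
  for (const category of categories) {
    const decision = cookieDecision(category, state, opts);
    (decision.allowed ? allowed : blocked).push({ category, ...decision });
  }
  return { allowed, blocked };
}
```

Because every decision carries a reason, the same function drives the three UI patterns in the deck: a 'needs-consent' result for a Level 1 or 2 cookie is what the notify-on-action icon of slide 29 reacts to, 'needs-prior-consent' is what sends the user to the Level 3 gateway of slide 30, and the log entries answer the "how can you prove" question of slide 31 for consent itself.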