The New Data Protection Regulation and Cookie Compliance
The New Data Protection Regulation & Cookie Compliance
Simon Morrissey, Head of Technology and Commercial Data Group
Meriel Lenfestey, Director at Foolproof
23 February 2012
Agenda
• Part 1: New Data Protection Regulation
> The Context
> Key Points
• Part 2: The Cookie Law – Planning for Compliance
The Context
• A complete overhaul of existing European data protection legislation in place since 1995 and in the UK since 1998
• Key aim is to avoid fragmentation legacy by using a Regulation which will have direct effect in Member States
• Provides more legal certainty but at the expense of being more prescriptive
• Simplifies some aspects of existing compliance regime
• Provides more rights to data subjects
• Takes away cost of notification but increases burdens on business
Key Points
All consent must now be explicit (Article 4(8)) – extension of the previous rule which applied to Sensitive Personal data
• Impact: This will remove the option of form-based consents
Data must be processed in a transparent manner (Article 5(a))
• Impact: This will increase the level and quality of information data controllers will be required to provide data subjects
Key Points cont
The data processed must be the minimum necessary for the purpose – compare with the old “not excessive” rule (Article 5(c))
• Impact: Greater scrutiny of the type of personal data collected, eg date of birth
Parental consent is required to collect data of children under 13 (currently no mandated age) (Article 8(1))
Wider definition of Personal Data (Article 4(1) & (2))
Key Points cont
Article 3 - New law applies to the processing of personal data of data subjects residing in the EU where the processing relates to:
• the offering of goods or services to such data subjects; or
• monitoring their behaviour (Article 3)
Key Points cont
The right to be forgotten (Article 17) – includes obligations to inform third parties of a data subject’s wishes who the controller has authorised to publish personal data
The data subject’s right to object (Article 19)
The data subject’s right to object to automated profiling (Article 20)
Key Points cont
Notification regime to be replaced by accountability principle (Article 22)
• Impact: Controllers will be required to demonstrate how they comply with data protection law rather than just pay a notification fee
Data protection by design and by default (Article 23)
• Impact: Controllers will be required to implement technical and organisational measures to ensure compliance
Key Points cont
New rules relating to the engagement of data processors (Article 26)
• Processors may only enlist sub-processors with the prior permission of the controller
• Potential for data processors to become joint controllers
• Impact: Appointment of processors will be governed by more robust rules on controllers and processors
Key Points cont
Data Security (Article 30)
Processors now have statutory obligations to keep personal data secure.
• Impact: Under the old law, processors could only be liable contractually for data breaches. Now at risk of fines.
Data breach notification now mandatory for controllers and processors within 24 hours (Article 31)
Also includes obligations on controllers to notify data subjects (Article 32)
Key Points cont
Appointment of a Data Protection Officer now mandatory for controllers and processors who are employing over 250 people or where the processing requires regular and systematic monitoring of data subjects (Article 35)
International Transfers of Data (Articles 40-44)
• territories and processing sectors can now be designated as “adequate” or “inadequate”
• ICO can now validate terms of a data transfer agreement as adequate
• simplification of Binding Corporate Rules
Key Points cont
Enforcement (Article 79)
• New written warning sanction for companies under 250 persons for whom processing is only an ancillary activity
• 0.5% fine of annual worldwide turnover for breaches of subject access requests
• 1% fine of annual worldwide turnover for certain breaches
• 2% fine of annual worldwide turnover for certain breaches
Questions?
Thank you
EU Cookies for Lewis Silkin Breakfast Briefing
Meriel Lenfestey, Partner
© Flow Interactive. All rights reserved.
Me ...
Founder of and a Director and Partner at
Interaction Designer with a strong focus on user centred methodologies
Recently worked with 6 global & national FS brands to help specify cookies solutions
Cookies Landscape
Panel headings on this slide: INFORMED CONSENT; TYPE OF INFORMATION; UNAMBIGUOUS; INFORMED; CONSENT ACTION; CONSENT; TIMING OF CONSENT; PROOF OF CONSENT; WITHDRAWING CONSENT; JUST COOKIES?
• Feature led consent: Provided you make it clear to the user that by choosing to take a particular action then certain things will happen you may interpret this as their consent
• consent by the data subject (must be) based upon an appreciation and understanding of the facts and implications of an action
• the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent ... It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale.
• To be valid, consent must be informed. This implies that all the necessary information must be given at the moment the consent is requested, and that this should address the substantive aspects of the processing that the consent is intended to legitimise.
• For consent to be unambiguous, the procedure to seek and to give consent must leave no doubt as to the data subject's intention to deliver consent.
• the ambiguity of a passive response will make it difficult to fulfil the requirements of the Directive
• The indication by which the data subject signifies his agreement must leave no room for ambiguity regarding his/her intent
• The way the information is given (in plain text, without use of jargon, understandable, conspicuous) is crucial in assessing whether the consent is “informed”. The way in which this information should be given depends on the context: a regular/average user should be able to understand it.
• The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent
• The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject's wishes, and to be understandable by the data controller.
• could include a handwritten signature affixed at the bottom of a paper form, but also oral statements to signify agreement, or a behaviour from which consent can be reasonably concluded.
• The words “indication” and “signifying” point in the direction of an action indeed being needed (as opposed to a situation where consent could be inferred from a lack of action)
• Any attempt to gain consent that relies on users’ ignorance about what they are agreeing to is unlikely to be compliant.
• Both the quality of information (plain text without jargon) and the accessibility/visibility are important.
• It is essential that the data subject is given the opportunity to make a decision and to express it, for instance by ticking the box himself, in view of the purpose of the data processing
• Where the feature is provided by a third party you may need to make users aware of this and point them to information on how the third party might use cookies and similar technologies so that the user is able to make an informed choice
• you could ... set a cookie and infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site
• While Article 5(3) does not use the word prior, this is a clear and obvious conclusion from the wording of the provision.
• The Opinion distinguishes the wording of the previous article 5(3) (“and is offered the right to refuse such processing”) with the new wording (“only allowed on condition that the subscriber or user concerned has given his or her consent”)
• Obtaining consent before the processing of data starts is an essential condition to legitimise the processing of data
• The more complex or intrusive the activity the more information you will have to provide.
• To be valid, consent must be specific. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable.
• Text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device
• websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options
• consent should be verifiable
• Individuals who have consented should be able to withdraw their consent, preventing further processing of their data
• Regulations also apply to similar technologies to cookies e.g. Local shared objects such as Flash cookies
The LAW
• The subscriber or user... has given his or her consent
• INFORMED: ...is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information
• APPLICATION: Shall not apply… where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
• Aimed at any electronic communications network that is used to store or access information held on the terminal equipment of a user (i.e. a user’s device)
INFORMATION SOCIETY SERVICE
• Definition ‘information society service’: any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service
STRICTLY NECESSARY
• Definition of strictly necessary is a narrow one. It might apply to a [shopping basket]
• Essential (rather than reasonably necessary) to provide the service requested by the user. Note this excludes what might be essential for any other uses the service provider might wish to make of that data
• Service must have been “explicitly requested”
Key
• Privacy and Electronic Communications (EC Directive) Regulations 2003
• Article 29 data protection working party
• ICO guidance on http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx
• Electronic Commerce (EC Directive) Regulations 2002
• Lewis Silkin published opinion to industry Guidance
Our clients’ Cookies
• Aggregator
• Hardware & software
• Targeted external content e.g. Ads (behaviour / profile driven)
• Service provider
• Provider use of analytics data (e.g. Google, Facebook)
• Authentication
• Accessibility
• Targeted internal content (behaviour / profile driven)
• Auto-save for return visit
• Remember me
• Cookies cookie
• Settings & preferences
• Analytics
• Core service e.g. Shopping basket
• Mortgage calculator
• 3rd party content e.g. Twitter
• Save progress
Cookie Categories
Category labels on the slide: Security; Auto-tailor; Manual tailor; Process; MI
Cookie uses shown: Authentication; Remember me; Accessibility; Hardware & software; Targeted internal content (behaviour / profile driven); Targeted external content e.g. Ads (behaviour / profile driven); Cookies cookie; Settings & preferences; 3rd party content e.g. Twitter; Mortgage calculator; Aggregator; Service provider; Core service e.g. Shopping basket; Save progress; Auto-save for return visit; Analytics
Cookie Categories & Levels of Intrusiveness
• Level 0: Strictly necessary for the core service and explicitly requested by the user
• Level 1: Mostly client* only and low intrusiveness as no profiling. Internal use only
• Level 2: Either not user initiated or includes profiling. Internal use only
• Level 3: 3rd party access to data
Category labels on the slide: Security; Auto-tailor; Manual tailor; Process; MI
Cookie uses shown: Authentication; Remember me; Accessibility; Hardware & software; Cookies cookie; Targeted internal content (behaviour / profile driven); Targeted external content e.g. Ads (behaviour / profile driven); Settings & preferences; Core service e.g. Shopping basket; Save progress; Mortgage calculator; Auto-save for return visit; Aggregator; Service provider; 3rd party content e.g. Twitter; Site only analytics data (not profiling); Provider use of analytics data (e.g. Google, Facebook)
Cookie Categories, Levels of Intrusiveness & Initiation
• Level 0: Strictly necessary for the core service and explicitly requested by the user
• Level 1: Mostly client* only and low intrusiveness as no profiling. Internal use only
• Level 2: Either not user initiated or includes profiling. Internal use only
• Level 3: 3rd party access to data
Category labels on the slide: Security; Auto-tailor; Manual tailor; Process; MI
Cookie uses shown: Authentication; Remember me; Accessibility; Hardware & software; Cookies cookie; Targeted internal content (behaviour / profile driven); Targeted external content e.g. Ads (behaviour / profile driven); Settings & preferences; Core service e.g. Shopping basket; Save progress; Mortgage calculator; Auto-save for return visit; Aggregator; Service provider; 3rd party content e.g. Twitter; Site only analytics data (not profiling); Provider use of analytics data (e.g. Google, Facebook)
Legal requirements for Consent & Informed
• Level 0 (Strictly necessary for the core service and explicitly requested by the user): Authentication; Accessibility; Shopping basket
• Level 1 (Mostly client only and low intrusiveness as no profiling. Internal use only): Remember me; Hardware & software; Cookies cookie; Settings & preferences; Save progress; Mortgage calculator
• Level 2 (Either not user initiated or includes profiling. Internal use only): Targeted internal content (behaviour / profile driven); Auto-save for return visit
• Level 3 (3rd party access to data): Targeted external content e.g. Ads (behaviour / profile driven); Aggregator; Service provider; 3rd party content e.g. Twitter; Provider use of analytics data (e.g. Google, Facebook)
• Also listed: Site only analytics data (not profiling)
CONSENT: Provable, prior, explicit, informed
INFORMED: Summary to support informed consent with detail available; Description of category of use
Guidance for Consent & Informed
• Level 0 (Strictly necessary for the core service and explicitly requested by the user): Authentication; Accessibility; Shopping basket
• Level 1 (Mostly client* only and low intrusiveness as no profiling. Internal use only): Remember me; Hardware & software; Cookies cookie; Settings & preferences; Save progress; Mortgage calculator
• Level 2 (Either not user initiated or includes profiling. Internal use only): Targeted internal content (behaviour / profile driven); Auto-save for return visit
• Level 3 (3rd party access to data): Targeted external content e.g. Ads (behaviour / profile driven); Aggregator; Service provider; 3rd party content e.g. Twitter; Provider use of analytics data (e.g. Google, Facebook)
• Also listed: Site only analytics data (not profiling)
CONSENT: Provable, prior, explicit, informed; Inferred, ASAP
INFORMED: Description of category of use; Summary to support informed consent with detail available
Solutions
• Level 0 (Strictly necessary for the core service and explicitly requested by the user): Authentication; Accessibility; Shopping basket
• Level 1 (Mostly client* only and low intrusiveness as no profiling. Internal use only): Remember me; Hardware & software; Cookies cookie; Settings & preferences; Save progress; Mortgage calculator
• Level 2 (Either not user initiated or includes profiling. Internal use only): Targeted internal content (behaviour / profile driven); Auto-save for return visit
• Level 3 (3rd party access to data): Targeted external content e.g. Ads (behaviour / profile driven); Aggregator; Service provider; 3rd party content e.g. Twitter; Provider use of analytics data (e.g. Google, Facebook)
• Also listed: Site only analytics data (not profiling)
INFORMED:
Ignore !!!
Include information in context for user initiated cookies, and / or include in single consent description at start of session: “Allowing cookies lets you shape the service to your needs, use the interactive services on our site and stand up and be counted.”
Include in single consent description at start of session: “We use cookies to provide a useful & relevant service for every user and understand how people use the service so that we can keep improving.”
Prior to consent for user initiated cookies, or include on cookies page for sake of openness and completeness, or contracts with your partners / providers / customers
Solutions
• Level 0 (Strictly necessary for the core service and explicitly requested by the user): Authentication; Accessibility; Shopping basket
• Level 1 (Mostly client* only and low intrusiveness as no profiling. Internal use only): Remember me; Hardware & software; Cookies cookie; Settings & preferences; Save progress; Mortgage calculator
• Level 2 (Either not user initiated or includes profiling. Internal use only): Targeted internal content (behaviour / profile driven); Auto-save for return visit
• Level 3 (3rd party access to data): Targeted external content e.g. Ads (behaviour / profile driven); Aggregator; Service provider; 3rd party content e.g. Twitter; Provider use of analytics data (e.g. Google, Facebook)
• Also listed: Site only analytics data (not profiling)
CONSENT (grid labelled RISK and IMPACT): Do nothing; Single inform; Inferred / delayed consent; Prior / Informed consent
Simple Rules for Design Solutions
Consent must be informed and provable
Consent is needed for the purpose... not the data... or the object
[Diagram labels: Cookie, data, purpose]
Consent must be the path of least resistance
[Diagram labels: start, consent, use of service]
The chance of gaining consent is a product of ease, benefit and confidence
$\text{probability of consent} = \frac{\text{ease}}{\text{difficulty}} \times \frac{\text{benefit}}{\text{cost}} \times \frac{\text{trust}}{\text{anxiety}}$
Level 1 & 2 single consent (as lightbox)
Default to accept – but clearly label the button
Allow continue without cookies consent (if possible)
Commercial decisions:
• Do you allow them to say no?
• How many people will you lose? Or will not consent?
Notify on Action for Level 1 & 2
Consent already given
Consent not given so features which will use a cookie show cookies icon ...
... and display a description of how cookie is used on rollover
Level 3 gateway consent
Default to accept – but clearly label the button
Allow continue without cookies consent (if possible)
Commercial decisions:
• Should you focus on this area to remain in the spirit of the law if you are not fully compliant elsewhere?
Single inform (Inferred consent)
Banner visible on entry to site but not highlighted.
We would recommend that when a link is rolled over the banner highlights
Commercial Questions:
• Do you write any cookies on arrival at this page?
• Do you offer people the chance to opt out at this stage? Perhaps via an information page.
• Do you offer the chance to ‘close’ the banner by providing active consent?
• Is this shown whenever the user returns?
• Does cookies ‘status’ remain on every page? As a message, as an icon.
• How can you ‘prove’ people see banner? E.g. Eye‐tracking research, placing more prominently
This isn’t going away. It’s the law