This presentation is from Lewis Silkin’s The New Data Protection Regulation and Cookie Compliance breakfast briefing on 23 February 2012. Simon Morrissey, Lewis Silkin, and Meriel Lenfestey, Foolproof, look at the new Data Protection Regulation and some of the options available when thinking about cookie compliance and the end user experience.
You can visit http://www.lewissilkin.com for more information.
The New Data Protection Regulation and Cookie Compliance
1. The New Data Protection Regulation & Cookie Compliance
Simon Morrissey
Head of Technology and Commercial Data Group
simon.morrissey@lewissilkin.com
Meriel Lenfestey
Director at Foolproof
meriel@flow-interactive.com
23 February 2012
2. Agenda
• Part 1
New Data Protection Regulation
> The Context
> Key Points
• Part 2
The Cookie Law – Planning for Compliance
3. The Context
• A complete overhaul of existing European data protection legislation in place since 1995 and in the UK since 1998
• Key aim is to avoid fragmentation legacy by using a Regulation which will have direct effect in Member States
• Provides more legal certainty but at the expense of being more prescriptive
• Simplifies some aspects of existing compliance regime
• Provides more rights to data subjects
• Takes away cost of notification but increases burdens on business
4. Key Points
All consent must now be explicit (Article 4(8)) – extension of the previous rule which applied to Sensitive Personal Data
• Impact
This will remove the option of form-based consent
Data must be processed in a transparent manner (Article 5(a))
• Impact
This will increase the level and quality of information data controllers will be required to provide data subjects
5. Key Points cont
The data processed must be the minimum necessary for the purpose – compare with the old “not excessive” rule (Article 5(c))
• Impact
Greater scrutiny of the type of personal data collected, eg date of birth
Parental consent is required to collect data of children under 13 (currently no mandated age) (Article 8(1))
Wider definition of Personal Data (Article 4(1) & (2))
6. Key Points cont
Article 3 – New law applies to the processing of personal data of data subjects residing in the EU where the processing relates to:
• the offering of goods or services to such data subjects; or
• monitoring their behaviour (Article 3)
7. Key Points cont
The right to be forgotten (Article 17) – includes obligations to inform third parties, whom the controller has authorised to publish personal data, of a data subject’s wishes
The data subject’s right to object (Article 19)
The data subject’s right to object to automated profiling (Article 20)
8. Key Points cont
Notification regime to be replaced by accountability principle (Article 22)
• Impact
Controllers will be required to demonstrate how they comply with data protection law rather than just pay a notification fee
Data protection by design and by default (Article 23)
• Impact
Controllers will be required to implement technical and organisational measures to ensure compliance
9. Key Points cont
New rules relating to the engagement of data processors (Article 26)
Processors may only enlist sub-processors with the prior permission of the controller
Potential for data processors to become joint controllers
• Impact
Appointment of processors will be governed by more robust rules on controllers and processors
10. Key Points cont
Data Security (Article 30)
Processors now have statutory obligations to keep personal data secure.
• Impact
Under the old law, processors could only be liable contractually for data breaches. Now at risk of fines.
Data breach notification now mandatory for controllers and processors within 24 hours (Article 31)
Also includes obligations on controllers to notify data subjects (Article 32)
11. Key Points cont
Appointment of a Data Protection Officer now mandatory for controllers and processors who are employing over 250 people or where the processing requires regular and systematic monitoring of data subjects (Article 35)
International Transfers of Data (Articles 40-44)
• territories and processing sectors can now be designated as “adequate” or “inadequate”
• ICO can now validate terms of a data transfer agreement as adequate
• simplification of Binding Corporate Rules
12. Key Points cont
Enforcement (Article 79)
• New written warning sanction for companies under 250 persons for whom processing is only an ancillary activity
• 0.5% fine of annual worldwide turnover for breaches of subject access requests
• 1% fine of annual worldwide turnover for certain breaches
• 2% fine of annual worldwide turnover for certain breaches
16. Me ...
Founder of and a Director and Partner at
Interaction Designer with a strong focus on user centred methodologies
Recently worked with 6 global & national FS brands to help specify cookies solutions
18. Informed Consent
Key sources:
• Privacy and Electronic Communications (EC Directive) Regulations 2003
• Article 29 Data Protection Working Party (the Opinion)
• ICO guidance on cookies: http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx
• Electronic Commerce (EC Directive) Regulations 2002
• Lewis Silkin published opinion to industry guidance
THE LAW
Storage of, or access to, information on a user’s device is “only allowed on condition that the subscriber or user concerned has given his or her consent”, having been provided with clear and comprehensive information about the purposes of the storage of, or access to, that information. This “shall not apply … where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.”
TIMING OF CONSENT
Obtaining consent before the processing of data starts is an essential condition to legitimise the processing of data. “While Article 5(3) does not use the word prior, this is a clear and obvious conclusion from the wording of the provision.” The Opinion distinguishes the wording of the previous Article 5(3) (“and is offered the right to refuse such processing”) from the new wording (“only allowed on condition that the subscriber or user concerned has given his or her consent”). Websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options.
PROOF OF CONSENT
Consent should be verifiable.
WITHDRAWING CONSENT
Individuals who have consented should be able to withdraw their consent, preventing further processing of their data.
UNAMBIGUOUS
“For consent to be unambiguous, the procedure to seek and to give consent must leave no doubt as to the data subject’s intention to deliver consent. The indication by which the data subject signifies his agreement must leave no room for ambiguity regarding his/her intent.” The ambiguity of a passive response will make it difficult to fulfil the requirements of the Directive. “The words ‘indication’ and ‘signifying’ point in the direction of an action indeed being needed (as opposed to a situation where consent could be inferred from a lack of action).” It is essential that the data subject is given the opportunity to make a decision and to express it, for instance by ticking the box himself, in view of the purpose of the data processing.
CONSENT ACTION
“The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject’s wishes, and to be understandable by the data controller.” It could include a handwritten signature affixed at the bottom of a paper form, but also oral statements to signify agreement, or a behaviour from which consent can be reasonably concluded.
Feature led consent: provided you make it clear to the user that by choosing to take a particular action then certain things will happen, you may interpret this as their consent. The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent. You could … set a cookie and infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site. Any attempt to gain consent that relies on users’ ignorance about what they are agreeing to is unlikely to be compliant.
INFORMED CONSENT
Consent by the data subject (must be) based upon an appreciation and understanding of the facts and implications of an action. “To be valid, consent must be informed. This implies that all the necessary information must be given at the moment the consent is requested, and that this should address the substantive aspects of the processing that the consent is intended to legitimise. The way the information is given (in plain text, without use of jargon, understandable, conspicuous) is crucial in assessing whether the consent is ‘informed’. The way in which this information should be given depends on the context: a regular/average user should be able to understand it.” Both the quality of information (plain text without jargon) and the accessibility/visibility are important.
TYPE OF INFORMATION
Text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device. The more complex or intrusive the activity, the more information you will have to provide. Where the feature is provided by a third party you may need to make users aware of this and point them to information on how the third party might use cookies and similar technologies so that the user is able to make an informed choice. To be valid, consent must be specific. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable.
The more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent … It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately, providing more information and offering more detailed choices at the intrusive end of the scale.
APPLICATION – JUST COOKIES?
Aimed at any electronic communications network that is used to store or access information held on the terminal equipment of a user (i.e. a user’s device). The Regulations also apply to similar technologies to cookies, e.g. local shared objects such as Flash cookies.
STRICTLY NECESSARY
The definition of strictly necessary is a narrow one. It might apply to a [shopping basket]. Essential (rather than reasonably necessary) to provide the service requested by the user. Note this excludes what might be essential for any other uses the service provider might wish to make of that data. The service must have been “explicitly requested”.
INFORMATION SOCIETY SERVICE
Definition of ‘information society service’: any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service.
19. Our clients’ Cookies
• Hardware & software cookies
• Targeted external content e.g. Ads (behaviour / profile driven)
• Aggregator
• Service provider
• Provider use of analytics data (e.g. Google, Facebook)
• Accessibility
• Auto-save for return visit
• Targeted internal content (behaviour / profile driven)
• Authentication
• Analytics
• Settings & preferences
• Remember me cookie
• 3rd party content e.g. Twitter
• Save progress
• Core service e.g. Shopping basket, Mortgage calculator
20. Cookie Categories
• Security: Authentication; Remember me cookie
• Auto-tailor: Accessibility; Hardware & software cookies; Targeted internal content (behaviour / profile driven); Targeted external content e.g. Ads (behaviour / profile driven)
• Manual tailor: Settings & preferences
• Process: Core service e.g. Shopping basket, Mortgage calculator; Save progress; Auto-save for return visit; 3rd party content e.g. Twitter; Service provider; Aggregator
• MI: Analytics
21. Cookie Categories & Levels of Intrusiveness
Levels:
• Level 0 – Strictly necessary for the core service and explicitly requested by the user
• Level 1 – Mostly client* only and low intrusiveness as no profiling. Internal use only
• Level 2 – Either not user initiated or includes profiling. Internal use only
• Level 3 – 3rd party access to data
Categories by level:
• Security: Level 0 – Authentication; Level 1 – Remember me cookie
• Auto-tailor: Level 0 – Accessibility; Level 1 – Hardware & software cookies; Level 2 – Targeted internal content (behaviour / profile driven); Level 3 – Targeted external content e.g. Ads (behaviour / profile driven)
• Manual tailor: Level 1 – Settings & preferences
• Process: Level 0 – Core service e.g. Shopping basket, Mortgage calculator; Level 1 – Save progress; Level 2 – Auto-save for return visit; Level 3 – Aggregator, Service provider, 3rd party content e.g. Twitter
• MI: Level 2 – Site only analytics data (not profiling); Level 3 – Provider use of analytics data (e.g. Google, Facebook)
22. Cookie Categories, Levels of Intrusiveness & Initiation
(Same level definitions and category table as slide 21.)
23. Legal requirements for Consent & Informed
(Level 0–3 definitions and cookie table as on slide 21.)
CONSENT: Provable, prior, explicit, informed
INFORMED: Description of category of use; summary to support informed consent with detail available
24. Guidance for Consent & Informed
(Level 0–3 definitions and cookie table as on slide 21.)
CONSENT: Levels 1 & 2 – Inferred, ASAP; Level 3 – Provable, prior, explicit, informed
INFORMED: Description of category of use; summary to support informed consent with detail available
25. Solutions
(Level 0–3 definitions and cookie table as on slide 21.)
INFORMED
• Level 0: Ignore cookies, or include on cookies page for sake of openness and completeness
• Levels 1 & 2: Include information in context for user initiated cookies, and / or include in single consent description at start of session:
“Allowing cookies lets you shape the service to your needs, use the interactive services on our site and stand up and be counted.”
“We use cookies to provide a useful & relevant service for every user and understand how people use the service so that we can keep improving.”
• Level 3: !!! Prior to consent for user initiated cookies, or contracts with your partners / providers / customers
26. Solutions
(Level 0–3 definitions and cookie table as on slide 21.)
CONSENT
The options for each level run from “Do nothing” at the RISK end of the slide to “Prior / Informed consent” at the IMPACT end:
• Level 0: Do nothing
• Level 1: Do nothing; Single inform
• Level 2: Do nothing; Single inform; Inferred / delayed consent; Prior / Informed consent
• Level 3: Do nothing; Single inform; Prior / Informed consent
27. Simple Rules for Design Solutions
• Consent must be informed and provable
• Consent is needed for the purpose... not the data... or the object
purpose → Cookie → purpose → data → purpose
• Consent must be the path of least resistance
start → consent → use of service
• The chance of gaining consent is a product of ease, benefit and confidence
(ease / difficulty) x (benefit / cost) x (trust / anxiety) = probability of consent
28. Level 1 & 2 single consent (as lightbox)
Default to accept – but clearly label the button. Allow continue without cookies consent (if possible).
Commercial decisions:
• Do you allow them to say no?
• How many people will you lose? Or will not consent?
29. Notify on Action for Level 1 & 2
• Consent already given
• Consent not given, so features which will use a cookie show the cookies icon ... and display a description of how the cookie is used on rollover
30. Level 3 gateway consent
Default to accept – but clearly label the button. Allow continue without cookies consent (if possible).
Commercial decisions:
• Should you focus on this area to remain in the spirit of the law if you are not fully compliant elsewhere?
31. Single inform (Inferred consent)
Banner visible on entry to site but not highlighted. We would recommend that when a link is rolled over the banner highlights.
Commercial Questions:
• Do you write any cookies on arrival at this page?
• Do you offer people the chance to opt out at this stage? Perhaps via an information page.
• Do you offer the chance to ‘close’ the banner by providing active consent?
• Is this shown whenever the user returns?
• Does cookies ‘status’ remain on every page? As a message, as an icon.
• How can you ‘prove’ people see banner? E.g. Eye-tracking research, placing more prominently
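The level-based gating that slides 21 to 30 describe (Level 0 always set, Levels 1 and 2 behind the single session consent with a rollover notice, Level 3 behind its own prior explicit opt-in, every decision logged so consent is provable and withdrawal clears everything above Level 0) can be written as a small piece of client-side logic. This is an added example, not code from the slides or from Lewis Silkin or Foolproof; the cookie names, purpose strings and consent-state shape are constructed for illustration.

```javascript
// Added example (not code from the slides, Lewis Silkin or Foolproof): a consent
// gate for the deck's four intrusiveness levels. Level 0 cookies are always
// allowed; Level 1 and 2 cookies wait for the single consent given at the start
// of the session; Level 3 (third-party access) cookies need their own prior,
// explicit opt-in. Cookie names and purpose strings are constructed.

// Constructed registry: each cookie's level and the plain-language purpose that
// the cookies icon shows on rollover ("Notify on action", slide 29).
const COOKIE_REGISTRY = {
  session_id:  { level: 0, purpose: "Authentication: keeps you signed in during this visit" },
  basket:      { level: 0, purpose: "Shopping basket: remembers the items you add" },
  remember_me: { level: 1, purpose: "Remember me: skips sign-in on your next visit" },
  font_size:   { level: 1, purpose: "Accessibility: stores your display settings" },
  site_stats:  { level: 2, purpose: "Site-only analytics: counts page views, no profiling" },
  ad_profile:  { level: 3, purpose: "Targeted external ads: data shared with an ad partner" },
};

// Consent state: a session-wide flag for Levels 1 and 2, a separate explicit flag
// for Level 3, and a decision log so the site can later prove what it relied on.
function createConsentState() {
  return { singleConsent: false, level3Consent: false, log: [] };
}

function grantSingleConsent(state) { state.singleConsent = true; }
function grantLevel3Consent(state) { state.level3Consent = true; }

// Pure check: may this cookie be written under the current consent state?
function isAllowed(state, name) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) throw new Error(`Unknown cookie: ${name}`);
  if (entry.level === 0) return true;                // strictly necessary
  if (entry.level === 3) return state.level3Consent; // prior explicit consent only
  return state.singleConsent;                        // Levels 1 and 2
}

// Gate called where a feature wants to set a cookie. Every decision is logged with
// a timestamp so consent is verifiable ("Proof of consent", slide 18).
function canSetCookie(state, name) {
  const allowed = isAllowed(state, name);
  state.log.push({ name, level: COOKIE_REGISTRY[name].level, allowed, at: new Date().toISOString() });
  return allowed;
}

// Rollover text for a feature that needs a cookie the user has not consented to;
// null means no notice is needed (consent given, or the cookie is Level 0).
function rolloverNotice(state, name) {
  if (isAllowed(state, name)) return null;
  return `This feature uses a cookie. ${COOKIE_REGISTRY[name].purpose}.`;
}

// Withdrawal ("Withdrawing consent", slide 18): clear both flags and return the
// cookies the site must now delete, i.e. everything above Level 0.
function withdrawConsent(state) {
  state.singleConsent = false;
  state.level3Consent = false;
  state.log.push({ name: "*", level: null, allowed: false, at: new Date().toISOString() });
  return Object.keys(COOKIE_REGISTRY).filter((n) => COOKIE_REGISTRY[n].level > 0);
}
```

The registry is the place to record the category of use for each cookie, which is also the text a cookies page needs for the "informed" half of the requirement.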