4. What Privacy?
“[a]n examination of 101 popular smartphone "apps" … showed that 56 transmitted the phone's unique device ID to other companies without users' awareness or consent. Forty-seven apps transmitted the phone's location in some way. Five sent age, gender and other personal details to outsiders… Many apps don't offer even a basic form of consumer protection: written privacy policies. Forty-five of the 101 apps didn't provide privacy policies on their websites or inside the apps at the time of testing.”
Source: Wall Street Journal
http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html
7. Data Protection and the New EU Cookie Regime
ICO fines Midlothian Council £140K for data breaches
Monday 30 January 2012 09:58
8. Data Protection and the New EU Cookie Regime
• Comprehensive European and individual Member State privacy regimes
• Applies to all personal data, not just certain types of data
• Applies to all businesses, not just consumer-facing businesses
9. Data Protection and the New EU Cookie Regime
Meaning of ‘personal’ data
• Data protection protects ‘personal’ data
• Is an individual identifiable or ‘singled out’?
• ‘Anonymised’ data types can be personal:
  • IP addresses
  • UDID data
  • Hashed data
10. Data Protection and the New EU Cookie Regime
Meaning of ‘personal’ data
• An example - QR codes
  • User scans code and is directly transferred to URL
  • Website collects IP address / system / date + time data
  • User scans code and is routed through QR reader servers
  • App publisher collects mobile UDID
  • Publisher may commercialise with third parties
  • Allows for mobile tracking
• Takeaway:
  • Even ‘anonymised’ data can be ‘personal’…
  • If it’s personal, it’s protected
11. Data Protection and the New EU Cookie Regime
Key Principles:
• Fair and lawful processing
• Limited purposes
• Adequate, relevant and not excessive
• Accurate
• Kept no longer than necessary
• Processing in accordance with the data subject's rights
• Secure
• No transfer to countries without adequate protection
12. Data Protection and the New EU Cookie Regime
Consequences of compliance failures:
• Certain breaches are criminal offences
• Regulators may impose fines – now up to £500,000 in the UK and may be more in other EU jurisdictions
• Unlimited civil liability a possibility
• Disruption to business-critical data processing
• Complaints from customers, employees, suppliers etc.
• “Naming and shaming” – brand damage
• Loss of business
13. Data Protection and the New EU Cookie Regime
4. Cookies
Cookies – Revised E-Privacy Directive
• Implementation deadline was 25th May 2011
• Some states have implemented (including UK), some have not
• UK:
  • ICO has allowed “sunrise” period of 1 year before it takes any enforcement action
  • IAB self-regulatory approach praised by UK Government
14. Data Protection and the New EU Cookie Regime
How ‘cookie’ requirements have changed
Member States shall ensure that the [use of electronic communications networks to store] storing of information or [to gain] the gaining of access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned [is] has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. [and is offered the right to refuse such processing by the data controller.] This shall not prevent any technical storage or access for the sole purpose of carrying out [or facilitating] the transmission of a communication over an electronic communications network, or as strictly necessary in order [to provide] for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
15. Data Protection and the New EU Cookie Regime
The new cookie consent requirement
• Exemptions
  • ‘Strictly necessary’ to provide user-requested service
  • Carrying out transmission across a network
• Practical consequences
  • Shopping basket, security and page load cookies are OK…
  • …but everything else needs some form of consent…
  • …and impacts more than just cookies (any ‘pulled’ data)
• Browser and other application settings
  • Permitted “where technically possible and effective”
  • Regulatory view is that current browser settings are not enough
17. Data Protection and the New EU Cookie Regime
Some common misunderstandings
• “This only affects website cookie data”
  • No, the requirement applies whenever storing or accessing “information” (e.g. device fingerprinting and mobile data collection)
• “We need pop-ups to get consent”
  • No, the requirement is only to get consent. How to do this is up to you
• “Individuals must expressly consent”
  • No, with sufficient notice and control, consent for some cookies can be implied from a user’s action or inaction.
18. Data Protection and the New EU Cookie Regime
Complying with cookie legislation
• Step 1: Assess use of cookies
• Step 2: Identify necessity / intrusiveness
• Step 3: Enhance disclosures
• Step 4: Implement a consent strategy
20. Data Protection and the New EU Cookie Regime
Step 2. Assess intrusiveness
Points to consider:
2. Cookie purpose
3. Cookie expiry
4. Website itself
5. Flash cookies
Cookie matrix (session vs. persistent, 1st party vs. 3rd party):
• 1st party session cookie (e.g. language preference)
• 3rd party session cookie (e.g. secure payment)
• 1st party persistent cookie (e.g. website analytics)
• 3rd party persistent cookie (e.g. targeted advertising)
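Steps 1 and 2 (assess cookie use, then intrusiveness) as a small audit script, added here and not part of the original deck: it classifies constructed Set-Cookie headers by party, session/persistent and expiry, looks each name up in an assumed purpose register, and applies slide 15's rule that only strictly necessary or transmission cookies are exempt from consent. The host names, headers, purpose register and the intrusiveness ranking are assumptions.

```python
"""Cookie audit for Steps 1-2 of the deck: classify each observed Set-Cookie by
party, persistence and expiry, then apply slide 15's rule that only strictly
necessary / transmission cookies are exempt. All sample data is constructed."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

SITE_HOST = "shop.example"                        # assumed first-party site
NOW = datetime(2012, 1, 30, tzinfo=timezone.utc)  # fixed clock for expiry maths
# Assumed purpose register: the 'cookie log' slide 25 says to maintain.
PURPOSES = {"basket": "shopping basket", "csrf": "security", "lang": "language preference",
            "_ga": "website analytics", "adid": "targeted advertising"}
EXEMPT = {"shopping basket", "security", "page load"}  # slide 15's 'OK' list

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {lower-cased attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return name.strip(), value, attrs

def lifetime(attrs):
    """Time until expiry, or None for a session cookie; Max-Age wins over Expires."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:  # an RFC 1123 date in GMT parses to an aware datetime
        return parsedate_to_datetime(attrs["expires"]) - NOW
    return None

def assess(setting_host, header):
    """One cookie-log row: party, kind, days to expiry, purpose and consent need."""
    name, _, attrs = parse_set_cookie(header)
    first_party = setting_host == SITE_HOST or setting_host.endswith("." + SITE_HOST)
    life = lifetime(attrs)
    purpose = PURPOSES.get(name, "unknown")  # unknown purpose = candidate for removal
    return {"name": name, "party": "1st" if first_party else "3rd",
            "kind": "session" if life is None else "persistent",
            "days": None if life is None else life.days, "purpose": purpose,
            # assumed ranking from the slide's matrix: 1st-party session lowest, 3rd-party persistent highest
            "intrusiveness": int(not first_party) + int(life is not None),
            "needs_consent": purpose not in EXEMPT}

OBSERVED = [  # constructed (setting host, Set-Cookie header) pairs from one page load
    ("shop.example", "basket=7f3a; Path=/; Secure; HttpOnly"),
    ("shop.example", "lang=en; Path=/"),
    ("shop.example", "_ga=GA1.2.1; Expires=Thu, 30 Jan 2014 09:58:00 GMT; Path=/"),
    ("ads.tracker-net.example", "adid=9c1e; Max-Age=31536000; Path=/")]

def audit(observed=OBSERVED):
    return sorted((assess(h, c) for h, c in observed),
                  key=lambda r: (-r["intrusiveness"], r["name"]))
```

Running `audit()` returns the cookie log with the third-party advertising cookie first and the exempt basket cookie flagged as not needing consent.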
21. Data Protection and the New EU Cookie Regime
Step 3. Enhance disclosures
…the benefits of data minimisation!
22. Data Protection and the New EU Cookie Regime
Step 4: Implement a consent strategy
ICO Guidance on the rules on use of cookies and similar technologies
December 2011
The Regulations require that users or subscribers consent. Directive 95/46/EC (the Data Protection Directive on which the UK Data Protection Act 1998 (the DPA) is based) defines ‘the data subject’s consent’ as:
‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.
Consent must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking an icon, sending an email or subscribing to a service. The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent.
23. Data Protection and the New EU Cookie Regime
Step 4: Implement a consent strategy
• No certainty as to what will be required
  • Pop-up windows? Consent Banners?
  • Implied consent?
    • Limited intrusiveness
    • Enhanced notice
    • Real control
24. Data Protection and the New EU Cookie Regime
Complying with cookie legislation
• Step 5: Other practical measures
  • Always provide an opt out
  • Cookies
    • Anonymise and encrypt
    • Use session cookies vs. persistent cookies
    • Reduce cookie expiry periods
    • Remove redundant cookies
  • Identify quick wins
    • Website registration / other customer interaction points
    • Mobile app download / opening
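The consent strategy of Step 4 together with Step 5's "always provide an opt out", as an added server-side example that is not from the deck or from the ICO guidance: the gate lets strictly necessary cookies through, holds back every other Set-Cookie header until the visitor has consented to its category, and expires cookies the browser still holds once consent is withdrawn. The consent-cookie format, cookie names, category register and 180-day consent lifetime are assumptions.

```python
"""Consent gate for Step 4 and Step 5's 'always provide an opt out': pass
strictly necessary cookies, withhold every other Set-Cookie until the visitor
has consented to its category, and expire cookies the browser still holds
once consent is withdrawn. Names, categories and formats are assumptions."""

CONSENT_COOKIE = "cookie_consent"  # assumed: comma-separated granted categories
CATEGORY = {CONSENT_COOKIE: "necessary", "basket": "necessary", "csrf": "necessary",
            "lang": "preferences", "_ga": "analytics", "adid": "advertising"}
EXEMPT = {"necessary"}  # slide 15's exemption: strictly necessary / transmission

def parse_cookie_header(cookie_header):
    """Request 'Cookie:' header -> {name: value}."""
    pairs = (p.strip().partition("=") for p in cookie_header.split(";") if p.strip())
    return {k.strip(): v for k, _, v in pairs}

def record_consent(categories):
    """Set-Cookie that stores the visitor's choice (180 days assumed); an empty
    set withdraws consent, which the next gate() call then enforces."""
    value = ",".join(sorted(categories))
    return f"{CONSENT_COOKIE}={value}; Max-Age=15552000; Path=/; Secure; SameSite=Lax"

def granted(cookies):
    """Categories currently allowed: exempt ones always, others only if consented."""
    chosen = cookies.get(CONSENT_COOKIE, "")
    return EXEMPT | {c for c in chosen.split(",") if c}

def category(set_cookie):
    """Category of an outbound Set-Cookie; names missing from the register are 'unknown'."""
    return CATEGORY.get(set_cookie.split("=", 1)[0].strip(), "unknown")

RESPONSE_COOKIES = [  # constructed Set-Cookie headers a page view tries to send
    "basket=7f3a; Path=/; Secure; HttpOnly",
    "_ga=GA1.2.1; Max-Age=63072000; Path=/",
    "adid=9c1e; Max-Age=31536000; Path=/"]

def gate(cookie_header, set_cookie_headers):
    """Filter a response's Set-Cookie headers against the consent the request carries."""
    have = parse_cookie_header(cookie_header)
    allowed = granted(have)
    # Only exempt or consented categories leave the server; unregistered cookies never do.
    out = [h for h in set_cookie_headers if category(h) in allowed]
    # Opt out honoured: expire registered cookies the browser still holds for a
    # category that is not (or no longer) granted. Path assumed to be '/'.
    out += [f"{name}=; Max-Age=0; Path=/" for name in have
            if name in CATEGORY and CATEGORY[name] not in allowed]
    return out
```

On a first visit only the basket cookie is sent; after `record_consent({"analytics"})` the analytics cookie passes as well, and once consent is withdrawn the next response expires it.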
25. Data Protection and the New EU Cookie Regime
Complying with cookie legislation
• Step 5: Other practical measures (cont):
  • Internal processes / procedures
    • Implement internal standards for authorising new cookie use
    • Identify who should authorise – legal, IT, marketing?
    • Consider a ‘one in, one out’ approach
    • Maintain a cookie log + require periodic review
  • Third party providers (ad networks / analytics etc.)
    • Due diligence – do your providers observe good data hygiene standards?
    • Apportion compliance responsibility
    • Ensure contract reflects agreed roles
    • Don’t accept bad behaviour
  • Role of self-regulatory compliance / market practice
26. Data Protection and the New EU Cookie Regime
Cookie transparency
1. Highlight new information to visitors
2. Be more descriptive