The New Data Protection Regulation & Cookie Compliance. Simon Morrissey, Head of Technology and Commercial Data Group, [email protected]. Meriel Lenfestey, Director at Foolproof, meriel@flow-interactive.com. 23 February 2012

The New Data Protection Regulation and Cookie Compliance

Oct 30, 2014


This presentation is from Lewis Silkin’s The New Data Protection Regulation and Cookie Compliance breakfast briefing on the 23 February 2012. Simon Morrissey, Lewis Silkin, and Meriel Lenfestey, Foolproof, look at the new Data Protection Regulations and some of the options available when thinking about cookie compliance and the end user experience.

You can visit http://www.lewissilkin.com for more information.
Transcript
Page 1: The New Data Protection Regulation and Cookie Compliance

The New Data Protection Regulation & Cookie Compliance

Simon Morrissey
Head of Technology and Commercial Data Group
[email protected]

Meriel Lenfestey
Director at Foolproof
[email protected]

23 February 2012

Page 2: The New Data Protection Regulation and Cookie Compliance

Agenda

• Part 1: New Data Protection Regulation
  > The Context
  > Key Points

• Part 2: The Cookie Law – Planning for Compliance

Page 3: The New Data Protection Regulation and Cookie Compliance

The Context

• A complete overhaul of existing European data protection legislation in place since 1995 and in the UK since 1998

• Key aim is to avoid fragmentation legacy by using a Regulation which will have direct effect in Member States

• Provides more legal certainty but at the expense of being more prescriptive

• Simplifies some aspects of existing compliance regime

• Provides more rights to data subjects

• Takes away cost of notification but increases burdens on business

Page 4: The New Data Protection Regulation and Cookie Compliance

Key Points

All consent must now be explicit (Article 4(8)) – extension of the previous rule which applied to Sensitive Personal data

• Impact: This will remove the option of form-based consents

Data must be processed in a transparent manner (Article 5(a))

• Impact: This will increase the level and quality of information data controllers will be required to provide data subjects

Page 5: The New Data Protection Regulation and Cookie Compliance

Key Points cont

The data processed must be the minimum necessary for the purpose – compare with the old “not excessive” rule (Article 5(c))

• Impact: Greater scrutiny of the type of personal data collected, e.g. date of birth

Parental consent is required to collect data of children under 13 (currently no mandated age) (Article 8(1))

Wider definition of Personal Data (Article 4(1) & (2))

Page 6: The New Data Protection Regulation and Cookie Compliance

Key Points cont

Article 3 - New law applies to the processing of personal data of data subjects residing in the EU where the processing relates to:

• the offering of goods or services to such data subjects; or
• monitoring their behaviour (Article 3)

Page 7: The New Data Protection Regulation and Cookie Compliance

Key Points cont

The right to be forgotten (Article 17) – includes obligations to inform third parties of a data subject’s wishes who the controller has authorised to publish personal data

The data subject’s right to object (Article 19)

The data subject’s right to object to automated profiling (Article 20)

Page 8: The New Data Protection Regulation and Cookie Compliance

Key Points cont

Notification regime to be replaced by accountability principle (Article 22)

• Impact: Controllers will be required to demonstrate how they comply with data protection law rather than just pay a notification fee

Data protection by design and by default (Article 23)

• Impact: Controllers will be required to implement technical and organisational measures to ensure compliance

Page 9: The New Data Protection Regulation and Cookie Compliance

Key Points cont

New rules relating to the engagement of data processors (Article 26)

• Processors may only enlist sub-processors with the prior permission of the controller
• Potential for data processors to become joint controllers

• Impact: Appointment of processors will be governed by more robust rules on controllers and processors

Page 10: The New Data Protection Regulation and Cookie Compliance

Key Points cont

Data Security (Article 30)

Processors now have statutory obligations to keep personal data secure.

• Impact: Under the old law, processors could only be liable contractually for data breaches. Now at risk of fines.

Data breach notification now mandatory for controllers and processors within 24 hours (Article 31)

Also includes obligations on controllers to notify data subjects (Article 32)

Page 11: The New Data Protection Regulation and Cookie Compliance

Key Points cont

Appointment of a Data Protection Officer now mandatory for controllers and processors who are employing over 250 people or where the processing requires regular and systematic monitoring of data subjects (Article 35)

International Transfers of Data (Articles 40-44)

• territories and processing sectors can now be designated as “adequate” or “inadequate”
• ICO can now validate terms of a data transfer agreement as adequate
• simplification of Binding Corporate Rules

Page 12: The New Data Protection Regulation and Cookie Compliance

Key Points cont

Enforcement (Article 79)

• New written warning sanction for companies under 250 persons for whom processing is only an ancillary activity
• 0.5% fine of annual worldwide turnover for breaches of subject access requests
• 1% fine of annual worldwide turnover for certain breaches
• 2% fine of annual worldwide turnover for certain breaches

Page 13: The New Data Protection Regulation and Cookie Compliance

Questions?

Page 14: The New Data Protection Regulation and Cookie Compliance

Thank you

Page 15: The New Data Protection Regulation and Cookie Compliance

EU Cookies for Lewis Silkin Breakfast Briefing

Meriel Lenfestey, Partner

© Flow Interactive. All rights reserved.

Page 16: The New Data Protection Regulation and Cookie Compliance

Me ...

Founder of and a Director and Partner at

Interaction Designer with a strong focus on user centred methodologies

Recently worked with 6 global & national FS brands to help specify cookies solutions

Page 17: The New Data Protection Regulation and Cookie Compliance

Cookies Landscape

Page 18: The New Data Protection Regulation and Cookie Compliance

Labels on this slide: INFORMED CONSENT; TYPE OF INFORMATION; UNAMBIGUOUS; CONSENT ACTION; CONSENT; TIMING OF CONSENT; PROOF OF CONSENT; WITHDRAWING CONSENT; JUST COOKIES?; STRICTLY NECESSARY; INFORMATION SOCIETY SERVICE

The LAW

The subscriber or user... has given his or her consent

INFORMED: ...is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information

APPLICATION: Shall not apply… where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Feature led consent: Provided you make it clear to the user that by choosing to take a particular action then certain things will happen you may interpret this as their consent

consent by the data subject (must be) based upon an appreciation and understanding of the facts and implications of an action

the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent ... It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale.

To be valid, consent must be informed. This implies that all the necessary information must be given at the moment the consent is requested, and that this should address the substantive aspects of the processing that the consent is intended to legitimise.

For consent to be unambiguous, the procedure to seek and to give consent must leave no doubt as to the data subject's intention to deliver consent.

the ambiguity of a passive response will make it difficult to fulfil the requirements of the Directive

The indication by which the data subject signifies his agreement must leave no room for ambiguity regarding his/her intent

The way the information is given (in plain text, without use of jargon, understandable, conspicuous) is crucial in assessing whether the consent is “informed”. The way in which this information should be given depends on the context: a regular/average user should be able to understand it.

The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent

The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject's wishes, and to be understandable by the data controller.

The words “indication” and “signifying” point in the direction of an action indeed being needed (as opposed to a situation where consent could be inferred from a lack of action)

Any attempt to gain consent that relies on users’ ignorance about what they are agreeing to is unlikely to be compliant.

Both the quality of information (plain text without jargon) and the accessibility/visibility are important.

It is essential that the data subject is given the opportunity to make a decision and to express it, for instance by ticking the box himself, in view of the purpose of the data processing

could include a handwritten signature affixed at the bottom of a paper form, but also oral statements to signify agreement, or a behaviour from which consent can be reasonably concluded.

Where the feature is provided by a third party you may need to make users aware of this and point them to information on how the third party might use cookies and similar technologies so that the user is able to make an informed choice

you could ... set a cookie and infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site

While Article 5(3) does not use the word prior, this is a clear and obvious conclusion from the wording of the provision.”

The Opinion distinguishes the wording of the previous article 5(3) (“and is offered the right to refuse such processing”) with the new wording (“only allowed on condition that the subscriber or user concerned has given his or her consent”)

Obtaining consent before the processing of data starts is an essential condition to legitimise the processing of data

The more complex or intrusive the activity the more information you will have to provide.

To be valid, consent must be specific. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable.

Text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing storage and access to the information collected by the device

websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options

consent should be verifiable

Individuals who have consented should be able to withdraw their consent, preventing further processing of their data

Aimed at any electronic communications network that is used to store or access information held on the terminal equipment of a user (i.e. a user’s device)

Regulations also apply to similar technologies to cookies e.g. Local shared objects such as Flash cookies

INFORMATION SOCIETY SERVICE: Definition ‘information society service’: any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service

STRICTLY NECESSARY: Definition of strictly necessary is a narrow one. It might apply to a [shopping basket]

Essential (rather than reasonably necessary) to provide the service requested by the user. Note this excludes what might be essential for any other uses the service provider might wish to make of that data

Service must have been “explicitly requested”

Key:

• Privacy and Electronic Communications (EC Directive) Regulations 2003
• Article 29 data protection working party
• ICO guidance on http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx
• Electronic Commerce (EC Directive) Regulations 2002
• Lewis Silkin published opinion to industry Guidance

Page 19: The New Data Protection Regulation and Cookie Compliance

Our clients’ Cookies

• Authentication
• Remember me
• Accessibility
• Hardware & software
• Cookies cookie
• Settings & preferences
• Targeted internal content (behaviour / profile driven)
• Targeted external content e.g. Ads (behaviour / profile driven)
• Core service e.g. Shopping basket
• Mortgage calculator
• Save progress
• Auto-save for return visit
• Aggregator
• Service provider
• 3rd party content e.g. Twitter
• Analytics
• Provider use of analytics data (e.g. Google, Facebook)

Page 20: The New Data Protection Regulation and Cookie Compliance

Cookie Categories

Categories: Security; Auto-tailor; Manual tailor; Process; MI

Cookies:

• Authentication
• Remember me
• Accessibility
• Hardware & software
• Cookies cookie
• Settings & preferences
• Targeted internal content (behaviour / profile driven)
• Targeted external content e.g. Ads (behaviour / profile driven)
• Core service e.g. Shopping basket
• Mortgage calculator
• Save progress
• Auto-save for return visit
• Aggregator
• Service provider
• 3rd party content e.g. Twitter
• Analytics

Page 21: The New Data Protection Regulation and Cookie Compliance

Cookie Categories & Levels of Intrusiveness

• Level 0: Strictly necessary for the core service and explicitly requested by the user
• Level 1: Mostly client* only and low intrusiveness as no profiling. Internal use only
• Level 2: Either not user initiated or includes profiling. Internal use only
• Level 3: 3rd party access to data

Categories: Security; Auto-tailor; Manual tailor; Process; MI

Cookies:

• Authentication
• Remember me
• Accessibility
• Hardware & software
• Cookies cookie
• Settings & preferences
• Targeted internal content (behaviour / profile driven)
• Targeted external content e.g. Ads (behaviour / profile driven)
• Core service e.g. Shopping basket
• Save progress
• Mortgage calculator
• Auto-save for return visit
• Aggregator
• Service provider
• 3rd party content e.g. Twitter
• Site only analytics data (not profiling)
• Provider use of analytics data (e.g. Google, Facebook)

Page 22: The New Data Protection Regulation and Cookie Compliance

Cookie Categories, Levels of Intrusiveness & Initiation

[Diagram: the cookie category and intrusiveness-level grid from the previous slide, repeated under this title]

Page 23: The New Data Protection Regulation and Cookie Compliance

Legal requirements for Consent & Informed

Level 0: Strictly necessary for the core service and explicitly requested by the user
Authentication; Accessibility; Shopping basket

Level 1: Mostly client only and low intrusiveness as no profiling. Internal use only
Remember me; Hardware & software; Cookies cookie; Settings & preferences; Save progress; Mortgage calculator

Level 2: Either not user initiated or includes profiling. Internal use only
Targeted internal content (behaviour / profile driven); Auto-save for return visit

Level 3: 3rd party access to data
Targeted external content e.g. Ads (behaviour / profile driven); Aggregator; Service provider; 3rd party content e.g. Twitter; Provider use of analytics data (e.g. Google, Facebook)

Site only analytics data (not profiling)

CONSENT: Provable, prior, explicit, informed

INFORMED: Summary to support informed consent with detail available; Description of category of use

Page 24: The New Data Protection Regulation and Cookie Compliance

Guidance for Consent & Informed

Level 0: Strictly necessary for the core service and explicitly requested by the user
Authentication; Accessibility; Shopping basket

Level 1: Mostly client* only and low intrusiveness as no profiling. Internal use only
Remember me; Hardware & software; Cookies cookie; Settings & preferences; Save progress; Mortgage calculator

Level 2: Either not user initiated or includes profiling. Internal use only
Targeted internal content (behaviour / profile driven); Auto-save for return visit

Level 3: 3rd party access to data
Targeted external content e.g. Ads (behaviour / profile driven); Aggregator; Service provider; 3rd party content e.g. Twitter; Provider use of analytics data (e.g. Google, Facebook)

Site only analytics data (not profiling)

CONSENT: Provable, prior, explicit, informed; Inferred, ASAP

INFORMED: Description of category of use; Summary to support informed consent with detail available

Page 25: The New Data Protection Regulation and Cookie Compliance

Solutions

Level 0: Strictly necessary for the core service and explicitly requested by the user
Authentication; Accessibility; Shopping basket

Level 1: Mostly client* only and low intrusiveness as no profiling. Internal use only
Remember me; Hardware & software; Cookies cookie; Settings & preferences; Save progress; Mortgage calculator

Level 2: Either not user initiated or includes profiling. Internal use only
Targeted internal content (behaviour / profile driven); Auto-save for return visit

Level 3: 3rd party access to data
Targeted external content e.g. Ads (behaviour / profile driven); Aggregator; Service provider; 3rd party content e.g. Twitter; Provider use of analytics data (e.g. Google, Facebook)

Site only analytics data (not profiling)

INFORMED

• Ignore !!! or Include on cookies page for sake of openness and completeness

• Include information in context for user initiated cookies. and / or Include in single consent description at start of session:

“Allowing cookies lets you shape the service to your needs, use the interactive services on our site and stand up and be counted.”

“We use cookies to provide a useful & relevant service for every user and understand how people use the service so that we can keep improving.”

• Prior to consent for user initiated cookies or Contracts with your partners / providers / customers

Page 26: The New Data Protection Regulation and Cookie Compliance

Solutions

Level 0: Strictly necessary for the core service and explicitly requested by the user
Authentication; Accessibility; Shopping basket

Level 1: Mostly client* only and low intrusiveness as no profiling. Internal use only
Remember me; Hardware & software; Cookies cookie; Settings & preferences; Save progress; Mortgage calculator

Level 2: Either not user initiated or includes profiling. Internal use only
Targeted internal content (behaviour / profile driven); Auto-save for return visit

Level 3: 3rd party access to data
Targeted external content e.g. Ads (behaviour / profile driven); Aggregator; Service provider; 3rd party content e.g. Twitter; Provider use of analytics data (e.g. Google, Facebook)

Site only analytics data (not profiling)

CONSENT (RISK / IMPACT grid; entries: Do nothing; Single inform; Inferred / delayed consent; Prior / Informed consent)

Page 27: The New Data Protection Regulation and Cookie Compliance

Simple Rules for Design Solutions

Consent must be informed and provable

Consent is needed for the purpose... not the data... or the object

[Diagram: Cookie, data, purpose]

Consent must be the path of least resistance

[Diagram: start, consent, use of service]

The chance of gaining consent is a product of ease, benefit and confidence

(ease / difficulty) x (benefit / cost) x (trust / anxiety) = probability of consent

Page 28: The New Data Protection Regulation and Cookie Compliance

Level 1 & 2 single consent (as lightbox)

Default to accept – but clearly label the button

Allow continue without cookies consent (if possible)

Commercial decisions:

• Do you allow them to say no?

• How many people will you lose? Or will not consent?

Page 29: The New Data Protection Regulation and Cookie Compliance

Notify on Action for Level 1 & 2

Consent already given

Consent not given so features which will use a cookie show cookies icon ...

... and display a description of how cookie is used on rollover

Page 30: The New Data Protection Regulation and Cookie Compliance

Level 3 gateway consent

Default to accept – but clearly label the button

Allow continue without cookies consent (if possible)

Commercial decisions:

• Should you focus on this area to remain in the spirit of the law if you are not fully compliant elsewhere?

Page 31: The New Data Protection Regulation and Cookie Compliance

Single inform (Inferred consent)

Banner visible on entry to site but not highlighted.

We would recommend that when a link is rolled over the banner highlights

Commercial Questions:

• Do you write any cookies on arrival at this page?

• Do you offer people the chance to opt out at this stage? Perhaps via an information page.

• Do you offer the chance to ‘close’ the banner by providing active consent?

• Is this shown whenever the user returns?

• Does cookies ‘status’ remain on every page? As a message, as an icon.

• How can you ‘prove’ people see banner? E.g. Eye-tracking research, placing more prominently

Page 32: The New Data Protection Regulation and Cookie Compliance

This isn’t going away. It’s the law