agenda 21 eu cookie seminar - david naylor - field fisher waterhouse

Data Protection and the New EU Cookie Regime David Naylor Partner, Field Fisher Waterhouse [email protected] 18 April 2012


  • 1. Data Protection andthe New EU Cookie RegimeDavid NaylorPartner, Field Fisher [email protected] April 2012

2. What Privacy? 3. What Privacy? 4. What Privacy?[a]n examination of 101 popular smartphone "apps" showed that 56transmitted the phones unique device ID to other companies withoutusers awareness or consent. Forty-seven apps transmitted the phoneslocation in some way. Five sent age, gender and other personal details tooutsiders Many apps dont offer even a basic form of consumerprotection: written privacy policies. Forty-five of the 101 apps didntprovide privacy policies on their websites or inside the apps at the time oftesting. Source: Wall Street Journal http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html 5. What Privacy? 6. What Privacy? 7. Data Protection and the New EU Cookie RegimeICO fines Midlothian Council 140K fordata breachesMonday 30 January 2012 09:58 8. Data Protection and the New EU Cookie Regime Comprehensive European and individual MemberState privacy regimes Applies to all personal data, not just certain typesof data Applies to all businesses, not just consumer-facing businesses 9. Data Protection and the New EU Cookie RegimeMeaning of personal data Data protection protects personal data Is an individual identifiable or singled out? Anonymised data types can be personal: IP addresses UDID data Hashed data 10. Data Protection and the New EU Cookie RegimeMeaning of personal data An example - QR codes User scans code and is directly transferred to URL Website collects IP address / system / date + time data User scans code and is routed through QR reader servers App publisher collects mobile UDID Publisher may commercialise with third parties Allows for mobile tracking Takeaway: Even anonymised data can be personal If its personal, its protected 11. 
Data Protection and the New EU Cookie RegimeKey Principles: Fair and lawful processing Limited purposes Adequate, relevant and not excessive Accurate Kept no longer than necessary Processing in accordance with the data subjects rights Secure No transfer to countries without adequate protection 12. Data Protection and the New EU Cookie RegimeConsequences of compliance failures: Certain breaches are criminal offences Regulators may impose fines now up to 500,000 in the UK and may be more in other EU jurisdictions Unlimited civil liability a possibility Disruption to business-critical data processing Complaints from customers, employees, suppliers etc. Naming and shaming brand damage Loss of business 13. Data Protection and the New EU Cookie Regime4. CookiesCookies Revised E-Privacy Directive Implementation deadline was 25th May 2011 Some states have implemented (including UK), somehave not UK: ICO has allowed sunrise period of 1 year before it takes any enforcement action IAB self-regulatory approach praised by UK Government 14. Data Protection and the New EU Cookie RegimeHow cookie requirements have changedMember States shall ensure that the [use of electronic communicationsnetworks to store] storing of information or [to gain] the gaining of access toinformation stored in the terminal equipment of a subscriber or user is onlyallowed on condition that the subscriber or user concerned [is] has given his orher consent, having been provided with clear and comprehensive informationin accordance with Directive 95/46/EC, inter alia about the purposes of theprocessing. [and is offered the right to refuse such processing by the datacontroller.] 
This shall not prevent any technical storage or access for the solepurpose of carrying out [or facilitating] the transmission of a communicationover an electronic communications network, or as strictly necessary in order [toprovide] for the provider of an information society service explicitly requestedby the subscriber or user to provide the service. 15. Data Protection and the New EU Cookie RegimeThe new cookie consent requirement Exemptions Strictly necessary to provide user-requested service Carrying out transmission across a network Practical consequences Shopping basket, security and page load cookies are OK but everything else needs some form of consent and impacts more than just cookies (any pulled data) Browser and other application settings Permitted where technically possible and effective Regulatory view is that current browser settings are not enough 16. Questions? 17. Data Protection and the New EU Cookie RegimeSome common misunderstandings This only affects website cookie data No, the requirement applies whenever storing or accessing information (e.g. device fingerprinting and mobile data collection) We need pop-ups to get consent No, the requirement is only to get consent. How to do this is up to you Individuals must expressly consent No, with sufficient notice and control, consent for some cookies can be implied from a users action or inaction. 18. Data Protection and the New EU Cookie Regime Complyingwith cookie legislation Step 1: Assess use of cookies Step 2: Identify necessity / intrusiveness Step 3: Enhance disclosures Step 4: Implement a consent strategy 19. Data Protection and the New EU Cookie RegimeStep 1. Assess use of cookies 20. Data Protection and the New EU Cookie RegimeStep 2. Assess intrusiveness Points to consider: 2. Cookie purposeSession 3. Cookie expiry 4. Website itself1st party session cookie3rd party session cookie 5. Flash cookies(e.g. language preference)(e.g. 
secure payment) 1st party 3rd party1st party persistent cookie(e.g. website analytics)3rd party persistent cookie(e.g. targeted advertising) Persistent 21. Data Protection and the New EU Cookie RegimeStep 3. Enhance disclosures the benefits of data minimisation! 22. Data Protection and the New EU Cookie RegimeStep 4: Implement a consent strategyICO Guidance on the rules on use of cookies and similar technologiesDecember 2011The Regulations require that users or subscribers consent. Directive 95/46/EC (theData Protection Directive on which the UK Data Protection Act 1998 (the DPA) isbased) defines the data subjects consent as:any freely given specific and informed indication of his wishes by which thedata subject signifies his agreement to personal data relating to him beingprocessed.Consent must involve some form of communication where the individual knowinglyindicates their acceptance. This may involve clicking an icon, sending an email orsubscribing to a service. The crucial consideration is that the individual must fullyunderstand that by the action in question they will be giving consent. 23. Data Protection and the New EU Cookie RegimeStep 4: Implement a consent strategy No certainty as to what will be required Pop-up windows? Consent Banners? Implied consent? Limited intrusiveness Enhanced notice Real control 24. Data Protection and the New EU Cookie Regime Complyingwith cookie legislation Step 5: Other practical measures Always provide an opt out Cookies Anonymise and encrypt Use session cookies vs. persistent cookies Reduce cookie expiry periods Remove redundant cookies Identify quick wins Website registration / other customer interaction points Mobile app download / opening 25. Data Protection and the New EU Cookie Regime Complyingwith cookie legislation Step 5: Other practical measures (cont): Internal processes / procedures Implement internal standards for authorising new cookie use Identify who should authorise legal, IT, marketing? 
Consider a one in, one out approach Maintain a cookie log + require periodic review Third party providers (ad networks / analytics etc.) Due diligence do your providers observe good data hygiene standards? Apportion compliance responsibility Ensure contract reflects agreed roles Dont accept bad behaviour Role of self-regulatory compliance / market practice 26. Data Protection and the New EU Cookie RegimeCookie transparency1. Highlight new information to visitors2. Be more descriptive 27. Data Protection and the New EU Cookie Regime CookiesExpress consent models 28. Data Protection and the New EU Cookie Regime CookiesExpress consent models 29. Data Protection and the New EU Cookie Regime CookiesImplied consent models 30. Data Protection and the New EU Cookie Regime CookiesPractical example 31. Data Protection and the New EU Cookie Regime CookiesPractical example 32. Data Protection and the New EU Cookie Regime CookiesPractical example 33. Data Protection and the New EU Cookie Regime CookiesPractical example