ePrivacy & Consenting Cookies Rakuten LinkShare Symposium 2012 Liz Robertson Jones Day 17 April 2012

UK Information Commissioner given industry 12 month grace period to become compliant with new Cookie Regulations (until 26 May 2012) December 2011 ICO Guidance indicates concerns on lack of progress. While commitment made to no “knee jerk” crackdown, ICO may need to show enforcement teeth Getting user consents is not optional Industry/participant collaboration encouraged Methods and practices will continue to evolve Views expressed are those of the individual presenter and not those of Jones Day or its clients. This presentation is not intended as and may not be relied upon as legal advice Discussion Background

ICO’s Statement in December 2011 Report: “But if you have decided that this is all too difficult, that you don’t want to give your users choices about how your web pages might collect information about them or that you will get around the law by wilfully misleading people about what you do and how you do it then be assured that if we get complaints or have concerns then we will be checking your site and we will take the necessary steps to ensure that you do work towards compliance.” [Emphasis added] Doing Nothing is Not an Option

Beware this Approach

2002 Directive/2003 UK Regulations2009 Directive/2011 UK Regulations Websites to provide clear and comprehensive information about purposes of processing by cookies Same Websites to provide right of refusal – and easy information about how to dissolve cookies Same Exemption to requirements if strictly necessary in order to provide an “information service” explicitly requested by user. Same – but made clear that third party cookies are never strictly necessary. Conclusion: Exemption will not apply to advertising networks PLUS – user has to give consent for cookies to be used. This is what the fuss is about Cookies – The Old and the New

About Consent... Consent only needs to be obtained once – but record-keeping issues indicate easier to seek consent on multiple occasions No prescribed form of consent. Most common approaches seem to be: Consent “Pop-up” (bt.com) Consent Entry (tanqueray.com) Consent Registration Cookie Notice Browser settings Type of consent anticipated to be tied to “intrusiveness” of cookies Consents required on a web-site by web-site basis In the Rakuten LinkShare network, Publishers and Advertisers each have relationships with users, and therefore Publishers and Advertisers need cookie consents

Complementary Steps The Cookie Audit – Knowing how your website works What types of cookies? Does the disabling work? Updating Privacy Policies and Terms of Use Focus on clear language Recognise “Cut and Paste” pitfalls Tackle inconsistencies Diligence on linked web-sites

User friendly …

Rakuten LinkShare UK Agreement Requirements No personal data other than IP address to be passed to Rakuten LinkShare Easy-to-understand Privacy Policy (again, avoid the cut and paste temptation), with Link at Home Page Privacy Policy to identify: –the collection, disclosure and use of any information provided to Rakuten LinkShare and to network participants –information on use of all tracking devices, including LinkShare enabled tracking devices –information regarding the removal of cookies and other tracking devices –method for ascertaining and monitoring consents Must obtain consents for cookies and tracking devices

Concluding Thoughts Take May 2012 deadline seriously Continue to work together as consent methods bed down Be straightforward on use of cookies Reflect a positive approach Watch the rest of the EU

QUESTIONS? ePrivacy & Consenting Cookies