Cookie compliance: your 5 day emergency action plan Claire Walker.

Presentation on theme: "Cookie compliance: your 5 day emergency action plan Claire Walker."— Presentation transcript:

1 Cookie compliance: your 5 day emergency action plan Claire Walker

2 www.olswang.com What you need to know…
If your company is one of the 95% of UK organisations not yet obtaining consent to website cookies:
- 5 working days until end of UK enforcement amnesty (26 May)
- 4 main types of cookie
- 3 practical steps to comply
- 2 key sources of guidance
- 1 example of creative good practice

3 Cookie consent countdown [timeline figure]
Events shown: Consent rule adopted at EU level; UK transposes rule - on time!; ICO guidance V1; ICO guidance V2; ICC practical guidance; UK “amnesty” ends; “95% of UK companies not ready” (KPMG); “Collusion” project; UK “amnesty”.
Dates shown: May 2009; 25 May 2011; May 2011; April 2012; March 2012; Dec 2011; 26 May 2012.

4 What is a cookie?
“information stored in the terminal equipment of a subscriber or user”
Regulation 6, Privacy and Electronic Communications Regulations 2003

5 4 main types of cookie – Icons courtesy of BT

6 Cookie consent: the new rule
Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:
a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
b) has given his or her consent.
Regulation 6 PECR 2003, as amended
(NB: pre 2011 requirement was information + opportunity to opt out)

7 3 compliance steps: Step 1

8 Audit

9 Audit (continued)

10 …or be audited!

11 Step 2: provide information
- ICO guidance: “sufficiently full and intelligible to allow individuals to understand the practical consequences”
- Greater effort required now, as user understanding is likely to be low
- Make sure users can see the information:
  - Position – e.g. top of the page not the bottom (e.g. IAB)
  - Formatting – e.g. font size or icon – make it stand out
  - Description – e.g. “cookie policy” or “how our site works” rather than “privacy”
  - Blog post or new headline to draw attention [e.g. “updated” in red]
- NB: notice does not = consent – but it helps!

12 Step 2: information

13 Step 3: obtain consent
But what’s valid “consent” to a cookie? Key points from the current ICO guidance (Dec 2011 version):
- Must involve some form of communication…
- …where user knowingly indicates their acceptance
- User must fully understand that by the action they are giving consent
- Ideally consent needs to be “prior”…
- …websites must “do as much as possible” to minimise time lag between setting cookie and giving users the choice
- …so cookie info must be “readily available”
- Avoid setting persistent cookies if visitors may be one-offs

14 What could “consent” look like? (BT)

15 What could “consent” look like? (BT again)

16 Step 3: methods of consent
The ICO guidance suggests the following potential consent mechanisms – depending on the intrusiveness or otherwise of the cookies used:
- Pop ups (not all pop ups are bad!)
- Splash pages
- Footer bar with accept button
- Via online ts & cs which user accepts (but not by slipping in new terms post acceptance)
- Settings led (e.g. language of site, location for weather report, etc)
- Feature led
What about browser settings? ICO view is that at present browser settings alone do not satisfy consent requirement

17 Can “implied consent” work?
- Implied consent normally invalid in a DP context – see criteria listed earlier
- Level of consent required in given scenario depends on user’s understanding and awareness
- “reliance on implied consent…must be based on a definite shared understanding of what is going to happen”, i.e.
  - that cookies will be set
  - what the cookies do
  - signifies agreement
- So, shared understanding / implied consent may be viable as consumer awareness grows over time
- Also depends on prominence of cookie information on the site

18 Less creative solutions…

19 What to do about Analytics
- Analytics cookies ARE covered by the consent rules
- Low enforcement risk - ICO has a pragmatic stance
- If analytics are the only cookies you use - what should you do?
  - Provide information
  - Seek “consent” via a notice route?
- Suggested wording: "This site uses Google Analytics cookies to collect information about how visitors use this site. Click here [link to relevant section of privacy policy] for more details. By using this site you agree that we can place these cookies on your device."

20 2 essential sources for lawyers
- ICO guidance – December 2011 – to be updated shortly
- International Chambers of Commerce UK Cookie Guide – April 2012
  - Categorisation of cookies
  - How to describe them to users; use of icons (e.g. BT)
  - Consent mechanisms to use
  - Endorsed as good practice by the ICO
  - Will other websites follow suit?

21 Third party cookies: who’s responsible?
- ICO’s view: website owner and third parties are both responsible
- In practice, website owner likely to receive any complaints about 3rd party cookies on site
- Website owner has direct interface with end user – therefore easier for it to provide information and obtain consent
- Tip: ensure your cookie audit covers 3rd party cookies

22 Bottom line: UK enforcement risks?
What does the ICO expect of website owners by 26 May 2012?
- Audit cookies used
- Take “sensible measured action to move to compliance”
- Have a realistic action plan for compliance: timescales + specific actions
Will / when will the ICO take enforcement action over cookies?
- ICO’s approach “practical and proportionate”
- Organisation refuses to comply…
- Use of particularly intrusive cookies with no information and no consent
- Who will be made an example of?

23 Will the ICO issue fines?
- ICO's own guidance will be updated again before 26 May - watch this space
- ICO "does not anticipate a wave of enforcement action after the lead in period ends"... but does expect organisations "to have used this time productively and ensured that they are working towards becoming fully compliant."
- In what circumstances will the ICO impose monetary penalties?
  - Serious contravention + Deliberate or reckless + Likely to cause substantial damage or substantial distress
  - Reckless = knowledge of risk; failure to take “reasonable steps”

24 Cookie compliance: your 5 day emergency action plan For more information please contact: Claire Walker +44 (0) 207 067 3174 claire.walker@olswang.com

