Privacy & cookies The Reference CRM inspiration day 2013 Bart Van den Brande Advocaat – partner Sirius Legal advocaten www.siriuslegal.be [email protected] @BartVdBrande

Privacy and cookies crm inspiration days 2013

Page 1: Privacy and cookies crm inspiration days 2013

Privacy & cookiesThe Reference CRM inspiration day 2013

Bart Van den Brande

Advocaat – partnerSirius Legal advocaten

www.siriuslegal.be

[email protected]

@BartVdBrande

Page 2: Privacy and cookies crm inspiration days 2013

Short update on privacy

Page 3: Privacy and cookies crm inspiration days 2013

Short update on privacy

Current Situation

Current privacy directive (including Belgian privacy law of 1992 based on that directive) is no longer effective

No unified rules between member states

Lack of control over big players (a.o. Ireland has very liberal rules)

Basic principle of server location or company location is no longer relevant in cloud computing era

Potential loss of business due to ineffective legal system: 2,3 billion euro/year according to EU

Page 4: Privacy and cookies crm inspiration days 2013

Short update on privacy

Basic principles of Belgian privacy law of 8 December 1992

There is no general “right to privacy”

Definition of personal data is very broad

Prior opt-in required for all data collecting and processing

“Free and informed” opt-in

Separate opt-in for data transfer to third party

Opt-in must be requested by the “data controller” (as opposed to the “data processor”)

Declaration at privacy commission required in most cases

(online at www.privacycommission.be, cost is 25 euro)

Limited exceptions (if processing is unavoidably needed)

Page 5: Privacy and cookies crm inspiration days 2013

Short update on privacy

Basic principles of Belgian privacy law of 8 December 1992

Individual’s rights

Right to refuse

Right to access and correct

Right to oppose future processing

Right to be informed (through privacy policy)

Page 6: Privacy and cookies crm inspiration days 2013

Short update on privacy

Proposal of new EU regulation

Regulation ≠ directive: uniform rules throughout the entire EU

Work in progress since 2012

First draft text released in May 2013

Currently being amended and voted by committees

LIBE Committee voted on 21 October 2013 (civil liberties, justice and home affairs)

Next steps: agreement of the Council of Ministers and the Commission is sought

If no agreement, Plenary vote in EU Parliament in April 2014 (?)

Page 7: Privacy and cookies crm inspiration days 2013

Short update on privacy

Main objectives

One stop shop throughout EU

Greater harmonization

Strengthening individual rights

Less administrative burden

More effective enforcement of rules

Page 8: Privacy and cookies crm inspiration days 2013

Short update on privacy

Main principles

Applicable to anyone offering services on the EU territory (LIBE: “even free services”)

Personal data = any data allowing identification, including online identifiers, “pseudonymous data”

Consent has to be given explicitly (LIBE: “purpose limited”)

Extended information obligation (LIBE: use of standard icons)

Page 9: Privacy and cookies crm inspiration days 2013

Short update on privacy

Main principles

Obligation to notify data subjects and authorities of data breach (LIBE: “without undue delay”)

“Data protection by design” and “data protection impact assessment”

“Data protection officer” if + 250 employees, with obligation to document processes (LIBE: “or +5000 data subjects processed over last 12 months”)

Cross border data transfer: current system to remain in force for 5 more years

Sanctions: LIBE: up to 5% of annual sales or 100 million

Page 10: Privacy and cookies crm inspiration days 2013

Short update on privacy

Main principles

Right of erasure

Right of data portability

Prohibition against profiling

Article 29 Working party (advisory body) replaced by European Data Protection Board (official body)

Page 11: Privacy and cookies crm inspiration days 2013

Short update on privacy

Practical tips (if nothing changes)

Stay up to date with regulation drafts

Review notice forms, consent forms, privacy policies, data controller/data processor contracts

Implement data breach notification readiness

Implement data processing documentation system

Data protection by design and data protection by default

Conduct data processing impact assessment

Pseudonymize/anonymize/encrypt data where possible to escape the most stringent rules

Secure personal data adequately

Page 12: Privacy and cookies crm inspiration days 2013

One last time: the truth about cookies

Again with the cookies?

Page 13: Privacy and cookies crm inspiration days 2013

One last time: the truth about cookies

Again with the cookies?

Tools like Kméléo:

Remarketing/OBA tools

Do not use cookies

Read out the user's browser history just before page landing

Display advertisements based on that browser history

Claim not to use personal data

Claim to escape cookie regulations

Page 14: Privacy and cookies crm inspiration days 2013

One last time: the truth about cookies

So yes, one last time again with the cookies

Page 15: Privacy and cookies crm inspiration days 2013

A bit of background

What are cookies?

Page 16: Privacy and cookies crm inspiration days 2013

A bit of background

What are cookies?

A cookie is a small amount of data generated by a website and saved on your computer by your web browser.

Its purpose is to remember information about you, similar to a preference file created by a software application.

Why all the fuss about cookies?

In one word: privacy…

Page 17: Privacy and cookies crm inspiration days 2013

A bit of background

What are cookies?

First-party cookies (placed by the website) vs. third-party cookies (placed by Google Analytics or ad brokers)

Functional cookies (log-in, registration, language) vs. non-functional cookies (statistics, remarketing, OBA)

Permanent cookies (remain present) vs. session cookies (erased after the surfing session)

Page 18: Privacy and cookies crm inspiration days 2013

A bit of background

The legal small print

Page 19: Privacy and cookies crm inspiration days 2013

A bit of background

The legal small print

EU e-privacy directive 2002/58/EC

Obligation for member states to adapt national law before end 2012

Belgium: new article 129 in Telecom law since October 2012

Page 20: Privacy and cookies crm inspiration days 2013

A bit of background

The legal small print

“The storage of information, or the gaining of access to information already stored in the terminal equipment of a subscriber or user, is only permitted on condition that:

1° the subscriber or user concerned, in accordance with the conditions laid down in the Act of 8 December 1992 on the protection of privacy in relation to the processing of personal data, receives clear and precise information about the purposes of the processing and about his rights under the Act of 8 December 1992;

2° the subscriber or end user has given his consent after having been informed in accordance with the provisions of 1°.

The first paragraph does not apply to the technical storage of, or access to, information stored in the terminal equipment of a subscriber or end user for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or of providing a service explicitly requested by the subscriber or end user, where this is strictly necessary for that purpose. Consent within the meaning of the first paragraph, or the application of the second paragraph, does not relieve the data controller of those obligations under the Act of 8 December 1992 on the protection of privacy in relation to the processing of personal data that are not imposed by this article.

The data controller offers subscribers or end users, free of charge, a simple means of withdrawing the consent given.”

Page 21: Privacy and cookies crm inspiration days 2013

A bit of background

The legal small print

Belgian law does not contain any further details on

How to warn and inform

How to obtain opt-in

How to enable opt-out

Who is responsible

The law is vague, unclear and leaves room for interpretation

The entire sector is waiting for clear guidelines from the Privacy Commission or BIPT/IBPT

Page 22: Privacy and cookies crm inspiration days 2013

A bit of background

The legal small print

Meanwhile

EU standpoint is clear (directive + declarations commissioners Kroes and Reding)

“Working Party 29” standpoint is clear (Belgian Privacy Commission is part of WP29)

Neighbouring countries' regulations are clear

Page 23: Privacy and cookies crm inspiration days 2013

What does this mean for you?

Page 24: Privacy and cookies crm inspiration days 2013

What does this mean for you?

By deduction:

Functional first party cookies (language, shopping cart, settings, password, technical):

No need to obtain opt-in, but obligation to inform (e.g. in privacy policy)

Non-functional cookies or third party cookies (remarketing and OBA, Google Analytics, …):

Obligation to inform prior to placing cookies

Obligation to obtain explicit opt-in prior to placing cookies

Possibility to opt-out in future

Page 25: Privacy and cookies crm inspiration days 2013

What does this mean for you?

By deduction:

Page 26: Privacy and cookies crm inspiration days 2013

What does this mean for you?

So, by deduction:

Opt-in has to be

Free of obligation (i.e. be able to visit website even without opt-in)

Explicit (requires active intervention of the visitor)

Informed (requires prior information of visitor)

Given before any cookie is installed

Revocable

Page 27: Privacy and cookies crm inspiration days 2013

What does this mean for you?

So, by deduction:

From a practical point of view

Information on use of cookies, type of cookies used, aim of cookies (in privacy policy)

Clear warning upon first visit + link to information

Clear free choice for visitor to opt-in or not (possibility of layered approach)

Clear information about opt-out possibility (in privacy policy)

Page 28: Privacy and cookies crm inspiration days 2013

What does this mean for you?

So, by deduction:

Pop-up?

Splash screen?

Warning in banner or footer?

“Implicit opt-in”?

All seem acceptable as long as an active decision by the visitor is required and free choice is guaranteed (this excludes “by visiting this website you accept…”)
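The cookie classification from the background section and the opt-in rules deduced above, combined into a small consent gate. This is an added example in JavaScript, not code from the slides or from Sirius Legal; the cookie names, categories and purposes are assumed for illustration.

```javascript
// Added example (not from the slides): a consent gate enforcing the rules deduced
// above. Cookie names, categories and purposes are constructed for illustration.
class ConsentGate {
  constructor(policy) {
    this.policy = policy;      // name -> { functional, thirdParty, purpose }
    this.consentGiven = false;
    this.jar = new Map();      // stands in for document.cookie
  }
  // Consent is needed for anything non-functional or placed by a third party.
  needsConsent(rule) { return !rule.functional || rule.thirdParty; }
  // Explicit opt-in: only a deliberate act (clicking "accept") counts; a page
  // view or scroll ("by visiting this website you accept...") does not.
  optIn(action) {
    if (action !== 'click-accept') return false;
    this.consentGiven = true;
    return true;
  }
  // Revocable: withdrawing consent also removes every cookie that relied on it.
  optOut() {
    this.consentGiven = false;
    for (const [name, rule] of Object.entries(this.policy)) {
      if (this.needsConsent(rule)) this.jar.delete(name);
    }
  }
  // Place a cookie only when the rules allow it; returns whether it was placed.
  set(name, value) {
    const rule = this.policy[name];
    if (!rule) return false;                       // undocumented cookie: refuse
    if (this.needsConsent(rule) && !this.consentGiven) return false;
    this.jar.set(name, value);
    return true;
  }
  has(name) { return this.jar.has(name); }
  // One line per cookie for the privacy policy (type and purpose).
  policyLines() {
    return Object.entries(this.policy).map(([n, r]) =>
      `${n}: ${r.thirdParty ? 'third-party' : 'first-party'}, ` +
      `${r.functional ? 'functional' : 'non-functional'}, ${r.purpose}`);
  }
}

// Constructed policy: two functional first-party cookies, two that need opt-in.
const POLICY = {
  lang:     { functional: true,  thirdParty: false, purpose: 'remember language' },
  cart:     { functional: true,  thirdParty: false, purpose: 'shopping cart' },
  _ga:      { functional: false, thirdParty: true,  purpose: 'Google Analytics' },
  remarket: { functional: false, thirdParty: true,  purpose: 'remarketing / OBA' },
};
```

A real site persists the consent flag itself (a strictly necessary first-party cookie) so the choice survives page loads, and wires `optOut()` to the withdrawal link promised in the privacy policy.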

Page 29: Privacy and cookies crm inspiration days 2013

What does this mean for you?

Page 30: Privacy and cookies crm inspiration days 2013

What does this mean for you?

Page 31: Privacy and cookies crm inspiration days 2013

What does this mean for you?

Page 32: Privacy and cookies crm inspiration days 2013

What does this mean for you?

Oh, and also:

If a cookie is used to store and/or process personal data, prior opt-in under privacy law is required on top of the cookie warning, and privacy law applies…

This means

Declaration at privacy commission

Right to access, correct and oppose

Obligation of information through privacy policy

No transfer of data outside EU, unless under very strict conditions

Warning: almost all data is personal data, including IP addresses, browser history and any data that might allow someone to be identified directly or indirectly

Page 33: Privacy and cookies crm inspiration days 2013

What does this mean for you?

Consequences of cookie law

Page 34: Privacy and cookies crm inspiration days 2013

What does this mean for you?

Consequences of cookie law

Not very effective

Disturbing for visitor

Loss of traffic and/or data for websites

Page 35: Privacy and cookies crm inspiration days 2013

What does this mean for you?

Consequences of cookie law

Trying to escape cookie law obligations

Alternative solutions sought

Browser fingerprinting (Kméléo and others)

Web beacons

Page 36: Privacy and cookies crm inspiration days 2013

What does this mean for you?

Browser fingerprinting

Does not use cookies

Reads out the user's browser history just before page landing

Displays advertisements based on that browser history

Claims not to use personal data

Claims to escape cookie regulations

Page 37: Privacy and cookies crm inspiration days 2013

What does this mean for you?

Browser fingerprinting

Unfortunately, article 129 of the Telecom law is quite clear: “The storage of information, or the gaining of access to information already stored in the terminal equipment of a subscriber or user…”

Page 38: Privacy and cookies crm inspiration days 2013

What does this mean for you?

Browser fingerprinting

Unfortunately, article 129 of the Telecom law is quite clear: “The storage of information, or the gaining of access to information already stored in the terminal equipment of a subscriber or user…”

As is Working Party 29's Opinion 1/2008 (doc 00737/NL WP 148), which confirms that browser history data should be considered personal data under privacy law

Page 39: Privacy and cookies crm inspiration days 2013

What does this mean for you?

Browser fingerprinting

Consequently, even if no cookie is placed, prior consent is required as soon as data from a visitor's computer is in any way collected, accessed or analysed.

This includes browser fingerprinting, web beacons, plugins, …

Page 40: Privacy and cookies crm inspiration days 2013

What does this mean for you?

And what if I do not comply?

Page 41: Privacy and cookies crm inspiration days 2013

What does this mean for you?

International context

Page 42: Privacy and cookies crm inspiration days 2013

What does this mean for you?

International context

As many laws as there are member states

All differ slightly, definitions vary, opt-in requirements vary, …

Problem: as soon as you target an audience in one member state, the local authorities will claim to be competent (e.g. local domain extension, local language, local content, …)

The consequence seems to be that you need to comply with the most stringent legal systems

Page 43: Privacy and cookies crm inspiration days 2013

What does this mean for you?

International context

Working Party 29 advice of October 2013:

Basis for pan-European cookie requirements

Careful: this is only advice

Page 44: Privacy and cookies crm inspiration days 2013

What does this mean for you?

International context

Working Party 29 advice of October 2013:

Opt-in should concern only cookies (not combined with privacy or direct marketing consent)

Opt-in should occur prior to placing or activating the cookie

Opt-in requires an active decision (which may be shown through a decision to continue visiting the website)

Opt-in should be free and may be layered

Visiting the website has to be possible without opt-in (although this seems to exclude “by visiting you accept…”?)

Explicit warning from WP29 for tracking cookies: if personal data is collected, prior and separate opt-in for data processing is required

Page 45: Privacy and cookies crm inspiration days 2013

Specific questions? Need quick advice?

www.campaignchecker.be

Sirius Legal Campaign Checker service

Specific service for (digital) agencies, advertisers, sweepstake organizers, website owners, …

Quick legal check of campaign, campaign site, landing page, …

Pragmatic and usable advice

Online available

First contact within 1 hour

Advice within 24 hours

Fixed price: 300 euro

Page 46: Privacy and cookies crm inspiration days 2013

Specific questions? Need quick advice?

www.campaignchecker.be

All questions concerning:

Copyright

Trademarks

Comparative advertising

Consumer protection rules

Contests, sweepstakes, lotteries

Privacy and cookies

Direct marketing actions and member-get-member actions

Actions via social media, respect for Facebook rules and guidelines, …

Viral actions

Page 47: Privacy and cookies crm inspiration days 2013

Need more elaborate help for your website?

www.websitecertifier.be

Sirius Legal Website Certifier service

Extensive legal check of websites and webshops

Full analysis of website set-up, legal documents and disclaimers, legal mentions, communication towards the visitor/consumer

Analysis document

Changes to legal texts where needed or draft of general terms, disclaimer, privacy policy and cookie policy

2 languages NL/FR or NL/UK included

Fixed price: 650 euro

First contact within 1 hour

Full report within 5 business days

Page 48: Privacy and cookies crm inspiration days 2013

Need more elaborate help for your website?

www.websitecertifier.be

Check includes

Obligatory mentions for all websites

Privacy law and cookies for all websites

Respect for market practices and consumer protection in e-commerce (pricing, delivery, 14-day cooling-off period, sales) – comparative and misleading advertising and information of consumers

Set up of your sales process in e-commerce

Content of your general terms of sale or use in e-commerce, auction sites, discussion forums

Page 49: Privacy and cookies crm inspiration days 2013

Privacy & cookiesThe Reference CRM inspiration day 2013

Bart Van den Brande

Advocaat – partnerSirius Legal advocaten

www.siriuslegal.be

[email protected]

@BartVdBrande