European Privacy Legislation: A Primer
Vincent Toubiana (CNIL)
18 February 2015


Page 1: Title slide (CNIL, European Privacy Legislation: A Primer, Vincent Toubiana, 18 February 2015)

Page 2: Agenda

• Cookies, tracking functionality and the law
• The role of CNIL, the French data protection authority
• Compliance issues

Page 3: Context and Scope of Legislation

• Individual privacy protection.
• An EU directive implemented at the national level
  – In France: Article 32-II of the Act of 6 January 1978:
  – Clear, informed consent required
  – Broadly framed to cover all technical methods
  – Interpretation guidelines are provided at the national level (in France, CNIL is the competent authority)
• A business trust issue
  – A consultative approach to find pragmatic solutions to protect individual privacy while promoting the digital economy

Page 4: What technologies are covered?

• All tracking technologies:
  – Reading and setting HTTP cookies
  – “Flash” cookies
  – Invisible pixels (web bugs / beacons)
  – Application, OS and hardware identifiers
  – “Fingerprinting”
• All media:
  – Browsing a web site
  – Reading an email
  – Installing or using software and mobile apps
• All devices: computers, tablets, smartphones, smart TVs, connected game consoles, etc.

Page 5: What cookies are affected?

• Certain cookie types are exempted: when they are strictly necessary for the service to work. Examples:
  – Basket cookies
  – Language option cookies
  – Authentication cookies
  – Analytics cookies under certain conditions (ability to opt out, for anonymous statistics gathering only, etc.)
• Informed consent is required for other cookies. Examples:
  – Targeted advertising
  – Analytics (with some exceptions)
  – Social networks

Page 6: Who is concerned by consent collection?

• Publishers of Internet sites and mobile apps
• Third-party service providers. Examples:
  – Web analytics vendors
  – Advertising networks
  – Social networks

Page 7: How to obtain consent on the Internet?

“Consent must be a positive, informed choice”

• No consent, no cookie
• Two-step mechanism (for each site):
  1. An information banner, for example: “By continuing to use this site you accept the use of cookies to offer targeted advertising and measure usage statistics. To learn more and to configure my cookie settings” (link)
  2. Clicking on the link offers choices for consent.
• Don’t set cookies (or use fingerprinting) until the user has continued to use the site
• Continuing to use the site can take the form of a click on an item in the page (not necessarily the “OK” button)
• In general, the browser options are not sufficient.
• Do not link setting cookies to accessing the site
• Maximum cookie lifespan of 13 months, not renewed at each visit

Page 8: Web sites and functionality concerned

Screenshot of the CNIL web site, section “Web sites, cookies and tracking technologies”, showing “Your obligations” (declare a database / list, CNIL templates), “What does the law say?” and “Tools and source code” for:
• Web Analytics
• Social buttons
• Advertising

Callouts on the slide: “Consent functionality is integrated”, “Require consent”. Test your site with Cookieviz.

Page 9: Web analytics exempted

In order to be exempted, a Web analytics tool must meet 5 conditions:

1. Information contained in the user conditions (not necessarily a banner);
2. The user must be able to opt out easily;
3. Web analytics must be the only use. No crossing with other data or processes. The cookie must be limited to a single publisher and not used across different sites;
4. No geo-location more granular than the town level; IP must be suppressed or anonymised;
5. Cookies must have a lifespan of 13 months and any data collected must be held for 13 months maximum.
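Conditions 4 and 5 above are the ones a site operator can enforce in code at ingest time. The following is an added example (not CNIL’s code nor any analytics vendor’s) that anonymises the IP before a hit is stored and purges hits older than 13 months; the hit record fields, the sample traffic and the choice to keep only the first 48 bits of an IPv6 address are assumptions of this example.

```javascript
// Added example (not CNIL's or any analytics vendor's code): applying two of
// the exemption conditions above at ingest time, IP anonymisation and the
// 13-month retention limit. Record fields and the 48-bit IPv6 cut are assumptions.
const RETENTION_MONTHS = 13;

// IPv4: zero the last octet. IPv6: keep the first 48 bits (three hextets).
function anonymiseIp(ip) {
  if (!ip.includes(":")) {
    const o = ip.split(".");
    if (o.length !== 4 || o.some((x) => !/^\d{1,3}$/.test(x))) throw new Error("bad IPv4: " + ip);
    return `${o[0]}.${o[1]}.${o[2]}.0`;
  }
  // Expand a "::" gap so hextets can be addressed by position.
  const [head, tail = ""] = ip.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const full = [...h, ...Array(8 - h.length - t.length).fill("0"), ...t];
  if (full.length !== 8) throw new Error("bad IPv6: " + ip);
  return full.slice(0, 3).join(":") + "::";
}

// Store an analytics hit with the IP already anonymised; the raw IP is never kept.
function ingest(store, hit) {
  store.push({ ts: hit.ts, page: hit.page, ip: anonymiseIp(hit.ip) });
  return store;
}

// Drop hits older than 13 months (condition 5); retention runs from collection time.
function purgeExpired(store, now) {
  const cutoff = new Date(now);
  cutoff.setUTCMonth(cutoff.getUTCMonth() - RETENTION_MONTHS);
  return store.filter((hit) => new Date(hit.ts) >= cutoff);
}

// Constructed sample hits (not real traffic); documentation-range addresses.
const SAMPLE_HITS = [
  { ts: "2013-12-01T10:00:00Z", page: "/", ip: "203.0.113.45" },
  { ts: "2014-06-15T09:30:00Z", page: "/pricing", ip: "2001:db8:85a3::8a2e:370:7334" },
  { ts: "2015-02-01T08:00:00Z", page: "/", ip: "198.51.100.7" },
];

// Ingest the samples, then apply the retention limit as of `now`.
function demo(now) {
  const store = SAMPLE_HITS.reduce(ingest, []);
  return purgeExpired(store, now);
}
```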

Page 10: Compliant Web analytics tools

• AT-Internet: Under discussion
  – Exempted -> no consent required,
  – Certain points remain to be validated.
• Piwik: OK
  – Exempted -> no consent required
  – No data crossed.
• Google Analytics: Consent required (Google crosses data)
  – CNIL offers a tag on its site with the following functionality:
    – Blocks cookies at the first visit,
    – Requests consent,
    – Provides the means to opt out.

Page 11: Compliant sharing buttons

• “Like”, “Tweet”, and “+1” buttons are used by social networks to track which pages users are visiting
• Recommended tool: “Social Share Privacy”
  – Before activation doesn’t send information to third parties,
  – Only requires a small modification to the page,
  – Look and feel of buttons can be tailored,
  – Available as a plug-in for the major CMSes (WordPress, Drupal, Typo3),
  – Otherwise as a jQuery module.
• Learn more: http://panzi.github.io/SocialSharePrivacy/

Page 12: Tag managers

• A global solution for the site:
  – Consent is requested once for all cookies
  – Ability to opt out by “family” of cookies
  – Blocks tags from firing and asks for consent (Like, Analytics, Consent)
• Paid solutions:
  – Note: Some solutions are not yet compliant (install opt-out cookies with identifiers)
• Free solutions: “Cookie-Cuttr”, “Tarte-Au-Citron”
• Note: Be careful with terms and conditions of third-party solutions (what is compliant today may not be tomorrow)

Example banner shown on the slide: “This site uses cookies for analytics, ad serving, and social networks. Learn More”, with buttons “Refuse Analytics”, “Refuse Ads” and “Refuse Social”.
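The two-step mechanism of page 7 (no cookie before the user continues, 13-month lifespan not renewed at each visit) and the per-family gate of the tag managers on this page can be modelled in a small piece of browser-side logic. The following is an added example (not CNIL’s code nor that of any tag manager named above); the consent cookie name, the family names and the JSON layout of the stored choice are assumptions of this example.

```javascript
// Added example (not CNIL's code nor any tag manager's): consent-gated tag
// firing with a 13-month consent cookie never renewed on later visits.
// The cookie name, family names and stored JSON layout are assumptions.
const CONSENT_COOKIE = "cnil_consent";            // assumed name
const FAMILIES = ["analytics", "ads", "social"];  // assumed families (banner above)

// Parse a document.cookie / Cookie header string into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Stored consent, or null when the user has not yet made a choice.
function readConsent(cookieHeader) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const c = JSON.parse(raw);
    return typeof c.since === "string" && Array.isArray(c.allow) ? c : null;
  } catch (e) { return null; }
}

// Expiry is 13 months after the FIRST consent; later visits must not push it forward.
function expiryFor(sinceIso) {
  const d = new Date(sinceIso);
  d.setUTCMonth(d.getUTCMonth() + 13);
  return d;
}

// "Continuing to use the site" counts as consent for every family not refused.
function consentFromBanner(refusedFamilies) {
  return FAMILIES.filter((f) => !refusedFamilies.includes(f));
}

// Build the Set-Cookie value. `existing` (previous consent or null) keeps its
// original `since`, so re-saving a choice does not reset the 13-month clock.
function buildConsentCookie(allow, existing, now) {
  const since = existing ? existing.since : now.toISOString();
  const value = encodeURIComponent(JSON.stringify({ since, allow }));
  return `${CONSENT_COOKIE}=${value}; Expires=${expiryFor(since).toUTCString()}; Path=/; SameSite=Lax`;
}

// Tag-manager gate: no consent, no cookie; expired consent means ask again.
function mayFire(family, consent, now) {
  if (!consent || now > expiryFor(consent.since)) return false;
  return consent.allow.includes(family);
}
```

A real integration would call mayFire() from the tag loader before injecting each vendor script, and show the banner whenever readConsent() returns null.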

Page 13: From compliance to enforcement

• Since 2014, CNIL is responsible for enforcement nationally,
• First actions year end 2014,
• We’ve seen up to 350 cookies per site!
• Some examples of what is not compliant:
  – No free consent,
  – Many cookies set before consent (when landing on the page),
• Compliance is often very simple to achieve (using recommended tools)