The EU Cookie Sweeps: Are You Compliant? - TRUSTe Webinar Series


A 2-part TRUSTe Webinar Series with Promontory, from Simon McDougall & Saira Nayak, Director of Policy, TRUSTe. Part 1 focuses on EU Cookie Directive: Key Steps to Compliance – August 12.

TRUSTe Webinar Series, August 12 & September 4 2014

Speakers

EU Cookie Directive: Key Steps to Compliance – August 12

• Simon McDougall, Managing Director, Promontory

• Saira Nayak, Director of Policy, TRUSTe

EU Cookie Inspections: Are you Ready? – September 4

• Oliver Proust, Of Counsel Privacy & Information, FieldFisher

• Vincent Toubiana, CNIL

Today’s Agenda

• Introduction

• Recap: EU Cookie Directive Requirements

• Latest EU Cookie/Tracking Enforcement & CNIL Inspection plans

• Examples of Best Practice across Europe

• Technical Solutions

• What do you need to do to comply?

Introduction

Saira Nayak, Director of Policy, TRUSTe

What’s Happening with the EU Cookie Directive?

• Cookie Sweeps – by EU Regulators in September 2014

• New CNIL online enforcement audit powers in March 2014; CNIL cookie sweeps to start October 2014.

• Netherlands enforcement

– May 2014 decision against ad network YD Benelux

– July 2014 decision against Dutch broadcaster NPO.

• Spain enforcement – Jan 2014 actions around “notice”

• Italy enforcement – July 2014 Google must get explicit consent to profile and track users on any of its services (including OBA)

• Updated regulatory guidance from Italy and Spain

• EU Court of Justice v. Google (confirming a “right to be forgotten” under EU law) reminds us that US companies are subject to EU requirements when processing data in the EU.

EU Cookie Laws – Emerging Trends

• Cookie Laws to date:

• 26 EU countries have a cookie law; 2 (Croatia and Malta) do not. Iceland, Liechtenstein and Norway (EEA members) have proposed legislation addressing cookie obligations.

• Requirements: All cookie laws include requirements for informed consent (notice plus consent) and user control.

• Still no settled standard for “informed consent.”

• Some countries that were formerly express have exceptions where implied consent is OK e.g. France, Spain (when user continues to use the site or service)

• In certain countries, user access to a website may be conditioned on their consent e.g. Germany, Netherlands

• Prescriptive regulatory guidance

• France – how notice should be provided, consent, DNT

• Italy – categorizing notice, consent.

• Spain – layered notice, how consent should be provided

Recap: EU Cookie Directive Requirements

EU Cookie Directive: Requirements

1. Informed Consent (Notice + Consent)

• Before information about a user is accessed or stored, the user must:

– Be provided with clear and comprehensive information (notice)

– Provide “consent,” in accordance with 1995 Directive.

• Obligation to obtain informed consent falls on the entity dropping the cookie or tracker (no data controller/processor distinction).

• EU Member States have interpreted “informed consent” differently

2. User Control

• Must provide a mechanism for the user to revoke consent and opt out of tracking.

EU: Scope of Cookie Directive

• Using any technology to store or access personal data from computers or other devices will trigger cookie directive compliance obligations:

– HTML (especially v.5)

– Social Plugins

– Targeted advertising

– Flash cookies

• Browser consent? OK, but only if the browser rejects third party cookies by default.

• Exceptions – cookies that are “strictly necessary” to deliver a user-requested service – certain first party analytics, user preferences, security cookies.

Informed Consent Interpretations Across Europe

Informed Consent – Express & Implied

EU Tracking/Cookie Enforcement & Inspection Plans

Spain (AEPD) Enforcement Actions

• The Spanish data protection authority is the AEPD (Agencia Española de Protección de Datos).

• Under current Spanish law, AEPD can only pursue enforcement actions based on notice – not consent. The Spanish legislature is contemplating whether to expand the AEPD’s enforcement power to include consent violations as well.

• In January 2014, the AEPD brought the first penalty cookie enforcement actions against two companies: Navas Joyeros S.L and Luxury Experience S.L for lack of “clear and comprehensive notice” about promotional cookies on websites. The AEPD fined each company 5000 euros.

• Both companies provided disclosures about their use of these promotional cookies in their terms of service.

• AEPD said that notice must be provided in a separate privacy policy and the description of tracking procedures in notice must correspond to actual practice.

• Also referenced a preference for layered notices to facilitate user comprehension of cookie collection activity.

Netherlands Enforcement Actions

OPTA (Onafhankelijke Post en Telecommunicatie Autoriteit)

• May 2014 action was taken against YD Benelux (third party ad network) which violated Netherlands law when it:

– Placed its own tracking cookies (when users visited websites within its advertising network) without a user’s informed consent (no consent)

– Didn’t provide an opt-out for users to change consent (no control)

– Didn’t provide adequate information about YD’s tracking policies (no notice).

ACM (Association for Consumers and Markets)

• July 2014 action was against Netherlands Public Broadcasting (NPO).

• NPO violated the Dutch law when it:

– Placed tracking cookies without prior and sufficient information notice

– Failed to obtain consent in the correct manner (opt-in).

• NPO has 4 weeks to comply with ACM’s recommendations after which it will be fined 25,000 euros per week (up to a maximum of 125,000 euros).

Italy (Garante) Enforcement

• Following an investigation into Google’s privacy practices, the Garante (Italian data protection regulator) issued a consent order on 10 July 2014.

• Administrative proceedings were originally triggered in 2013 after Google adopted its new unified privacy policy.

• Per the Garante, Google must get explicit consent from users for use of any Google service that profiles and tracks users. This includes any monitoring of a user’s web site navigation and.

• User control - users must also be able to reject or withdraw consent.

• The Garante noted the “improvements” to Google’s privacy policy to date, but stated that it is not fully compliant with Italian law.

• The Garante further urged Google to review the recommendations of WP29 in Opinion No 10/2004.

2014 EU Cookie Inspection Plans

• EU “Cookie Sweep”

– From 15 – 19 September 2014.

– EU data protection regulators to participate

– Mimics work previously undertaken by the Global Privacy Enforcement Network (GPEN) in 2013 (20 data protection authorities reviewed the privacy notices from over 2,000 websites).

• CNIL Cookie Inspections

– The CNIL will assess compliance with their December 2013 guidelines in October 2014.

– This will be the first time the CNIL will be exercising its new powers to conduct “remote” investigations, including online investigations (after the French law was revised to give the CNIL this new enforcement power in March 2014)

– Objective: carry out around 550 inspections (up +33% from 2013).

– Of these inspections, around 350 are to be carried out on-site and around 200 will be online inspections.

CNIL’s new powers for online inspection

Historically the CNIL could initiate investigations by:

• Demanding access to documents or files (upon written request)

• Summoning representatives to appear at its offices for questioning

• On-site inspections between 6am and 9pm of all premises and facilities used to process personal data and which are for professional purposes

The French Data Protection Act was revised in March 2014 (the “Hamon Law”) giving the CNIL the right to perform online checks

• Online inspections will only involve publicly accessible web services and online databases and the CNIL cannot ‘hack’ into a company’s information systems

• The CNIL will assess: how individuals are notified of data processing (including how consent is collected), and how cookie and tracking technology are deployed

• The scope of the French Data Protection Act means that the powers could extend to a web site which is targeted at, but not established in France

What will the inspections cover?

• The types of cookies or similar technologies used by a website (e.g. HTTP cookie, local shared object, browser fingerprinting).

• The purpose of the cookies:

– Does the website editor know the purposes of all the cookies placed or read from his website, whether they are first or third party cookies?

– Are there cookies with no end purpose (e.g. cookies no longer used)?

• The methods of collecting consent:

– Are cookies requiring consent read or placed before the internet user can express his consent?

– How does the internet user express his consent (e.g. click, implied consent)?

– Is the method of collecting the consent user-friendly?

– The visibility, quality and simplicity of the information relative to cookies.

– The consequences of refusing a cookie requiring consent.

– The possibility of withdrawing consent at any time.

– The duration of the cookies (i.e. 13 months max).

What Is Current Practice in Europe?

Simon McDougall, Managing Director, Promontory

Recap of WP29 Guidance (Opinion 02/2013)

• Information which should be provided to users:

– Visible notice of the various types of cookies being used including use of layered notices or links to more information

– Notice that the user agrees to cookies being set by the website

– How users can signify and later withdraw consent

– Details of retention periods of the cookies (i.e. expiry dates)

• Splash screens, banners, dialog boxes and browser settings are suitable tools to obtain consent

– Located on the entry page where a user begins a browsing session

– Users must have access to all necessary notice information at this point

– Functionality should allow users to accept all or some or decline cookies

– Users should be given the option to change prior preferences regarding cookies

• Consent should be sought through an active behavior (i.e. user activated button, link or box) before cookies are set or read on a user’s computer or device

Recap of WP29 Guidance (Opinion 04/2012)

• Article 5.3 of Directive 2002/58/EC as amended by 2009/136/EC provides for an exemption to consent where the cookie is

– Used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

– Strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the services

• Cookies likely to fall under the exemption:

– ‘user-input’ session cookies

– Authentication cookies

– Multimedia player session cookies

• Cookies likely NOT to fall under the exemption:

– Social plug-in tracking cookies

– Third party advertising cookies

– Load balancing session cookies

– UI customization cookies

– Social plug-in content sharing cookies

– Third party analytics cookies

– First party analytics cookies (except where they are only used to collect statistical data insofar as other safeguards are in place)

UK ICO Approach to Cookie Compliance

ICO Approach

• Consent may be given by an active behaviour or by continued browsing, insofar as users clearly understand that they are consenting

• Use of pop ups, banners, header bars and splash pages are ways to obtain consent

• Reliance on browser settings is possible but only where the user has modified the default settings (i.e. cookies blocked unless activated by the user)

• Merely changing terms and conditions is not a suitable way to obtain consent unless the user has acknowledged and agreed to the changes

Cookie, Name, Purpose (http://ico.org.uk/Global/cookies):

• Cookie banner (ICOCookiesBanner): This cookie is used to control the appearance of the cookies information banner. This cookie is set on arrival to the site by default. It expires after a set time and is not set again unless a user changes their cookie settings.

• Cookie preference (ICOCookies): This cookie is used to remember a user’s choice about cookies on the ICO website. This cookie is, by default, set on arrival to the site with a value of ‘True’. If users choose to delete non-essential cookies, the cookie value is updated to a value of ‘False’.

• Google Analytics (_utma, _utmb, _utmc, _utmz): These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. Click here for an overview of privacy at Google

• Security breach notification form cookie (ASP.NET_SessionId): This cookie is essential for the breach notification form – the form that public electronic communications service providers use to notify the ICO of a security breach – to operate. It is set only for those people using the form. This cookie is deleted when you close your browser. Visit the Microsoft website

• Content Management System cookie (ico62#sc_wede, youth#sc_wede): One or both of these cookies may be set by our content management system on a small number of browsers, upon arrival to the ICO site or young people's pages. Neither is used by the ICO for any purpose. These cookies are deleted when a user closes their browser. The supplier of our content management system (the software we use to update our website) is working to remove this cookie from their product.

• YouTube cookies: We embed videos from our official YouTube channel using YouTube’s privacy-enhanced mode. This mode may set cookies on your computer once you click on the YouTube video player, but YouTube will not store personally-identifiable cookie information for playbacks of embedded videos using the privacy-enhanced mode. Read more at YouTube’s embedding videos information page.

UK ICO Approach to Cookie Compliance

• The ICO maintains that the consumer threat level raised by cookies is ‘low’

• Between April and June 2014 the ICO received 38 concerns about the use of web site cookies (of which many were not complaints relating to non-compliance or specific to an individual web site)

• During the same period, the ICO received 47,465 concerns about unwanted marketing communications

• Between November 2012 and June 2014 the ICO has undertaken an assessment of the 200 most visited web sites for which it had received concerns

• Since October 2012 the ICO has written to 275 organizations regarding their cookie compliance

• The ICO will continue to write to those sites about which it receives concerns and focus specifically on those sites most visited by consumers

http://ico.org.uk/enforcement/action/cookies

Overview of Cookie Practices in the UK

• In general, UK web sites utilise a range of first and third party cookies, beacons, web tags and analytics

• Range of banners, splash pages, dialogue boxes and header links are used to

– Inform users that cookies are used

– Confirm users agree to the cookie either by notice that continuing to use the site will constitute consent or by actively requiring user to accept/agree

– Links to a cookie policy (or relevant section of a privacy policy) with additional information about the types of cookies being used

• For the majority of sites, cookies are downloaded upon access to the web site irrespective of the consent banners and pop ups

• A number of sites used cookies or beacons which were not mentioned in their policy or the third parties named had changed

FR CNIL Approach to Cookie Compliance

CNIL Approach

• The CNIL homepage includes a link to cookie information in a banner towards the bottom of the page. It is necessary to scroll down to locate it. This link is not provided in the English language version of the site

• The CNIL website uses a cookie called PIWIK for analytics

• CNIL guidance recommends the use of a banner specifying the purpose and types of cookies, as well as how to object to the use of cookies or to modify their use

• Consent can be obtained by the fact that the user continues to use the web site with sufficient notice

• Browser settings could be relied upon but not for pixel/flash cookies and fingerprinting

• Consent expires after 13 months

Overview of Cookie Practices in France

• French web sites utilise a range of first and third party cookies and analytics

• Predominantly banners are used to notify users, however examples of splash pages and dialogue boxes were also identified

• A number of well known French companies, which used first and third party cookies, did not appear to have any specific notices on their home page, though many did include information on the use of cookies in their privacy notices

• In general, the cookie and privacy policies underlying any banner or homepage cookie notice do not contain the detailed information on each individual named cookie or beacon that was regularly found on UK sites. However the French policies include more details on updating browser settings

DE Federal DPA Approach to Cookie Compliance

German Federal DPA (BFDI) Approach

• The privacy statement of the German Federal Data Protection Commissioner states that certain pages use temporary session cookies to facilitate navigation which do not contain personal data and expire after the session

• According to the privacy statement the only data recorded is: anonymized IP address; date and time; the requested page or file; volume of data transferred; and notification whether access/retrieval was successful

• Java applets or Active-X controls related analytics are not used by the web site

Overview of Cookie Practices in Germany

• The majority of sites visited incorporated banner notices informing users of cookie usage and providing a link to additional information

• In general, the cookie and privacy policies contain details of the types of cookies, as well as social media plugins and other technologies. The website policies also included reference to mobile device related cookies and trackers

• Certain sites incorporated additional functionality to allow cookie settings to be based on the type of cookies and processing activities

• A number of well known consumer sites using first and third party cookies only contained information relating to their cookie usage in their privacy policy, accessed from a link on the home page

NL CBP Approach to Cookie Compliance

College Bescherming Persoonsgegevens Approach

• Information relating to cookies is contained in the “about this website” page accessible from the homepage

• The Dutch version of the website states that session cookies are used when using the online notification register and signing up for a newsletter

• These are considered necessary for the functioning of the service, and these cookies are deleted once the browser is closed

• According to the English version of the website, the CBP only collects IP addresses for annual statistical purposes and does not use cookies

• Unfortunately this site does not provide a useful example of the Dutch ‘consent’ requirements in practice, as the only cookies used appear to fall within the cookie consent exemptions

NL CBP Approach to Cookie Compliance

After the ACM decision, the NPO made the following changes to its site:

• A banner in the entry page specifies the types of cookies used and their function

• The user may give his/her consent either by clicking the green button or by continuing to use the website

• Visiting the website without the use of cookies is not possible

• Further information is provided by the orange link

Overview of Cookie Practices in The Netherlands

• From the Dutch web sites visited, it appears that there is less use of third party cookies and advertising related beacons and web tags compared with the UK and France

• Predominantly banners are used to notify users, however some examples of dialogue boxes were also identified

• For the sites visited, the cookies are downloaded at the point at which the web page is opened. Many of the cookie policies and privacy statements provide information on changing browser settings to remove or prevent cookies

• Certain sites provided a button on the web page to remove cookies

Trends and Observations

• Widespread adoption of banners and dialogue boxes for notifying cookie usage and tacit consent

• Few have yet incorporated technologies to support choice or permissions around types or purposes of cookies

• Still examples of web sites using a range of cookies and trackers without basic notice to users

• Increasing use of third party cookies, tags and beacons, most of which are related to US based marketing and analytics services, but few trackers of domestic online advertisers

– Google (Analytics, AdSense, AdWords, DoubleClick)

– Adobe TagManager, AppNexus, Webtrends

– Social Plugins for Facebook and Twitter

• Cookie policies had not been updated to reflect the changes in usage or third party relationships

Technical Solutions

Saira Nayak, Director of Policy, TRUSTe

Cookie Audit

Consent Manager – Express Consent (German)

Consent Manager loads as site loads, but user cannot access the page until s/he has made an informed consent.

Flow diagram labels:

• TRUSTe Consent Manager displays notice

• Users consent: consent to all cookies, or consent to some cookies

• Site continues to operate normally, cookies are dropped

• A) TRUSTe saves user’s preferences in TRUSTe cookie to maintain stance

• B) TRUSTe invokes code to nullify cookies by dropping 1st and 3rd party opt-out cookies

Consent Manager – Express Consent (French)

Site loads after user makes an informed consent in “zero cookie” environment.

Flow diagram labels:

• Site not loaded so no trackers dropped

• TRUSTe Consent Manager displays notice

• Users consent: consent to all cookies, or consent to some cookies

• Site continues to operate normally, cookies are dropped

• A) TRUSTe saves user’s preferences in TRUSTe cookie to maintain stance

• B) TRUSTe invokes code to nullify cookies by dropping 1st and 3rd party opt-out cookies

Consent Manager – Opt Back In

Flow diagram labels:

• TRUSTe Consent Manager displays notice

• User changes consent

• User decides to opt-back in

• A) TRUSTe updates user’s preferences in TRUSTe cookie to maintain stance

• B) TRUSTe provides instructions to clear browser cookies to opt back in

Tag Management Solution: Overview

TRUSTe Consent Manager displays notice as a pop-in upon page load but tag manager blocks trackers until s/he has made an informed consent.

Tag Management Solution – Initial interaction

Cookies load after user makes an informed consent in “zero cookie environment”

Flow diagram labels:

• Site loads but trackers are blocked by tag manager

• TRUSTe Consent Manager displays notice

• Users consent: consent to all cookies, or consent to some cookies

• Site continues to operate normally, cookies are dropped

• A) TRUSTe saves user’s preferences in TRUSTe cookie to maintain stance

• B) TRUSTe sends preferences to tag manager to block cookies

Tag Management Solution: Initial Notice

Tag Management Solution – Opt Back In

Flow diagram labels:

• TRUSTe Consent Manager displays notice

• User changes consent

• User decides to opt-back in

• A) TRUSTe updates user’s preferences in TRUSTe cookie to maintain stance

• B) Tag Manager stops blocking cookies

Key Steps to Compliance

1. Conduct an audit of all the cookie and tracking activity across your online properties

2. Check the exact compliance requirements of all the European countries in which you operate

3. Categorize the cookies and trackers on your site & put in place an ongoing monitoring solution so this can be presented in real-time

4. Provide users with notice of the tracking on your site and a way to opt out of the different types of trackers

5. Use a consent management solution which meets the requirements of the relevant European countries

6. Ensure the information in your privacy policies is accurate

7. It is also a good idea to make sure you are current on satisfying “adequacy” for commercial data transfers from the EU to the US (US-EU Safe Harbor, BCR, Model contractual clauses).

Questions

Next Webinar

EU Cookie Inspections: Are you Ready? – September 4

• Oliver Proust, Of Counsel Privacy & Information, FieldFisher

• Vincent Toubiana, CNIL

Hear directly from the CNIL as they make more details available of their inspection plans.

Further Information

• Understand consumer expectations around the Cookie Directive in the Whitepaper: “Winning the Trust of EU Consumers” http://download.truste.com/dload.php/?f=SBXB54PM-352

• Hear directly from Judicael Phan and Vincent Toubiana at the CNIL in TRUSTe’s recent webinar with DataGuidance (in French) http://download.truste.com/?f=OUBT58UR-480

• Find out more about TRUSTe’s Website Monitoring & Cookie Consent Manager Solutions http://www.truste.com/products-and-services/enterprise-privacy/eu-consent-manager

Useful links

• Article 29WP Opinion 2/2013 providing guidance on obtaining consent for cookies: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf

• Article 29WP Opinion 4/2012 on cookie consent exemption: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf

• CNIL, Recommandation sur les cookies: quelles obligations pour les responsables de sites, quels conseils pour le internautes? http://www.cnil.fr/linstitution/actualite/article/article/recommandation-sur-les-cookies-quelles-obligations-pour-les-responsables-de-sites-quels-conseils/

• CNIL, Cookies : des contrôles à partir d'octobre http://www.cnil.fr/linstitution/actualite/article/article/cookies-des-controles-a-partir-doctobre/

Useful links - II

• ICO, Guidance on the rules on use of cookies and similar technologies: http://ico.org.uk/for_organisations/privacy_and_electronic_communications/the_guide/~/media/documents/library/Privacy_and_electronic/Practical_application/cookies_guidance_v3.ashx

• ICO, Cookies enforcement: http://ico.org.uk/enforcement/action/cookies

• ACM, Frequently asked questions about the Dutch cookie act: https://www.acm.nl/en/publications/publication/11917/Frequently-asked-questions-about-the-Dutch-cookie-act/

• ACM, Netherlands Public Broadcasting violates cookie rules: https://www.acm.nl/en/publications/publication/13171/Netherlands-Public-Broadcasting-violates-cookie-rules/