Cookie Law – How to meet the deadline for compliance: The Legal Context. James Milligan, DMA Solicitor. CIVIC, 18 January 2011



James Milligan, Solicitor with the DMA, provides an overview of the legal context for webmasters seeking to comply with the new cookie law. © James Milligan, DMA 2012



Cookie Law – How to meet the deadline for compliance

The Legal Context

James Milligan

DMA Solicitor

CIVIC 18 January 2011


Outline

1) New cookie law

2) European Issues


New Cookie Law – Privacy and Electronic Communications (Amendment) Regulations 2011


New Cookie Law

1) What’s changed?

2) Strictly necessary exemption

3) When will new rules be enforced?

4) Is browser software the magic fix?

5) Some outstanding issues

6) What should you be doing now?

7) How to obtain consent

8) Some examples of how to comply

9) Key compliance issues

10) ICO Half Term Report

11) Future developments


1) What’s changed?

• Consent on an opt-in basis to store, retrieve and use information on a user's PC through cookies or gifs.

• Consent – freely given, specific and informed

• Old rules - inform users and opt-out offered


2) Strictly necessary exemption

1. Strictly necessary

2. Provision of a service

3. Provided at the request of the user

• Users do not have to opt in to use of cookies

• Best practice - given information about use of cookies

• Narrow interpretation


3) When will new rules be enforced?

• ICO soft enforcement until May 2012

• Websites deliberately misleading

• ICO new enforcement powers

• Post May 2012 ICO hard enforcement

• Complaint driven action

• Working towards compliance


4) Is browser software the magic fix?

• Unlikely to issue new versions by May 2012

• Problem of old versions still being used

• Allow consumers to make decisions because of default settings before they reach your page

• Can default settings be overridden on a case by case basis?


5) Some outstanding issues

• Third party cookies/online behavioural advertising

• Self regulatory pan-European initiative

• DMA involved in UK implementation

• European data protection commissioners lukewarm

• Mobile


6) What should you be doing now?

1) Identify existing use of cookies

2) Identify different types of cookies used on your website and grade according to level of intrusiveness

3) Identify whether any might be strictly necessary

4) Work out a compliance plan – deal with intrusive ones first

5) Think about your options for gaining consent – effort / risk

6) Summary - audit, prioritise, review


7) How to obtain consent

1) Amend your privacy policy/terms and conditions

2) Visually map customer journey through your website – look at touch points where you gain consent

3) Consider landing page where you get consent

4) Statement on email footers

5) Separate cookie policy

6) Make it easy for users to understand – DMA involved in ICC Common Language


8) Some examples

1) ICO approach


8) Some examples

2) DCMS approach

• http://www.culture.gov.uk/4902.aspx

• Simple approach for Google Analytics cookies


9) Key Compliance Issues

1) Legislation is technologically neutral

2) Transparency and consumer education

3) Comply with the spirit of the legislation

4) Responsibility for compliance lies with organisation deploying cookies


10) ICO Half Term Report Dec 2011

1) Could do better/Must try harder

2) Use existing methods for getting consent online

3) Quick wins

4) Cookie/Privacy policy - clear and visible


10) ICO Half Term Report Dec 2011

1) Ideas – cookie management tools/banners/buttons

2) ICO can’t endorse specific products/services

3) Might not take you all the way to full compliance

4) Collaboration at industry and sector level


10) ICO Half Term Report Dec 2011

Possible enforcement action

1) Is my website doing anything that my users don’t know about?

2) Am I confident that I am giving them appropriate options?

- Not using cookies

- Registered Users – what about others?

- Consumer education


11) Future developments

1) Remember compliance is an ongoing issue – cookies will be added and removed from your organisation’s website

2) May 2012 is fast approaching,


European Issues


European Issues

• European Data Protection Directive Review

• Cloud computing

• Council of Europe Data Protection Convention Review


Thank you and Questions

James Milligan

DMA Solicitor

The Direct Marketing Association (UK) Ltd

Tel: 020 7291 3347

Email: [email protected]

DMA Legal Advice

Tel: 020 7291 3360

Email: [email protected]