Act Now - The new rules relating to the placement and storage of tracking information on online devices (AKA – the new “Cookie Law”) for businesses with European consumers

The new Cookie Law imposes fresh challenges for businesses increasingly using Cookies and similar online tracking technologies to improve their e-commerce offerings. The new Cookie Law will be of great interest to e-commerce players (including financial services companies, electronic marketers, social and games application makers and providers, and online gaming companies) that offer intensive data- or transaction-driven services heavily reliant on Cookies to support a wide range of online services, functions and advertising requirements. It should also be of particular note to online companies established outside of the European Union (e.g. American companies, since so much of the online commerce, social and gaming innovation developed there is used by European users).

1. ELECTRONIC COMMUNICATIONS NETWORKS
The new law covers the use of electronic communications networks (web-based pages, online applications and application stores, email, etc.) to store information, or gain access to information stored, on a subscriber’s terminal. This can therefore include, among other things, any “connected” device (e.g. mobile phones, tablets) and also internet-reliant applications that do not involve web-based interfaces (e.g. iPhone/Android/Xbox/PS3 apps and games). The salient part of the e-Privacy Directive is Article 5(3), which sets out that consent must be provided before Cookies are stored or accessed:
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.”

Of concern is the fact that, for the most part, the transfer of Cookies between a user and an application happens without the explicit knowledge of the user. Personal information contained in the Cookies can also be stored in machine code, making it hard to fully appreciate what information is being collected from a site.

3. INFORMATION & CONSENT
UNDERTAKE A COOKIE AUDIT
In order to meet the compliance requirements, e-commerce and online operators should undertake the following audit:

• Assess whether the e-Privacy Directive applies to their use of online applications
• Internally audit online applications to analyse the type of personal data collected, both implicitly through Cookies and explicitly through the application (consider complex or dynamic applications with multiple levels of system architecture and functionality, as well as third-party code and content)
• Review all Cookies to ensure there is still a business case for their application and use within the business strategy. Of those that are still valid, group them into relevant user-based situations (such as ‘front-page load’, ‘user login’, ‘shopping cart checkout’, etc.) and ensure all aspects of the personal data collected are listed and, where necessary, rewritten into layman’s terms
• If particular Cookies record very sensitive user data (e.g. medical history), consider the use of an explicit opt-in feature
• Ensure that third parties who may provide hosting services, content, Cookies, or ancillary applications or services to your customers are aware of the relevant restrictions regarding the collection of personal data and compliance with the e-Privacy Directive (and, if possible, seek indemnities from them for any data protection breach)
ENFORCEMENT AND PENALTIES FOR NON-COMPLIANCE
EU member states will adopt varying options in order to enforce the new law. In the UK for example, there is a limited appetite for any monetary penalty (although this penalty exists), yet a number of options for enforcement have been outlined which include the use of information notices, undertakings and enforcement notices. Initially, the focus will likely be on the most intrusive cookies and situations where there is a clear privacy impact on individuals. The UK Information Commissioner’s Office (“ICO”) has published guidance discussing implementation and enforcement of the new law. This may provide a useful analysis for other EU member states (http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-privacydirective-eu-cookie-law.aspx).
Generally, for the data protection laws of a particular country to apply to the collection of personal data by means of an electronic application, the collecting entity or data controller (usually the application provider) is required either to be incorporated or physically present in that country, or to use equipment within that country. At EU level, the view has been expressed that the placing of a Cookie on the online-enabled device of a European user can amount to the use of "equipment" within the relevant EU member state.
It is noteworthy that the changes brought about by the new Cookie Law are largely an outgrowth of the Data Protection Directive adopted across the EU in 1995. The major issue with this legislation, however, is that member states implemented their own specific laws following the directive, leading to a lack of harmony in this area across Europe. In January of this year, the EC published a first draft of a new legislative package intended to harmonise the data protection laws across the EU member states (to avoid an unnecessary patchwork of law and guidance, and to update them to address the new technological realities). In the long term, the hope of the EU Justice Commissioner Viviane Reding is for: “A strong, clear and uniform legal framework at EU level [that] will help to unleash the potential of the digital single market and foster economic growth, innovation and job creation”. Many people share that hope, and also hope that the EU legislators will spend significant time listening to a wider range of commercial and civil organisations, industry advisors and other stakeholders to ensure the legal framework is also practical, a consideration that often appears to be left out of the product of the European legislative process.

Please contact firstname.lastname@example.org if you would like advice on your European Data Protection strategy, experienced multi-country support and documentation for a compliance refresh (or compliant roll-out) of your online games, applications or sites.
Published on Jul 25, 2012