Eu Cookie Directive

Published by Ric Gruber Jr
Memo on EU Cookie Directive Implementation as of May 2012.
Published by: Ric Gruber Jr on Sep 14, 2012
Copyright:Attribution Non-commercial

11/08/2012

EU Cookie Directive Compliance
Richard C. Gruber Jr.
The John Marshall Law School
RGruber@law.jmls.edu

The following is an update on the status of the implementation of cookie laws by EU member states as stated in the EU Cookie Directive (the “Directive”),[1] effective May 25th, 2011. The Directive’s purpose is for member states to implement their own laws within the Directive’s general framework in order to protect the privacy of individuals in the EU. However, the Directive is not itself law; to analyze compliance one must look to each member state, and in certain instances the guidance a member state provides is more specific.

Most importantly, the Directive has introduced new rules for online service providers that require “consent” to be obtained from website visitors before serving cookies and other tracking devices to users’ computers.

A status chart has been attached in order to address which member states have specifically implemented Article 5(3), the status of the implementation, whether ‘opt-in’ consent is required, as well as any other legal requirements provided by member state law(s).
Step 1- Cookies Audit

Whether attempting compliance with a single member state or multiple member states, a thorough audit[2] of cookie use (website operator and third parties) needs to be undertaken to determine what cookies and similar technologies the website is using[3] and how they are being used. Doing so will give you the information you will need to provide users for compliance with even the most demanding member state laws implementing the Directive.

Then analyze which cookies are “strictly necessary,” because several member states, as indicated on the Status Chart, vary the consent required based upon this factor.

Where consent is needed, decide what solution to obtain consent will be best under the circumstances and member state requirements.

Lastly, the audit process serves as a useful opportunity to clean up your web page and eliminate the use of any unnecessary cookies.[4] For example, asking any of the following additional questions may be helpful:

o Whether the cookie is linked to other information held about users, such as usernames
o What data each cookie holds
o The type of cookie: session or persistent
o If it is persistent, how long is its lifespan
o Is it a third party cookie, and if so, who is setting it[5]

[1] Originally implemented in 2003 as a European Directive- 2002/58/EC and amended in 2009 by Directive 2009/136/EC.
[2] For a helpful example of information that should be included in an audit of cookie use: http://www.foolproof.co.uk/eu-cookie-directive-and-your-users/
[3] Helpful definitions for various types of cookies located at: http://eucookiedirective.com/
[4] Information Commissioner’s Office (ICO)(UK), “Guidance on the rules on use of cookies and similar Technologies,” version 2, December 13th, 2011, pg. 9, 12-13.
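The audit questions listed in Step 1 can be answered mechanically from the Set-Cookie headers a site returns. The following is an added example, not part of the original memo; the host names, cookie values and audit date are constructed, and the first-party test is a deliberately simple assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: (host that answered the request, raw Set-Cookie value).
PAGE_HOST = "shop.example"
OBSERVED = [
    ("shop.example", "SESSIONID=ab12cd; Path=/; HttpOnly; Secure"),
    ("shop.example", "lang=en; Max-Age=31536000; Path=/"),
    ("ads.tracker.example",
     "uid=7f3a9; Expires=Wed, 25 May 2022 00:00:00 GMT; Domain=.tracker.example"),
]
NOW = datetime(2012, 5, 25, tzinfo=timezone.utc)  # fixed audit date, repeatable output

def parse_set_cookie(raw):
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    first, *rest = [part.strip() for part in raw.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def lifespan_days(attrs, now):
    """None for a session cookie, else lifetime in days (Max-Age overrides Expires)."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return None

def is_first_party(host, page_host):
    """Simplified test: same host or a subdomain of the audited page's host."""
    return host == page_host or host.endswith("." + page_host)

def audit(page_host, observed, now):
    """Answer the Step 1 questions for every observed cookie."""
    rows = []
    for host, raw in observed:
        name, value, attrs = parse_set_cookie(raw)
        days = lifespan_days(attrs, now)
        rows.append({
            "name": name, "data": value, "set_by": host,
            "type": "session" if days is None else "persistent",
            "lifespan_days": None if days is None else round(days),
            "third_party": not is_first_party(host, page_host),
        })
    return rows
```

Calling `audit(PAGE_HOST, OBSERVED, NOW)` yields one row per cookie; whether a cookie is “strictly necessary” or linked to other user data still has to be decided by a reviewer for each row.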
What does the Directive state?

The language of the Directive is critical because, as the Status Chart indicates, many member states have either adopted the language of the Directive verbatim or close to it.

Article 5(3) of the Directive states “[a] person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met...” those requirements being that the user is provided with “clear and comprehensive information” about the information and the purposes of the storage of, or access to, that information, and has given his or her “consent.”

There are common exemptions member states have adopted from the requirement to provide information and obtain consent, such as non-applicability to cookies stored “for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.”

Examples of the types of exempted cookies in certain member states (without exclusion of other possibly exempted cookies):

o Secure login session, designed to identify the user once he/she has logged in to an information society service and is necessary to recognize him/her, maintaining the consistency of the communication with the server over the communication network.
o User session (SessionID), that allows tying together the actions of a user when this is necessary to provide the service he/she requested.
o Shopping basket, used to store the reference of items the user has selected by clicking on a button (e.g. “add to my shopping cart”). This cookie is necessary to provide an information society service explicitly requested by the user.
o Security, cookies providing security that is essential to comply with the security requirements of Directive 95/46/EC or other legislation for an information society service explicitly requested by the user. For example, a cookie may be used to store a unique identifier to allow the information society service to provide additional assurance in the recognition of returning users. Attempted logins from previously unseen devices could prompt for additional security questions.
o User’s spoken language (for websites that are translated in several languages) or other necessary preferences to provide the requested service.
o Flash cookies containing elements that are strictly necessary to make a media player work (audio or video) for content that has been requested by the user.

Accordingly, cookies used primarily for analytics, advertising, and per-user customization are in several instances not exempt from the laws member states have implemented to comply with the Directive, because they pose a higher risk to user privacy.

One requirement that several member states have included in their laws is for clear and comprehensive information to obtain informed consent.

The law in the UK, for example, is not clear on what constitutes “clear and comprehensive,” because the amount of information needed is subjective, based upon the knowledge level of the user. The current situation is unfortunate for website operators because among “broader consumers” are those who use the internet less regularly, have a generally lower level of technical awareness, and are less likely to understand the way cookies work and how to manage them.

However, the ICO (UK) has provided significantly more guidance than the other member states that at a minimum will demonstrate a reasonable effort to comply with UK law:

o Alert users that the cookies are there,
o Explain what the cookies are doing, and

[5] Information Commissioner’s Office (ICO)(UK), “Guidance on the rules on use of cookies and similar Technologies,” version 2, December 13th, 2011, pg. 13.
[6] Article 29 Data Protection Working Party, “Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioral Advertising,” 02005/11/EN/ WP 188, adopted on 08 December 2011, pg. 8: http://ec/europa.eu/justice/data-protection/article-29documentation/opinion-recommendation/files/2011/wp188_en.pdf
[7] Privacy and Electronic Communications (EC Directive) Regulations 2003, no. 2426, Reg. 6.
[8] §5(3) of the revised e-Privacy Directive, 2002/58/EC.
[9] Id. at Article 29 Data Protection Working Party, “Opinion 16/2011,” pg. 8.
[10] Id. at pg. 9.
[11] Guidance from the French DPA CNIL (Translated into English), “are all cookies concerned,” December 20th
[12] Id. at Article 29 Data Protection Working Party, “Opinion 16/2011,” pg. 9.
[13] Directive 95/46/EC of the European Parliament, “protection of individuals with regard to the processing of personal data,” Official Journal L 281, 31995L0046, pg. 31-50, October 24th
[14] Id. at Article 29 Data Protection Working Party, “Opinion 16/2011,” pg. 9.
[15] Id. at ICO “Guidance on the rules on use of cookies and similar Technologies,” pg. 12-13.
[16] Id.
[17] Id. at pg. 10.
[18] Id. at ICO “Guidance on the rules on use of cookies and similar Technologies,” pg. 3 (Where 41% of those surveyed were unaware of any of the different types of cookies, only 13% indicated that they fully understood how cookies work, and 37% said they did not know how to manage cookies on their computer).
[19] Id. at ICO “Guidance on the rules on use of cookies and similar Technologies,” pg. 8.
[20] Id. at pg. 8.
[21] Id. at French DPA CNIL (Translated into English), “are all cookies concerned.”
