PRIVACY AND COOKIES: DATA PROTECTION IN E-COMMERCE
COOKIES AND PRIVACY: DATA PROTECTION LAW FOR E-COMMERCE BUSINESS
Anna Frankum
Partner: IP, IT and Commercial
Agenda
Overview of EU/UK Data Protection Law
Cookies
Data Protection Checklist for on-line businesses
Future: new EU Data Protection Regulation
European Data Protection Directive
– Data Protection Act 1998 (UK)
– Codice In Materia di Protezione dei Dati Personali (Italy)
Fair and lawful processing of personal data
Rights for individuals
Obligations for organisations
What is personal data?
Personal data is:
– data
– relating to a living individual
– who is identified or identifiable
Not just name and contact details
Not just confidential information
Quiz: spot the personal data!
Personal data?
– [email protected]
– Elderly lady with a white cat who lives on Bond Street and drives a Ferrari
– Penningtons Manches LLP
– CCTV footage of hotel guests taken from cameras in the hotel’s lift and bar
– Luciano Pavarotti was born on 12 October 1935
– Patient X is pregnant and lives in a flat on Baker Street
– Cookies used by a website to recognise an on-line shopper so that when the shopper returns to the website they can be greeted by name
Cookies
A cookie is a small text file that a website leaves on computers, tablets and smartphones used to visit it.
Cookies can be used to:
– remember customers’ preferences
– record items placed in an online shopping basket
– track the number of users of a website
– target adverts to users
February 2015 international study: UK websites place more cookies, but give more information, than websites in any other country surveyed
Cookies
Privacy and Electronic Communications Directive
– Privacy and Electronic Communications (EC Directive) Regulations 2003 (UK)
– Plus special guidance on cookies from the UK Regulator (ICO)
– Codice In Materia di Protezione dei Dati Personali (Italy)
Information to users about cookies
Consent from user
Different approaches in different EU countries
Cookies in the UK
Those setting cookies must:
– tell users that the cookies are there
– explain what the cookies are doing
– obtain the user’s consent to store a cookie on their device
– consent not needed for essential cookies
– allow users to refuse cookies
Implied Consent
– consent that is “specific and informed” and “an indication of wishes”
– can be inferred from a user’s actions if:
  the user is given clear and comprehensive information about the cookies that are used AND
  on that basis decides to continue using the website (clicks or moves to another webpage)
Market practice (endorsed by ICO)
Cookie pop-up/banner appears on the website’s landing page notifying that cookies are used, with a link to a more detailed policy
Generally the user is not required to tick an acceptance box
Normally the cookie pop-up/banner will obscure some of the page until closed by the user
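The UK rules above (tell users which cookies are set and why, store non-essential cookies only once consent is given, leave essential cookies exempt, let users refuse) can be enforced in site code rather than left to the banner alone. The following is an added example, not code from the slides or from any site mentioned; the cookie names, purposes and the in-memory jar standing in for document.cookie are constructed so that it runs outside a browser.

```javascript
// Constructed policy: every cookie the site sets is listed with its purpose,
// so the notice can explain each one. "essential" marks cookies needed for the
// service the user asked for (login session, basket); these need no consent.
const COOKIE_POLICY = {
  session_id:    { essential: true,  purpose: "keeps you signed in during your visit" },
  basket:        { essential: true,  purpose: "remembers items placed in your basket" },
  language:      { essential: false, purpose: "remembers your preferred language" },
  analytics_uid: { essential: false, purpose: "counts how many people use the site" },
  ad_id:         { essential: false, purpose: "targets adverts to you" },
};

class ConsentAwareCookieJar {
  constructor(policy) {
    this.policy = policy;
    this.jar = new Map();   // name -> value; stands in for document.cookie here
    this.consent = null;    // null: user has not decided yet; true/false once they act
  }

  // Text for the banner/policy page: says the cookies are there and what each does.
  noticeText() {
    return Object.entries(this.policy)
      .map(([name, p]) => `${name} (${p.essential ? "essential" : "optional"}): ${p.purpose}`)
      .join("\n");
  }

  // Record the user's choice. A refusal also removes optional cookies already set,
  // so "allow users to refuse" holds even after an earlier acceptance.
  recordConsent(granted) {
    this.consent = granted === true;
    if (!this.consent) this.purgeNonEssential();
  }

  // Returns true if stored, false if withheld because consent is absent or refused.
  // Unknown cookies are rejected: anything set must be explained in the policy.
  set(name, value) {
    const entry = this.policy[name];
    if (!entry) throw new Error(`cookie "${name}" is not described in the policy`);
    if (!entry.essential && this.consent !== true) return false;
    this.jar.set(name, value);
    return true;
  }

  get(name) { return this.jar.has(name) ? this.jar.get(name) : null; }

  purgeNonEssential() {
    for (const name of [...this.jar.keys()]) {
      if (!this.policy[name].essential) this.jar.delete(name);
    }
  }
}
```

With implied consent, the call to recordConsent(true) would be made when the user continues past the banner; with a refusal, optional cookies are never written and any already present are removed.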
Cookie notices: good examples:
www.itv.com
www.drinkyslim.com: any issues?
[Figure: mock-up of the Drinkyslim sign-up form (“Drinkyslim: the tasty way to skinny”). The form asks for name, current weight, ideal weight, gender, date of birth and e-mail address, has a checkbox “I agree to the DrinkySlim privacy policy” and a Submit button, and carries the claims “weight-loss guaranteed, free delivery” and “tasty and nutritious”, plus a partly legible rotated promotional strip (“BARGAIN”, “£100”, “month’s supply”).]
Notification (registration) in the UK
Every data controller (e.g. an organisation) who is processing personal data must register with the Information Commissioner’s Office, unless exempt
– Fee £35 (about €50)
– Renewable annually
– www.ico.gov.uk
– Must be kept updated
– State types of data processed and purposes
Data Protection: on-line business checklist
Do you need to collect the personal data?
– only collect what you need, when you need it
– ok to ask users to log in, register or provide their personal data once they make an enquiry or decide to buy on-line
Is there a clear, prominent explanation of who you are and what you are going to do with the personal data you collect?
– privacy policy
– cookies information
Is customer information secure?
– encryption
– staff trained to look after information properly and securely
– if sub-contractors are used (e.g. to manage a database), ensure the contract obliges them to look after information properly and securely
Data Protection: on-line business checklist (cont.)
Do you use customer information to send out promotional emails or other marketing materials?
– if so, you need to give customers a clear choice
– specific consent for e-mail, text and automated calls
Do you only collect information you use?
– stop collecting any information you no longer need
– dispose securely of any unnecessary information collected
Right of access
– train staff to recognise and deal with a request for access
– encourage customers to check and update the information you hold about them
Future: EU Data Protection Regulation
New EU Data Protection Regulation (Regolamento Generale Sulla Protezione Dei Dati) that aims to harmonise and strengthen data protection laws across the EU
Once adopted, the EU Data Protection Regulation will replace the existing Data Protection Directive (including the DPA and Codice In Materia di Protezione dei Dati Personali) and have direct effect in all EU member states
Currently being negotiated between the Council, the European Parliament and the Commission to agree on its final text; likely to be agreed end of 2015/early 2016
Two-year ‘run in’ period likely to start between June and December 2016
Likely to be in force between June and December 2018
Thank you
Anna Frankum
Email: [email protected]
Tel: +44(0)20 7457 3205