PRIVACY E COOKIES: LA PROTEZIONE DEI DATI NELL’E-COMMERCE
COOKIES AND PRIVACY: DATA PROTECTION LAW FOR E-COMMERCE BUSINESS

Anna Frankum
Partner: IP, IT and Commercial

Agenda
– Overview of EU/UK Data Protection Law
– Cookies
– Data Protection Checklist for on-line businesses
– Future: new EU Data Protection Regulation

Overview of EU/UK Data Protection Law
– European Data Protection Directive
– Data Protection Act 1998
– Codice In Materia di Protezione dei Dati Personali
– Fair and lawful processing of personal data
– Rights for individuals
– Obligations for organisations

What is personal data?
Personal data is:
– Data
– Relating to a living individual
– Who is identified or identifiable
× Not just name and contact details
× Not just confidential information

Quiz: spot the personal data!
Personal data?
– [email protected]
– Elderly lady with a white cat who lives on Bond Street and drives a Ferrari
– Penningtons Manches LLP
– CCTV footage of hotel guests taken from cameras in the hotel’s lift and bar
– Luciano Pavarotti was born on 12 October 1935
– Patient X is pregnant and lives in a flat on Baker Street
– Cookies used by a website to recognise an on-line shopper so that when the shopper returns to the website they can be greeted by name

Cookies
A cookie is a small text file that websites leave on computers, tablets and smartphones when they are used to visit a website.
Cookies can be used to:
– remember customers’ preferences
– record items placed in an online shopping basket
– track the number of users of a website
– target adverts to users
February 2015 international study: UK websites place more cookies, but give more information, than websites in any other country surveyed.

Cookies (cont.)
– Privacy and Electronic Communications Directive
– Privacy and Electronic Communications (EC Directive) Regulations 2003
– Plus special guidance on cookies from the UK Regulator
– Information to users about cookies
– Consent from the user
– Different approaches in different EU countries
– Codice In Materia di Protezione dei Dati Personali

Cookies in the UK
Those setting cookies must:
– tell users that the cookies are there
– explain what the cookies are doing
– obtain the user’s consent to store a cookie on their device
– consent not needed for essential cookies
– allow users to refuse cookies

Implied Consent
– consent that is “specific and informed” and “an indication of wishes”
– can be inferred from a user’s actions if: the user is given clear and comprehensive information about the cookies that are used AND on that basis decides to continue using the website (clicks or moves to another webpage)

Market practice (endorsed by ICO)
– A cookie pop-up/banner appears on the website’s landing page notifying that cookies are used, with a link to a more detailed policy
– Generally the user is not required to tick an acceptance box
– Normally the cookie pop-up/banner will obscure some of the page until closed by the user

Cookie notices: good examples
– www.itv.com
– www.drinkyslim.com: any issues?

DRINKYSLIM: THE TASTY WAY TO SKINNY
We hope you enjoy your visit to the Drinkyslim website. Please complete:
Name:
Current weight:
Ideal weight:
Gender:
Date of birth:
E-mail address:
I agree to the DrinkySlim privacy policy:
SUBMIT
[Side badge: BARGAIN: only £100, one month’s supply]
weight-loss guaranteed, free delivery, tasty and nutritious

Notification (registration) in the UK
– Every data controller (e.g. an organisation) who is processing personal data must register with the Information Commissioner’s Office, unless exempt
– Fee £35 (about €50)
– Renewable annually
– www.ico.gov.uk
– Must be kept updated
– State types of data processed and purposes

Data Protection: on-line business checklist
Do you need to collect the personal data?
– only collect what you need, when you need it
– ok to ask users to log in, register or provide their personal data once they make an enquiry or decide to buy on-line
Is there a clear, prominent explanation of who you are and what you are going to do with the personal data you collect?
– privacy policy
– cookies information
Is customer information secure?
– encryption
– staff trained to look after information properly and securely
– if sub-contractors are used (e.g. to manage a database), ensure the contract obliges them to look after information properly and securely

Data Protection: on-line business checklist (cont.)
Do you use customer information to send out promotional emails or other marketing materials?
– if so, you need to give customers a clear choice
– specific consent for e-mail, text and automated calls
Do you only collect information you use?
– stop collecting any information you no longer need
– dispose securely of any unnecessary information collected
Right of access
– train staff to recognise and deal with a request for access
– encourage customers to check and update the information you hold about them

Future: EU Data Protection Regulation
– New EU Data Protection Regulation (Regolamento Generale Sulla Protezione Dei Dati) that aims to harmonise and strengthen data protection laws across the EU
– Once adopted, the EU Data Protection Regulation will replace the existing Data Protection Directive (including the DPA and Codice In Materia di Protezione dei Dati Personali) and have direct effect in all EU member states
– Currently being negotiated between the Council, the European Parliament and the Commission to agree its final text; likely to be agreed end of 2015/early 2016
– Two-year ‘run in’ period likely to start between June and December 2016
– Likely to be in force between June and December 2018

Thank you
Anna Frankum
Email: [email protected]
Tel: +44(0)20 7457 3205
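The "Cookies in the UK" and "Implied Consent" slides above state the rule set; as an added example that is not part of the presentation, the JavaScript below gates cookie setting on those rules (cookie names, purposes and the Map-based jar standing in for document.cookie are constructed for illustration).

```javascript
// Added example (not from the presentation). Essential cookies are set at once;
// all others wait for consent (explicit, or implied after the notice is shown
// and the user keeps browsing); refusal clears non-essential cookies. The Map
// stands in for document.cookie; names and purposes below are constructed.
const COOKIE_PURPOSES = {              // unknown names take the non-essential path
  session_id: "essential",             // keeps the shopper logged in
  basket: "essential",                 // items placed in the on-line shopping basket
  greet_name: "personalisation",       // greets a returning shopper by name
  analytics_uid: "analytics",          // counts users of the website
  ad_segment: "advertising",           // targets adverts to the user
};
const purposeOf = (name) => COOKIE_PURPOSES[name] || "unknown";

class ConsentGate {
  constructor(jar = new Map()) {
    this.jar = jar;            // name -> value
    this.noticeShown = false;  // banner with a link to the detailed policy displayed?
    this.consent = null;       // null = undecided, true = given, false = refused
    this.pending = [];         // non-essential cookies requested before a decision
  }
  showNotice() { this.noticeShown = true; }
  // Explicit consent, e.g. the user closes the banner or ticks an acceptance box.
  grant() {
    this.consent = true;
    for (const [name, value] of this.pending) this.jar.set(name, value);
    this.pending = [];
  }
  // Refusal: queued cookies are dropped and stored non-essential ones removed.
  refuse() {
    this.consent = false;
    this.pending = [];
    for (const name of [...this.jar.keys()]) {
      if (purposeOf(name) !== "essential") this.jar.delete(name);
    }
  }
  // Implied consent only counts once clear information has been shown and the
  // user then continues (clicks or moves to another page) without refusing.
  userContinued() {
    if (this.noticeShown && this.consent === null) this.grant();
  }
  // Returns true if set now; false if queued (undecided) or dropped (refused).
  setCookie(name, value) {
    if (purposeOf(name) === "essential" || this.consent === true) {
      this.jar.set(name, value);
      return true;
    }
    if (this.consent === null) this.pending.push([name, value]);
    return false;
  }
}
```

In a real site the jar would be document.cookie (or Set-Cookie headers server-side) and showNotice/userContinued would be wired to the banner and navigation events.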