Cookie Regulations and the New EU Cookie Law

Dec 7, 2013



Cookie Regulations and
the New EU Cookie Law
Drupal Camp Alpe-Adria, April 2013
Igor Kolar, Janez Urevc


// todo

We will explain the new EU cookie directive and show what it means in practice. We will present the Information Commissioner's opinion on the topic and help you spot and overcome problems before they arise.

We will also show Drupal modules that can
make your life with cookies easier.


What happened

Directive on Privacy and Electronic
Communications (2002/58/EC)

Amended by the Data Retention Directive
(2006/24/EC)

And then by Directive 2009/136/EC, which added the Article 5(3) requirement for cookie opt-in

To be implemented by 25 May 2011; almost everyone but the UK was late. The UK regulation went into force in May 2012, and problems arose


What does this 'opt-in' mean?

Depends on what your privacy commissioner thinks

UK: “not going beyond implied consent” (opt-out)

SI: prior informed consent (opt-in) for non-existential cookies

But "existential" cookies cover pretty much everything except ads, GA (Google Analytics) and share-everywhere widgets

U.S.-style DNT (Do Not Track) is insufficient


Existential cookies in SI

Load balancing

Shopping cart

User authentication

Security

Audio/Video, including flash and DRM cookies

Page customization (language, features, ...)

Social media embeds (!)


Non-existential

Analytics

Ads, particularly via third-party ad networks that might (will) use behavioural tracking

Disqus, Issuu, Scribd

Other stupid widgets


Getting consent

DNT does not suffice because it can be on by default rather than an explicit user choice (see the IE drama)

Provide a clear privacy policy listing all the cookies you use, and keep it updated

In SI, you should ask explicitly for every non-existential cookie, and make sure to provide information on what that cookie will be used for

Best done during registration, or in user preferences for existing users

Use splash screens (!) or header/footer bars otherwise


Caveat

You may not set cookies in SI before you get consent (you can in the UK)

If the user refuses, the site has to work without cookies, or redirect to javascript:history.go(-1) or to http://yahoo.com

You may NOT save a cookie indicating that consent was refused, unless you get consent for that cookie first

User flushed that cookie? Do it again.
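The consent flow from the "Getting consent" and "Caveat" slides, as an added example that is not code from the slides or from any Drupal module: essential ("existential") cookies may always be written, every non-essential cookie needs a prior explicit opt-in for its purpose, and a refusal is kept in memory only, never stored as a cookie. The purpose keys, the cookie registry and the in-memory cookie jar are assumptions made for this example; a browser build would swap the jar for a thin wrapper around document.cookie.

```javascript
// Added example, not code from the slides: a consent gate following the SI
// rules described above. Essential cookies are always allowed; non-essential
// cookies need an explicit per-purpose opt-in; refusals are never persisted.

// Purposes the slides list as essential in SI. The purpose keys themselves are
// an assumption of this example, not names from the slides or any regulation.
const ESSENTIAL_PURPOSES = new Set([
  "load-balancing", "shopping-cart", "authentication", "security",
  "media-playback", "customization", "social-embed",
]);

// In-memory stand-in for document.cookie so the example runs offline under
// Node. A browser build would replace this with a wrapper around document.cookie.
class MemoryCookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value, attrs = {}) { this.cookies.set(name, { value, ...attrs }); }
  get(name) { const c = this.cookies.get(name); return c ? c.value : undefined; }
  names() { return [...this.cookies.keys()]; }
}

class ConsentGate {
  // registry maps cookie name -> { purpose, description }; it is the same list
  // the privacy policy has to publish.
  constructor(jar, registry) {
    this.jar = jar;
    this.registry = registry;
    this.consent = new Map(); // purpose -> true/false, held in memory only
  }

  // Record the user's decision for one non-essential purpose. A refusal stays
  // in this.consent only: the slides say a "consent refused" cookie would
  // itself need consent first, so nothing is written to the jar here.
  decide(purpose, granted) {
    if (ESSENTIAL_PURPOSES.has(purpose)) {
      throw new Error(`"${purpose}" is essential; no consent decision applies`);
    }
    this.consent.set(purpose, granted === true);
  }

  // Write a registered cookie. Returns true if written, false if the cookie is
  // non-essential and the user has not explicitly opted in. An unanswered
  // prompt counts as no consent (opt-in, not opt-out).
  setCookie(name, value, attrs = {}) {
    const entry = this.registry[name];
    if (!entry) {
      throw new Error(`unregistered cookie "${name}": add it to the policy first`);
    }
    const allowed = ESSENTIAL_PURPOSES.has(entry.purpose)
      || this.consent.get(entry.purpose) === true;
    if (!allowed) return false;
    this.jar.set(name, value, attrs);
    return true;
  }

  // Rows for the cookie table of the privacy policy: every registered cookie,
  // its purpose, and whether it needs an opt-in.
  policyRows() {
    return Object.entries(this.registry).map(([name, { purpose, description }]) => ({
      name,
      purpose,
      description,
      requiresConsent: !ESSENTIAL_PURPOSES.has(purpose),
    }));
  }
}

// Constructed sample registry for a small site (names and descriptions are
// made up for this example).
const SAMPLE_REGISTRY = {
  SESSID: { purpose: "authentication", description: "Keeps you logged in" },
  lang:   { purpose: "customization",  description: "Remembers your language" },
  _ga:    { purpose: "analytics",      description: "Analytics visitor id" },
  ad_seg: { purpose: "advertising",    description: "Ad network audience segment" },
};

// Walk through one visit: essential cookie first, then a non-essential cookie
// before and after the opt-in, then a refused one. Returns the outcomes.
function demo() {
  const jar = new MemoryCookieJar();
  const gate = new ConsentGate(jar, SAMPLE_REGISTRY);
  const r = {};
  r.session = gate.setCookie("SESSID", "s1", { secure: true }); // true: essential
  r.gaBeforeConsent = gate.setCookie("_ga", "GA1.2.1");         // false: no opt-in yet
  gate.decide("analytics", true);
  r.gaAfterConsent = gate.setCookie("_ga", "GA1.2.1");          // true
  gate.decide("advertising", false);
  r.adRefused = gate.setCookie("ad_seg", "42");                 // false
  r.cookiesPresent = jar.names();                               // ["SESSID", "_ga"]
  // Nothing outside the registry (such as a "refused" marker) ever reaches the jar.
  r.refusalPersisted = jar.names().some((n) => !(n in SAMPLE_REGISTRY)); // false
  return r;
}

console.log(demo());
```

Because the refusal lives only in memory, a returning visitor who refused will be prompted again on the next visit; that is the behaviour the "User flushed that cookie? Do it again." slide describes, and the price of not storing a refusal cookie without consent for it.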


Enforcement

You could get reported, or the Commissioner may pursue the matter on their own

Trivial to prove

Penalties:

Up to €20k for medium and large enterprises


€200-1000 for small enterprises or sole proprietors (s.p.)


€100-500 for the person responsible


Long-term solutions

General Data Protection Regulation, replacing the current (old) EU Data Protection Directive 95/46/EC

To add coverage of social media and cloud services

Adoption in 2014, enforcement in 2015/16

One-stop shop / single jurisdiction. Move your company to Ireland and all EU privacy affairs are handled by their “business-friendly” commissioner

Lobbying money doing work


Recommendations

Remove all bullshit extensions by June 15th

Switch to your own analytics service

Get permission for Ad cookies for now, and
hold out until the new Regulation kicks in

Be doubly sure to do this if you work for the Government, are a Government contractor or otherwise accept public money


?