May 30, 2012 – Consortium of Global Companies Announce Consumer Research in Effort to Strengthen Mobile Privacy by Design, Market Watch

As mobile technology evolves, solid privacy design is critical to ensure user understanding and build consumer trust. Today, Create with Context, an independent research and design firm, is releasing results of a wide-ranging study on users’ comprehension and expectations of mobile privacy.

Cookies, Consent, and Compliance in the UK

The EU’s 2009 e-Privacy (“Cookie”) Directive is spreading across member states. To date, twenty out of twenty-seven member states have implemented some form of the cookie law. One of the countries currently grappling with the cookie law is the UK, with its Privacy and Electronic Communications Regulations (PECR), which were amended in 2011 and came into force on May 26, 2012. The new cookie law, which combines the ‘consent principle’ from the Data Protection Directive (DPD) with the technical purview of the e-Privacy Directive, forces website operators to obtain “consent in order to store a cookie on a user or subscriber’s device.”

Previously, online actors in the UK were merely required to provide users and subscribers with the ability to opt-out of cookies, without having to provide much information about those cookies. Now, companies will have to provide clear and separate (from the existing privacy policy) information about cookies as well as solicit consent for their use. The new amendments have, however, led to debates about what constitutes “consent” and how to solicit it from online users.

Under PECR, online companies can rely on implied consent. This means that online companies are merely required to provide users with information about the cookies being used on the site, without requiring the user to take any explicit action. Consent under PECR may diverge from the DPD, which seems to require that consent be communicated by the user, such as by ticking a box. To be clear, continued use of a website after a user or subscriber has been given information about the cookies used on that site can constitute implied consent. This is closer to an opt-out consent strategy.

Online companies in the UK have been working to implement their new cookie-consent strategies ahead of enforcement by the Information Commissioner’s Office (ICO), which officially began this past weekend. While the responsibilities for online companies as set out in PECR have been criticized as vague, the ICO and other actors have provided significant guidance on the matter. The ICO, for example, has released its “Guidance on the Rules on the Use of Cookies and Similar Technologies,” which helps define “consent,” the responsibilities that online companies now face, and “practical advice for those trying to comply.”

Despite the push to assist companies in implementing a cookie-consent strategy, many UK companies have found it difficult to contend with the new regulations. The difficulty stems from the legal subjectivity of PECR and from technical obstacles, which include the large number of cookies used on most websites and the varying applications of each cookie (some of which are essential for website functionality).

The ICO, which has the ability to impose penalties as high as £500,000, has taken an openly lenient approach to enforcement because of the difficulties that UK companies are facing in ensuring compliance. According to Dave Evans, group manager at the ICO, if a company can show that it has “taken some steps already” or that “they’ve got a realistic plan at the end of which they’ll be able to say they’ve achieved compliance,” the ICO will not pursue monetary penalties.

It will be interesting to follow how UK companies work to comply with the new cookie law and develop their consent policies and cookie notices over the next few months.


Julian Flamant

May 26, 2012 – Bill would bar employers from accessing workers' online accounts, Chillicothe Gazette

A bill was introduced at the Ohio State house this week that would prevent an employer from asking for access to see private interactions on Facebook and elsewhere online.

May 25, 2012 – US Not Unique In Government's Level of Access To Cloud Data, World News

Since the advent of the Patriot Act, there has been the long-held assumption that the United States government is afforded much more access to cloud data than other governments.

EU Data Protection Reform: Draft Calendar

Green MEP Jan Philipp Albrecht has released a draft calendar of action points for the EU Data Protection Reform. Mr. Albrecht, the European Parliament Rapporteur assigned to the Data Protection Reform, released the draft calendar ahead of next week’s Workshop on the Proposed Data Protection Regulation to be held by the Civil Liberties, Justice and Home Affairs Committee (LIBE).

The calendar, which will need to be approved by the other committees involved, indicates that the Parliament may not enter into a “trilogue” (an informal discussion aimed at finding agreement on package amendments) with the Council and Commission until the summer of 2013.

The Parliament’s first public consideration of the draft regulation, a workshop hosted by the LIBE committee, will take place on Tuesday, May 29th, from 15:00 to 18:30 in Brussels.

Below is a copy of Mr. Albrecht’s draft calendar:

May 23, 2012 – Study: Patriot Act Gives US Government No Special Access to Cloud Data, PC World

An often-repeated concern that the U.S. Patriot Act gives the U.S. government unequaled access to personal data stored on cloud services is incorrect, with several other nations enjoying similar access to cloud data, according to a study released Wednesday.

Swire Blog Post on TAP

Check out FPF Senior Fellow Peter Swire’s latest blog post on Technology, Politics, Academics (TAP) available here.

Swire recaps the recent Congressional Internet Caucus event “New Internet Privacy Legislation: What the White House, Federal Trade Commission and the European Commission are Recommending.” The event began with a presentation by Maneesha Mithal (FTC) and then transitioned to a panel discussion; Swire was a panelist in the event, and the panel was moderated by FPF co-chair Christopher Wolf.

The audio from the event is available here.

May 17, 2012 – Congressional Internet Caucus Talks Privacy, TAP

On May 14, the Advisory Committee to the Congressional Internet Caucus hosted a lunch discussion to a standing-room crowd, entitled “New Internet Privacy Legislation: What the White House, Federal Trade Commission and the European Commission are Recommending.”

May 11, 2012 – Analyst: App Developers Need to Lead the Way in Mobile Privacy, WebProNews

The debate surrounding mobile privacy is really heating up as smartphones become more ubiquitous. Consumers are growing dependent on their mobile devices, and are taking advantage of the hundreds of thousands of apps that are available to them.

Consent and Cookies: How Will the ePrivacy Directive Change Online Business Practices?

The Online Trust Alliance hosted a webinar this week to consider how companies are preparing for the European Union’s new “ePrivacy Directive”. The 2009 amendment is set to be implemented in the United Kingdom on May 26th and will affect online companies’ ability to access and collect user information. In particular, the Directive will change information practices for companies that provide services to users within the EU by requiring that “the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information”.

The new formulation of “consent” has led some companies to wonder whether they can rely on implied user consent or must obtain explicit user consent before collecting or accessing data on a user’s terminal equipment. Implied consent suggests that tools like browser settings, which can be set to allow for behavioral tracking, suffice in establishing a user’s willingness to provide information. Explicit consent, by contrast, refers to a situation in which users must allow their data to be collected through express action before their information can be collected.

Colin O’Malley, Chief Strategy Officer at Evidon, indicates that a company’s consent-procurement responsibilities depend on which EU Member State it is based in. This is because the ePrivacy Directive has been, and will continue to be, implemented differently across member states. For example, France and Greece already require companies to obtain opt-in (explicit) consent, while the UK and Germany consider that consent can be established using browser settings (implied). These laws vary further when a cookie (a tool used to store information on a user’s computer) is used, depending on the purpose of that cookie.

Differences in member state implementation have led to some operational confusion among companies.

Mr. O’Malley corrects some broad misunderstandings regarding consent requirements in the EU to clarify potential compliance issues. First, despite being nicknamed “the cookie directive”, the ePrivacy Directive does not only affect the use of website cookies. Instead, the Directive’s provision on consent applies to all collection practices that store or access data on a user’s terminal equipment.

Second, the use of a separate ‘pop-up’ window is not necessary to gain explicit consent from users; in most cases consent buttons can be placed directly on a webpage. Finally, the amended Directive does not explicitly state that companies must obtain consent before setting a browser cookie; this is an interpretation that has emerged because cookies are commonly used for data collection purposes.

Mr. O’Malley suggests four steps to ensuring that your company is compliant or can become compliant with the EU legal regime.

First, “audit your website”. This means knowing what is on your site: who is using your site to collect information, what information they are collecting, and how frequently they are collecting it. Second, “assess intrusiveness” of the technology used (cookies, Flash, etc.), whether it can be easily identified by users, and whether the data collection is actually necessary.

Third, “determine your consent strategy” by identifying the implications of data collection. This will, for example, require you to weigh the usefulness of the data against the intrusiveness of its collection. Some sectors or business models treat data collection as an operational imperative (e.g. ad-supported businesses), while others can suffer from overly intrusive collection practices. Finally, the amount of overhead that you are willing to dedicate to maintaining your consent policy will influence your strategy. Some businesses will be willing to carry a higher risk of non-compliance to limit internal technology costs.

Fourth, “deploy your consent model”. Your model should accommodate your company’s compliance needs and available resources. While this can be developed internally, you can consider using a technology provider who will be more familiar with the data-collection landscape. Finally, consider restricting your own data collection practices, not only those of third parties, because they too are subject to the Directive’s provisions.
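The four steps above can be carried through in code. The following is an added example, not code from the webinar or from Evidon: a cookie registry standing in for the audit output of steps one and two, a parser that checks what is actually set on a page against that registry, and a consent gate for step four that holds back non-essential cookies until consent exists under either an explicit (opt-in button) or an implied (notice shown, then continued use) strategy, as the post describes. The cookie names, purposes and the cookie string are constructed for illustration, and the cookie store is injected so that the same code runs against an in-memory jar here or document.cookie in a browser.

```javascript
// Added example (not from the original post). Names and the sample cookie
// string below are constructed; the store is injectable (document.cookie in a
// browser, an in-memory jar here).

// Steps 1 and 2: the audit result. Every cookie the site sets, its purpose,
// and whether it is strictly necessary for the service the user requested.
const COOKIE_REGISTRY = {
  sessionid: { purpose: 'login session', essential: true },
  csrftoken: { purpose: 'request-forgery protection', essential: true },
  _ga:       { purpose: 'analytics', essential: false },
  ad_id:     { purpose: 'behavioural advertising', essential: false },
};

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookieHeader(str) {
  const out = {};
  for (const part of str.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

// Audit: compare the cookies actually present with the registry. Anything
// "unknown" is a cookie the site cannot give clear information about.
function auditCookies(cookieStr) {
  const present = Object.keys(parseCookieHeader(cookieStr));
  const known = n => Object.prototype.hasOwnProperty.call(COOKIE_REGISTRY, n);
  return {
    essential: present.filter(n => known(n) && COOKIE_REGISTRY[n].essential),
    nonEssential: present.filter(n => known(n) && !COOKIE_REGISTRY[n].essential),
    unknown: present.filter(n => !known(n)),
  };
}

// Steps 3 and 4: the consent model. strategy is 'explicit' (the user must
// click a consent button on the page) or 'implied' (a notice is shown and a
// further page view after it counts as consent).
class ConsentGate {
  constructor(strategy, store) {
    this.strategy = strategy;
    this.store = store;        // object with set(name, value); injected
    this.noticeShown = false;
    this.consented = false;
    this.deferred = [];        // non-essential cookies held back pending consent
  }
  showNotice() { this.noticeShown = true; }
  acceptButtonClicked() { this.consented = true; this.flush(); }
  pageViewed() {
    if (this.strategy === 'implied' && this.noticeShown) {
      this.consented = true;
      this.flush();
    }
  }
  hasConsent() { return this.consented; }
  // Essential cookies are always set; non-essential ones wait for consent.
  setCookie(name, value) {
    if (!Object.prototype.hasOwnProperty.call(COOKIE_REGISTRY, name)) {
      throw new Error('cookie ' + name + ' is not in the audit registry');
    }
    if (COOKIE_REGISTRY[name].essential || this.consented) {
      this.store.set(name, value);
      return true;
    }
    this.deferred.push([name, value]);
    return false;
  }
  flush() {
    for (const [n, v] of this.deferred) this.store.set(n, v);
    this.deferred = [];
  }
}

// In-memory store used for the stand-alone run; a browser store would write
// document.cookie instead.
function memoryStore() {
  const jar = {};
  return { jar, set(n, v) { jar[n] = v; } };
}
```

The registry is the artefact that makes the rest work: a cookie that is not in it cannot be described to the user, so the gate refuses to set it rather than silently letting it through. Under the explicit strategy a page view changes nothing, which is the distinction between the two consent models the post draws.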

Mr. O’Malley asserts that there are currently no examples of consent that follow “the letter of the law” as laid out in the ePrivacy Directive. This means that companies will need to rework their consent strategies as member states continue to implement the ePrivacy Directive. Website operators will find it increasingly difficult to use ‘cookies’ and other forms of terminal-based data collection, leading to industry concerns about how the ePrivacy Directive will affect online business in the EU and globally.

Interested readers might also examine the UK Information Commissioner’s Office guidance on the new “cookie regulation” and the International Chamber of Commerce UK cookie implementation guide. Also visit the DataDial blog for cookie law implementation ideas.


-Julian Flamant