European Privacy Legislation: A Primer
TRANSCRIPT
CNIL
Vincent Toubiana
18 February 2015
Agenda
Cookies, tracking functionality and the law
The role of CNIL, the French data protection authority
Compliance issues
Context and Scope of Legislation
Individual privacy protection.
An EU directive implemented at the national level.
In France: Article 32-II of the Act of 6 January 1978:
Clear, informed consent required
Broadly framed to cover all technical methods
Interpretation guidelines are provided at the national level (in France, CNIL is the competent authority)
A business trust issue
A consultative approach to find pragmatic solutions that protect individual privacy while promoting the digital economy
What technologies are covered?
All tracking technologies:
Reading and setting HTTP cookies
“Flash” cookies
Invisible pixels (web bugs / beacons)
Application, OS and hardware identifiers
“Fingerprinting”
All media:
Browsing a web site
Reading an email
Installing or using software and mobile apps
All devices: computers, tablets, smartphones, smart TVs, connected game consoles, etc.
What cookies are affected?
Certain cookie types are exempted: when they are strictly necessary for the service to work.
Examples:
Basket cookies
Language option cookies
Authentication cookies
Analytics cookies under certain conditions (ability to opt out, for anonymous statistics gathering only, etc.)
Informed consent is required for other cookies.
Examples:
Targeted advertising
Analytics (with some exceptions)
Social networks
Who is concerned by consent collection?
Publishers of Internet sites and mobile apps
Third-party service providers
Examples:
Web Analytics vendors
Advertising networks
Social networks
How to obtain consent on the Internet?
“Consent must be a positive, informed choice”
No consent, no cookie
Two-step mechanism (for each site):
1. An information banner. Example:
By continuing to use this site you accept the use of cookies to offer targeted advertising and measure usage statistics.
To learn more and to configure my cookie settings
2. Clicking on the link offers choices for consent.
Don’t set cookies (or use fingerprinting) until the user has continued using the site.
Continuing to use the site can take the form of a click on an item in the page (not necessarily the “OK” button).
In general, the browser options are not sufficient.
Do not make access to the site conditional on accepting cookies.
Maximum cookie lifespan of 13 months, not renewed at each visit.
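The two-step mechanism above, as an added example that is not CNIL's code: tags fire only after the visitor has made a choice, the choice is recorded per cookie "family" (which also covers the per-family opt-out the tag-manager slide asks for), and the consent record expires after 13 months without being renewed on each visit. The cookie name, family names and loader callbacks are assumptions.

```javascript
// Added example, not CNIL's code: a consent gate that fires tracking tags only
// for the cookie "families" the visitor accepted and records that choice for
// 13 months without renewing it. Cookie name, families, loaders are assumptions.
const CONSENT_COOKIE = 'cnil_consent';
const FAMILIES = ['analytics', 'ads', 'social'];
// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}
// "ads:1,analytics:0,social:1" -> { ads: true, analytics: false, social: true };
// null when absent, malformed or incomplete, i.e. no valid consent has been given.
function parseConsent(value) {
  const choices = {};
  for (const pair of (value || '').split(',')) {
    const [family, flag] = pair.split(':');
    if (!FAMILIES.includes(family) || !['0', '1'].includes(flag)) return null;
    choices[family] = flag === '1';
  }
  return FAMILIES.every((f) => f in choices) ? choices : null;
}
// The consent record expires 13 months after the choice was made.
function consentExpiry(now) {
  const d = new Date(now.getTime());
  d.setUTCMonth(d.getUTCMonth() + 13);
  return d;
}
// Cookie string for a fresh choice. Call it only when the visitor actually chooses
// (banner click or settings page), never on a routine load, so expiry is not pushed back.
function buildConsentCookie(choices, now) {
  const value = FAMILIES.map((f) => `${f}:${choices[f] ? 1 : 0}`).join(',');
  return `${CONSENT_COOKIE}=${value}; Expires=${consentExpiry(now).toUTCString()}; Path=/; SameSite=Lax`;
}
// Families whose tags may fire; no consent cookie means none ("no consent, no cookie").
function allowedFamilies(cookieHeader) {
  const choices = parseConsent(parseCookies(cookieHeader)[CONSENT_COOKIE]);
  return choices ? FAMILIES.filter((f) => choices[f]) : [];
}
// Run only the tag loaders (analytics tag, ad tag, social buttons) that were accepted.
function fireTags(cookieHeader, loaders) {
  const fired = allowedFamilies(cookieHeader).filter((f) => typeof loaders[f] === 'function');
  fired.forEach((f) => loaders[f]());
  return fired;
}
```

On a first visit the page shows the banner and fireTags fires nothing; the site writes the result of buildConsentCookie once the visitor makes a choice (any click on the page counts, as the slide notes) and calls fireTags on every later load.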
Web sites and functionality concerned
(Slide shows a screenshot of the CNIL page “Web sites, cookies and tracking technologies”: What does the law say? Your obligations; Declare a database / list; CNIL templates; Tools and source code for Web Analytics, Social buttons and Advertising; Test your site with Cookieviz. Legend: consent functionality is integrated / requires consent.)
Web analytics exempted
In order to be exempted, a Web analytics tool must meet 5 conditions:
Information is provided in the site's conditions of use (not necessarily a banner);
The user must be able to opt out easily;
Web analytics must be the only use: no cross-referencing with other data or processes. The cookie must be limited to a single publisher and not used across different sites;
No geolocation more granular than the town level; the IP address must be suppressed or anonymised;
Cookies must have a lifespan of at most 13 months and any data collected must be held for 13 months maximum.
Compliant Web analytics tools
AT-Internet: Under discussion
Exempted -> no consent required;
certain points remain to be validated.
Piwik: OK
Exempted -> no consent required
No data crossed.
Google Analytics: Consent required (Google crosses data)
CNIL offers a tag on its site with the following functionality:
– Blocks cookies at the first visit,
– Requests consent,
– Provides the means to opt out.
Compliant sharing buttons
“Like”, “Tweet”, and “+1” buttons are used by social networks to track which pages users are visiting.
Recommended tool: “Social Share Privacy”
– Sends no information to third parties before activation,
– Only requires a small modification to the page,
– Look and feel of buttons can be tailored,
– Available as a plug-in for the major CMSes (WordPress, Drupal, Typo3),
– Otherwise as a jQuery module.
Learn more: http://panzi.github.io/SocialSharePrivacy/
Tag managers
A global solution for the site:
• Consent is requested once for all cookies
• Ability to opt-out by “family” of cookies
• Blocks tags from firing and asks for consent (Like, Analytics, Consent)
Paid solutions:
• Note: Some solutions are not yet compliant (they install opt-out cookies that carry identifiers)
Free solutions: “Cookie-Cuttr”, “Tarte-Au-Citron”
Note: Be careful with the terms and conditions of third-party solutions (what is compliant today may not be tomorrow)
(Slide shows an example banner: “This site uses cookies for analytics, ad serving, and social networks. Learn More”, with Refuse Analytics / Refuse Ads / Refuse Social buttons.)
From compliance to enforcement
Since 2014, CNIL has been responsible for enforcement nationally.
First actions at year end 2014.
We’ve seen up to 350 cookies per site!
Some examples of what is not compliant:
No free consent,
Many cookies set before consent (when landing on the page).
Compliance is often very simple to achieve (using the recommended tools).