Cookie Compliance: A Practical Guide

Upload: iab-netherlands

Post on 12-May-2015

Table of contents

1. Introduction

2. Cookie Compliance Guide

A. Cookie inventory
   1. Identifying cookies
   2. Cookie impact assessment
   3. Cookie categorisation

B. Compliance path
   1. Risk assessment
   2. Information obligation in practice
   3. Methods for obtaining consent
   4. Demonstrating that you are not processing personal data

APPENDICES:

A. The new ‘cookie regulations’
B. Enforcement and fines in case of non-compliance
C. For whom are the cookie regulations important?
D. Legal definitions
E. The Dutch Data Protection Act
F. Fact sheet SOLV

1. Introduction

Summary

On 5 June 2012, the new Dutch Telecommunication Legislation became effective, implementing Article 11.7a (hereafter called the “Cookie Provision”). What does this Cookie Provision mean concretely? With the implementation of the Cookie Provision, stricter rules apply to the use of cookies. In short, this means that in certain cases an information obligation and a consent obligation have to be complied with.

Scope

The new Cookie Provision applies to the placing of, or obtaining access to, data on the auxiliary equipment of the user. No distinction is made as to the nature of the data. For readability we refer to “cookies” in this document, but this encompasses all technology that is used to store data on the auxiliary equipment of a user. Besides the various types of cookies, this therefore also concerns installed apps and/or plug-ins, information stored in Web Storage, screen size, OS, browser type, device fingerprinting, etc.

Responsibility

The obligations based on the Cookie Provision rest on whoever is responsible for placing cookies and for obtaining access to the stored data. In short: if you supply an online service and place cookies in doing so, in principle you will have to comply with the obligations included in the Cookie Provision.

The obligations do not always rest solely on the party responsible for the service requested or the site visited by the user. A third party may also place cookies via your website, for example because another site is displayed via your site, in which case that third party must comply with the obligations as well. In view of the shared responsibility for complying with the obligations, it is advisable to collaborate on this.

What is the objective of this guide?

This Cookie Compliance Guide provides you with a tool with regard to the new Cookie Provision. The objective of this Guide is to map the process you must follow in order to comply with the obligations from the Cookie Provision. This Guide does not, however, provide specific advice on how you must implement the various steps (this will vary per company). Since at the time of writing many uncertainties remain on the exact interpretation of the Cookie Provision, this document has the status of a “live” document: as more becomes clear on the interpretation of the Cookie Provision, this document will be modified.

For whom is this guide intended?

This Guide is intended for everyone who has a website and wants to become compliant with the new legislation. It is not intended as a technical manual for web developers.

On the authors

This document was formulated by assignment of the IAB by:

AUKE VAN DEN HOUT
Auke van den Hout is responsible for the privacy portfolio with the Management of IAB. He is co-founder of Adatus, the European market place for ‘audience targeting’, and has over 15 years’ experience in data-driven advertising in Europe.

EMAIL: [email protected] / TEL: +31 854010802

ROEL VAN RIJSEWIJK
Roel van Rijsewijk is Director at Deloitte with over 10 years’ experience in consulting media and technology companies in the field of risk management and compliance. Roel is co-founder of Deloitte Online Business Innovation and leads the innovation programme in the field of confidence in the digital world.

EMAIL: [email protected] / TEL: +31 652615087

This Cookie Compliance Guide was developed with the utmost care, taking into account as well as possible the legal regulations set out by or by virtue of the Dutch Telecommunication Act and the Dutch Data Protection Act. Despite that, this document may contain inaccuracies or deficiencies, and no rights can be derived from the Guide. Neither the IAB nor the makers of the Guide are liable for possible inaccuracies and/or deficiencies. Since, apart from this, the exact meaning of these regulations always depends on the circumstances of the case, which could not be taken into account during the development of this Cookie Compliance Guide, the use of this Cookie Compliance Guide is always fully at the risk of the user.

2. Cookie Compliance Guide

A. Cookie inventory

1. IDENTIFYING COOKIES

Introduction

In order to comply with the obligations included in the Cookie Provision, it is important to start by making an inventory of which types of cookies – and comparable techniques – your website places and/or which types of cookies are possibly placed by third parties. This phase therefore consists of identifying the types of cookies.

Why?

• It clarifies which obligations from the Cookie Provision you will have to comply with.
• It provides insight into the way in which your business operations will be affected by the new Cookie Provision.
• It makes it easier to comply with the information and consent obligations.
• You make it known to the supervising authorities that you are aware of the issues related to the Cookie Provision and that you are willing to work on them.

For the benefit of a thorough inventory, we advise you to answer the following questions.

1. Which types of cookies are used on my website and who places them?
2. Why are the cookies being used?
3. Is it a persistent or a session cookie?
4. Is the cookie used over several connected websites or is it only used on one single domain?
5. To which data does the cookie refer / which data does the cookie contain?
6. How long is the data that the cookie refers to being stored?

The questions are discussed step by step below.

Step 1. Which cookies are placed by whom?

• Identify which cookies are used on your website.
• Pay attention to cookies that you yourself have placed on your website (First Party Cookies).
• Identify which cookies have been placed on your website by third parties. Pay attention to cookies that are placed by, for example, social networks and advertising networks (Third Party Cookies).
• Do not forget to identify the Flash cookies used!

Tips

• There are tools available that can be helpful in analysing the use of cookies on your website – mostly in the form of plug-ins for your browser.
• Review all parts of your website that could potentially place cookies, both by yourself and by third parties. Pay special attention to the integration of external scripts, such as the Like button of Facebook, the +1 of Google, etc.

Step 2. Objective

In this step it is important to indicate, per cookie, the objective for which the cookie is placed.

In order to help you with your investigation, you may ask, among other things, the following questions:

• Was the cookie placed in order to remember the products in the shopping cart?
• Do the cookies see to it that the contents of the page are loaded faster?
• Are the cookies used because of certain security requirements?
• Is the data used/read by third parties, and why?
• Are the cookies used in order to recognise a returning user and welcome him/her back to the website?
• Is data on the use of the website, such as the number of unique visitors, collected by means of the cookie?

Step 3. Life-span

• Indicate per cookie whether it concerns a session cookie or a persistent cookie.
• Identify how long the cookie is stored.

Step 4. Number of websites

• Indicate per cookie whether it is used in order to collect information from several websites, and if so, what information that is.
• Establish whether cookies that are used on several websites have the same functionality everywhere, or whether the functionalities differ.

Step 5. Which data does the cookie refer to?

In this step you investigate which type of data the cookie contains and/or to which data the cookie refers.

• Does the cookie itself contain personal data?
• Which other data is stored in the cookie itself?
• Establish to which data the cookie refers in your own environment and databases.
• Record which data is collected from the users in the databases.
• Establish which other data from other databases can be linked to this.

Step 6. Storage term

Besides the life-span of the cookie itself, you must establish how long the data to which the cookie refers will be stored.

• Establish which procedures apply for the destruction of user data within the various databases.
• Establish whether in practice these procedures are complied with.

Tips for identifying cookies

• See to it that you analyse the use of cookies on all pages, in each phase during which your user is on your website.
• Ascertain that you have a complete overview of all websites and webpages for which you are responsible.
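To make Steps 1, 3 and 4 concrete, the following is an added example in JavaScript (Node), not code from the IAB guide or from the browser plug-ins it mentions: it parses the Set-Cookie headers observed during a visit and classifies each cookie as first- or third-party, session or persistent, with its life-span in days and the domain scope it is sent to. The hosts, cookie names and values are constructed for the example; the two-label base-domain shortcut is an assumption noted in the code (a real inventory would use the Public Suffix List).

```javascript
// Added example (not part of the IAB guide): build a first cookie inventory
// from the HTTP Set-Cookie headers a visit produces and classify each cookie
// for Steps 1, 3 and 4: who sets it, session vs persistent, and life-span.

// Parse one Set-Cookie header value into name, value and attributes.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
// flag attributes without a value (Secure, HttpOnly) are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq >= 0 ? parts[0].slice(0, eq).trim() : parts[0],
    value: eq >= 0 ? parts[0].slice(eq + 1).trim() : '',
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    cookie.attrs[key] = i >= 0 ? attr.slice(i + 1).trim() : true;
  }
  return cookie;
}

// Registrable-domain shortcut: the last two labels of a host name. This is an
// assumption of the example; a real inventory should consult the Public Suffix
// List, because suffixes such as "co.uk" make this shortcut wrong.
function baseDomain(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

// Classify one parsed cookie relative to the site the visitor is on.
// `setBy` is the host whose response carried the header; `now` is the
// reference time used to turn an Expires date into a life-span.
function classifyCookie(cookie, siteHost, setBy, now) {
  const hasDomain = typeof cookie.attrs.domain === 'string';
  const domain = hasDomain ? cookie.attrs.domain.replace(/^\./, '').toLowerCase() : setBy.toLowerCase();
  const party = baseDomain(domain) === baseDomain(siteHost) ? 'first-party' : 'third-party';

  // Max-Age takes precedence over Expires (RFC 6265 section 4.1.2.2); a cookie
  // with neither is a session cookie and has no fixed life-span.
  let lifespanSeconds = null;
  if (typeof cookie.attrs['max-age'] === 'string' && /^-?\d+$/.test(cookie.attrs['max-age'])) {
    lifespanSeconds = Number(cookie.attrs['max-age']);
  } else if (typeof cookie.attrs.expires === 'string') {
    const t = Date.parse(cookie.attrs.expires);
    if (!Number.isNaN(t)) lifespanSeconds = Math.round((t - now.getTime()) / 1000);
  }

  return {
    name: cookie.name,
    setBy,
    party,
    kind: lifespanSeconds === null ? 'session' : 'persistent',
    lifespanDays: lifespanSeconds === null ? null : Math.round(lifespanSeconds / 86400),
    // Without a Domain attribute the cookie is host-only (Step 4: one domain);
    // with one it is sent to every subdomain of that domain.
    scope: hasDomain ? '*.' + domain : setBy,
    secure: cookie.attrs.secure === true,
    httpOnly: cookie.attrs.httponly === true,
  };
}

// Build the inventory for a site from the responses observed during a visit.
// `responses` is a list of { host, setCookie: [header, ...] }.
function buildInventory(siteHost, responses, now) {
  const rows = [];
  for (const res of responses) {
    for (const header of res.setCookie) {
      rows.push(classifyCookie(parseSetCookie(header), siteHost, res.host, now));
    }
  }
  return rows;
}

// Constructed sample visit (hypothetical hosts and values): the site itself
// sets a session cookie and a one-year language cookie; an ad network embedded
// on the page sets a long-lived identifier for its whole domain.
function exampleInventory() {
  const now = new Date('2015-05-12T00:00:00Z');
  const responses = [
    { host: 'www.example.nl', setCookie: [
      'sessionid=abc123; Path=/; Secure; HttpOnly',
      'lang=nl; Max-Age=31536000; Path=/',
    ] },
    { host: 'ads.example-network.com', setCookie: [
      'uid=u-98765; Expires=Thu, 12 May 2016 00:00:00 GMT; Domain=.example-network.com; Path=/',
    ] },
  ];
  return buildInventory('www.example.nl', responses, now);
}

for (const row of exampleInventory()) {
  console.log(`${row.name.padEnd(10)} ${row.party.padEnd(12)} ${row.kind.padEnd(11)} ` +
    `${row.lifespanDays === null ? 'session' : row.lifespanDays + ' days'}  scope=${row.scope}`);
}
```

Feed it the Set-Cookie headers captured with browser developer tools or a proxy for every page and every phase of the visit; the rows are the starting point for the per-cookie objective (Step 2) and storage-term (Step 6) questions, which cannot be answered from the headers alone.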

2. Cookie impact assessment

We advise you – after you have made an inventory of the types of cookies that are being used on your website – to also carry out a cookie impact assessment for reasons of completeness.

The objective of the Cookie Provision is, after all, to provide the internet user with more control over his/her privacy. For that it is important that you gain insight into the impact of the use of cookies on the privacy of website visitors.

By means of this assessment you evaluate the impact of each type of cookie on the privacy of your website user. Subsequently you become aware of the consequences a visit to your website has for a user, and you can take a critical look at the cookies that you are placing.

Assess this impact by completing the following steps.

Step 1. First party cookies

Use the questions and answers from the cookie inventory phase to carry out this cookie impact assessment.

It is important that you regard this impact as a moving matrix (see Figure below).

Step 2. Third party cookies

If cookies from third parties are placed via your website, it is also important to assess to which extent these cookies might violate the privacy of your website users and how this party deals with the information and consent requirements.

FOR THIS YOU CAN:
1. Contact the party concerned to discuss what we advise; and/or
2. Assess the privacy policy of that party.

Place these cookies on the moving matrix of cookie impact as indicated above as well.

[Figure: the moving matrix of cookie impact. Each cookie is placed on a scale running from “Little impact” to “Lot of impact”.]

3. Cookie categorisation

With the results from the inventory phase, you can subdivide the cookies into two categories; these two categories originate from the Cookie Provision.

Category 1

Based on the inventory phase, you can assess whether the type of cookie that you place falls under one of the following exceptions:

• The technical storage of or access to data is only intended to carry out the communication via an electronic communication network. The communication on the website can in some cases only take place by using a cookie. This is for example the case if a language setting is remembered.
• Storage of or access to this data is strictly necessary. The legislator has determined that strictly necessary use of cookies is exempted from the cookie obligations (on the condition that you do not process personal data). An example of this is a shopping cart cookie. It is important that you reason from the perspective of the website user whether certain cookie use is strictly necessary. If this is the case, then these are cookies that, in line with the Cookie Provision, are deemed strictly necessary.

In these cases you do not have to comply with the consent requirement as included in the Cookie Provision, on the condition that you do not process personal data with them.

For the benefit of transparency you might consider informing the user about the placing of such cookies. This does not have to be done via a pop-up or the like, but can also be included in the privacy policy.

Category 2

Should the cookies not fall under the first category, then in principle they are cookies that are not strictly necessary.

For these cookies prior consent is required. In addition, the user should be informed on – among other things – the placing of cookies and the consequences thereof.

Do you make use of client profiling or re-targeting? Then without any doubt you must obtain prior consent from your website users.

Are you in doubt about the category in which a specific cookie should be placed? This will certainly happen, since many issues are still unclear. In order to determine the correct approach, a risk assessment should be carried out as described in the next Chapter.

B. Compliance path

1. Risk assessment

There will be cookies for which it is not completely clear whether their use is deemed strictly necessary and whether consent is therefore needed. In that case we advise you to carry out a risk assessment to be able to choose the correct compliance approach. A compliance approach for these cookies should take into account:

• The importance of the use of a cookie and the data related to it for the organisational objectives.
• The impact of the use of cookies on the privacy of the user.

We offer you the following considerations:

- If the importance of the use of the cookie and the data related to it is low for the organisational objectives, you could consider no longer using this cookie, especially when the impact of the use of the cookie on the privacy of the user is high.

- If the importance of the use of the cookie is high for the organisational objectives and the impact on the privacy of the user is high, explicitly requesting consent is the obvious choice. In your provision of information to the consumer, in that case you also have to indicate very clearly how the data is used, stored, and protected, in addition to a very sound explanation of the importance of the cookie for your organisation as well as the advantages and disadvantages for the consumer when he/she does or does not accept the cookie.

- If the impact on the privacy of the user is negligible and the importance of the use of the cookie for the organisational objectives is high, extra steps can be taken to obtain certainty on the approach, such as consulting experts, testing the approach against standards and against the approach of others that make use of these cookies, and building up a well-founded case.

Now that you know which categories of cookies are placed via your website, you can start determining in which way you will comply with the information obligation and the consent requirement. For this we refer to the following Chapters.

2. Information obligation in practice

This Chapter provides you with tools on the way in which you can comply with the information obligation.

Providing information

The Cookie Provision does not stipulate in which way the website user must be informed. Still, it is clear that the information provided must be unequivocally clear and complete, and given in advance. This means that each website visitor must be informed, prior to the placing of the cookie, on:

1. The fact that a cookie is being placed;
2. By whom a cookie is being placed;
3. What the objective of this cookie is;
4. How long the cookie is stored;
5. Who will obtain access to the data;
6. Whether the cookie will be reused and, if so, by whom.

Making information on the use of cookies transparent

It is by all means insufficient to only describe the use of cookies in your privacy policy. It is important that you can establish that the users have actually taken in the information.

Tips

• See to it that your users cannot evade the information.
• Describe the privacy and cookie policy in simple terms that can be understood by everyone.

Grouping cookies

You do not have to inform your website visitors on each separate use of a cookie; you may also group the use of cookies by type and objective of the cookie.

Advantages of the information obligation

By being completely transparent on the use of cookies on your website, the confidence of your visitor will increase. For a complete provision of information it is wise to add the following to the information:

• Why your website needs these cookies;
• What the advantage is for your website user;
• Make it clear to the user that he/she can revoke the consent given at all times, as well as in which way he/she can do this.

3. Obtaining consent in practice

From the categorisation phase it has become clear for which cookies you must specifically obtain consent. This Chapter clarifies in which way you can comply with the consent requirement.

It goes without saying that obtaining consent is closely related to the information obligation. After all, it should be clear what the user gives his/her consent for. Which method is most suited in practice to obtain consent from your website users depends on the objective of the cookies, how privacy-sensitive the data is, and what the relation with your website visitors is.

There are various methods to point visitors to the presence of the cookies and to inform them in a transparent way. Below a number of examples are summed up:

FEATURE-LED

In the feature-led method, the visitor is requested to give consent when he or she wants to make use of a certain feature. Prior to the use of a certain part of the website (for which cookies must be placed), the visitor can be informed and requested for consent, instead of requesting consent directly upon arrival on the website for all cookies on the complete website.

LOGGING IN

Prior to logging in to a certain part of the website, you can indicate that you intend to place cookies. You can inform the visitor prior to logging in on the use of certain cookies, so that he/she can take an informed decision on giving consent or not.

Attention:

• By no means are you permitted to preset tick boxes to ‘on’. This is not regarded by the legislator as opt-in but as opt-out. With this you would therefore not comply with the requirements of the Cookie Provision.
• See to it that your users can see the information and that you communicate in a transparent way why you are making use of cookies.

DIALOGUE WINDOW

By means of a dialogue window you force the visitor to first make a selection before being able to visit the website that lies behind the window. In this window you inform the visitor and you refer to the privacy policy.

STATUS BAR

You can make use of the status bar to inform the visitor. This can be done both at the top and at the bottom of the page. This status bar informs the users on the cookies that you intend to place, provides access to the privacy policy, and allows visitors to accept the use of the cookies based on the information provided. Since with this type of information a selection is not necessarily enforced before the consumer can continue, you must make sure that you place the status bar at a location where the bar is clearly visible to the user. See to it that no cookies are being used until the user actually explicitly gives his/her consent thereto.

WARNING BAR

A similar method to the status bar method, but this one is more insistently present on your website. Each time the website wants to place a cookie, the warning bar appears. Inform the visitor in this way, link to the privacy policy, and see to it that visitors can accept or refuse the cookies.

SETTING-LED

If the website contains options for the user to select settings, you can also use those settings to switch certain functionalities that require cookies on or off. Visitors can then take an informed decision in the settings to make use of the functionalities and to give consent to place the cookies. Since in this way of informing no prior selection is enforced, you must clearly explain to the user how he/she can give consent via his/her settings.

Points of interest

Proving that you obtained consent

You need consent in order to be able to place a cookie. Realise that you must also be able to demonstrate that you have obtained this consent. See to it that you have a procedure in place for this and record from whom you obtained the consent. Attention: the most user-friendly way to record consent obtained is by means of a cookie!

Third party cookies

In principle, each party that places data must inform the visitor and obtain consent, third parties as well. Instead of obtaining consent separately (your cookies separate from third party cookies), you can also make an agreement with the third party to include a reference to the privacy information of the third party in your provision of information. This means one pop-up less for the visitor. Besides, you can inform the user on how to switch off third party cookies in the browser.

One cookie for several websites

Are you using a cookie for several websites? Do you have various websites linked to each other and are you using the same cookies for those? In order to obtain consent for all websites, you must see to it that you clearly inform the visitor for which websites you wish to obtain consent.

Modification after cookie consent has been obtained

If, after you have obtained consent, you apply modifications to the cookies to be used or purchase new cookie services from third parties, it is possible that you have to obtain consent from your visitor once again. You will have to ask for consent once again if you apply modifications to:

1. The purpose of the cookie that is placed;
2. By whom the cookie has been placed;
3. How long the cookie is being stored;
4. Who will have access to the data;
5. Whether the cookie will be reused and by whom.

Revoking consent

Consent once given can always be revoked. Do not forget to offer visitors the opportunity to simply revoke their consent.
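The consent methods described above (status bar, warning bar, feature-led and setting-led) all rest on the same rules spelled out in this chapter: no non-essential cookie before explicit opt-in, no pre-ticked boxes, a record of the consent obtained (the guide suggests a cookie), fresh consent when the purpose, placer, storage term, access or reuse of a cookie changes, and a simple way to revoke. The following is an added example, not code from the IAB guide, showing that logic in JavaScript; the cookie registry, host names and categories are hypothetical, and the in-memory jar stands in for document.cookie.

```javascript
// Added example (not part of the IAB guide): a consent gate that sets
// non-essential cookies only after explicit opt-in, records the consent in a
// cookie, asks again when the declared cookie facts change, and supports
// revocation. The in-memory jar stands in for document.cookie so the logic
// also runs outside a browser.
function createJar() {
  const store = new Map();
  return {
    set: (name, value, opts = {}) => store.set(name, { value, ...opts }),
    get: (name) => (store.has(name) ? store.get(name).value : null),
    remove: (name) => store.delete(name),
    names: () => [...store.keys()],
  };
}

// Hypothetical registry produced by the inventory and categorisation phases:
// per cookie, the facts the visitor must be told (purpose, who sets it,
// storage term, who has access, reuse) and the category it falls in.
const REGISTRY = {
  sessionid: { category: 'strictly-necessary', purpose: 'keeps you logged in', setBy: 'www.example.nl', retention: 'session', accessBy: ['www.example.nl'], reuse: false },
  stats: { category: 'analytics', purpose: 'counts unique visitors', setBy: 'www.example.nl', retention: '1 year', accessBy: ['www.example.nl'], reuse: false },
  uid: { category: 'advertising', purpose: 'shows interest-based ads', setBy: 'ads.example-network.com', retention: '1 year', accessBy: ['ads.example-network.com'], reuse: true },
};
const CONSENT_COOKIE = 'cookie_consent';

// Version over exactly the facts whose change requires new consent (the five
// points under "Modification after cookie consent has been obtained").
// FNV-1a keeps the consent cookie short; it is a fingerprint, not a security control.
function registryVersion(registry) {
  const facts = Object.keys(registry).sort().map((name) => {
    const c = registry[name];
    return [name, c.purpose, c.setBy, c.retention, c.accessBy.join(','), c.reuse].join('|');
  }).join('\n');
  let h = 0x811c9dc5;
  for (let i = 0; i < facts.length; i++) {
    h = Math.imul(h ^ facts.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h.toString(16);
}

// Form model: every non-essential category starts unchecked, because a
// pre-ticked box is opt-out rather than opt-in.
function consentFormModel(registry) {
  const cats = [...new Set(Object.values(registry).map((c) => c.category))];
  return cats.filter((c) => c !== 'strictly-necessary').map((category) => ({ category, checked: false }));
}

// Stored consent, or null when absent or given for a different registry
// version (then the visitor has to be asked again).
function readConsent(jar, registry) {
  const raw = jar.get(CONSENT_COOKIE);
  if (raw === null) return null;
  let record;
  try { record = JSON.parse(raw); } catch (e) { return null; }
  return record.version === registryVersion(registry) ? record : null;
}

// Record who consented to what, and when; the record itself lives in a cookie.
function recordConsent(jar, registry, acceptedCategories, now) {
  const record = { version: registryVersion(registry), accepted: acceptedCategories, at: now.toISOString() };
  jar.set(CONSENT_COOKIE, JSON.stringify(record), { maxAge: 365 * 24 * 3600 });
  return record;
}

// The gate: strictly necessary cookies may always be set; any other cookie only
// with current consent for its category. Undeclared cookies are refused because
// they are missing from the inventory. Returns whether the cookie was set.
function setCookieIfPermitted(jar, registry, name, value, opts = {}) {
  const decl = registry[name];
  if (!decl) return false;
  if (decl.category !== 'strictly-necessary') {
    const consent = readConsent(jar, registry);
    if (!consent || !consent.accepted.includes(decl.category)) return false;
  }
  jar.set(name, value, opts);
  return true;
}

// Revocation: drop the consent record and every non-essential cookie that was set.
function revokeConsent(jar, registry) {
  jar.remove(CONSENT_COOKIE);
  for (const name of jar.names()) {
    if (registry[name] && registry[name].category !== 'strictly-necessary') jar.remove(name);
  }
}

// Walk-through with constructed data: before consent only the necessary cookie
// is set; after opting in to analytics, stats is set but uid still is not;
// after revocation only the necessary cookie remains.
function exampleFlow() {
  const jar = createJar();
  const before = ['sessionid', 'stats', 'uid'].map((n) => setCookieIfPermitted(jar, REGISTRY, n, 'x'));
  recordConsent(jar, REGISTRY, ['analytics'], new Date('2015-05-12T10:00:00Z'));
  const after = ['stats', 'uid'].map((n) => setCookieIfPermitted(jar, REGISTRY, n, 'x'));
  revokeConsent(jar, REGISTRY);
  return { before, after, remaining: jar.names() };
}
```

In a page, every script that wants to set a cookie goes through setCookieIfPermitted rather than writing document.cookie directly, and the consent form is rendered from consentFormModel so that nothing is pre-ticked. Because the version is derived from the declared facts, editing the registry (for example a longer storage term for stats) silently invalidates old consent records and the bar or dialogue is shown again on the next visit.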

4. Demonstrate that you do not process personal data

From 1 January 2013, the new Cookie Provision will be enforced, under which the use of ‘commercial’ cookies (a cookie that has the objective to collect, combine, or analyse data on the use of various services of the information agency by the user or subscriber for commercial, charitable, or idealistic purposes) will be regarded as the processing of personal data, as a result of which the privacy legislation becomes applicable. Here the legislator has made use of the concept of ‘legal presumption’: you are deemed to process personal data unless you can demonstrate that this is not the case. See Appendix E in case the presumption that you process personal data is justified and you have not made arrangements for this yet. If you find that this presumption is not justified and you are of the opinion that you are not processing personal data, this Chapter describes what you must do.

Demonstrating that you are not processing personal data is not easy. Sound preparation is important so that by the time you need to provide the proof you are not standing empty-handed but can act pro-actively. By following the subsequent steps you will obtain a sound idea of the use of data within the organisation, and you will have your file with proof ready in order to demonstrate that you are not processing personal data.

Step 1. Record in a management statement why you are not processing personal data

Know what you want to demonstrate. Formulate (management) statements in which you indicate why you are not processing personal data. These should also indicate which measures you have taken in order to keep data anonymous.

YOU CAN FOR EXAMPLE STATE:
• The data collected, stored, and edited by [your organisation] cannot be reduced to the individual internet user or computer from which the data originates;

Step 2. Map processes and information flows

Map the relevant processes and information flows in relation to the use of the cookies.

• Which cookies do you use?
• Where does all the information go?
• What sort of information is being collected?
• Who makes use of that information?

By mapping the processes and information flows, you yourself will obtain a clear overview of the organisation of information. This way you make sure that you have taken all information collections into account.

Step 3. Establish how you can demonstrate that it does not concern personal data

What can you show in order to demonstrate that you are not processing personal data? Show for example which data you collect, which measures you have taken to make data anonymous, and what sort of use you make of the data (for example: only for statistical purposes).

Step 4. Carry out a gap analysis

A gap analysis is a method to make a comparison between an existing and a desired situation. Check whether you are not unexpectedly still collecting data that can be reduced to the internet user or computer. Use the information flows and processes as mapped in step 2. Test, by means of the data already collected, whether it can be reduced to a computer or person.

Step 5. If applicable: repair the gaps encountered and report the actual use of data

Should you have established during the previous step that so-called gaps still exist, then try to repair those. Make data anonymous where necessary or take other measures to see to it that you comply with the desired situation. Finally, report on the actual use of data within your organisation so that you can demonstrate that you – if applicable – do not process personal data and therefore, as far as this data is concerned, do not have to comply with the Dutch Data Protection Act.

Appendix A. The new ‘cookie regulations’

The law amendment in short

Based on the new Cookie Provision in the Dutch Telecommunication Act, one should first obtain consent from the user before placing cookies on the computer (or obtaining access thereto).

Information obligation

One should provide the user in advance with clear and complete information on the objectives for which one wants to place or read the cookies.

Consent

The consent should take place in advance and comply with the concept of ‘consent’ as described in Article 1 of the Dutch Data Protection Act: it should be a free, specific, and information-based expression of will. Consent does not have to be given separately for each individual cookie by the various parties. The user must be able to revoke this consent at all times.

“Consent: a free, specific and information-based expression of will with which the party involved accepts that personal data concerning him is processed.”

Exception to the rule: strictly necessary cookies

The information obligation and the consent requirement of the Cookie Provision do not apply if the cookies are strictly necessary. You should thereby reason from cookies that are strictly necessary for the website user and not for you as the person/entity responsible for the website.

Article 11.7a

1. Without prejudice to the Dutch Data Protection Act, anyone who wishes to obtain access by means of electronic communication networks to data that is stored on auxiliary equipment of a user and/or wishes to store data on the auxiliary equipment of the user shall: a. provide the user with clear and complete information in accordance with the Dutch Data Protection Act, and at least on the purposes for which one wishes to obtain access to the respective data and/or for which one wishes to store data, and b. have obtained consent from the user for the respective action. An action as intended in the preamble that has the objective to collect, combine, or analyse data on the use of various services from the information company by the user or the subscriber for commercial, charitable, or idealistic objectives, is assumed to be a processing of personal data as intended in Article 1, sub b, of the Dutch Data Protection Act.

2. The requirements mentioned in the first Section, sub a and b, also apply in case it is arranged in a different way than by an electronic communication network that via an electronic communication network data is stored or access is provided to the data stored on the auxiliary equipment.

3. What is determined in Sections one and two does not apply, in as far as it concerns the technical storage of or access to data with the exclusive objective to: a. carry out the communication via an electronic communication network, or b. the service to be supplied by the information company requested by the subscriber or user and the storage of or access to data thereto is strictly necessary.

4. By means of an Order in Council, in agreement with Our Minister of Safety and Justice, further regulations can be issued with regard to the requirements mentioned in the first Section, sub a and b. The Dutch Data Protection Authority will be requested to advise on a draft of the intended Order in Council.

Appendix B. What if you do not comply with these regulations?

Enforcement OPTA

OPTA can impose a maximum penalty of € 450,000 per violation of the Dutch Telecommunication Act and decide to impose a burden under penalty.

Enforcement CBP

If personal data is processed with the text files to be placed or to be read, then you are also confronted with the Dutch Data Protection Act, whereby the Data Protection Authority (CBP) is the enforcing authority.

Civil penalties

If you, for example, do not report data processing to the CBP or to an officer for data protection, the Authority can impose a civil penalty of at most € 4,500. When determining the height of the penalty, the culpability, the seriousness, and the duration of the violation are taken into account.

Burdens and civil enforcement

If in the judgment of the CBP the obligations as set forth in the Dutch Data Protection Act are violated, the CBP can decide to impose a burden under civil enforcement or a burden under penalty. First a preliminary investigation by the CBP will have to take place. The violator will then be granted a term to undo the respective violation before a burden under civil enforcement or a burden under penalty is imposed.

Appendix C. For whom are the cookie regulations important?

It is important that all stakeholders are informed of the new obligations and determine a strategy for becoming compliant.

The new cookie obligations will at least be of importance for the following stakeholders:

• Ad network providers;
• Publishers;
• Social media;
• Advertisers;
• Digital media developers and ad serving technology;
• Affiliates and affiliate networks;
• Data providers;
• Online ad traders;
• Media agencies.

The new regulations apply, for that matter, to each party that wants to store information on, or obtain access to information available on, the auxiliary equipment of any Dutch internet user. In short: the websites of foreign parties that are visited by Dutch website users should also comply with the obligations from the Cookie Provision.

Appendix D. Legal definitions

User: a natural person who makes use of a public electronic communication service for private or business purposes without necessarily being subscribed to that service;

End user: a natural person or legal person who makes use of or wants to make use of a public electronic communication service and who does not also offer public electronic communication networks or public electronic communication services;

Communication: information that is exchanged or transferred between a finite number of parties by means of a public electronic communication service; this does not encompass information that is transferred via a broadcasting service over an electronic communication network, except when the information can be related to the identifiable subscriber or user who receives the information;

Consent from a user or subscriber: consent from a party involved as intended in Article 1, sub i, of the Dutch Data Protection Act, on the understanding that the consent can also relate to data from subscribers that are not natural persons;

Appendix E. Dutch Data Protection Act

It is possible that personal data is processed when you place or read cookies. In that case, the Dutch Data Protection Act (Wet bescherming persoonsgegevens, Wbp) applies. Under the Wbp a stricter regime applies than for cookies without personal data. If your cookies also process personal data, follow the steps below to comply with the Wbp.

Step 1. Is personal data being processed?
Establish whether you store or read personal data. This is the case when the information you store in or read from a cookie concerns a natural person, including when the information is not directly related to that person but a person can be derived from it. For example: name and address data, or an IP address.

Step 2. Report the processing of personal data to the Dutch Data Protection Authority
If, as established under Step 1, personal data is processed, you should inform the Dutch Data Protection Authority (CBP) of this, unless it concerns processing which is exempted from the obligation to report.

Step 3. Inform the person from whom you are collecting data
One objective of the privacy legislation is to ensure transparency on the processing of personal data. You should make clear to your website visitors, in a comprehensible manner, what you are going to do with the data, why you need it, and whether you will forward the personal data to other parties. You must also make your own identity known.

Step 4. For which purpose do you need the personal data?
Personal data may only be processed for a previously determined purpose. It is therefore important that you think properly in advance about why you need the data, and whether you are collecting more data than is necessary to achieve that purpose. You will have to make this purpose known both to the CBP and to the party involved from whom you collect the personal data.


You may not store data collected for a specific purpose longer than necessary to achieve that purpose. What you can do is store the data in an anonymous form, so that you can still use it, for example, for statistical purposes.

Step 5. See to it that you only process data based on one of the foundations of the Wbp
You cannot just collect personal data from someone; this is only permitted if a foundation for it can be found in the Dutch Data Protection Act (Wbp).

The Act states six foundations, one of the most important of which is obtaining unequivocal consent from the party involved. The Act describes consent as a ‘free, specific, and information-based expression of will’, meaning that the party involved has been properly informed in advance about the collection of personal data, and has explicitly given his or her consent for it.

You can, for example, combine this with the already existing information obligation based on the Cookie Provision, although stricter regulations apply for that!

Step 6. Do you comply with the quality requirements?
The Wbp formulates a number of quality requirements that should ensure that the personal data is correct and accurate. In other words: no more data than necessary, but certainly also no less!
• See to it that you collect everything you need, and that this data is correct and complete.
• Regularly check your database for outdated information, and
• Try to remove as much faulty and incomplete data as possible.

If you no longer need the data, you must remove it (or make it anonymous/aggregate it).


Step 7. Establish procedures to be able to comply with the rights of parties involved
Within the framework of transparency and data quality, the persons whose data you collect have been granted a number of rights. If a person would like to know which data you have collected about him/her, he or she can file a request for access (perusal). The Act formulates a number of requirements for that, such as the obligation to inform the party involved within four weeks whether personal data on him/her is being processed. If the person finds errors based on that access, he/she can request that the errors be corrected.

• See to it that the party involved knows whom they can address in order to exercise their rights.
• Formulate a procedure to be able to handle the exercise of those rights.

Step 8. Take suitable organisational and technical security measures
Ascertain that measures have been taken to protect personal data against loss or any form of illegal processing. The security level is determined by the sensitivity of the data. If, for example, very sensitive medical data is concerned, you should take stricter measures than when you are only collecting IP addresses.
• See to it that malevolent people cannot access the personal data, and that unauthorised persons (both internal and external) cannot access the data.
• If necessary, consult security experts in order to obtain a ‘suitable protection level’.

Step 9. Do you outsource the processing of personal data to a third party?
If you have another party store the data for you, you should make proper agreements on this processing. By means of an agreement/contract you must ensure that the third party complies with the Wbp requirements, such as taking suitable organisational and technical measures.
• See to it that you periodically check compliance with the agreement and the obligations resulting from it.

Step 10. Do you transfer the data outside the EU? Then take extra measures
Check whether the non-EU country concerned offers a so-called ‘suitable protection level’. You can inform yourself about this on the CBP website (www.cbpweb.nl). Should this not be the case, then you will be confronted with additional requirements from the Wbp.


Appendix F. SOLV Factsheet – ‘New Cookie Rules’

WHAT
In late 2009 the European legislator introduced new, stricter legislation with regard to behavioural targeting and the use of cookies. This legislation is laid down in the amended ePrivacy Directive of 25 November 2009 and should have been implemented in the laws of the Member States by 25 May 2011.

On 8 May 2012 the Dutch passed a Bill to amend the Dutch Telecommunications Act (Telecommunicatiewet, hereinafter ‘DTA’). This introduces a legal regime governing the use of cookies which is stricter than the ePrivacy Directive prescribes. The new regime for the use of cookies boils down to the requirement of informed consent based on an opt-in system:

• Prior to installing or reading cookies on the terminal equipment of the end user, the end user should be informed, and the consent of the end user should be obtained.

• If the cookies are used to collect, combine or analyse information on the use of different services of the information society by the end user for commercial, charitable or non-profit purposes, this is presumed to be a processing of personal data. That means the Dutch Data Protection Act is applicable.

• Functional cookies are exempted.

Principal rule: prior informed consent

TECHNOLOGY
The new legislation doesn’t specifically apply to cookies. It applies to any technology
• by which information is stored on the terminal equipment of a user, or
• by which information already stored is being accessed.

It concerns not only personal computers, but also mobile phones and other mobile devices.

Examples of cookies that fall within the exemption are cookies that are stored and read to remember the personal settings and preferences of a user, such as the preferred language, and cookies used for the processing of online orders and the execution of transactions.

The new rules do apply to any other cookies, flash-cookies, Java-scripts, web taps and spyware or similar software such as dialler programmes. Device fingerprinting and digital television are also covered.

The Bill makes no distinction between first party and third party cookies.


PRIOR INFORMATION
The information that has to be provided prior to placing or reading the cookie needs to be ‘clear and comprehensive’. It needs to inform the end user of the purpose of the cookie and of the further processing of the data collected by the cookie. This means that the end user should at least be provided with the following information:
• the identity of the user of the cookie technology;
• the fact that the cookie is being stored on the terminal equipment;
• the purpose of the cookie;
• the period it remains active;
• if the cookie is being used to track online behaviour for targeted advertising, this should be mentioned too, including with whom the information is being shared.

The information has to be easily accessible and understandable to the users.

PRIOR CONSENT
There has been a lot of debate about the question of how consent can be obtained. The legal requirement is that consent has to be free, specific and informed. Unambiguous consent is not a requirement, although some parties argue the law has to be interpreted as such. In the preamble of the ePrivacy Directive it is made clear that browser settings may possibly be an adequate means of giving consent. The Dutch government has confirmed that the present browsers are insufficient, mainly because they are set to accept cookies by default.

In line with the European Commission, the Dutch government is in favour of a Do-Not-Track standard as a means to obtain prior consent. However, the current standard, implemented at www.youronlinechoices.eu, is deemed to be insufficient.

Dutch data protection act (Wet bescherming persoonsgegevens)

The requirement of obtaining informed consent before placing or further accessing cookies is in line with the ePrivacy Directive.

However, the adopted Dutch Bill goes considerably further and introduces an additional legal regime for the use of cookies. Any cookie used to collect, combine or analyse information about the user’s online surfing behaviour is presumed to involve personal data. As a consequence, the Dutch Data Protection Act is applicable to many different cookies, entailing an even stricter legal regime for the use of cookies.

This ‘cookie plus’ regime is applicable to all cookies used for behavioural targeting, but may also apply to analytics cookies such as Google Analytics.


WHO
Any party that places cookies on the terminal equipment of the user, or accesses information already stored on this equipment, should comply with the new rules. The regulatory authorities have stressed that there can be a shared responsibility, imposing at least some responsibility on the publishers.

The new rules are applicable to anyone who wants to store information on, or access information already stored on, the terminal equipment of internet users in the Netherlands. Thus, companies established outside the Netherlands are also governed by the Dutch rules for the use of cookies.

WHEN
The new rules have been in effect since 5 June 2012. The Dutch government has stated that it wants to await further developments of a Do-Not-Track standard within the European Union. For this reason it has said that the new rules with respect to the consent requirement shall not be enforced before 1 January 2013. However, the responsible regulatory authority, OPTA, is an independent authority and therefore may enforce despite such promises of the government.

HOW
The information that needs to be provided prior to placing the cookies has to be easily accessible and understandable to the users. This implies that a clearly visible link to the information most likely does suffice; a privacy policy as the sole source of information, however, is insufficient.

It is obvious that publishers and users of the cookie technology have to work together on this, since the most logical place to provide information is on the website the consumer is visiting when the cookie is dropped. The consent of the user must be a clear indication of his wishes. A pop-up screen with clear and comprehensive information and a tick-box stating “I accept” seems at present the only way to comply with the new cookie rules.

The regulatory authorities have expressed that consent is not required for each individual cookie. Once the user has agreed to cookies of a specific ad network provider, this ad network provider doesn’t need to obtain additional consent for cookies serving the same purpose.

Users should always be given the possibility to opt out.

Please note that at present it is still unclear how parties should comply with the consent requirement. The responsible regulatory authority OPTA has not given any guidelines, opinions or the like on this subject yet. The responsible Minister has only expressed that browsers are currently not sufficient. Other than that he confirms there is no consensus in the EU and that therefore he cannot give any indication on how to practically obtain adequate consent.
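The opt-in model described above (inform, obtain consent via an “I accept” tick-box, exempt functional cookies, always allow opt-out) can be enforced in code by routing every cookie write and read through one gate. The following is an added illustration, not code from the IAB guide or from SOLV; the cookie names, the consent record name and the in-memory jar that stands in for the browser cookie store are all constructed assumptions.

```javascript
// Added example (not from the IAB guide or SOLV): an opt-in gate for non-functional cookies.
// Functional cookies (the exempt category) are always allowed; all others are blocked until the
// visitor has explicitly accepted, and are purged again when consent is withdrawn (opt-out).
// The jar is an in-memory stand-in for document.cookie so the logic runs under Node.

const CONSENT_COOKIE = 'cookie_consent';                     // hypothetical consent record
const FUNCTIONAL = new Set(['session_id', 'lang', 'cart']);  // constructed exempt cookie names

class ConsentGate {
  constructor(jar = new Map()) {
    this.jar = jar;   // Map<name, value>, standing in for the browser cookie store
  }
  // Opt-in only: a missing consent record, or any value other than 'accepted', means no consent.
  hasConsent() {
    return this.jar.get(CONSENT_COOKIE) === 'accepted';
  }
  // Called from the "I accept" tick-box handler of the consent pop-up.
  accept() { this.jar.set(CONSENT_COOKIE, 'accepted'); }
  // Opt-out: record the refusal and delete every non-functional cookie already placed.
  withdraw() {
    this.jar.set(CONSENT_COOKIE, 'refused');
    for (const name of [...this.jar.keys()]) {
      if (name !== CONSENT_COOKIE && !FUNCTIONAL.has(name)) this.jar.delete(name);
    }
  }
  // Single choke point for placing cookies; returns true only if the cookie was placed.
  setCookie(name, value) {
    if (!FUNCTIONAL.has(name) && !this.hasConsent()) return false;  // blocked: no prior consent
    this.jar.set(name, value);
    return true;
  }
  // Reading stored data is covered by the rules too, so reads are gated the same way.
  getCookie(name) {
    if (name === CONSENT_COOKIE || FUNCTIONAL.has(name) || this.hasConsent()) {
      return this.jar.get(name);
    }
    return undefined;
  }
}

// Walk-through: before consent only the functional cookie lands, after "I accept" the
// tracking cookie may be placed, and after opt-out it is removed again.
function demo() {
  const gate = new ConsentGate();
  const before = gate.setCookie('ad_tracking', 'abc123');   // false: blocked
  const functional = gate.setCookie('lang', 'nl');          // true: exempt
  gate.accept();
  const after = gate.setCookie('ad_tracking', 'abc123');    // true: consent recorded
  gate.withdraw();
  return { before, functional, after,
           trackingLeft: gate.jar.has('ad_tracking'), langLeft: gate.jar.has('lang') };
}
```

In a real site the jar would wrap document.cookie and the categorisation set would come from the cookie inventory described earlier in this guide.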


IAB The Netherlands
Prins Hendriklaan 29
1075 AZ Amsterdam
T: +31 85 401 08 02