Tag Archive: cookies

BELGIUM: Belgian DPA’s annual report

By Patrick Van Eecke and Kaat Van Delm

The Belgian data protection authority (“Privacy Commission”) has released its annual report for the year 2015 (available in Dutch and French). The Privacy Commission provides an overview of the most important cases, projects and statistics summarising their activities in 2015.

1. Numbers
The annual report includes statistics on the Privacy Commission’s actions in 2015:

  • 5 recommendation files containing recommendations for legislative institutions or data controllers, issued upon the government’s request or on the Privacy Commission’s own initiative were initiated, the most famous recommendation being the one for Facebook, which amounted in judicial proceedings (see 2.), and 64 advice files, mostly triggered by requests for advice from legislative institutions and thus initiated only rarely on the Privacy Commission’s own initiative.
  • 6240 notifications of surveillance cameras were filed (representing an increase of 886 compared to 2014);
  • 4192 information-, mediation- and control files were treated (an increase of 366 compared to 2014): 3561 requests for information, 347 requests for mediation (i.e. complaint files, for which the Privacy Commission acts as mediator) and 284 control files (i.e. files concerning authorisation for e.g. indirect access to data, for which the Privacy Commission performs a control or investigation);

68% of the abovementioned 347 requests for mediation have already been closed in 2015. A privacy breach has been established in 64% of these finalised cases. 26% were declared to be unfounded.

The subjects which raised the most information requests concern surveillance cameras, privacy aspects at work, the right of personal portrayal, direct marketing and Internet.

 

 2. Important cases
The case which was granted the largest media attention in 2015 was the Belgian Facebook case (not to be confused with the European Facebook case (Maximilian Schrems v. Irish Data Protection Commissioner C-362/14)). The case concerned Facebook’s terms of use and more particularly, the use of cookies and social plug-ins to track the online behaviour of Internet users without a Facebook account. Following Facebook’s non-compliance with the recommendations addressed to it earlier by the Privacy Commission, the latter sued Facebook for breaching the Belgian Data Protection Act and the Electronic Communications Act.

It was ruled that Facebook had to stop registering these data, as Facebook had not received any authorisation to process the data of persons not disposing of an account. Facebook appealed the decision, and also reacted to the judgment by making public Facebook pages inaccessible to Belgian users who are not registered with the social network. Facebook argued that the cookies used for public pages are indispensable for access to those pages. Just recently, in June 2016, the Court of Appeal dismissed Facebook’s claim and stated that it is not competent to decide on the case. The Privacy Commission will await the judgment on the merits of the case in 2017 before deciding on which enforcement steps it can take against Facebook.

3. Projects

 

  • As the Privacy Commission received a growing number of queries with regard to cookies, it decided to issue a recommendation in this respect (Recommendation 01/2015 (NL/FR)). The Recommendation includes of a list of guidelines, summarising the problems and providing practical answers to questions from legal professionals, technicians and website developers with regard to the provision of information and direct marketing practices. The recommendations can proactively counter possible infringements on privacy rights.
  • The Minister of Transport asked for the advice of the Privacy Commission with regard to a draft Royal Decree concerning the use of ‘aircrafts controlled at distance’. The Privacy Commission rendered a positive advice, as the draft Royal Decree is applicable to, and subsequently makes the Privacy Act applicable to, all types of drones. The Royal Decree (NL/FR) entered into force on 25 April 2016.
  • Following the terrorist attacks in Paris, legislative initiatives have been taken which could have an impact on privacy. The Privacy Commission was therefore asked to issue an opinion with regard to certain anti-terrorism measures. It concerned advice 55/2015 with regard to the processing of passenger data (NL/FR), advice 57/2015 with regard to foreign terrorist fighters (NL/FR) and advice 54/2015 with regard to lifting anonymity for prepaid card users (NL/FR).
  • The Privacy Commission has published a paper with regard to the theme ‘Privacy aspects at work‘. This paper answers queries from both an employee and employer point of view on how to treat personal data in the work place in a correct and privacy friendly manner. Themes treated in the paper include geo-localisation (track and trace systems) in company cars, camera surveillance and monitoring of electronic communications.

Should you have any further questions regarding the above, please contact Patrick Van Eecke (Partner, Brussels) or Kaat Van Delm (kaat.vandelm@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/belgium-belgian-dpas-annual-report/

EUROPE: Does the use of ad-blocker detectors breach the e-Privacy Directive?

Online advertising has become increasingly sophisticated in recent years, progressing from text, to flash animations, to auto-playing videos. In response, increasing numbers of web users have turned to ad-blocking software to de-clutter and speed up their browsing experience.

 

However, the use of such software is obviously bad news for advertisers and for site owners, who rely on page impressions and click through to generate a return on investment or revenue respectively. Consequently, some sites have implemented their own “ad-blocker detection software”.  This  detects whether users have ad blockers installed on their devices, and then denies access to the site or to specific content unless the ad-blocker is disabled or the site is added to the user’s ‘white list’ of permitted sites.

 

In the past week, correspondence has emerged which indicates that the European Commission believes such detectors should be regulated by the EU’s e-Privacy Directive, Directive 2002/58/EC (“Directive“). Following an enquiry from a European privacy advocate, a letter from the Commission was disclosed which expressed the opinion that ad-blocker detectors would fall within the scope of Article 5.3 of the Directive.

 

Article 5.3 of the Directive permits the storing of information or the gaining of access to information stored in the terminal equipment of a user, where that user has given his or her consent, and has been supplied with clear and comprehensive information. This is sometimes known as the “cookie law”, as it is the same provision which gave rise to the requirement in the EU to provide information about, and obtain at least click through consent to the installing of cookies on a user’s device.  As ad-blocker detectors work by storing a script on the user’s device, the Commission clearly believes they fall into the same category.

 

This interpretation is broadly in line with previous guidance from the EU’s Article 29 Working Party, which has indicated that Article 5.3 should be read as covering tracking technologies more broadly, and not just cookies. Parts of another EU Directive[1] give examples of technologies caught by Article 5.3, including spyware, web bugs and hidden identifiers.

 

If ad-blocker detectors are treated as equivalent to cookies, it may negate their usefulness. If site owners were required to ask for consent to use such detectors, the majority of users with ad-blockers (who are typically amongst the more savvy web users), are likely to refuse to give that consent.  This will leave site owners and advertisers with a need to find more creative solutions, or to re-assess why it is that the use of ad-blockers is on the rise, and address the underlying causes.

 

In the meantime, companies who make use of online advertising would be advised to ensure their privacy policies and notices cover comprehensively the use of any tracking technologies (including detectors), and to review their contracts with either advertisers or site owners, as appropriate, to ascertain what they say about obligations to obtain consents from site users to data processing activities.

 

The publication of this letter may well give rise to a legal challenge to test the point, and establish categorically whether detectors are caught by Article 5.3. If they are, we might expect some guidance from national Data Protection Authorities.

[1] Recitals 24 and 65 of Directive 2009/136/EC

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/does-the-use-of-ad-blocker-detectors-breach-the-e-privacy-directive/

BELGIUM – Belgian Privacy Commission publishes first official guidance on cookies

By Patrick van Eecke and Mathieu Le Boudec

Almost one year after the publication of the draft version, the Belgian Privacy Commission has recently issued the final version of its recommendation regarding the use of cookies (which can be consulted through the following links in Dutch language or in French language).

The extensive document (over 70 pages), covering both technical and legal aspects, constitutes the first official guidance by a Belgian authority on the use of cookies.

In accordance with the opt-in rule, introduced by the revised ePrivacy Directive in 2009 and transposed into Belgian law by an amendment of the Act on Electronic Communications in 2012, cookies (and similar technologies) can only be stored and accessed on a user’s device after having obtained the informed consent of this user.

However, in two cases cookies are exempted from this informed consent requirement:

  1. when the cookies are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  2. when they are strictly necessary in order to provide the user with a service s/he has explicitly requested.

These rules have not always been easy to implement in practice and therefore this recent recommendation may provide useful guidance to website owners and other stakeholders.

Below some key points of the recommendation relating to (1) the information obligation, (2) the consent requirement and (3) the exemptions have been summarized.

1. Information obligation

Users should be provided with a clear, comprehensible and visible notice on the use of cookies. This notice should provide a link to a more detailed cookie policy.

The cookie policy should be accessible and referred to at every page of a website.

The information should cover the following elements:

  • the purposes for which the different types of cookies are stored or accessed;
  • the categories of saved information;
  • the storage terms;
  • how to erase the information;
  • means to object to the processing;
  • the communications, if any, to third parties.

The Privacy Commission stresses that in case the data controller does not respect his cookie policy it may be subject to sanctions based on the Privacy Act and consumer legislation.

2. Obtaining consent

The Privacy Commission calls for a granular approach, giving users the possibility to accept all or only certain types of cookies. Moreover, users should be able to change their choices at all times.

Consent can be given through an affirmative action of the user (e.g. clicking or checking a box) from which the consent can be inferred unambiguously.

It is explicitly stated that “further browsing” can qualify as a valid consent provided that:

  • the notice regarding the use of cookies is clearly visible on the homepage in such a manner that it cannot be missed;
  • the notice has to state explicitly that further browsing on the website can be construed as consent;
  • the notice remains visible as long as the user has not continued browsing the website.

However, a lack of action cannot be interpreted as a valid consent.

Once consent has been obtained it is not required to ask the user’s consent again for the storing of a cookie with the same purpose and originating from the same provider. However, the validity of the consent should be limited in time, especially when the consent was obtained implicitly or relates to tracking cookies.

The Privacy Commission advises against the use of pop-ups due to their obtrusive nature and provides several examples of means to validly obtain consent from visitors such as banners (provided an affirmative action of the visitor is required in order to proceed his/her visit of the website) and tick boxes.

Visitors should at all times be able to easily withdraw their consent. Upon withdrawal the cookies and data collected through the cookies shall be deleted from the devices of the users by the data controller. In case this is not possible, the privacy policy of the data controller should clearly describe how the user can delete the information himself.

3. Exemptions

The recommendation also sheds some light on the exemptions by illustrating the two categories with examples and by giving examples of non-exempted cookies. Unless stated otherwise all these examples relate to session cookies.

Examples of cookies exempted according to the first criterion (i.e. cookies that are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network) are:

  • cookies used to detect to origin of the users and how they visit a website, provided they are analyzed anonymously. However, it should be noted that the Privacy Commission explicitly states that first party analytic cookies do not fall within the scope of this exemption;
  • load balancing session cookies provided they are only analyzed anonymously.

The following cookies are exempted according to the second criterion (i.e. strictly necessary cookies for providing a service the user has explicitly requested):

  • user input cookies;
  • authentication cookies that are necessary for authenticated services;
  • user centric security cookies, e.g. the data necessary for securing a service the user has explicitly requested;
  • multimedia content player cookies;
  • user interface customization cookies, for the duration of a session (or slightly more if additional information is provided).

Finally, the Privacy Commission explicitly states that no exemption exists for the following types of cookies:

  • tracking cookies of social network plug-ins;
  • advertising cookies.

It is important to note that apart from the abovementioned cookie rules the general rules of the Privacy Act (e.g. regarding the purpose limitation principle, the transfer of personal data to third countries, the data subject’s rights, etc.) will generally also apply taking into account the fact that most cookies constitute personal data.

For more information, please contact Patrick.VanEecke@dlapiper.com or Mathieu.LeBoudec@dlapiper.com

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/belgian-privacy-commission-publishes-first-official-guidance-on-cookies/

THE NETHERLANDS: new cookie legislation entered into effect

By Richard van Schaik and Róbin de Wit

 

Today, the amendments to the current Dutch cookies regulation in Article 11.7a Telecommunications Act (TA) entered into force.

In short, amendments provide for:

1. an additional exception to the required prior informed consent rule for the placement of cookies and similar software. This means that both cookies that are strictly necessary for the provision of an information society service (functional cookies), as well as cookies that have little or no impact on the privacy of the internet user (e.g. first party analytic cookies), do not require prior informed consent of the user. The prior informed consent- instrument is now restricted to serious privacy cases and does not apply to cases which do not infringe users’ privacy;

and

2. a ban on the use of cookie walls by public agencies. With this amendment, public agencies cannot refuse users who do not wish to pay for access to public services, by giving away their personal data.

For more detailed information about the new legislation, please click here.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-netherlands-new-cookie-legislation-entered-into-effect/

EUROPE: European cookie sweep results published: average of 34.6 cookies per website.

By Patrick Van Eecke and Julie De Bruyn

Article 29 Working Party, the European data protection advisory body, has published its report on the ‘cookie sweep’ that was carried out in September last year in partnership with data protection authorities and other regulators across 8 Member States (Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the UK).

The cookie sweep covered 478 websites in the e-commerce, media and public sectors, which are considered by the Article 29 Working Group to present the greatest data protection and privacy risks to EU citizens. The specific websites targeted by the sweep were amongst the 250 most frequently visited websites by individuals within each participating Member State.

The sweep was carried out to assess the current steps taken by website operators to comply with the requirements set forth by Article 5 (3) of the ePrivacy Directive 2002/58/EC (notably the information and consent requirements) and to inform the Article 29 Working Party of the current usage of cookies. In a first stage, the cookies used by the websites and their technical properties were put through a statistical review, while in a second stage a more thorough manual review of the cookie information and consent mechanisms was carried out.

Key findings of the automated, statistical review (478 websites reviewed by 8 Member States) are that: 

  • 16.555 (both first and third party) cookies were set by 478 websites, resulting in an average of 34.6 cookies per website;
  • over 70% of the cookies are third party cookies, notably cookies that are set by a domain other than that of the website visited by the user);
  • over 86% of the cookies are persistent cookies, notably cookies that remain on a user’s device for the period of time specified in the cookie, rather than being deleted once the browser is closed by the user. The average duration of the first party persistent cookies was 14,34 years and 1,77 years for third party persistent cookies;

Key findings of the manual sweep (437 websites inspected by 7 Member States) are that: 

  • only 7 websites did not set any cookies;
  • the most common notification method is to use some sort of cookie banner (59%) or a link in the header or footer (39%), or both;
  • 26% of the websites did not show any notification of any kind on the landing page visited during the sweep. The vast majority of these websites were swept by the Czech Republic;
  • of the websites that did provide some sort of notification, 43% of them were considered not to provide sufficient information regarding the types or purposes of cookies used;
  • 50% of the websites inspected request consent from the user to store cookies; the remaining 50% use language such as ‘we use cookies’, ‘cookies are being set’, or similar;
  • Only 16% of the websites inspected provided the user a granular level of control by offering the choice to accept or decline certain types of cookies. For 84% of the inspected websites, the user is required to review his browser settings to control the use of cookies;
  • If a user had set its browser settings to not accept third party cookies and visited the same websites, 70% of the cookies recorded would not have been set;
  • Of the 3 sectors in the scope of the sweep, websites of the media sector set on average the highest number of cookies, public sector sites set the fewest cookies.

The full report (including more statistics and diagrams) can be consulted here: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2015/wp229_en.pdf

The Article 29 Working Party’s working document providing guidance on obtaining consent for cookies can be consulted here:  http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf  The Article 29 Working Party’s Opinion on Cookie Consent Exemption can be consulted here: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf

 

For further information, please contact Patrick Van Eecke (patrick.vaneecke@dlapiper.com) or Julie De Bruyn (julie.debruyn@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-european-cookie-sweep-results-published-average-of-34-6-cookies-per-website/

EUROPE – Internet of Things – When your yogurt pots start talking to you. An EU Common Approach?

When your yogurt pots start talking to you“. Do you remember? This was the start of a call for action from the European Commission on Internet of Things back in 2009.

A lot changed since 2009: (i) there are little doubts about the relevance of IoT (estimated 25 billion connected devices by the end of this year – see here on encouraging trends); and (ii) the role that can be played by regulators in fostering growth of IoT related businesses (whilst some regulators already took action, more is expected in the near future). Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-internet-of-things-when-your-yogurt-pots-start-talking-to-you-an-eu-common-approach/

EUROPE: Fingerprinting treated like cookies under privacy law

Device fingerprinting is replacing cookies for analytics and tracking purposes, but privacy regulators now held that their usage is subject to the privacy consent, unless exemptions apply. Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-fingerprinting-treated-like-cookies-under-privacy-law/

GLOBAL: Sweep Day 2014: Global Coordinated Enforcement

Read here an article by DLA Piper Partner Carol Umhoefer, published in E-Commerce Law & Policy in July 2014 discussing how Internet Sweep Day illustrates trends in the data protection regulatory space.

For further information, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/sweep-day-2014-global-coordinated-enforcement/

THE NETHERLANDS: Public service broadcasting modifies its cookie policy after fine threat

By Richard van Schaik and Róbin de Wit

 

The Dutch telecommunications supervisory authority, the Authority for Consumers & Markets (“ACM”), has established that the Netherlands Public Broadcasting (“NPO”) violated the rules for placing cookies. On various websites managed by the NPO, the NPO places cookies at user’s devices without having obtained their priot informed opt-in consent. By doing so, the NPO violates Dutch cookie law as laid down in the Telecommunications Act (Telecommunicatiewet “Tw”). Under the Tw, it is prohibited to place cookies without having informed users properly and without having obtained their prior opt-in consent.

 

Background decision ACM

In 2012, the ACM sent letters to a large number of Dutch government websites or websites linked to the government on the compliance with Dutch cookie law. The ACM holds the opinion that now that the government is (indirectly) involved, it is of importance that these websites set a good example in this respect. Therefore, the ACM currently takes enforcement action where government websites are concerned.

The websites managed by the NPO fall within the scope of government websites. According to the ACM, it had confronted the NPO with its violating behavior several times. Since the NPO failed to come up with a satisfactory response and in order to force the NPO to adjust its current policy, the ACM imposed an order subject to a penalty for noncompliance amounting to EUR 25,000 per week with a maximum of EUR 125,000.

 

Background Dutch cookie law

Under Dutch cookie law, website operations need to consider the application of article 11.7a of the Tw for the use of cookies. Cookies that are placed on, or read from, a user’s computer require informed prior opt-in consent before being placed. The principle of informed prior consent does not apply where functional cookies are concerned, i.e. cookies that are strictly necessary for the provision of an information society service requested by the user. For example, tracking cookies do not fall under this “strictly necessary”. On the contrary: tracking cookies or similar data files placed or accessed, are considered to be personal data, unless the party placing such cookies or information can prove otherwise. If the placement of cookies – like tracking cookies – also involves the processing of personal data, the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens “Wbp”) also applies. Under the Wbp, a legal basis for the processing of personal data is required, which can often be found in the unambiguous consent of the user. Currently, the Dutch cookie legislation is being reviewed and it is very likely that after the summer holidays, new legislation comes into force.

In reply to ACM’s decision, NPO confirmed it will change its policies.

For further information, please contact Richard van Schaik (richard.vanschaik@dlapiper.com) or Róbin de Wit (robin.dewit@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-netherlands-public-service-broadcasting-modifies-its-cookie-policy-after-fine-threat/

FRANCE: CNIL to begin cookies enforcement in october

By Carol Umhoefer, Jeanne Dauzier & Mathilde Hallé

Starting in October 2014, the French Data Protection Authority (the “CNIL”), will monitor compliance with its Recommendation on the use of cookies and tracking technologies

The CNIL’s inspections will follow the “cookies sweep day” which is due to take place from September 15, to September 19, 2014 and during which Data Protection Authorities across the European Union will review how Internet users are notified of the use of cookies, and how their consent to such use is obtained.

The CNIL recently announced that, as from October 2014, it will verify compliance with its Recommendation on cookies and tracking technologies issued on December 5, 2013. Compliance checks will be conducted through on-site and online inspections.

The CNIL may review:

  • The types of cookies used by internet websites (e.g.: HTTP cookies, local shared object, finger printing techniques, etc.);
  • The purpose of the cookies: (i) whether website operators are aware of the purpose of all the cookies that are set or read from their websites (including first-party and third-party cookies), and (ii) whether cookies are set that have no purpose (e.g.: obsolete cookies).

Furthermore, in cases where the cookies’ purpose requires obtaining users’ prior consent, the CNIL will review:

  • How users’ consent is obtained;
  • The visibility, quality and simplicity of the information pertaining to the use of cookies;
  • The consequences of users’ refusal to consent to the use of cookies;
  • The possibility for users to withdraw their consent at any time;
  • Cookies’ lifespan and consent period (the CNIL recommends a maximum validity of 13 months).

The other statutory provisions pertaining to the use of cookies (e.g.: data security, sensitive data, etc.) may be subject to compliance checks as well. Depending on the inspections’ outcome, the CNIL may issue cease and desist letters and sanctions.

For further information, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com), Jeanne Dauzier (jeanne.dauzier@dlapiper.com), or Mathilde Hallé (mathilde.halle@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-cnil-to-begin-cookies-enforcement-in-october/

Older posts «