PRIVACY E COOKIES: LA PROTEZIONE DEI DATI NELL E-COMMERCE COOKIES AND PRIVACY: DATA PROTECTION LAW FOR E-COMMERCE BUSINESS

Transcription

1 PRIVACY E COOKIES: LA PROTEZIONE DEI DATI NELL E-COMMERCE COOKIES AND PRIVACY: DATA PROTECTION LAW FOR E-COMMERCE BUSINESS Anna Frankum Partner: IP, IT and Commercial

2 Agenda Overview of EU/UK Data Protection Law Cookies Data Protection Checklist for on-line businesses Future: new EU Data Protection Regulation

3 European Data Protection Directive Data Protection Act Codice In Materia di 1998 Protezione dei Dati Personali Fair and lawful processing of personal data Rights for individuals Obligations for organisations

4 What is personal data? Personal data is: Data Relating to a living individual Who is identified or identifiable Not just name and contact details Not just confidential information

5 Quiz: spot the personal data! Personal data? Elderly lady with a white cat who lives on Bond Street and drives a Ferrari Penningtons Manches LLP CCTV footage of hotel guests taken from cameras in the hotel s lift and bar Luciano Pavarotti was born on 12 October 1935 Patient X is pregnant and lives in a flat on Baker Street Cookies used by a website to recognise an on-line shopper so that when shopper returns to the website they can be greeted by name

6 Cookies Cookie is a small text file that websites leave on computers, tablets and smartphones when used to visit a website Cookies can be used to: remember customers preferences record items placed in an online shopping basket track number of users of a website target adverts to users February 2015 international study: UK websites place more cookies, but give more information, than websites in any other country surveyed

7 Cookies Privacy and Electronic Communications Directive Privacy and Electronic Communications (EC Directive) Regulations 2003 Codice In Materia di Protezione dei Dati Personali Plus special guidance on cookies from UK Regulator Information to users about cookies Consent from user Different approaches in different EU countries

8 Cookies in the UK Those setting cookies must: tell users that the cookies are there explain what the cookies are doing obtain the user s consent to store a cookie on their device consent not needed for essential cookies allow users to refuse cookies Implied Consent consent that is specific and informed and an indication of wishes can be inferred from a user s actions if: user is given clear and comprehensive information about the cookies that are used AND on that basis decides to continue using the website (clicks or moves to another webpage)

9 Market practice (endorsed by ICO) Cookie pop-up/banner appears on website s landing page notifying that cookies are used, with a link to a more detailed policy Generally the user is not required to tick an acceptance box Normally the cookie pop-up/banner will obscure some of the page until closed by the user

10 Cookie notices: good examples:

11 any issues? DRINKYSLIM: THE TASTY WAY TO SKINNY BARGAIN: one month s supply only 100 We hope you enjoy your visit to the Drinkyslim website. Please complete: Name: Current weight: Ideal weight: Gender: Date of birth: address: I agree to the DrinkySlim privacy policy: SUBMIT weight-loss guaranteed, free delivery tasty and nutritious

12 Notification (registration) in the UK Every data controller (eg organisation) who is processing personal data must register with the Information Commissioner s Office, unless exempt Fee 35 (about 50) Renewable annually Must be kept updated State types of data processed and purposes

13 Data Protection: on-line business checklist Do you need to collect the personal data? only collect what you need, when you need it ok to ask users to log-in, register or provide their personal data once they make an enquiry or decide to buy on-line Is there a clear prominent explanation of who you are and what you are going to do with the personal data you collect? privacy policy cookies information Is customer information secure? encryption staff trained to look after information properly and securely if sub-contractors used (e.g. to manage database) ensure contract obliges them to look after information properly and securely

14 Data Protection: on-line business checklist (cont.) Do you use customer information to send out promotional s or other marketing materials? if so, need to give customers a clear choice specific consent for , text and automated calls Do you only collect information you use? stop collecting any information you no longer need dispose securely of any unnecessary information collected Right of access train staff to recognise and deal with a request for access encourage customers to check and update information you hold about them

15 Future: EU Data Protection Regulation New EU Data Protection Regulation (Regolamento Generale Sulla Protezione Dei Dati) that aims to harmonise and strengthen data protection laws across EU Once adopted EU Data Protection Regulation will replace existing Data Protection Directive (including the DPA and Codice In Materia di Protezione dei Dati Personali) and have direct effect in all EU member states Currently being negotiated between Council, European Parliament and the Commission to agree on its final text and is likely to be agreed end of 2015/early 2016 Two year run in period likely to start between June and December 2016 Likely to be in force between June and December 2018

16 Grazie Anna Frankum Tel: +44(0)

17