This document summarizes a presentation on cookies and data privacy regulations. It begins by defining what cookies are and noting the confusion around their technical definitions. It then summarizes the key aspects of the EU ePrivacy Directive regarding consent requirements for storing cookies. There is discussion of varying levels of compliance among industries and challenges in interpreting and applying the regulations. The presentation argues for a shift towards viewing cookies as data assets and focusing on privacy over technology. It suggests that self-regulation combined with sensible enforcement could help drive improved privacy practices.

1. COOKIES
The Practitioner‟s Perspective
Presentation by Daragh O Brien, Regulatory Advisor IDMA and MD Castlebridge Associates.

2. • This slide deck was prepared for
an Interactive Direct Marketing
Association presentation to the
International Bar Association
Conference 2012

3. Confusion

4. What is a Cookie?
“…is usually a small piece of data sent
from a website and stored in a
user's web browser while a user is
browsing a website” (Wikipedia)
…”cookies are small, often encrypted
text files, located in browser directories”
(allaboutcookies.org)
“A cookie is information that a Web site
puts on your hard disk so that it can
remember something about you at a
later time.”
(http://searchsoftwarequality.techtarget.com/
definition/cookie)

5. What SI336 says…
• (3) A person shall not use an electronic communications network to store information, or to
gain access to information already stored in the terminal equipment of a subscriber or user,
unless
(a) the subscriber or user has given his or her consent to that use, and
(b) the subscriber or user has been provided with clear and comprehensive information in accordance
with the Data Protection Acts which—
• (i) is both prominently displayed and easily accessible, and
• (ii) includes, without limitation, the purposes of the processing of the information.
• (4) For the purpose of paragraph (3), the methods of providing information and giving
consent should be as user-friendly as possible. Where it is technically possible and effective,
having regard to the relevant provisions of the Data Protection Acts, the user‟s consent to
the storing of information or to gaining access to information already stored may be given by
the use of appropriate browser settings or other technological application by means of which
the user can be considered to have given his or her consent.
• (5) Paragraph (3) does not prevent any technical storage of, or access to, information for the
sole purpose of carrying out the transmission of a communication over an electronic
communications network or which is strictly necessary in order to provide an information
society service explicitly requested by the subscriber or user.

6. Which Means?
The Legislation
covers a LOT more
than just text
Cookies and
Browsers

7. • Flash Local Objects
• Apps storing data
• SQLite databases
• HTML 5
Local
Storage
• Traditional
browser cookies
(plus SQLite,
Flash, HTML5
• Traditional
• Data
browser cookies
logging
(plus SQLite,
• Usage
Flash, HTML5
data

8. Exceptions?
Strictly Necessary?
Information Society Service?
Explicitly Requested?

9. “So far, for 50 years, the
information revolution has
centered on data—their
collection, storage,
transmission, analysis, and
presentation. It has
centered on the "T" in IT.
The next information
revolution asks, what is the
MEANING of information,
and what is its PURPOSE?”

10. Directive does not specify how consent
Questions of Consent & Guidance
should be obtained.
ICO in the UK allowed “implied consent” at
the last minute.
A29 Working Group Opinion (subsequently)
focused on “informed consent”.
Guidance (to date) has focused on
traditional web browser and flash cookies.

11. DPC Guidance
• Non-third party cookies:
• Prominent Notice giving information on Cookies with ability to
click through and make an informed choice re: consent
• Cookies in General:
• Consent should be user friendly as possible
• Require clear communication about what the user is being asked to
consent to
• A means of giving or refusing consent to data being stored or
retrieved

12. Varying Degrees of Compliance
utilities
telecomms
media
legal
insurance
industry group
government
financial
consulting
charity
0% 20% 40% 60% 80% 100%
Mentioned in Privacy Statement No Notice Given Cookies Policy Cookie Notice

13. An example of Compliance Confusion
UK Website for a major multinational professional services
firm.

14. An example of Compliance Confusion
Irish Website of same Professional Services firm.

15. Announcement on 5th September by leading UK web design firm that developed a leading Cookie Compliance
solution

16. Don’t endorse this approach
But can understand
Screen grab of Silktide.com’s “No Cookie Law” website
(www.nocookielaw.com)

17. Motivation

18. • Unaware of what needs to be
done?
• Aware but not willing to make
changes until their peers are
making changes?

19. Yes, I know we are not compliant but none of
our competitors are either. Given the limits on
our budgets we can‟t even begin to put those
changes on the table for discussion until our
competitors are also being forced to make the
change.
We don‟t see a “first mover advantage” here if
there is no enforcement and if the penalty is
less than the cost of development.
It doesn’t help that Government and EU
departments have failed to bring their
websites and mobile apps into
compliance.

20. A change of mind set and culture is
required
Compliance =
GOOD!! Cookies need to be seen as data assets
that your organisation wants to store in
someone else’s property
The focus needs to shift to PRIVACY not
the Technology. Meaning and intent of
the stored data is imperative
Professional bodies like IDMA can
promote good practice.
Regulators must enforce
Legal Counsel must look to the Meaning
and Purpose of Cookies

21. Is Self Regulation an Option?
• Comments here are not
necessarily the views of the
IDMA and are the
speaker‟s personal
opinions.
© Adam Zyglis
2008, http://www.adamzyglis.com/cartoon787.html

22. Self-Regulation  Light Touch  Rigid Rules
Self Policing / Sensible
Peer Policing Enforcement
&
Enforceability

23. Self-Regulation  Light Touch  Rigid Rules
Need to learn from mistakes and
successes of other Regulatory
regimes and laws.

24. Evidence based policy
objectives and
governance requirements
are key
“The Information Commissioner Christopher
Graham has questioned the effectiveness of the
EU cookie directive, suggesting that it was
„dreamed up by politicians in Brussels‟ without the
appropriate market research to back it up.”
- quoted in TechWorld.com, 15/09/2012

25. "More and more citizens and
consumers are waking up to the
implications of sharing personal
data online," he said. "By fresh
thinking that recognises where
the consumer is coming
from, we can develop policies
that really work.“
(speaking at launch of “Data Dialogue” Report, Sept 2012)

26. Solutions ?

27. Good Information Management culture
1. Recognise cookies as a data asset
• Bring in advisors who understand Data Governance principles if necessary
• Think “Privacy” first, then “Technology”
2. Think in terms of the process that is using the Data Asset
• Is the use of the asset essential to the objective/purpose of the process?
• Does the process require data to be shared with 3rd parties?
• How „invasive‟ is the process?
• Is the process adding value or creating risk?
3. Document
4. Promote transparency
• A GOOD Privacy Statement that can be read by HUMANS!!!
5. Keep under regular review
6. Consider spirit and intent of Directive, not just the literal interpretation.
7. Implement appropriate (often low cost) solutions to design compliance and
privacy controls into your processes.
8. Think about PRIVACY then about TECHNOLOGY