Archive for August, 2011

Website Legal Requirements – Cookies and Consent Policies

As a result of changes to the EU Privacy and Electronic Communications Directive, it is now unlawful to use cookies to collect user data without first obtaining explicit consent. Accordingly, the Information Commissioner’s Office (ICO), which is responsible for ensuring that websites comply with the new cookie law, has implemented a technical solution on its own website with the result that traffic to it plummeted.

UK Cookie Acceptance Policy

In May the ICO placed a banner at the top of its website in order to obtain consent from users to the placing of cookies on its website. The banner stated how and why cookies would be stored and cross-referred to the ICO’s privacy statement. By clicking on the banner users consented to the use of cookies. If users did not consent, then parts of the website did not work and were not accessible.

In the following 35 days, traffic to the website fell by 90%.

Unlike the ICO’s website, many commercial websites rely upon multiple cookies for tracking, customer service, analytics and advertising revenues.

Prior Consent Required?

The current guidance from the ICO states that consent to cookies can be obtained after processing has begun. The UK authorities base their advice on the fact that the word ‘prior’ does not appear in the EU directive upon which the UK law is based. However, the Article 29 Working Party – which advises the EU on data protection issues – disagrees and claims that prior consent must be obtained to make cookie use legal.

It will now be necessary for the ICO to provide further guidance to businesses on this issue. This is however unlikely until the new proposed EU data protection law, which should better define consent and its practical meaning, is published by the European Commission later this year.

Dutch Cookie Acceptance Policy

In the Netherlands a new Dutch law requires prior “opt-in” consent before a cookie can be installed or stored on a user’s computer. The language of the proposed law is quite broad and could require website owners outside the Netherlands to comply with the Dutch law when processing personal data of Dutch citizens. In addition, those website owners would also have to comply with their own local cookie rules, which may be different.

EU Implementation of Cookie Acceptance Policies

To date only the UK, Denmark, Estonia, Finland, Sweden and the Netherlands have introduced measures implementing the Privacy and Electronic Communications Directive.

The European Commission has set a deadline for European companies to create a uniform way for web users to opt out of being tracked by cookies within a year of the previous deadline. The Commission has said it will take action if industry does not standardise opt outs in that time.

Help

Irene Bodle is an IT lawyer specialising in Internet Law and SaaS Agreements with over 10 years’ experience in the IT sector. If you require assistance with any Internet Law, SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com


______________________________________________________

Other related articles:

SaaS Agreements – Data Protection – Patriot Act

Under the provisions of the US Patriot Act the personal data of SaaS customers based in the EU could be shared with US law enforcers without the customer being informed, although this conflicts with EU data protection laws. This Act applies not just to SaaS suppliers owned by a US company but any SaaS suppliers using the services of a US subsidiary for data processing or a US data centre.

The Patriot Act

Under EU data protection laws SaaS suppliers must tell customers when they are asked to disclose personal data. However, such provisions conflict with SaaS suppliers’ obligations to comply with the Patriot Act.

The Patriot Act gives US law enforcement authorities the right to access personal data held by SaaS suppliers, regardless of where in the world the data is stored. The Act also gives US law enforcers the right to prevent SaaS suppliers from informing their customers that they have had to hand over personal data.

Conflict with EU Data Protection Laws

If the Patriot Act applies to you, you should have procedures and measures in place to deal with any requests for information under the Patriot Act. These procedures need to be set out clearly in your SaaS agreement, bearing in mind your obligation to comply with this particular US law.

For example Microsoft states in its SaaS privacy policy “in a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service).”
