On April 26th, the Spanish Data Protection Agency (“SDPA”) issued its long-awaited guidance on the Spanish cookies regulation, which requires companies seeking to place cookies on users’ devices to obtain those users’ prior opt-in consent after providing them with clear and complete information about the use of cookies and the purposes for which data collected via cookies will be processed. The guidance, which the SDPA drafted in collaboration with industry, takes a business-oriented approach and provides companies with several alternatives for complying with the regulation’s notice and consent requirements.
Tag Archives: cookies
Privacy Law in 2012: Where We Are and Where We Are Going
On August 3, at the ABA Annual Meeting, the ABA Section of Administrative Law and Regulatory Practice held a panel moderated by Hogan Lovells privacy leader Chris Wolf entitled “Privacy Law in 2012: Where We Are and Where We Are Going.” The article below, reprinted with permission from ABA Now, describes thoughts of the panelists on the future of privacy in the US and in Europe.
Article 29 Working Party Publishes Opinion on Cookie Consent Exemptions
On 7 June 2012, the Article 29 Data Protection Working Party issued an opinion on cookie consent exemptions. The Directive 2009/136/EC, amending Directive 2002/58/EC, introduced an opt-in regime which requires providers to request that users grant their express consent to the use of cookies, as opposed to the regime under which users are given the opportunity to opt-out. This opinion clarified when opt in consent is needed, and when it is not.
Amended UK Cookie Regulation Grace Period Expires; Implied Consent Can Be Valid
For over a year companies have been trying to determine how to achieve compliance with the UK Information Commissioner’s Office’s (ICO) amended Privacy and Electronic Communications Regulations (the “cookies law”), which implemented 2009 amendments to the EU’s Privacy and Electronic Communications Directive of 2002. Last week, the ICO made it clear that reliance on implied consent would be an acceptable form of consent.
At Last, the EU Cookies Regulation Is Implemented in Spain
On April 2, after almost a year of delay, Spain published Royal Decree-Law 13/2012 requiring opt-in consent to place cookies as required by the EU e-Privacy Directive (2009/136/EC, modifying Directive 2002/58/EC).
Article 29 Working Party Rebuffs European OBA Industry… Again
In an opinion adopted on December 8, the EU Article 29 Working Party again rebuffed the Online Behavioral Advertising industry’s self-regulatory proposal, continuing to hold firm that European law requires affirmative, opt-in consent prior to the placement of any cookie for tracking purposes. The Working Party broke down the OBA industry proposal, and then–in a rebuttal of the industry’s contention that the opinion will result in the proliferation of dreaded browser pop-up windows–offered up a number of methods of obtaining consent not involving pop-ups.
FTC Announces First Flash Cookie Enforcement and Settlement with Child Social Network
The Federal Trade Commission yesterday announced settlements with two online companies for deceptively collecting personal information from consumers, including its first enforcement action against the use of “Flash cookies” and an enforcement action against a social network that collected children’s information without parental consent. As a result, businesses whose websites (or vendors) utilize Flash cookies, HTML5, or ETags to track user browsing should reexamine their privacy disclosures.
New Guidelines Released for Mobile App Privacy Policies
Amid increasing media and regulator scrutiny over location-based services, the Mobile Marketing Association has released a set of draft privacy policy guidelines for mobile applications (“apps”). These guidelines address key data privacy and security issues and provide a helpful “starting point” for companies that develop or deploy mobile apps. With assistance from Hogan Lovells, the Future of Privacy Forum participated in the development of these guidelines.
France Implements EU Requirements for Data Breach Notification, Audits and Cookies Applicable to Electronic Communications Service Providers
On August 26, 2011 France implemented new EU provisions on data breach notifications for electronic communications providers, as well as new provisions requiring prior consent for cookies. The French measure also gives the government power to order security audits for electronic communications providers.
European Cookie Legislation: Pragmatic advice for five jurisdictions
Hogan Lovells privacy lawyers from five European jurisdictions have published an overview of privacy rules applicable to Internet cookies in Europe . The new rules, which flow from a recent amendment to the European E-Privacy Directive, are not yet settled in all European Member States. This overview provides practical guidance on how to comply with the new prior consent rules that will apply in the United Kingdom, France, Germany, Italy and Spain.
Article 29 Working Party Guidelines on Consent will Lead to More Pop-ups
Article 29 WP has issued guidelines in which it recommends separate pop-ups and affirmative “check the box” consent options. Consent clauses buried in terms of use are not specific enough to meet European requirements, according to tthe guidelines. Consent requires an affirmative ‘click’ by the consumer. Browser settings alone may not be sufficient, which raises questions under new EU cookie regulations. Details are contained in this blog posting.
UK Issues Guidance on Obtaining Consent for the Use of Cookies
Few topics in the world of EU data protection have generated so much debate, and so little understanding, as the change to the law on cookies. On 9 May the UK Information Commissioner issued some guidance on the new law, but anyone expecting clear instructions on how to achieve compliance will be very disappointed.
Court Finds NebuAd Users Gave Valid Consent to Monitoring
On December 13, 2010 a Federal District Court in Montana dismissed many of the claims brought against an ISP in connection with the ISP’s use of NebuAd monitoring technology. The court held that users had validly consented to the monitoring technology. The NebuAd case usefully focuses on the issue of user consent, rather than on technological distinctions between ISPs and service providers at the edge.
European Data Privacy Supervisor Issues Press Release on ePrivacy Directive
On 9 November, the European Data Privacy Supervisor (EDPS) issued a press release on the ePrivacy Directive. The EDPS titled its press release as “improvements on security breach, cookies and enforcement, and more to come.”
EU ePrivacy Directive and Cookies: The Consent Requirement May Not Be as Broad as Believed
As reported in the press, “the Council of the European Union has approved new legislation that would require Web users to consent to Internet cookies.” But it is not quite as clear-cut as that quote suggests. The consent requirement relates cookies that collect personal data — an important qualification — and some cookies appear to fall outside of the consent requirement. We detail the fine points of what has happened in this blog entry.