Cookie Compliance: A Practical Guide
Table of contents
1. Introduction

2. Cookie Compliance Guide
   A. Cookie inventory
      1. Identifying cookies
      2. Cookie impact assessment
      3. Cookie categorisation
   B. Compliance path
      1. Risk assessment
      2. Information obligation in practice
      3. Methods for obtaining consent
      4. Demonstrating that you are not processing personal data

APPENDICES:
A. The new ‘cookie regulations’
B. Enforcement and fines in case of non-compliance
C. For whom are the cookie regulations important?
D. Legal definitions
E. The Dutch Data Protection Act
F. Fact sheet SOLV
1. Introduction
Summary
On 5 June 2012 the new Dutch Telecommunication Legislation became effective, implementing
Article 11.7a (hereafter called the “Cookie Provision”).
What does this Cookie Provision concretely mean? With the implementation of the
Cookie Provision, stricter rules apply to the use of cookies. In short, this means
that in certain cases an information obligation and a consent obligation must be complied with.


Scope
The new Cookie Provision applies whenever data is placed on, or access is obtained to data
on, the auxiliary equipment of the user. No distinction is made on the basis of the
nature of the data. For readability we refer to “cookies” in this document, but this
encompasses every technique used to store data on the auxiliary equipment of a user.
Besides the various types of cookies, this therefore also covers installed apps and/or
plug-ins, information kept in Web Storage, screen size, OS, browser type, device
fingerprinting, etc.


Responsibility
The obligations based on the Cookie Provision rest on the party responsible for
placing cookies and for obtaining access to the stored data. In short: if you supply an
online service and place cookies through it, in principle you must comply with the
obligations included in the Cookie Provision.


The obligations do not always rest solely on the party responsible for the service
requested or the site visited by the user. A third party may also place cookies via your
website, for example because another site is displayed within yours, in which case that
third party must comply with the obligations as well. In view of this shared
responsibility, it is advisable to cooperate with such parties on compliance.


                                                                                           iab. Cookie compliance A Practical Guide | 3
What is the objective of this guide?
This Cookie Compliance Guide provides you with a tool for dealing with the new
Cookie Provision. Its objective is to map the process you must follow in order to
comply with the obligations arising from the Cookie Provision. This Guide does not,
however, provide specific advice on how you must implement the various steps (this
will vary per company). Since at the time of writing many uncertainties remain about
the exact interpretation of the Cookie Provision, this document has the status of a
“live” document: as the interpretation of the Cookie Provision becomes clearer, this
document will be updated.


For whom is this guide intended?
This Guide is intended for everyone who has a website and wants to become
compliant with the new legislation. It is not intended as a technical manual for web
developers.

On the authors
This document was drawn up on behalf of the IAB by:

AUKE VAN DEN HOUT
Auke van den Hout is responsible for the privacy portfolio within the Management of
IAB. He is co-founder of Adatus, the European marketplace for ‘audience targeting’,
and has over 15 years’ experience in data-driven advertising in Europe.
EMAIL: INFO@IAB.NL / TEL: +31 854010802

ROEL VAN RIJSEWIJK
Roel van Rijsewijk is Director at Deloitte with over 10 years’ experience in advising
media and technology companies in the field of risk management and compliance.
Roel is co-founder of Deloitte Online Business Innovation and leads the innovation
programme in the field of confidence in the digital world.
EMAIL: RVANRIJSEWIJK@DELOITTE.NL / TEL: +31 652615087

This Cookie Compliance Guide was developed with the utmost care, taking into account
as far as possible the legal regulations set out by or by virtue of the Dutch
Telecommunication Act and the Dutch Data Protection Act. Despite that, this document
may contain inaccuracies or deficiencies, and no rights can be derived from the Guide.
Neither the IAB nor the makers of the Guide are liable for possible inaccuracies and/or
deficiencies. Since, apart from this, the exact meaning of these regulations always
depends on the circumstances of the case, which could not be taken into account during
the development of this Cookie Compliance Guide, use of this Cookie Compliance Guide
is always fully at the risk of the user.


2. Cookie Compliance Guide
A. Cookie inventory
1. IDENTIFYING COOKIES

Introduction
To be able to comply with the obligations included in the Cookie Provision, it is
important to start by making an inventory of which types of cookies – and comparable
techniques – your website places and/or which types of cookies may be placed by third
parties. This phase therefore consists of identifying the types of cookies.


Why?
• It clarifies which obligations from the Cookie Provision you will have to comply with.
• It provides insight into the way in which your operations will be affected by the
  new Cookie Provision.
• It ensures that you can comply more easily with the information and consent
  obligations.
• You make it known to the supervising authorities that you are aware of the
  problems related to the Cookie Provision and that you are willing to work on this.

For the benefit of a thorough inventory, we advise you to answer the
following questions.

1. Which types of cookies are used on my website and who places them?
2. Why are the cookies being used?
3. Is it a persistent or a session cookie?
4. Is the cookie used across several connected websites, or is it only used on a
   single domain?
5. To which data does the cookie refer / which data does the cookie contain?
6. How long is the data that the cookie refers to being stored?

Tips
• There are tools available that can help you analyse the use of cookies on your
  website, mostly in the form of plug-ins for your browser.
• Review all parts of your website that could potentially place cookies, both by
  yourself and by third parties. Pay special attention to the integration of external
  scripts, such as Facebook Like buttons, Google +1, etc.


The questions are discussed step-by-step below.


Step 1. Which cookies are placed by whom?
• Identify which cookies are used on your website.
• Pay attention to cookies that you have placed on your website yourself
  (First Party Cookies).
• Identify which cookies have been placed on your website by third parties. Pay
  attention to cookies placed by, for example, social networks and advertising
  networks (Third Party Cookies).
• Do not forget to identify the Flash cookies used!




Step 2. Objective
In this step it is important to indicate, per cookie, for which objective the cookie is
placed.

To help you with your investigation, you may ask among other things the
following questions:

• Was the cookie placed so that the products in the shopping cart are remembered?
• Do the cookies ensure that the contents of the page are loaded faster?
• Are the cookies used because of certain security requirements?
• Is the data used/read by third parties, and why?
• Are the cookies used to recognise a returning user so that he/she can be welcomed
  back to the website?
• Is data on the use of the website, such as the number of unique visitors, collected
  by means of the cookie?



Step 3. Life-span
• Indicate per cookie whether it is a session cookie or a persistent cookie.
• Identify how long the cookie is stored.

Step 4. Number of websites
• Indicate per cookie whether it is used to collect information from several
  websites, and if so, which information.
• Establish whether cookies that are used on several websites have the same
  functionality everywhere, or whether the functionality differs.

Step 5. Which data does the cookie refer to?
In this step you investigate which type of data the cookie contains and/or to which
data the cookie refers.

• Does the cookie itself contain personal data?
• Which other data is stored in the cookie itself?
• Establish to which data the cookie refers in your own environment and databases.
• Record all data that is collected from users in the databases.
• Establish which other data from other databases can be linked to this.

Step 6. Storage term
Besides the life-span of the cookie itself, you must establish how long
the data to which the cookie refers will be stored.
• Establish which procedures apply for the destruction of user data
  within the various databases.
• Establish whether these procedures are complied with in practice.

Tips for identifying cookies
• See to it that you analyse the use of cookies on all pages, in each phase during
  which your user is on your website.
• Ascertain that you have a complete overview of all websites and web pages for
  which you are responsible.
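The inventory steps above (who places the cookie, session versus persistent, lifespan, use across subdomains) can be answered mechanically from captured Set-Cookie headers. The helper below is an added example, not part of the IAB guide; the hostnames, header values and audit date are constructed, and the registrable-domain rule is a simplification noted in the code.

```python
# Added example (not from the IAB guide): a small cookie inventory helper that
# answers the guide's questions 1, 3 and 4 from captured Set-Cookie headers.
# Hostnames, header values and the audit date below are constructed for the demo.
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


@dataclass
class CookieRecord:
    name: str
    set_by: str                     # host whose response carried the Set-Cookie header
    domain: str                     # effective Domain attribute (the host if absent)
    party: str                      # "first" or "third" relative to the audited site
    persistent: bool                # True when Max-Age or Expires is present
    lifespan_days: Optional[float]  # None for session cookies
    spans_subdomains: bool          # explicit Domain attribute: shared across subdomains


def registrable_domain(host: str) -> str:
    # Assumption: the last two labels form the registrable domain. A production
    # inventory tool should consult the Public Suffix List (co.uk, com.au, ...).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_set_cookie(header: str, set_by: str, site_host: str, now: datetime) -> CookieRecord:
    """Classify one Set-Cookie header as seen from the audited site."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    explicit_domain = attrs.get("domain", "") != ""
    domain = attrs["domain"].lstrip(".").lower() if explicit_domain else set_by.lower()
    lifespan = None
    if "max-age" in attrs:
        lifespan = int(attrs["max-age"]) / 86400   # Max-Age takes precedence over Expires
    elif "expires" in attrs:
        lifespan = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    party = "first" if registrable_domain(domain) == registrable_domain(site_host) else "third"
    return CookieRecord(name.strip(), set_by, domain, party, lifespan is not None,
                        lifespan, explicit_domain)


def build_inventory(captured, site_host: str, now: datetime):
    """captured: list of (responding_host, set_cookie_header) pairs from a crawl."""
    return [parse_set_cookie(header, host, site_host, now) for host, header in captured]


def summarise(inventory):
    """Headline figures an auditor would put at the top of the inventory."""
    return {
        "total": len(inventory),
        "third_party": sum(r.party == "third" for r in inventory),
        "persistent": sum(r.persistent for r in inventory),
        "spans_subdomains": sum(r.spans_subdomains for r in inventory),
        "longest_days": max((r.lifespan_days or 0.0) for r in inventory),
    }


# Constructed sample capture for a fictitious shop audited on 5 June 2012.
SITE = "www.example-shop.nl"
AUDIT_TIME = datetime(2012, 6, 5, tzinfo=timezone.utc)
CAPTURED = [
    (SITE, "SESSIONID=abc123; Path=/; Secure; HttpOnly"),
    (SITE, "cart=item42; Max-Age=604800; Path=/"),
    (SITE, "lang=nl; Domain=.example-shop.nl; Expires=Wed, 05 Jun 2013 00:00:00 GMT; Path=/"),
    ("cdn.example-shop.nl", "perf=1; Path=/"),
    ("ads.tracker-network.example",
     "uid=xyz789; Domain=.tracker-network.example; Max-Age=63072000; Path=/"),
]
INVENTORY = build_inventory(CAPTURED, SITE, AUDIT_TIME)

if __name__ == "__main__":
    for r in INVENTORY:
        kind = f"persistent, {r.lifespan_days:.0f} days" if r.persistent else "session"
        print(f"{r.name:<10} {r.party}-party  set by {r.set_by:<28} {kind}")
    print(summarise(INVENTORY))
```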




2. Cookie impact assessment
We advise you – after you have made an inventory of the types of cookies used on
your website – to also carry out a cookie impact assessment for the sake of
completeness.

The objective of the Cookie Provision is to give the internet user more control over
his/her privacy. It is therefore important that you gain insight into the impact that
the use of cookies has on the privacy of website visitors.

By means of this assessment you evaluate the impact of each type of cookie on the
privacy of your website user. This makes you aware of the consequences a visit to your
website has for a user, and lets you take a critical look at the cookies that you are
placing.


Assess this impact by completing the following steps.




Step 1. First party cookies
Use the questions and answers from the cookie inventory phase to carry out this
cookie impact assessment.


It is important that you regard this impact as a moving matrix (see Figure below).

[Figure: cookies positioned on a sliding scale from “little impact” (left) to “a lot of impact” (right)]




Step 2. Third party cookies
If cookies from third parties are placed via your website, it is also important to
assess to what extent these cookies might violate the privacy of your website users
and how that party deals with the information and consent requirements.

FOR THIS YOU CAN:
1. Contact the party concerned to inform them of what we advise; and/or
2. Assess the privacy policy of that party.

Place these cookies on the moving matrix of cookie impact as indicated above
as well.




3. Cookie categorisation guide
With the results from the inventory phase, you can subdivide the cookies into two
categories; these two categories originate from the Cookie Provision.

Category 1
Based on the inventory phase, you can assess whether the type of cookies that you
place falls under one of the following exceptions:
• The technical storage of or access to data is only intended to carry out the
  communication via an electronic communication network.
  Communication on the website can in some cases only take place by using a
  cookie. This is for example the case if a language setting is remembered.
• Storage of or access to this data is strictly necessary.
  The legislator has determined that strictly necessary use of cookies is exempted
  from the cookie obligations (on the condition that you do not process personal
  data). An example of this is a shopping cart cookie. It is important that you
  reason from the perspective of the website user whether certain cookie use is
  strictly necessary. If so, these are cookies that are deemed strictly necessary in
  line with the Cookie Provision.

In these cases you do not have to comply with the consent requirement included in
the Cookie Provision, on the condition that you do not process personal data with
them.

For the benefit of transparency you might consider informing the user about the
placing of such cookies. This does not have to be done via a pop-up or the like, but
can also be included in the privacy policy.



Category 2
If the cookies do not fall under the first category, then in principle they are
cookies that are not strictly necessary.

For these cookies prior consent is required. In addition, the user should be
informed about – among other things – the placing of cookies and the consequences
thereof.

Do you make use of client profiling or re-targeting? Then without any doubt you must
obtain prior consent from your website users.

Are you in doubt about the category in which a specific cookie should be placed?
This will certainly happen, since many issues are still unclear. To determine the
correct approach, a risk assessment should be carried out as described in the next
Chapter.




B. Compliance path
1. Risk assessment
There will be cookies for which it is not completely clear whether their use is deemed
strictly necessary and whether consent is therefore needed. In that case we advise
you to carry out a risk assessment so that you can choose the correct compliance
approach. A compliance approach for these cookies should take into account:

• The importance of the use of a cookie, and the data related to it, for the
  organisational objectives.
• The impact of the use of cookies on the privacy of the user.

We offer the following considerations:

- If the importance of the use of the cookie and the data related to it is low for the
  organisational objectives, you could consider no longer using this cookie, especially
  when the impact of the use of cookies on the privacy of the user is high.

- If the importance of the use of the cookie is high for the organisational objectives
  and the impact on the privacy of the user is high, explicitly requesting consent is
  the obvious choice. In that case, in your provision of information to the consumer
  you also have to indicate very clearly how the data is used, stored and protected,
  together with a sound explanation of the importance of the cookie for your
  organisation and of the advantages and disadvantages for the consumer of accepting
  or not accepting the cookie.

- If the impact on the privacy of the user is negligible and the importance of the use
  of the cookie for the organisational objectives is high, extra steps can be taken to
  obtain certainty about the approach, such as consulting experts, testing the
  approach against standards and against the approach of others that use these
  cookies, and building up a well-founded case.

Now that you know which category of cookies is placed via your website, you can
start determining how you will comply with the information obligation and the
consent requirement. For this we refer to the following Chapters.




2. Information obligation in practice
This Chapter provides you with tools for complying with the information obligation.

Providing information
The Cookie Provision does not stipulate how the website user must be informed.
Still, it is clear that the information provided must be unequivocally clear and
complete, and must be given in advance. This means that each website visitor must
be informed, prior to the placing of the cookie, about:

1. The fact that a cookie is being placed;
2. By whom the cookie is being placed;
3. What the objective of this cookie is;
4. How long the cookie is stored;
5. Who will obtain access to the data;
6. Whether the cookie will be reused and, if so, by whom.



Making information on the use of cookies transparent
It is by all means insufficient to only describe the use of cookies in your privacy
policy. It is important that you can establish that the users have actually taken note
of the information.

Tips
• See to it that your users cannot evade the information.
• Describe the privacy and cookie policy in simple terms that can be understood by
  everyone.




Grouping cookies
You do not have to inform your website visitors about each separate use of a cookie;
you may also group the uses of cookies by type and objective of the cookie.


Advantages of the information obligation
By being completely transparent about the use of cookies on your website, the
confidence of your visitors will increase. For complete provision of information it is
wise to add the following:

• Why your website needs these cookies;
• What the advantage is for your website user;
• That the user can revoke the consent given at any time, and how he/she can do
  this.




3. Obtaining consent in practice
From the categorisation phase it has become clear for which cookies you must
specifically obtain consent. This Chapter clarifies how you can comply with the
consent requirement.

It goes without saying that obtaining consent is closely related to the information
obligation. After all, it should be clear for what the user gives his/her consent.
Which method is most suited in practice to obtain consent from your website users
depends on the objective of the cookies, how privacy-sensitive the data is, and what
your relationship with your website visitors is.

There are various methods to point visitors to the presence of the cookies and to
inform them in a transparent way. A number of examples are summed up below.

FEATURE LED
With the feature-led method, the visitor is asked to give consent when he or she
wants to make use of a certain feature. Prior to the use of a certain part of the
website (for which cookies need to be placed), the visitor can be informed and asked
for consent, instead of asking for consent for all cookies on the complete website
directly upon arrival.

LOGGING IN
Prior to logging in to a certain part of the website, you can indicate that you intend
to place cookies. You can inform the visitor before logging in about the use of
certain cookies, so that he/she can take an informed decision on whether or not to
give consent.

Attention:
• By no means are you permitted to pre-set tick boxes to ‘on’. The legislator does
  not regard this as opt-in but as opt-out, so you would not comply with the
  requirements of the Cookie Provision.
• See to it that your users can see the information and that you communicate in a
  transparent way why you are making use of cookies.




DIALOGUE WINDOW
By means of a dialogue window you force the visitor to first make a selection before
being able to visit the website that is behind the window. In this window you inform
the visitor and you refer to the privacy policy.


STATUS BAR
You can make use of the status bar to inform the visitor. This can be done both on top
and at the bottom of the page. This status bar informs the users on the cookies that
you intend to place, provides access to the privacy policy, and allows visitors to
accept the use of the cookies based on the information provided. Since with this type
of information a selection is not necessarily enforced before the consumer can
continue, you must pay attention that you place the status bar at a location where the
bar is clearly visible for the user. See to it that no cookies are being used until the user
actually explicitly gives his/her consent thereto.


WARNING BAR
A similar method as the status bar method, but this one is more insistently present on
your website. Each time the website wants to place a cookie, the warning bar appears.
Inform the visitor in this way, link to the privacy policy, and see to it that visitors can
accept or refuse the cookies.


SETTING-LED
If the website offers options for the user to select settings, you can also use those
settings to switch certain functionalities that require cookies on or off. Visitors can
then take an informed decision in the settings to make use of the functionalities and
to give consent to place the cookies. Since with this method no prior selection is
enforced, you must clearly explain to the user how he/she can give consent via
his/her settings.




Points of interest
Proving that you obtained consent
You need consent in order to be able to place a cookie. Realise that you also must be
able to demonstrate that you have obtained this consent. See to it that you have a
procedure in place for this and record from whom you obtained the consent.
Attention: the most user-friendly way to record consent obtained is by means
of a cookie!


Third party cookies
In principle, each party that places data must inform the visitor and obtain consent,
third parties included. Instead of obtaining consent separately (your cookies separate
from third party cookies), you can also agree with the third party to include a
reference to the third party's privacy information in your own information provision.
This means one pop-up fewer for the visitor. In addition, you can inform the user on
how to switch off third party cookies in the browser.


One cookie for several websites
Are you using a cookie for several websites? Do you have various websites linked to
each other and are you using the same cookies for those? In order to obtain consent
for all websites, you must clearly inform the visitor for which websites you wish to
obtain consent.


Modification after cookie consent has been obtained
If, after you have obtained consent, you modify the cookies to be used or purchase
new cookie services from third parties, it is possible that you have to obtain consent
from your visitor once again. You will have to ask for consent again if you modify:

1. The purpose of the cookie that is placed;
2. By whom the cookie is placed;
3. How long the cookie is stored;
4. Who will have access to the data;
5. Whether the cookie will be reused and by whom.




Revoking consent
Consent once given can always be revoked.
Do not forget to offer visitors the opportunity to revoke their consent easily.
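The points above (record consent in a cookie so that you can prove it, ask again when the purpose, placer, duration, access or reuse of a cookie changes, and let the visitor revoke) can be implemented as one tamper-evident consent record. The code below is an added example, not the guide's or the IAB's own; the cookie name, the HMAC key, the declaration and the timestamp are constructed for the demo.

```python
# Added example (not from the IAB guide): a tamper-evident consent cookie that
# records which cookie groups the visitor accepted and against which version of
# the cookie declaration, so consent can be proven, re-asked after a relevant
# change, and revoked. Key, declaration and timestamps are constructed.
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# A change to any of these declared fields requires renewed consent
# (the guide's points 1-5 under "Modification after cookie consent").
RECONSENT_FIELDS = ("purpose", "placed_by", "duration", "access", "reuse")
COOKIE_NAME = "cookie_consent"          # constructed name


def declaration_version(declaration: dict) -> str:
    """Fingerprint only the consent-relevant fields of each cookie group."""
    relevant = {group: {f: spec.get(f) for f in RECONSENT_FIELDS}
                for group, spec in declaration.items()}
    canonical = json.dumps(relevant, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def _sign(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def issue_consent(accepted, declaration: dict, key: bytes, now: datetime) -> str:
    """Cookie value recording who consented to what, when, and for which declaration."""
    payload = {"version": declaration_version(declaration),
               "accepted": sorted(accepted),
               "given_at": now.isoformat()}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
    return body + "." + _sign(body, key)


def read_consent(value: str, key: bytes) -> Optional[dict]:
    """Verify the MAC before trusting anything inside the cookie."""
    body, sep, tag = value.rpartition(".")
    if not sep or not hmac.compare_digest(tag, _sign(body, key)):
        return None
    try:
        padded = body + "=" * (-len(body) % 4)
        return json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:
        return None


def consent_status(value: Optional[str], group: str, declaration: dict, key: bytes) -> str:
    """'granted', 'refused', 'ask' (no valid record) or 'reask' (declaration changed)."""
    record = read_consent(value, key) if value else None
    if record is None:
        return "ask"
    if record["version"] != declaration_version(declaration):
        return "reask"
    return "granted" if group in record["accepted"] else "refused"


def set_cookie_header(value: str, max_age_days: int = 365) -> str:
    return (f"{COOKIE_NAME}={value}; Max-Age={max_age_days * 86400}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")


def revoke_cookie_header() -> str:
    """Expire the consent record so the next visit starts from 'ask' again."""
    return f"{COOKIE_NAME}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed declaration in the shape the guide's information list asks for.
DECLARATION = {
    "analytics": {"purpose": "visitor statistics", "placed_by": "example-shop.nl",
                  "duration": "1 year", "access": "example-shop.nl", "reuse": "no",
                  "description": "Counts unique visitors."},
    "advertising": {"purpose": "re-targeting", "placed_by": "ads.tracker-network.example",
                    "duration": "2 years", "access": "advertising network", "reuse": "yes",
                    "description": "Shows ads based on pages visited."},
}
KEY = b"constructed-demo-key-do-not-reuse"
NOW = datetime(2012, 6, 5, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    cookie = issue_consent(["analytics"], DECLARATION, KEY, NOW)
    print(set_cookie_header(cookie))
    print("analytics:", consent_status(cookie, "analytics", DECLARATION, KEY))
    print("advertising:", consent_status(cookie, "advertising", DECLARATION, KEY))
    print(revoke_cookie_header())
```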




4. Demonstrate that you do not process personal data
From 1 January 2013, the new Cookie Provision will be enforced, in which the use of
‘commercial’ cookies (a cookie that has the objective to collect, combine, or analyse
data on the use of various services of the information agency by the user or
subscriber for commercial, charitable, or idealistic purposes) will be regarded as the
processing of personal data, as a result of which the privacy legislation becomes
applicable. Hereby the legislator has made use of the concept of ‘legal presumption’:
you are deemed to process personal data, unless you can demonstrate that this is not
the case. See Appendix E in case the presumption that you process personal data is
justified, and you have not made arrangements for this yet. If you find that this
presumption is not justified and you are of the opinion that you are not processing
personal data, this Chapter describes what you must do.


Demonstrating that you are not processing personal data is not easy. A sound
preparation is important so that by the time you need to provide the proof you are
not standing empty-handed but can act pro-actively. By following the subsequent
steps you will obtain a sound idea on the use of data within the organisation, and you
have your file with proof ready in order to demonstrate that you are not processing
personal data.



Step 1. Record in a management statement why you are not processing personal data
Know what you want to demonstrate. Formulate (management) statements in which
you indicate why you are not processing personal data. These should also indicate
which measures you have taken in order to keep data anonymous.
YOU CAN FOR EXAMPLE STATE:
• The data collected, stored, and edited by [your organisation] cannot be reduced
  to the individual internet user or computer from which the data originates;


Step 2. Map processes and information flows
Map the relevant processes and information flows in relation to the use of the cookies.


• Which cookies do you use?
• Where does all the information go?
• What sort of information is being collected?
• Who makes use of that information?


By mapping the processes and information flows, you will obtain a clear overview of
how information is organised within the organisation. This ensures that you have
taken all information collections into account.



Step 3. Establish how you can demonstrate that it does not concern personal data
What can you show so that you can demonstrate that you are not processing
personal data? Show for example which data you collect, which measures you have
taken to make data anonymous, and what sort of use you make of the data
(for example: only for statistical purposes).


Step 4. Carry out a gap analysis
A gap analysis is a method to make a comparison between an existing and a desired
situation. Check whether you are not unexpectedly still collecting data that can be
reduced to the internet user or computer. Use the information flows and processes as
mapped in step 2. Test, by means of the data already collected, whether this data can
be reduced to a computer or person.


Step 5. If applicable: repair the gaps encountered and report the actual use of data
Should you have established during the previous step that so-called gaps still exist,
then try to repair those. Make data anonymous where necessary or take other
measures to see to it that you comply with the desired situation. Finally, report on the
actual use of data within your organisation so that you can demonstrate that you
– if applicable – do not process personal data and therefore, as far as this data is
concerned, do not have to comply with the Dutch Data Protection Act.




Appendix A.
The new ‘cookie regulations’
The law amendment in short
Based on the new Cookie Provision in the Dutch Telecommunication Act, one should
first obtain consent from the user before placing cookies on the computer (or
obtaining access thereto).


Information obligation
One should provide the user in advance with clear and complete information on the
objectives for which one wants to place or read the cookies.


Consent
The consent should be given in advance and comply with the concept of ‘consent’
as described in Article 1 of the Dutch Data Protection Act: it should concern a free,
specific, and information-based expression of will. Consent does not have to be given
separately for each individual cookie by the various parties. The user must be able
to revoke this consent at all times.




“Consent: a free, specific and information-based expression of will with which the
party involved accepts that personal data concerning him is processed.”


Exception to the rule: strictly necessary cookies
The information obligation and the consent requirement of the Cookie Provision do
not apply if the cookies are strictly necessary. You should thereby reason from
cookies that are strictly necessary for the website user and not for you as
person/entity responsible for the website.




Article 11.7a
1. Without prejudice to the Dutch Data Protection Act, anyone who wishes to obtain
access by means of electronic communication networks to data that is stored on
auxiliary equipment of a user and/or wishes to store data on the auxiliary equipment
of the user shall: a. provide the user with clear and complete information in
accordance with the Dutch Data Protection Act, and at least on the purposes for
which one wishes to obtain access to the respective data and/or for which one
wishes to store data, and b. have obtained consent from the user for the respective
action. An action as intended in the preamble that has the objective to collect,
combine, or analyse data on the use of various services from the information
company by the user or the subscriber for commercial, charitable, or idealistic
objectives, is assumed to be a processing of personal data as intended in Article 1,
sub b, of the Dutch Data Protection Act.
2. The requirements mentioned in the first Section, sub a and b, also apply in case it
is arranged in a different way than by an electronic communication network that via
an electronic communication network data is stored or access is provided to the
data stored on the auxiliary equipment.
3. What is determined in Sections one and two does not apply, in as far as it concerns
the technical storage of or access to data with the exclusive objective to: a. carry out
the communication via an electronic communication network, or b. supply the service
of the information company requested by the subscriber or user, where the storage
of or access to data is strictly necessary for that purpose.
4. By means of an Order in Council, in agreement with Our Minister of Safety and
Justice, further regulations can be issued with regard to the requirements mentioned
in the first Section, sub a and b. The Dutch Data Protection Authority will be requested
to advise on a draft of the intended Order in Council.




Appendix B.
What if you do not comply
with these regulations?
Enforcement OPTA
OPTA can impose a maximum penalty of € 450,000 per violation of the Dutch
Telecommunication Act and decide to impose a burden under penalty.


Enforcement CBP
If personal data is processed with the text files to be placed or to be read, then you
are also confronted with the Dutch Data Protection Act, whereby the Data Protection
Authority is the enforcing authority.


Civil penalties
If you, for example, do not report data processing to the CBP or to an officer for
data protection, the Authority can impose a civil penalty of at most € 4,500. When
determining the height of the penalty, the culpability, the seriousness, and the duration
of the violation are taken into account.


Burdens and civil enforcement
If, in the judgment of the CBP, the obligations as set forth in the Dutch Data Protection
Act are violated, the CBP can decide to impose a burden under civil enforcement or a
burden under penalty. First a preliminary investigation by the CBP will have to take
place. The violator will then be granted a term to undo the respective violation before
a burden under civil enforcement or a burden under penalty is imposed.




Appendix C.
For whom are the cookie regulations important?
It is important that all stakeholders are informed on the new obligations and
determine a strategy on how to be able to become compliant.


The new cookie obligations will at least be of importance
for the following stakeholders:


• Ad network providers;
• Publishers;
• Social media;
• Advertisers;
• Digital media developers and ad serving technology;
• Affiliates and affiliate networks;
• Data providers;
• Online ad traders;
• Media agencies.


The new regulations for that matter apply to each party that wants to store
information or provide itself access to information that is available on auxiliary
equipment of each Dutch internet user. In short: also the websites of foreign parties
that are visited by Dutch website users should comply with the obligations from the
Cookie Provision.




Appendix D.
Legal definitions
User:
a natural person who makes use of a public electronic communication service for
private or business purposes without necessarily being subscribed to that service;



End user:
a natural person or legal person who makes use or wants to make use of a public
electronic communication service and who does not also offer public electronic
communication networks or public electronic communication services;


Communication:
information that is exchanged or transferred between a definite amount of parties by
means of a public electronic communication service; this does not encompass the
information that is transferred via a broadcasting service via an electronic
communication network, except when the information can be related to the
identifiable subscriber or user who receives the information;


Consent from a user or subscriber:
consent from a party involved as intended in Article 1 sub i,
of the Dutch Data Protection Act, on the understanding that
the consent can also be related to data from subscribers
that are not natural persons;




Appendix E.
Dutch Data Protection Act
It is possible that your personal data is processed by placing or reading cookies. In
that case, the Dutch Data Protection Act (Wbp) applies. For the Wbp a stronger
regime applies than for cookies without personal data. If you also process cookies,
then you should follow the following steps in order to comply with the Wbp.


Step 1. Is personal data being processed?
Establish whether you store or read personal data. This is the case when the
information you store in or read from a cookie concerns information on a natural
person, also when this is not directly related to that person but a person can be
reduced from this information. For example: name and address data,
or an IP address.


Step 2. Report the processing of
personal data to the Dutch Data Protection
Authority
If it has been established that personal data is processed as you have established
under ‘Step 1’, you should inform the Dutch Data Protection Authority (CBP) on this,
unless it concerns processing which is exempted from the obligation to report.


Step 3. Inform the person from whom you are collecting data
One objective of the privacy legislation is to see to transparency on the processing of
personal data. You should make it clear to your website visitors in a comprehensible
manner what you are going to do with the data, for what you need this data, and
whether you will forward the personal data to other parties. You must also make your
own identity known.



Step 4. For which purpose do you need the
personal data?
The personal data may only be processed for a previously determined purpose.
Therefore it is important that you properly think in advance for what you need the
data, and whether you are not collecting more data than is necessary to achieve this
purpose. You will have to make this objective known to both the CBP and the party
involved from who you collect the personal data.




It is important that you may not store the data that is collected for the specific purpose
longer than necessary for the materialisation of these purposes. What you can do is
store this data in an anonymous form, so that you can still use it for statistic purposes
for example.


Step 5. See to it that you only process data
based on one of the foundations of the Wbp
You cannot just collect personal data from someone; this is only permitted if a
foundation can be found for that in the Dutch Data Protection Act (Wbp).


The Act states six foundations, of which one of the most important ones is obtaining
unequivocal consent from the party involved. The Act describes consent as a ‘free,
specific, and information-based expression of will’, meaning that the party involved
has been properly informed in advance on the collection of personal data, and has
explicitly given his or her consent for that.


You can for example combine this with the already existing information obligation
based on the Cookie Provision, although stricter regulations apply for that!


Step 6. Do you comply with the quality
requirements?
The Wbp has formulated a number of quality requirements that should see to it that
the personal data is correct and accurate. In other words: no more data than
necessary, but certainly also no less!
• See to it that you therefore collect all that you need, and that this data is
  also correct and complete.
• Regularly check your database for outdated information, and
• Try to clear as much faulty and incomplete data as possible.


If you no longer need the data, you must remove it
(or make it anonymous/aggregate it).




Step 7. Establish procedures to be able to comply with the rights of parties involved
Within the framework of the transparency and quality of the data, persons of whom
you collect data have been allotted a number of rights.
If a person would like to know which data you have collected on him/her, he can file a
request for perusal. The Law has formulated a number of requirements for that, such
as the obligation to inform the party involved within four weeks on whether personal
data on him/her is being processed. If the person establishes errors based on the
perusal, he/she can request that these errors be corrected.


• See to it that the party involved knows whom they can address in order to
  exert their rights.
• Formulate a procedure to be able to comply with the exertion of
  those rights.


Step 8. Take suitable organisational and technical security measures
Ascertain that measures have been taken to protect personal data against loss or any
form of illegal processing. The security level is determined by the sensitivity of the
data. If, for example, very sensitive medical data is concerned, you should take
stricter measures than when you are, for example, only collecting IP addresses.
• See to it that malevolent people cannot access the personal data, and that
  unauthorised persons (both internally and externally) cannot access
  the data.
• If necessary, consult security experts in order to obtain a
  ‘suitable protection level’.


Step 9. Do you outsource the processing of
personal data to a third party?
If you have another party store the data for you, you should make proper agreements
on this processing. By means of an agreement/contract you must agree that the third
party complies with the Wbp requirements, such as taking suitable organisational and
technical measures.
• See to it that you periodically check compliance with the agreement and
  the obligations resulting from it.



Step 10. Do you transfer the data outside the
EU? Then please take extra measures
Check whether it concerns a non-EU country that offers a so-called ‘suitable
protection level’. You can inform yourself on the CBP website on this (www.cbpweb.nl).
Should this not be the case, then you will be confronted with additional requirements
from the Wbp.




Appendix F.
SOLV Factsheet – ‘New Cookie Rules’
WHAT
Late 2009 the European legislator introduced new, stricter legislation with regard to
behavioral targeting and the use of cookies. This legislation is laid down in the
amended ePrivacy Directive of 25 November 2009 and should have been
implemented in the laws of the Member States by 25 May 2011.


On 8 May 2012 the Dutch passed a Bill to amend the Dutch Telecommunications Act
(Telecommunicatiewet, hereinafter ‘DTA’). This introduces a legal regime governing the
use of cookies which is stricter than the ePrivacy Directive prescribes. The new regime
for the use of cookies boils down to the requirement of informed consent based on an
opt-in system:


• Prior to installing or reading cookies on the terminal equipment of the end
  user, the end user should be informed, and consent of the end user should
  be obtained.
• If the cookies are used to collect, combine or analyze information on the use
  of different services of the information society by the end user for
  commercial, charitable or non-profit purposes, this is presumed to be a
  processing of personal data. That means the Dutch Data Protection Act
  is applicable.
• Functional cookies are exempted.


Principal rule: prior informed consent


TECHNOLOGY
The new legislation doesn’t specifically apply to cookies. It applies to any technology
• by which information is stored on the terminal equipment of a user, or
• by which information already stored is being accessed.


It concerns not only personal computers,
but also mobile phones and other mobile devices.


Examples of cookies that fall within the exemption are cookies that are stored and
read to remember the personal settings and preferences of a user, such as the
preferred language, cookies used for the processing of online orders and the
execution of transactions.


The new rules do apply to any other cookies, flash-cookies, Java-scripts, web taps
and spyware or similar software such as dialler programmes. Device fingerprinting
and digital television are also covered.


The Bill makes no distinctions between first party or third party cookies.




PRIOR INFORMATION
The information that has to be provided prior to placing or reading the cookie, needs
to be ‘clear and comprehensive’. It needs to inform the end user of the purpose of the
cookie and the further processing of the data collected by the cookie.
This means that the end user should at least be provided
with the following information:
• the identity of the user of the cookie technology;
• the fact that the cookie is being stored on the terminal equipment;
• the purpose of the cookie;
• the period it remains active;
• if the cookie is being used to track online behaviour for targeted advertising
  this should be mentioned too, including with whom the information
  is being shared.


The information has to be easily accessible and understandable to the users.


PRIOR CONSENT
There has been a lot of debate about the question how consent can be obtained. The
legal requirement is that consent has to be free, specific and informed. Unambiguous
consent is not a requirement, although some parties argue the law has to be
interpreted as such. In the preamble of the ePrivacy Directive it is made clear that
browser settings may possibly be an adequate means of giving consent. The
Dutch government has confirmed that the present browsers are insufficient, mainly
because they are set to accept cookies by default.


In line with the European Commission, the Dutch government is in favor of a
Do-Not-Track standard as a means to obtain prior consent. However, the current
standard, implemented in www.youronlinechoices.eu is deemed to be insufficient.


Dutch data protection act (Wet bescherming persoonsgegevens)


The requirement of obtaining informed consent before placing or further accessing
cookies is in line with the ePrivacy Directive.


However, the adopted Dutch Bill goes considerably further and introduces an
additional legal regime for the use of cookies. Any cookie used to collect, combine
or analyze information of the user with regard to his online surfing behaviour,
is presumed to involve personal data. As a consequence, the Dutch Data Protection
Act is applicable to many different cookies, entailing an even stricter legal regime
to the use of cookies.


This ‘cookie plus’ regime is applicable to all cookies used for behavioural targeting,
but may also apply to analytics cookies such as Google Analytics.




WHO
Any party that places cookies on the terminal equipment of the user or accesses
information already stored on this equipment should comply with the new rules.
The regulatory authorities have stressed that there can be a shared responsibility,
imposing at least some responsibility on the publishers.


The new rules are applicable to anyone who wants to store information or access
information already stored on the terminal equipment of internet users in the
Netherlands. Thus, also companies established outside the Netherlands are governed
by the Dutch rules for the use of cookies.


WHEN
The new rules have come into effect as of 5 June 2012. The Dutch government has
stated that it wants to await further developments of a Do-Not-Track standard within
the European Union. For this reason it said that the new rules with respect to
the consent requirement shall not be enforced before 1 January 2013. However, the
responsible regulatory authority, OPTA, is an independent authority and therefore
may enforce despite such promises of the government.


HOW
The information that needs to be provided prior to placing the cookies has to be
easily accessible and understandable to the users. This implies that a clearly visible
link to the information most likely does suffice, however, a privacy policy as sole
source of information is insufficient.


It is obvious that publishers and users of the cookie technology have to work together
on this since the most logical place to provide information is on the website the
consumer is visiting when the cookie is dropped. The consent of the user must be a
clear indication of his wishes. A pop-up screen with clear and comprehensive
information and a tick-box stating “I accept” seems at present the only way to comply
to the new cookie rules.


The regulatory authorities have expressed that consent is not required for each
individual cookie. Once the user has agreed to cookies of a specific ad network
provider, this ad network provider doesn’t need to obtain additional consent for
cookies serving the same purpose.


Users should always be given the possibility to opt out.


Please note that at present it is still unclear how parties should comply with the consent
requirement. The responsible regulatory authority OPTA has not given any guidelines,
opinions or the like on this subject yet. The responsible Minister has only expressed that
browsers are currently not sufficient. Other than that, he confirms there is no consensus
in the EU and that therefore he cannot give any indication on how to practically
obtain adequate consent.




IAB The Netherlands
Prins Hendriklaan 29
1075 AZ Amsterdam
T: +31 85 401 08 02

д-р Лючиана Дюранти - Презентация на английском языке к семинару в Москве 23 ...д-р Лючиана Дюранти - Презентация на английском языке к семинару в Москве 23 ...
д-р Лючиана Дюранти - Презентация на английском языке к семинару в Москве 23 ...
 
How the Cloud Can Make Government Archiving More Secure and Less Expensive
How the Cloud Can Make Government Archiving More Secure and Less ExpensiveHow the Cloud Can Make Government Archiving More Secure and Less Expensive
How the Cloud Can Make Government Archiving More Secure and Less Expensive
 
The PSI Directive and Open Government Data
The PSI Directive and Open Government DataThe PSI Directive and Open Government Data
The PSI Directive and Open Government Data
 
Data security and privacy
Data security and privacyData security and privacy
Data security and privacy
 
Cookies and European Union Law
Cookies and European Union LawCookies and European Union Law
Cookies and European Union Law
 
Short Essay With Adverbs
Short Essay With AdverbsShort Essay With Adverbs
Short Essay With Adverbs
 
Data Privacy in the Cloud.pdf
Data Privacy in the Cloud.pdfData Privacy in the Cloud.pdf
Data Privacy in the Cloud.pdf
 
E health max cover story oct 2010
E health max cover story oct 2010E health max cover story oct 2010
E health max cover story oct 2010
 
CIS 2015- User-centric Privacy of Identity- Jenn Behrens
CIS 2015- User-centric Privacy of Identity- Jenn BehrensCIS 2015- User-centric Privacy of Identity- Jenn Behrens
CIS 2015- User-centric Privacy of Identity- Jenn Behrens
 
How do you think the use of cloud computing can affect individuals, a.pdf
How do you think the use of cloud computing can affect individuals, a.pdfHow do you think the use of cloud computing can affect individuals, a.pdf
How do you think the use of cloud computing can affect individuals, a.pdf
 

More from IAB Netherlands

Privacysessie BVA presentatie Auke van den Hout iab
Privacysessie BVA presentatie Auke van den Hout iabPrivacysessie BVA presentatie Auke van den Hout iab
Privacysessie BVA presentatie Auke van den Hout iabIAB Netherlands
 
MARCOM12 presentatie Jeroen Elfferich - Tweede Scherm
MARCOM12 presentatie Jeroen Elfferich - Tweede SchermMARCOM12 presentatie Jeroen Elfferich - Tweede Scherm
MARCOM12 presentatie Jeroen Elfferich - Tweede SchermIAB Netherlands
 
IAB MWG 2012 06-14 second screen - toegevoegd waarde of toegevoege afleiding ...
IAB MWG 2012 06-14 second screen - toegevoegd waarde of toegevoege afleiding ...IAB MWG 2012 06-14 second screen - toegevoegd waarde of toegevoege afleiding ...
IAB MWG 2012 06-14 second screen - toegevoegd waarde of toegevoege afleiding ...IAB Netherlands
 
MARCOM12 presentatie Michiel Ebeling - Mobile Facts & Figures
MARCOM12 presentatie Michiel Ebeling - Mobile Facts & FiguresMARCOM12 presentatie Michiel Ebeling - Mobile Facts & Figures
MARCOM12 presentatie Michiel Ebeling - Mobile Facts & FiguresIAB Netherlands
 
IAB Affiliate Monitor Ad Spend Study fy2011
IAB Affiliate Monitor Ad Spend Study fy2011IAB Affiliate Monitor Ad Spend Study fy2011
IAB Affiliate Monitor Ad Spend Study fy2011IAB Netherlands
 
Adex 2011 online advertising in europe
Adex 2011   online advertising in europeAdex 2011   online advertising in europe
Adex 2011 online advertising in europeIAB Netherlands
 
Mike Nolet - Automated Trading: Beyond the Hype. #ATSNL
Mike Nolet - Automated Trading: Beyond the Hype. #ATSNLMike Nolet - Automated Trading: Beyond the Hype. #ATSNL
Mike Nolet - Automated Trading: Beyond the Hype. #ATSNLIAB Netherlands
 
Whitepaper Automated Trading, intro voor adverteerders en publishers
Whitepaper Automated Trading, intro voor adverteerders en publishersWhitepaper Automated Trading, intro voor adverteerders en publishers
Whitepaper Automated Trading, intro voor adverteerders en publishersIAB Netherlands
 
Martin van der Meij - De zin en onzin omtrent Automated Trading
Martin van der Meij - De zin en onzin omtrent Automated TradingMartin van der Meij - De zin en onzin omtrent Automated Trading
Martin van der Meij - De zin en onzin omtrent Automated TradingIAB Netherlands
 
Frank Ammerlaan - RTB van aandelen en opties
Frank Ammerlaan - RTB van aandelen en optiesFrank Ammerlaan - RTB van aandelen en opties
Frank Ammerlaan - RTB van aandelen en optiesIAB Netherlands
 
Daan Witteveen - The future of Media #ATSNL
Daan Witteveen - The future of Media #ATSNLDaan Witteveen - The future of Media #ATSNL
Daan Witteveen - The future of Media #ATSNLIAB Netherlands
 
Tim Geenen - Show me the cookies! #ATSNL
Tim Geenen - Show me the cookies! #ATSNLTim Geenen - Show me the cookies! #ATSNL
Tim Geenen - Show me the cookies! #ATSNLIAB Netherlands
 
Tanzil Bukhari - Why should real-time advertising be on everyone's radar? #ATSNL
Tanzil Bukhari - Why should real-time advertising be on everyone's radar? #ATSNLTanzil Bukhari - Why should real-time advertising be on everyone's radar? #ATSNL
Tanzil Bukhari - Why should real-time advertising be on everyone's radar? #ATSNLIAB Netherlands
 
De nieuw trend in media - second screen
De nieuw trend in media - second screenDe nieuw trend in media - second screen
De nieuw trend in media - second screenIAB Netherlands
 
Marketing Dagen 24-04-2012: Paulo Lopes (Taskforce Social)
Marketing Dagen 24-04-2012: Paulo Lopes (Taskforce Social)Marketing Dagen 24-04-2012: Paulo Lopes (Taskforce Social)
Marketing Dagen 24-04-2012: Paulo Lopes (Taskforce Social)IAB Netherlands
 
Search Marketing Thursday 05-04-2012 - Lauren van der Heijden
Search Marketing Thursday 05-04-2012 - Lauren van der HeijdenSearch Marketing Thursday 05-04-2012 - Lauren van der Heijden
Search Marketing Thursday 05-04-2012 - Lauren van der HeijdenIAB Netherlands
 

More from IAB Netherlands (20)

Mic 2012 tom-eslinger
Mic 2012 tom-eslingerMic 2012 tom-eslinger
Mic 2012 tom-eslinger
 
Mic 2012 alex_balfour
Mic 2012 alex_balfourMic 2012 alex_balfour
Mic 2012 alex_balfour
 
Mic 2012 jon_mew
Mic 2012 jon_mewMic 2012 jon_mew
Mic 2012 jon_mew
 
Mic 2012 gerd_leonhard
Mic 2012 gerd_leonhardMic 2012 gerd_leonhard
Mic 2012 gerd_leonhard
 
Privacysessie BVA presentatie Auke van den Hout iab
Privacysessie BVA presentatie Auke van den Hout iabPrivacysessie BVA presentatie Auke van den Hout iab
Privacysessie BVA presentatie Auke van den Hout iab
 
MARCOM12 presentatie Jeroen Elfferich - Tweede Scherm
MARCOM12 presentatie Jeroen Elfferich - Tweede SchermMARCOM12 presentatie Jeroen Elfferich - Tweede Scherm
MARCOM12 presentatie Jeroen Elfferich - Tweede Scherm
 
IAB MWG 2012 06-14 second screen - toegevoegd waarde of toegevoege afleiding ...
IAB MWG 2012 06-14 second screen - toegevoegd waarde of toegevoege afleiding ...IAB MWG 2012 06-14 second screen - toegevoegd waarde of toegevoege afleiding ...
IAB MWG 2012 06-14 second screen - toegevoegd waarde of toegevoege afleiding ...
 
MARCOM12 presentatie Michiel Ebeling - Mobile Facts & Figures
MARCOM12 presentatie Michiel Ebeling - Mobile Facts & FiguresMARCOM12 presentatie Michiel Ebeling - Mobile Facts & Figures
MARCOM12 presentatie Michiel Ebeling - Mobile Facts & Figures
 
IAB Affiliate Monitor Ad Spend Study fy2011
IAB Affiliate Monitor Ad Spend Study fy2011IAB Affiliate Monitor Ad Spend Study fy2011
IAB Affiliate Monitor Ad Spend Study fy2011
 
Adex 2011 online advertising in europe
Adex 2011   online advertising in europeAdex 2011   online advertising in europe
Adex 2011 online advertising in europe
 
Mike Nolet - Automated Trading: Beyond the Hype. #ATSNL
Mike Nolet - Automated Trading: Beyond the Hype. #ATSNLMike Nolet - Automated Trading: Beyond the Hype. #ATSNL
Mike Nolet - Automated Trading: Beyond the Hype. #ATSNL
 
Whitepaper Automated Trading, intro voor adverteerders en publishers
Whitepaper Automated Trading, intro voor adverteerders en publishersWhitepaper Automated Trading, intro voor adverteerders en publishers
Whitepaper Automated Trading, intro voor adverteerders en publishers
 
Martin van der Meij - De zin en onzin omtrent Automated Trading
Martin van der Meij - De zin en onzin omtrent Automated TradingMartin van der Meij - De zin en onzin omtrent Automated Trading
Martin van der Meij - De zin en onzin omtrent Automated Trading
 
Frank Ammerlaan - RTB van aandelen en opties
Frank Ammerlaan - RTB van aandelen en optiesFrank Ammerlaan - RTB van aandelen en opties
Frank Ammerlaan - RTB van aandelen en opties
 
Daan Witteveen - The future of Media #ATSNL
Daan Witteveen - The future of Media #ATSNLDaan Witteveen - The future of Media #ATSNL
Daan Witteveen - The future of Media #ATSNL
 
Tim Geenen - Show me the cookies! #ATSNL
Tim Geenen - Show me the cookies! #ATSNLTim Geenen - Show me the cookies! #ATSNL
Tim Geenen - Show me the cookies! #ATSNL
 
Tanzil Bukhari - Why should real-time advertising be on everyone's radar? #ATSNL
Tanzil Bukhari - Why should real-time advertising be on everyone's radar? #ATSNLTanzil Bukhari - Why should real-time advertising be on everyone's radar? #ATSNL
Tanzil Bukhari - Why should real-time advertising be on everyone's radar? #ATSNL
 
De nieuw trend in media - second screen
De nieuw trend in media - second screenDe nieuw trend in media - second screen
De nieuw trend in media - second screen
 
Marketing Dagen 24-04-2012: Paulo Lopes (Taskforce Social)
Marketing Dagen 24-04-2012: Paulo Lopes (Taskforce Social)Marketing Dagen 24-04-2012: Paulo Lopes (Taskforce Social)
Marketing Dagen 24-04-2012: Paulo Lopes (Taskforce Social)
 
Search Marketing Thursday 05-04-2012 - Lauren van der Heijden
Search Marketing Thursday 05-04-2012 - Lauren van der HeijdenSearch Marketing Thursday 05-04-2012 - Lauren van der Heijden
Search Marketing Thursday 05-04-2012 - Lauren van der Heijden
 

Iab cookie compliance guide

For that matter, the obligations do not always rest on the person who is responsible for the service requested or site visited by the user. It can also happen that a third party places cookies via your website, since via a site for example another site is displayed, as a result of which the third party must comply with the obligations as well. In view of the shared responsibility to comply with the obligations, it is advisable to reach collaboration at this.

iab. Cookie compliance A Practical Guide | 3
What is the objective of this guide?

This Cookie Compliance Guide provides you with a tool with regard to the new Cookie Provision. The objective of this Guide is to map the process you must follow in order to comply with the obligations from the Cookie Provision. This Guide however does not provide specific advice on how you must implement the various steps (this will vary per company).

Since at the time of writing of this Guide many uncertainties still remain on the exact interpretation of the Cookie Provision, this document has the status of a “live” document. By the time more becomes clear on the interpretation of the Cookie Provision, this document will be modified.

For whom is this guide intended?

This Guide is intended for everyone who has a website and wants to become compliant with the new legislation. It is not intended as a technical manual for web developers.

On the authors

This document was formulated by assignment of the IAB by:

AUKE VAN DEN HOUT
Auke van den Hout is responsible for the privacy portfolio with the Management of IAB. He is co-founder of Adatus, the European market place for ‘audience targeting’ and has over 15 years’ experience in data-driven advertising in Europe.
EMAIL: INFO@IAB.NL / TEL: +31 854010802

ROEL VAN RIJSEWIJK
Roel van Rijsewijk is Director at Deloitte with over 10 years’ experience in consulting media and technology companies in the field of risk management and compliance. Roel is co-founder of Deloitte Online Business Innovation and leads the innovation programme in the field of confidence in the digital world.
EMAIL: RVANRIJSEWIJK@DELOITTE.NL / TEL: +31 652615087

This Cookie Compliance Guide was developed with the utmost care, whereby the legal regulations as set out by or by virtue of the Dutch Telecommunication Act and the Dutch Data Protection Act have been taken into account as well as possible. Despite that, this document can contain inaccuracies or deficiencies and no rights can be derived from the Guide. Neither the IAB nor the makers of the Guide are liable for possible inaccuracies and/or deficiencies. Since apart from this the exact meaning of these regulations always depends on the circumstances of the case, which during the development of this Cookie Compliance Guide could not be taken into account, the use of this Cookie Compliance Guide is always fully at the risk of the user.
2. Cookie Compliance Guide

A. Cookie inventory

1. IDENTIFYING COOKIES

Introduction
In order to be able to comply with the obligations included in the Cookie Provision it is important to start by making an inventory of which types of cookies – and comparable techniques – your website places and/or which types of cookies are possibly placed by third parties. This phase therefore consists of identifying the types of cookies.

Why?
• It clarifies which obligations from the Cookie Provision you will have to comply with.
• It provides insight into the way in which your management will be affected by the new Cookie Provision.
• It sees to it that you can comply more easily with the information and consent obligations.
• You make it known to the supervising authorities that you are aware of the problems related to the Cookie Provision and that you are willing to work on this.

For the benefit of a thorough inventory, we advise you to answer the following questions.
1. Which types of cookies are used on my website and who places them?
2. Why are the cookies being used?
3. Is it a persistent or a session cookie?
4. Is the cookie used over several connected websites or is it only used on one single domain?
5. To which data does the cookie refer / which data does the cookie contain?
6. How long is the data that the cookie refers to being stored?

The questions are discussed step-by-step below.

Tips
• There are tools available that can be helpful in analysing the use of cookies on your website – mostly in the form of plug-ins for your browser.
• Review all parts of your website that could potentially place cookies, both by yourself and by third parties. Pay special attention to the integration of external scripts, such as Like buttons of Facebook, +1 of Google, etc.

Step 1. Which cookies are placed by whom?
• Identify which cookies are used on your website.
• Pay attention thereby to cookies that you yourself have placed on your website (First Party Cookies).
• Identify which cookies have been placed on your website by third parties. Pay attention thereby to cookies that are placed by for example social networks and advertising networks (Third Party Cookies).
• Please do not forget to identify the flash cookies used!
Step 2. Objective
In this step it is important to indicate per cookie with which objective the cookie is placed. In order to help you with your investigation, among other things you may ask the following questions:
• Was the cookie placed in order to see to it that the products in the shopping cart are remembered?
• Do the cookies see to it that the contents of the page are loaded faster?
• Are the cookies used because of certain security requirements?
• Is the data used/read by third parties, and why?
• Are the cookies used in order to recognise a user so that he/she can be welcomed upon returning to the website?
• Is data on the use of the website, such as the number of unique visitors, collected by means of the cookie?

Step 3. Life-span
• Indicate per cookie whether it concerns a session cookie or a persistent cookie.
• Identify how long the cookie is stored.

Step 4. Number of websites
• Indicate per cookie whether it is used in order to collect information from several websites, and if so: what information that is.
• Establish whether cookies that are used on several websites have the same functionality everywhere, or whether the functionality/functionalities differ(s).

Step 5. Which data does the cookie refer to?
In this step you will investigate which type of data the cookie contains and/or to which data the cookie refers.
• Does the cookie itself contain personal data?
• Which other data is stored in the cookie itself?
• Establish to which data the cookie refers in your own environment and databases.
• Record which data is collected from the users in the databases.
• Establish which other data from other databases can be linked to this.

Step 6. Storage term
Besides the life-span of the cookie itself, you must establish how long the data to which the cookie refers will be stored.
• Establish which procedures apply for the destruction of user data within the various databases.
• Establish whether in practice these procedures are complied with.

Tips for identifying cookies
• See to it that you analyse the use of cookies on all pages, in each phase during which your user is on your website.
• Ascertain that you have a complete overview of all websites and webpages for which you are responsible.
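The inventory steps above can be partly automated from the Set-Cookie headers your own pages and their embedded third-party resources return. The following is an added example (not code from the IAB guide) that answers questions 1, 3 and 4 of the inventory (who places the cookie, session or persistent, single domain or several websites); the observations, host names and the "last two DNS labels" approximation of a registrable domain are constructed assumptions.

```javascript
// Added example, not from the IAB guide: build a cookie inventory from the
// Set-Cookie headers observed while visiting your own pages, answering the
// guide's questions 1, 3 and 4 (who places the cookie, session or persistent,
// single domain or several websites). All observations below are constructed.
// Assumption: the registrable domain is approximated by the last two labels.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

function baseDomain(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header value into its name and attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq).trim();
  const attrs = {};
  for (const part of rest) {
    const [key, ...val] = part.trim().split('=');
    attrs[key.toLowerCase()] = val.length ? val.join('=').trim() : true;
  }
  return { name, attrs };
}

// Life-span in days. Max-Age takes precedence over Expires (RFC 6265, 5.3);
// a cookie with neither attribute is a session cookie (null).
function lifespanDays(attrs, now) {
  if (attrs['max-age'] !== undefined) return Math.round(Number(attrs['max-age']) / 86400);
  if (attrs.expires !== undefined) {
    const exp = Date.parse(attrs.expires);
    return Number.isNaN(exp) ? null : Math.round((exp - now.getTime()) / MS_PER_DAY);
  }
  return null;
}

// observations: [{ page, resource, setCookie: [...] }], where `page` is the
// page you visited and `resource` the response (your own or a third party's)
// that carried the Set-Cookie header(s).
function buildInventory(siteHost, observations, now = new Date()) {
  const site = baseDomain(siteHost);
  const rows = new Map();
  for (const { page, resource, setCookie } of observations) {
    const resourceHost = new URL(resource).hostname;
    const pageSite = baseDomain(new URL(page).hostname);
    for (const header of setCookie) {
      const { name, attrs } = parseSetCookie(header);
      const domain = baseDomain(attrs.domain || resourceHost);
      const key = `${name}@${domain}`;
      if (!rows.has(key)) {
        const days = lifespanDays(attrs, now);
        rows.set(key, {
          name,
          domain,
          placedBy: domain === site ? 'first party' : 'third party',
          type: days === null ? 'session' : 'persistent',
          lifespanDays: days,
          secure: attrs.secure === true,
          httpOnly: attrs.httponly === true,
          sites: new Set(),
        });
      }
      rows.get(key).sites.add(pageSite);
    }
  }
  return [...rows.values()].map((r) => ({
    ...r,
    sites: [...r.sites].sort(),
    multiSite: r.sites.size > 1, // question 4: used over several websites?
  }));
}

// Constructed observations for a fictitious shop and a fictitious ad network.
const OBSERVATIONS = [
  { page: 'https://www.shop-example.nl/cart', resource: 'https://www.shop-example.nl/cart',
    setCookie: ['cart=abc123; Path=/; Secure; HttpOnly'] },
  { page: 'https://www.shop-example.nl/', resource: 'https://www.shop-example.nl/',
    setCookie: ['lang=nl; Expires=Wed, 05 Jun 2013 00:00:00 GMT; Path=/'] },
  { page: 'https://www.shop-example.nl/', resource: 'https://ads.tracker-example.com/pixel',
    setCookie: ['uid=7f3a; Domain=.tracker-example.com; Max-Age=63072000; Path=/'] },
  { page: 'https://blog.partner-example.org/', resource: 'https://ads.tracker-example.com/pixel',
    setCookie: ['uid=7f3a; Domain=.tracker-example.com; Max-Age=63072000; Path=/'] },
];

// Fixed "now" so that the Expires arithmetic is reproducible.
const INVENTORY = buildInventory('www.shop-example.nl', OBSERVATIONS, new Date('2012-06-05T00:00:00Z'));

console.table(INVENTORY);
```

The resulting rows (name, who places it, session/persistent, life-span, sites on which it was seen) are the raw material for Steps 2, 5 and 6, which still need the objective and the linked back-end data to be filled in by hand.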
2. Cookie impact assessment

We advise you – after you have made an inventory of the types of cookies that are being used on your website – to also carry out a cookie impact assessment for reasons of completeness. The objective of the Cookie Provision is namely to provide the internet user with more control over his/her privacy. Thereto it is important that you gain insight into the impact of the use of cookies on the privacy of website visitors.

By means of this assessment you evaluate the impact of each type of cookie on the privacy of your website user. Subsequently you can become aware of the consequences a visit to your website has for a user, and you can take a critical look at the cookies that you are placing. Assess this impact by completing the following steps.

Step 1. First party cookies
Use the questions and answers from the cookie inventory phase to carry out this cookie impact assessment. It is important that you regard this impact as a moving matrix (see Figure below).

[Figure: moving matrix of cookie impact, with each cookie placed on a scale from “Little impact” to “Lot of impact”]

Step 2. Third party cookies
If via your website cookies from third parties are placed, it is also important to assess to which extent these cookies might violate the privacy of your website users and how this party deals with the information and consent requirements.

FOR THIS YOU CAN:
1. Contact the party concerned in order to inform them of what we advise; and/or
2. Assess the privacy policy of that party.

Place these cookies on the moving matrix of cookie impact as indicated above as well.
3. Cookie categorisation

With the results from the inventory phase, you can subdivide the cookies into two categories; these two categories originate from the Cookie Provision.

Category 1
Based on the inventory phase, you can assess whether the type of cookies that you place is categorised under one of the following exceptions:
• The technical storage or access to data is only intended to carry out the communication via an electronic communication network. The communication on the website can in some cases only take place by using a cookie. This is for example the case if a language setting is remembered.
• Storage of or access to this data is strictly necessary. The legislator has determined that strictly necessary use of cookies is exempted from the cookie obligations (on the condition that you do not process personal data). An example of this is a shopping cart cookie. It is important that you reason from the perspective of the website user whether certain cookie use is strictly necessary.

If this is the case, then this concerns cookies that in line with the Cookie Provision are deemed strictly necessary. In these cases you do not have to comply with the consent requirement as included in the Cookie Provision, on the condition that you do not process personal data herewith. For the benefit of transparency you might consider informing the user on placing such cookies. This does not have to be done via a pop-up or the like, but can also be included in the privacy policy.

Category 2
Should the cookies not fall under the first category, then in principle it concerns cookies that are not strictly necessary. For these cookies prior consent is required. Besides, the user should be informed on – among other things – the placing of cookies and the consequences thereof. Do you make use of client profiling or re-targeting? Then without any doubt you must obtain prior consent from your website users.

Are you in doubt in which category a specific cookie should be placed? This will certainly be the case, since many issues are still unclear. In order to determine the correct approach, a risk assessment would have to be carried out as described in the next Chapter.
B. Compliance path

1. Risk assessment

There will be cookies of which it is not completely clear whether the use thereof is deemed strictly necessary and whether consent is therefore needed. In that case we advise you to carry out a risk assessment to be able to choose the correct compliance approach. A compliance approach for these cookies should take into account:
• The importance of the use of a cookie and the data related to it for the organisational objectives.
• The impact of the use of cookies on the privacy of the user.

Thereby we provide you with the following considerations:
- If the importance of the use of the cookie and the data related to it is low for the organisational objectives, you could consider stopping using this cookie, especially when the impact of the use of cookies on the privacy of the user is high.
- If the importance of the use of the cookie is high for organisational objectives and the impact on the privacy of the user is high, explicitly requesting consent is the obvious choice. In your provision of information towards the consumer, in that case you also have to indicate very clearly how the data is used, stored, and protected, apart from a very sound explanation of the importance of the cookie for your organisation as well as the advantages and disadvantages for the consumer when he/she does/does not accept the cookie.
- If the impact on the privacy of the user is negligible and the importance of the use of the cookie for the organisational objectives is high, extra steps can be taken in order to obtain certainty on the approach, such as consulting experts, testing the approach against standards as well as against the approach of others that make use of these cookies, and building up a well-founded case.

Now that you know which category of cookies is placed via your website, you can start determining in which way you will comply with the information obligation and the consent requirement. Thereby we refer to the following Chapters.
2. Information obligation in practice

This Chapter provides you with tools on the way in which you can comply with the information obligation.

Providing information
The Cookie Provision does not stipulate in which way the website user must be informed. Still, it is clear that the information provided must be unequivocally clear and complete in advance. This means that each website visitor must be informed prior to the placing of the cookie on:
1. The fact that a cookie is being placed;
2. By whom a cookie is being placed;
3. What the objective of this cookie is;
4. How long the cookie is stored;
5. Who will obtain access to the data;
6. Whether the cookie will be reused and if so by whom.

Making information on the use of cookies transparent
It is by all means insufficient to only describe the use of cookies in your privacy policy. It is namely important that you can establish that the users have picked up the information.

Tips
• See to it that your users cannot evade the information.
• Describe the privacy and cookie policy in simple terms that can be understood by everyone.
Grouping cookies
You do not have to inform your website visitors on each separate use of a cookie; you may also group the use of cookies by type and objective of the cookie.

Advantages of the information obligation
By being completely transparent on the use of cookies on your website, the confidence of your visitor will increase. For the complete provision of information it is wise to add the following to the information:
• Why your website needs these cookies
• What the advantage is for your website user
• Make it clear for the user that he/she can revoke the consent given at all times, as well as in which way he/she can do this.

3. Obtaining consent in practice

From the categorisation phase it has become clear for which cookies you should specifically obtain consent. This Chapter clarifies in which way you can comply with the consent requirement. It goes without saying that obtaining consent is closely related to the information obligation. After all, it should be clear for what the user gives his/her consent.

Which method is most suited in practice to obtain consent from your website users depends on the objective of the cookies, how privacy-sensitive the data is, and what the relation with your website visitors is. There are various methods to point visitors to the presence of the cookies and to inform them in a transparent way. Below a number of examples are summed up:

FEATURE LED
With the feature-led method, the visitor is requested to give consent when he or she wants to make use of a certain feature. Prior to the use of a certain part of the website (for which cookies should be placed), the visitor can be informed and asked for consent, instead of requesting consent directly upon arrival on the website for all cookies on the complete website.

LOGGING IN
Prior to logging in to a certain part of the website, you can indicate that you intend to place cookies. You can inform the visitor prior to logging in on the use of certain cookies, so that he/she can take an informed decision on giving consent or not.

Attention:
• By no means are you permitted to fix tick boxes at ‘on’. This is namely not regarded as opt-in by the legislator but as opt-out. Herewith you would therefore not comply with the requirements of the Cookie Provision.
• See to it that your users can see the information and that you communicate in a transparent way why you are making use of cookies.
DIALOGUE WINDOW
By means of a dialogue window you force the visitor to first make a selection before being able to visit the website that is behind the window. In this window you inform the visitor and you refer to the privacy policy.

STATUS BAR
You can make use of the status bar to inform the visitor. This can be done both at the top and at the bottom of the page. This status bar informs the users on the cookies that you intend to place, provides access to the privacy policy, and allows visitors to accept the use of the cookies based on the information provided. Since with this type of information a selection is not necessarily enforced before the consumer can continue, you must pay attention that you place the status bar at a location where the bar is clearly visible for the user. See to it that no cookies are being used until the user actually explicitly gives his/her consent thereto.

WARNING BAR
A similar method as the status bar method, but this one is more insistently present on your website. Each time the website wants to place a cookie, the warning bar appears. Inform the visitor in this way, link to the privacy policy, and see to it that visitors can accept or refuse the cookies.

SETTING-LED
If the website contains options for the user to select settings, you can also use those settings to switch on or off certain functionalities that require cookies. Visitors can then take an informed decision at the settings to make use of the functionalities and to give consent to place the cookies. Since with this way of informing no prior selection is enforced, you must clearly explain to the user how he/she can give consent via his/her settings.
Points of interest

Proving that you obtained consent
You need consent in order to be able to place a cookie. Realise that you also must be able to demonstrate that you have obtained this consent. See to it that you have a procedure in place for this and record from whom you obtained the consent. Attention: the most user-friendly way to record consent obtained is by means of a cookie!

Third party cookies
In principle, each party that places data must inform the visitor and obtain consent, third parties as well. Instead of obtaining consent separately (your cookies separate from third party cookies) you can also make an agreement with the third party to include a reference in the information provision to the privacy information of the third party. This means one pop-up fewer for the visitor. Besides, you can inform the user on how to switch off third party cookies in the browser.

One cookie for several websites
Are you using a cookie for several websites? Do you have various websites linked to each other and are you using the same cookies for those? In order to obtain consent for all websites, you must see to it that you clearly inform the visitor for which websites you wish to obtain consent.

Modification after cookie consent has been obtained
If after you have obtained consent you apply modifications in the cookies to be used or purchase new cookie services from third parties, it is possible that you have to obtain consent once again from your visitor. You will have to ask for consent once again if you apply modifications to:
1. The purpose of the cookie that is placed;
2. By whom the cookie has been placed;
3. How long the cookie is being stored;
4. Who will have access to the data;
5. Whether the cookie will be reused and by whom.

Revoking consent
Consent once given can always be revoked. Do not forget to offer visitors the opportunity to simply revoke their consent.
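The consent methods and points of interest above, as an added example that is not part of the IAB guide: a small consent gate in JavaScript in which no non-essential cookie is written before the visitor has chosen, the consent record (with a timestamp) is itself kept in a cookie, consent can be revoked, and a change to the declared purposes (a new consent version) makes the old record invalid so the visitor is asked again. The purpose names, cookie names and the in-memory cookie jar are constructed for the example; in a browser the jar would wrap document.cookie.

```javascript
const CONSENT_COOKIE = 'cookie_consent';
const CONSENT_VERSION = 2; // bump when purposes, parties, retention or reuse change

// Purposes declared to the visitor (constructed for this example).
const PURPOSES = {
  essential:   { required: true,  description: 'login session and basket' },
  analytics:   { required: false, description: 'aggregated visit statistics, kept 30 days' },
  advertising: { required: false, description: 'behavioural targeting, shared with ad network' },
};

// In-memory cookie jar so the logic runs outside a browser (constructed);
// a browser adapter would read and write document.cookie instead.
function memoryJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name) : null),
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    names: () => [...store.keys()],
  };
}

class ConsentManager {
  constructor(jar, purposes = PURPOSES, version = CONSENT_VERSION) {
    Object.assign(this, { jar, purposes, version });
  }

  // The stored record; a missing, malformed or out-of-date record counts as
  // "no consent", so the visitor is asked again.
  record() {
    const raw = this.jar.get(CONSENT_COOKIE);
    if (raw === null) return null;
    try {
      const rec = JSON.parse(raw);
      if (rec === null || rec.version !== this.version) return null;
      if (!Array.isArray(rec.granted)) return null;
      return rec;
    } catch (e) { return null; }
  }

  needsDialogue() { return this.record() === null; }

  // Called when the visitor makes a selection in the dialogue or status bar.
  // The timestamp is the evidence that (and when) consent was obtained.
  grant(selected, now = Date.now()) {
    const granted = selected.filter((p) => p in this.purposes && !this.purposes[p].required);
    const rec = { version: this.version, granted, at: now };
    this.jar.set(CONSENT_COOKIE, JSON.stringify(rec));
    return rec;
  }

  // Revocation removes the record and every cookie set under a non-essential
  // purpose; strictly necessary cookies are left in place.
  revoke(cookiesByPurpose) {
    this.jar.remove(CONSENT_COOKIE);
    for (const [purpose, names] of Object.entries(cookiesByPurpose)) {
      if (this.purposes[purpose] && this.purposes[purpose].required) continue;
      names.forEach((n) => this.jar.remove(n));
    }
  }

  // The gate every cookie write goes through.
  allowed(purpose) {
    const p = this.purposes[purpose];
    if (!p) return false;          // undeclared purpose: never allowed
    if (p.required) return true;   // strictly necessary: exempt from consent
    const rec = this.record();
    return rec !== null && rec.granted.includes(purpose);
  }

  setCookie(name, value, purpose) {
    if (!this.allowed(purpose)) return false;
    this.jar.set(name, value);
    return true;
  }
}

// A visitor's session: nothing non-essential is written before consent, and
// only the granted purposes are unlocked afterwards.
function demo() {
  const jar = memoryJar();
  const cm = new ConsentManager(jar);
  const beforeConsent = cm.setCookie('_ga', '1', 'analytics');  // false: no consent yet
  cm.grant(['analytics']);
  const afterConsent = cm.setCookie('_ga', '1', 'analytics');   // true
  const ads = cm.setCookie('adid', 'x', 'advertising');         // false: not granted
  return { beforeConsent, afterConsent, ads, cookies: jar.names() };
}
```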
4. Demonstrate that you do not process personal data

From 1 January 2013, the new Cookie Provision will be enforced, in which the use of ‘commercial’ cookies (a cookie that has the objective to collect, combine, or analyse data on the use of various services of the information society by the user or subscriber for commercial, charitable, or idealistic purposes) will be regarded as the processing of personal data, as a result of which the privacy legislation becomes applicable. Hereby the legislator has made use of the concept of ‘legal presumption’: you are deemed to process personal data, unless you can demonstrate that this is not the case.

See Appendix E in case the presumption that you process personal data is justified and you have not made arrangements for this yet. If you find that this presumption is not justified and you are of the opinion that you are not processing personal data, this Chapter describes what you must do.

Demonstrating that you are not processing personal data is not easy. A sound preparation is important so that by the time you need to provide the proof you are not standing empty-handed but can act pro-actively. By following the subsequent steps you will obtain a sound idea on the use of data within the organisation, and you have your file with proof ready in order to demonstrate that you are not processing personal data.

Step 1. Record in a management statement why you are not processing personal data
Know what you want to demonstrate. Formulate (management) statements in which you indicate why you are not processing personal data. These should also indicate which measures you have taken in order to keep data anonymous.

YOU CAN FOR EXAMPLE STATE:
• The data collected, stored, and edited by [your organisation] cannot be reduced to the individual internet user or computer from which the data originates;
Step 2. Map processes and information flows
Map the relevant processes and information flows in relation to the use of the cookies.
• Which cookies do you use?
• Where does all information go to?
• What sort of information is being collected?
• Who makes use of that information?
By mapping the processes and information flows, you yourself will obtain a clear overview of the organisation of information. Because of this you can be certain that you have taken all information collections into account.

Step 3. Establish how you can demonstrate that it does not concern personal data
What can you show so that you can demonstrate that you are not processing personal data? Show for example which data you collect, which measures you have taken to make data anonymous, and what sort of use you make of the data (for example: only for statistical purposes).

Step 4. Carry out a gap analysis
A gap analysis is a method to make a comparison between an existing and a desired situation. Check whether you are not unexpectedly still collecting data that can be reduced to the internet user or computer. Use the information flows and processes as mapped in step 2. Try by means of the already collected data whether this can be reduced to a computer or person.

Step 5. If applicable: repair the gaps encountered and report the actual use of data
Should you have established during the previous step that so-called gaps still exist, then try to repair those. Make data anonymous where necessary or take other measures to see to it that you comply with the desired situation. Finally, report on the actual use of data within your organisation so that you can demonstrate that you – if applicable – do not process personal data and therefore, as far as this data is concerned, do not have to comply with the Dutch Data Protection Act.
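Steps 2 to 5 above carried through in code, as an added example that is not part of the IAB guide: a gap analysis over a constructed set of raw analytics records that flags fields which can be reduced to an internet user or computer (direct identifiers, and combinations of browser properties that act as a device fingerprint), applies the anonymisation the management statement claims, re-checks the result, reports which retained combinations still single out one visit, and aggregates the rest into the purely statistical counts that are kept. The field names, identifier lists and sample records are assumptions for the example.

```javascript
// Fields that directly identify a user or computer (constructed list).
const DIRECT_IDENTIFIERS = ['ip', 'userId', 'email', 'clientId'];
// Fields that individually are harmless but together form a device fingerprint.
const FINGERPRINT_FIELDS = ['userAgent', 'screen', 'timezone', 'fonts', 'plugins'];
const FINGERPRINT_THRESHOLD = 3;
// What the anonymised record is allowed to keep.
const RETAINED_FIELDS = ['day', 'page', 'browserFamily'];

// Step 4: list the reasons a record can still be reduced to a person or computer.
function findGaps(record) {
  const gaps = [];
  for (const f of DIRECT_IDENTIFIERS) {
    if (record[f] != null) gaps.push(`direct identifier: ${f}`);
  }
  const fp = FINGERPRINT_FIELDS.filter((f) => record[f] != null);
  if (fp.length >= FINGERPRINT_THRESHOLD) gaps.push(`fingerprint: ${fp.join('+')}`);
  return gaps;
}

// Coarsen the user agent to a browser family; order matters because a Chrome
// user agent also contains "Safari/".
function browserFamily(ua) {
  if (!ua) return 'other';
  if (/Firefox\//.test(ua)) return 'firefox';
  if (/Chrome\//.test(ua)) return 'chrome';
  if (/Safari\//.test(ua)) return 'safari';
  return 'other';
}

// Step 5: the anonymisation measure claimed in the management statement.
// Identifiers are dropped, the timestamp is truncated to the day and the
// user agent reduced to a family; nothing else is retained.
function anonymise(record) {
  return {
    day: record.timestamp.slice(0, 10),
    page: record.page,
    browserFamily: browserFamily(record.userAgent),
  };
}

// Records whose retained-field combination is unique in the data set could
// still single out one visit; report them so that gap can be repaired too.
function singletons(records, fields = RETAINED_FIELDS) {
  const key = (r) => fields.map((f) => String(r[f])).join('|');
  const counts = new Map();
  for (const r of records) counts.set(key(r), (counts.get(key(r)) || 0) + 1);
  return records.filter((r) => counts.get(key(r)) === 1);
}

// The statistical use that remains: visits per page per day.
function aggregate(records) {
  const counts = {};
  for (const r of records) {
    const k = `${r.day} ${r.page}`;
    counts[k] = (counts[k] || 0) + 1;
  }
  return counts;
}

const CHROME_UA = 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1';
const FIREFOX_UA = 'Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1';

// Constructed sample of raw records as an analytics script might have collected them.
const RAW_RECORDS = [
  { timestamp: '2012-09-03T10:15:00Z', page: '/home', ip: '192.0.2.10', userAgent: CHROME_UA,
    screen: '1920x1080', timezone: 'Europe/Amsterdam', fonts: 'Arial,Verdana' },
  { timestamp: '2012-09-03T11:02:00Z', page: '/home', userAgent: FIREFOX_UA, clientId: 'GA1.2.555' },
  { timestamp: '2012-09-03T12:30:00Z', page: '/pricing', userAgent: CHROME_UA },
  { timestamp: '2012-09-03T14:00:00Z', page: '/home', userAgent: FIREFOX_UA },
  { timestamp: '2012-09-03T16:45:00Z', page: '/pricing', userAgent: CHROME_UA, email: 'visitor@example.com' },
];

// Run the analysis before and after anonymisation and produce the file of proof.
function runGapAnalysis(records) {
  const recordsWithGaps = records.filter((r) => findGaps(r).length > 0).length;
  const anon = records.map(anonymise);
  const recordsWithGapsAfter = anon.filter((r) => findGaps(r).length > 0).length;
  return { recordsWithGaps, recordsWithGapsAfter, singletons: singletons(anon).length, report: aggregate(anon) };
}
```

On the sample data three raw records have gaps, none remain after anonymisation, and one retained combination (the only Chrome visit to /home that day) is still a singleton, which is the kind of residual finding step 5 asks you to repair, for instance by dropping browserFamily or reporting per day only.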
Appendix A. The new ‘cookie regulations’

The law amendment in short
Based on the new Cookie Provision in the Dutch Telecommunication Act, one should first obtain consent from the user before placing cookies on the computer (or obtaining access thereto).

Information obligation
One should provide the user in advance with clear and complete information on the objectives for which one wants to place or read the cookies.

Consent
The consent should take place in advance and comply with the concept of ‘consent’ as described in Article 1 of the Dutch Data Protection Act: it should concern a free, specific, and information-based expression of will. Consent does not have to be given separately for each individual cookie by the various parties. The users must be able to revoke this consent at all times.

“Consent: a free, specific and information-based expression of will with which the party involved accepts that personal data concerning him is processed.”
Exception to the rule: strictly necessary cookies
The information obligation and the consent requirement of the Cookie Provision do not apply if the cookies are strictly necessary. You should thereby reason from cookies that are strictly necessary for the website user and not for you as person/entity responsible for the website.

Article 11.7a
1. Without prejudice to the Dutch Data Protection Act, anyone who wishes to obtain access by means of electronic communication networks to data that is stored on auxiliary equipment of a user and/or wishes to store data on the auxiliary equipment of the user shall:
a. provide the user with clear and complete information in accordance with the Dutch Data Protection Act, and at least on the purposes for which one wishes to obtain access to the respective data and/or for which one wishes to store data, and
b. have obtained consent from the user for the respective action.
An action as intended in the preamble that has the objective to collect, combine, or analyse data on the use of various services of the information company by the user or the subscriber for commercial, charitable, or idealistic objectives, is assumed to be a processing of personal data as intended in Article 1, sub b, of the Dutch Data Protection Act.
2. The requirements mentioned in the first Section, sub a and b, also apply in case it is arranged in a different way than by an electronic communication network that via an electronic communication network data is stored or access is provided to the data stored on the auxiliary equipment.
3. What is determined in Sections one and two does not apply, in as far as it concerns the technical storage of or access to data with the exclusive objective to:
a. carry out the communication via an electronic communication network, or
b. supply the service of the information company requested by the subscriber or user, where the storage of or access to data thereto is strictly necessary.
4. By means of an Order in Council, in agreement with Our Minister of Safety and Justice, further regulations can be issued with regard to the requirements mentioned in the first Section, sub a and b. The Dutch Data Protection Authority will be requested to advise on a draft of the intended Order in Council.
Appendix B. What if you do not comply with these regulations?

Enforcement OPTA
OPTA can impose a maximum penalty of € 450,000 per violation of the Dutch Telecommunication Act and decide to impose a burden under penalty.

Enforcement CBP
If personal data is processed with the text files to be placed or to be read, then you are also confronted with the Dutch Data Protection Act, whereby the Data Protection Authority is the enforcing authority.

Civil penalties
If you, for example, do not report data processing to the CBP or to an officer for data protection, the Authority can impose a civil penalty of at most € 4,500. When determining the height of the penalty, the culpability, the seriousness, and the duration of the violation are taken into account.

Burdens and civil enforcement
If in the judgment of the CBP the obligations as set forth in the Dutch Data Protection Act are violated, the CBP can decide to impose a burden under civil enforcement or a burden under penalty. First a preliminary investigation by the CBP will have to take place. The violator will then be granted a term to undo the respective violation before a burden under civil enforcement or a burden under penalty will be imposed.
Appendix C. For whom are the cookie regulations important?
It is important that all stakeholders are informed on the new obligations and determine a strategy on how to be able to become compliant. The new cookie obligations will at least be of importance for the following stakeholders:
• Ad network providers;
• Publishers;
• Social media;
• Advertisers;
• Digital media developers and ad serving technology;
• Affiliates and affiliate networks;
• Data providers;
• Online ad traders;
• Media agencies.
The new regulations for that matter apply to each party that wants to store information or provide itself access to information that is available on auxiliary equipment of any Dutch internet user. In short: the websites of foreign parties that are visited by Dutch website users should also comply with the obligations from the Cookie Provision.
Appendix D. Legal definitions

User: a natural person who makes use of a public electronic communication service for private or business purposes without necessarily being subscribed to that service;

End user: a natural person or legal person who makes use or wants to make use of a public electronic communication service and who does not also offer public electronic communication networks or public electronic communication services;

Communication: information that is exchanged or transferred between a definite number of parties by means of a public electronic communication service; this does not encompass the information that is transferred via a broadcasting service via an electronic communication network, except when the information can be related to the identifiable subscriber or user who receives the information;

Consent from a user or subscriber: consent from a party involved as intended in Article 1 sub i, of the Dutch Data Protection Act, on the understanding that the consent can also be related to data from subscribers that are not natural persons;
Appendix E. Dutch Data Protection Act
It is possible that personal data is processed by placing or reading cookies. In that case, the Dutch Data Protection Act (Wbp) applies. Under the Wbp a stricter regime applies than for cookies without personal data. If you process personal data with cookies, then you should follow the following steps in order to comply with the Wbp.

Step 1. Is personal data being processed?
Establish whether you store or read personal data. This is the case when the information you store in or read from a cookie concerns information on a natural person, also when this is not directly related to that person but a person can be derived from this information. For example: name and address data, or an IP address.

Step 2. Report the processing of personal data to the Dutch Data Protection Authority
If it has been established under ‘Step 1’ that personal data is processed, you should inform the Dutch Data Protection Authority (CBP) on this, unless it concerns processing which is exempted from the obligation to report.

Step 3. Inform the person from whom you are collecting data
One objective of the privacy legislation is to see to transparency on the processing of personal data. You should make it clear to your website visitors in a comprehensible manner what you are going to do with the data, for what you need this data, and whether you will forward the personal data to other parties. You must also make your own identity known.

Step 4. For which purpose do you need the personal data?
The personal data may only be processed for a previously determined purpose. Therefore it is important that you properly think in advance for what you need the data, and whether you are not collecting more data than is necessary to achieve this purpose. You will have to make this objective known to both the CBP and the party involved from whom you collect the personal data.
It is important that you may not store the data that is collected for the specific purpose longer than necessary for the materialisation of these purposes. What you can do is store this data in an anonymous form, so that you can still use it for statistical purposes for example.

Step 5. See to it that you only process data based on one of the foundations of the Wbp
You cannot just collect personal data from someone; this is only permitted if a foundation can be found for that in the Dutch Data Protection Act (Wbp). The Act states six foundations, of which one of the most important ones is obtaining unequivocal consent from the party involved. The Act describes consent as a ‘free, specific, and information-based expression of will’, meaning that the party involved has been properly informed in advance on the collection of personal data, and has explicitly given his or her consent for that. You can for example combine this with the already existing information obligation based on the Cookie Provision, although stricter regulations apply for that!

Step 6. Do you comply with the quality requirements?
The Wbp has formulated a number of quality requirements that should see to it that the personal data is correct and accurate. In other words: no more data than necessary, but certainly also no less!
• See to it that you therefore collect all that you need, and that this data is also correct and complete.
• Regularly check your database for outdated information, and
• Try to clear as much faulty and incomplete data as possible. If you no longer need the data, you must remove it (or make it anonymous/aggregate it).
Step 7. Establish procedures to be able to comply with the rights of parties involved
Within the framework of the transparency and quality of the data, persons of whom you collect data were allotted a number of rights. If a person would like to know which data you collected of him/her, he can file a request for perusal. The Law has formulated a number of requirements for that, such as the obligation to inform the party involved within four weeks on whether personal data on him/her is being processed. If the person establishes errors based on the perusal, he/she can request to correct this error.
• See to it that the party involved knows whom they can address in order to exert their rights.
• Formulate a procedure to be able to comply with the exertion of those rights.

Step 8. Take suitable organisational and technical security measures
Ascertain that measures have been taken to protect personal data against loss or any form of illegal processing. Depending on the sensitivity of the data, the security level is determined. If, for example, very sensitive medical data is concerned, you should take stricter measures than when you are for example only collecting IP addresses.
• See to it that malevolent people cannot access the personal data, and that unauthorised persons (both internally and externally) cannot access the data.
• If necessary, consult security experts in order to obtain a ‘suitable protection level’.

Step 9. Do you outsource the processing of personal data to a third party?
If you have another party store the data for you, you should make proper agreements on this processing. By means of an agreement/contract you must agree that the third party complies with the Wbp requirements, such as taking suitable organisational and technical measures.
• See to it that you periodically check the compliance with the agreement and the obligations resulting from it.

Step 10. Do you transfer the data outside the EU? Then please take extra measures
Check whether it concerns a non-EU country that offers a so-called ‘suitable protection level’. You can inform yourself on the CBP website on this (www.cbpweb.nl). Should this not be the case, then you will be confronted with additional requirements from the Wbp.
Appendix F. SOLV Factsheet – ‘New Cookie Rules’

WHAT
Late 2009 the European legislator introduced new, stricter legislation with regard to behavioral targeting and the use of cookies. This legislation is laid down in the amended ePrivacy Directive of 25 November 2009 and should have been implemented in the laws of the Member States by 25 May 2011. On 8 May 2012 the Dutch passed a Bill to amend the Dutch Telecommunications Act (Telecommunicatiewet, hereinafter ‘DTA’). This introduces a legal regime governing the use of cookies which is stricter than the ePrivacy Directive prescribes. The new regime for the use of cookies boils down to the requirement of informed consent based on an opt-in system:
• Prior to installing or reading cookies on the terminal equipment of the end user, the end user should be informed, and consent of the end user should be obtained.
• If the cookies are used to collect, combine or analyze information on the use of different services of the information society by the end user for commercial, charitable or non-profit purposes, this is presumed to be a processing of personal data. That means the Dutch Data Protection Act is applicable.
• Functional cookies are exempted.

Principal rule: prior informed consent

TECHNOLOGY
The new legislation doesn’t specifically apply to cookies. It applies to any technology
• by which information is stored on the terminal equipment of a user, or
• by which information already stored is being accessed.
It concerns not only personal computers, but also mobile phones and other mobile devices. Examples of cookies that fall within the exemption are cookies that are stored and read to remember the personal settings and preferences of a user, such as the preferred language, and cookies used for the processing of online orders and the execution of transactions. The new rules do apply to any other cookies, flash-cookies, Java-scripts, web taps and spyware or similar software such as dialler programmes. Device fingerprinting and digital television are also covered. The Bill makes no distinction between first party or third party cookies.
PRIOR INFORMATION
The information that has to be provided prior to placing or reading the cookie needs to be ‘clear and comprehensive’. It needs to inform the end user of the purpose of the cookie and the further processing of the data collected by the cookie. This means that the end user should at least be provided with the following information:
• the identity of the user of the cookie technology;
• the fact that the cookie is being stored on the terminal equipment;
• the purpose of the cookie;
• the period it remains active;
• if the cookie is being used to track online behaviour for targeted advertising this should be mentioned too, including with whom the information is being shared.
The information has to be easily accessible and understandable to the users.

PRIOR CONSENT
There has been a lot of debate about the question how consent can be obtained. The legal requirement is that consent has to be free, specific and informed. Unambiguous consent is not a requirement, although some parties argue the law has to be interpreted as such. In the preamble of the ePrivacy Directive it is made clear that browser settings may possibly be an adequate means of giving consent. The Dutch government has confirmed that the present browsers are insufficient, mainly because they are set to accept cookies by default. In line with the European Commission, the Dutch government is in favor of a Do-Not-Track standard as a means to obtain prior consent. However, the current standard, implemented in www.youronlinechoices.eu, is deemed to be insufficient.

Dutch data protection act (Wet bescherming persoonsgegevens)
The requirement of obtaining informed consent before placing or further accessing cookies is in line with the ePrivacy Directive. However, the adopted Dutch Bill goes considerably further and introduces an additional legal regime for the use of cookies. Any cookie used to collect, combine or analyze information of the user with regard to his online surfing behaviour is presumed to involve personal data. As a consequence, the Dutch Data Protection Act is applicable to many different cookies, entailing an even stricter legal regime for the use of cookies. This ‘cookie plus’ regime is applicable to all cookies used for behavioural targeting, but may also apply to analytics cookies such as Google Analytics.
WHO
Any party that places cookies on the terminal equipment of the user or accesses information already stored on this equipment should comply with the new rules. The regulatory authorities have stressed that there can be a shared responsibility, imposing at least some responsibility on the publishers. The new rules are applicable to anyone who wants to store information or access information already stored on the terminal equipment of internet users in the Netherlands. Thus, companies established outside the Netherlands are also governed by the Dutch rules for the use of cookies.

WHEN
The new rules have come into effect as of 5 June 2012. The Dutch government has stated that it wants to await further developments of a Do-Not-Track standard within the European Union. For this reason it said that the new rules with respect to the consent requirement shall not be enforced before 1 January 2013. However, the responsible regulatory authority, OPTA, is an independent authority and therefore may enforce despite such promises of the government.

HOW
The information that needs to be provided prior to placing the cookies has to be easily accessible and understandable to the users. This implies that a clearly visible link to the information most likely does suffice; however, a privacy policy as sole source of information is insufficient. It is obvious that publishers and users of the cookie technology have to work together on this, since the most logical place to provide information is on the website the consumer is visiting when the cookie is dropped. The consent of the user must be a clear indication of his wishes. A pop-up screen with clear and comprehensive information and a tick-box stating “I accept” seems at present the only way to comply with the new cookie rules. The regulatory authorities have expressed that consent is not required for each individual cookie. Once the user has agreed to cookies of a specific ad network provider, this ad network provider doesn’t need to obtain additional consent for cookies serving the same purpose. Users should always be given the possibility to opt out.

Please note that at present it is still unclear how parties should comply with the consent requirement. The responsible regulatory authority OPTA has not given any guidelines, opinions or such on this subject yet. The responsible Minister has only expressed that browsers are currently not sufficient. Other than that he confirms there is no consensus in the EU and that therefore he cannot give any indication on how to practically obtain adequate consent.
IAB The Netherlands
Prins Hendriklaan 29
1075 AZ Amsterdam
T: +31 85 401 08 02