Date: The 2nd of December
Time: 01:00 - 02:00 PM
CEO, Legal Monster
Lawyer specialised in privacy and marketing law, with six years experience from Plesner and six years as VP for Legal and Compliance at Trustpilot.
Stine: So the legislation that we're talking about today is eCompliance. Sorry, ePrivacy. It is in the compliance space. It is the ePrivacy Directive. You might've heard that there will come a regulation at one point, it hasn't been passed yet. If and when that regulation comes into play, it will govern all of Europe. Right now we have the directive. And that directive means that every company in Europe have to have the same minimum set of rules that is dictated by the directive. But they can actually implement stricter interpretations, stricter rules or different approaches, but they can't go below the directive. This means that there are differences across Europe when it comes to ePrivacy, And the ePrivacy Directive is actually where we find the cookie rules. The cookie rules that very much talk a bit about what is a cookie, when do you need to actually have a cookie banner on your website, do you need to get consent for it? But when we're talking about consent, it is actually the GDPR that is kicking in, because GDPR contains to rules about capturing consent, and the rules and requirements for that consent.
Stine: On top of that, we're also seeing IP addresses as being personal identifiable information. What you also might know as PII or personal data. That is also regulated by the GDPR. So therefore GDPR is also important. And then, as I talked a little bit about, given the fact that directives can be interpreted differently from country to country, we're also talking about local guidelines and local rules that we need to actually always keep on top of. Some of these local authorities are the UK data protection authorities, it's the Danish. It is CNIL. CNIL is the French. And all other countries around Europe have their own authority with their own interpretations and their own guidelines. They're somewhat the same, but there are differences.
Stine: Then we have the analytical cookies. Those are the tracking cookies, the ones that are really important in order for you to make your website better. The ones that you need to get an understanding of where people are coming from, how are they using your website, and maybe also improve your decision-making in how to improve the website experience. But you need to remember that analytical cookies cannot be placed unless to user's given consent. You need to explain to the user the type of analytical cookies you use, more specifically the names of them. You need to tell them about who is providing the specific analytical cookie. And you need to tell the purpose for the use of the cookies that we're talking about.
Stine: And here I've just included a few examples. You can see you have Google Analytics and you have many different types of Google Analytic cookies. One expiring after one day. Somebody up to 500. Here it's really important, actually, to take a look at the expiration, because you can't keep cookies forever and you can't keep them for two years. That's way too long. So you need to only have them for as long it is required. It's not nice to have. It's a need to have. And 500 days might be regarded as being a bit too long, so you have to take a look at the duration of your different types of cookies.
Stine: Then you have the marketing cookies. That is also something you need to tell users about if you're using marketing cookies. Here, for example you have the tricky provider that I've just included that's LinkedIn, because LinkedIn is a kind of two-headed beast. It's not a beast, but it's just to give you an example and understanding, because LinkedIn can both give you analytical data, but they can also give you marketing data and marketing cookies. If the cookies are only used for analytical purposes, well, then you wouldn't include it here, but many people or companies are using Google, or sorry, LinkedIn for advertising/marketing. And in this case, you can see that we've included information a bit about clicking on ads and ending up purchasing products, et cetera. And here is also that you can see that the advertiser can determine whether or not you've clicked on an ad on LinkedIn and later visited their site. So this is for marketing purposes. And again, back to the information being here.
Stine: It was just an example, just FYI. So users also needs to be given information about how they can control the cookie settings and opt out. So you need to tell them not only about the fact that they can go in and make some changes to their browsers and configure it so that they accept cookies by default, or also reject them, but you also need to have some kind of a mechanism that makes it as easy for the user to opt out from cookies as it was to give the consent in the first place. So that's the information you need to include as well.
Stine: And you might be thinking, "Well, I'm not in France, so really doesn't impact me." And you're right. But what you should keep in mind is that CNIL, which is the French data protection agency, is one of the most powerful agencies in Europe, and many of the other agencies around Europe are looking towards the French when we're talking a bit about setting the bar, setting the standard, but also setting the tone. So you should definitely, if you don't have your cookie consents in order, take a look at it.
Stine: I hope that this was of value to you. We are always doing these small webinars that hopefully don't take as much time, so that you can actually join and get value out of it, and go and take a look at your own settings and hopefully feel safe and secure about what you're doing with the data online. We have more webinars coming up, so feel free to sign up on our page regarding webinars. But before we say goodbye today, I'm going to stop sharing my screen. Oh, sorry. Oh my God. So many things going on. I don't know. There it is.
Stine: Sorry. No, we just got the funnel of that overload. I can see that Dennis didn't get the intro, so I'm sorry for that, and as you've already been informed, we're going to be sending out a replay so that you can get the information as well. I can see that there is one question and I'm going to read it out loud just to make sure that you all get it. So how would you handle third party cookies from plugins that you need on your website, for example customer support chat, as conversion tracking, could some of these be justified as necessary? Well, the thing is, as soon as something is a third party cookie, it can't be necessary. And you might think, "Huh, what does she mean?" Well, the thing is, if it's a third party cookie, the data isn't going to you, so therefore it can't be necessary. It is not something that is 100% required for you to be able to run your website.
Stine: There will be some type of cookies that would be necessary, and in addition to security, login is also one of the things that could be necessary so that people can actually log into a product. It could also be classified as, for example, if you're using Calendly. So if you're using Calendly for people to actually book a meeting with a plumber, just as an example, that's required for you actually coming out and fixing their tubes. Well, then you could argue that that is a necessary cookie as well that is being placed by Calendly, but on your behalf, because it's a first party cookie. Does it make sense?
Stine: Any other questions? Just going to close the window for that one. If there aren't any more questions, I'm going to say goodbye now, but we will definitely send you guys an email and we are in the business of helping companies become better data citizens. So if you guys have any questions or if there's anything that you would like to know more about, just shoot us an email. The easiest way will be to just send an email to [email protected], and we will be more than happy to help you guys. So with that, I hope you are doing great and that you will have a wonderful afternoon. Take care. Bye.