QUARTERLY Q/4 – 2019

Following a Trail of Crumbs – What Are Cookies and How May They Be Used?

INNOVATION POWERHOUSE

Much ink has been spilled over questions regarding cookies: what exactly are they and how are they regulated? Cookies are an inseparable and often necessary part of the modern Internet. However, cookies are also regarded as a threat to the privacy of Internet users.

Indeed, with seemingly free Internet content often comes the price of decreased privacy through cookies that enable the monitoring of the user’s activities and preferences. Consequently, rules on cookies are at the core of ongoing and heatedly debated privacy law developments.

It’s a safe bet that the average website or online service provider uses cookies. It’s less certain that such providers rigorously respect all the legal conditions for using them. Current legislation sets out various requirements for the use of cookies. Furthermore, the law of cookies is a moving target – relevant legal rules and their interpretations seem to be under constant reform, as we have noticed in the European Court of Justice’s (“ECJ”) recent ruling in the so-called Planet49[1] case.

Despite legal boundaries, cookies are often essential for the functional operation of websites and can create significant commercial value, and benefit Internet users as well. It is not a question of whether cookies can be used but how.

We at Dittmar & Indrenius have kept a close eye on the highly topical developments in legislation and interpretations concerning cookies. Following these developments should be a high priority for any organisation using cookies. As a starting point, it is vital to understand what cookies are and what the essential requirements for their use are. The following chapters provide an overview of the matter.
[1] Judgment of the Court (Grand Chamber) of 1 October 2019 in the proceedings Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e.V. v Planet49 GmbH.

-120 Years of Thinking Ahead-

Understanding Cookies

A cookie is a small piece of data or text file, which is sent by a website to an Internet user’s browser along with a request that the browser stores the file on the user’s device. Essentially, this small file allows the website or other service provider to identify users and remember their selections or preferences over time. Put simply, without cookies websites would not remember the user, which would be unsustainable for many online services such as online banks and stores. Imagine having to re-enter information every time you browse from one page to another or revisit a page. Not very practical, right?

Initially, the purpose of cookies was to enable the functional operation of websites. However, the broader potential of cookies has long been recognised: cookies enable targeted marketing and detailed web analytics. In this potential also lie the risks. For example, cookies that allow preference tracking over different websites are tantamount to monitoring a user’s browsing history. In other words, cookies are not all the same. Cookies used solely for the purpose of enabling the functioning of a website often expire at the end of the browsing session and are usually set by the website provider itself. However, cookies can also be stored on the user’s device for longer periods of time, enabling the remembering and tracking of the user’s actions and preferences across different websites and in between browsing sessions. It is also important to note that not all cookies are set by the website the user is actually visiting.
Especially where the visited site includes social media plugins, advertisements or other types of third-party elements, such third parties may set cookies on the user’s device as well.

Eye on Consent and Information

Cookies are regulated by the Finnish Act on Electronic Communications Services, according to which the use of cookies is only allowed if one of the following main conditions applies:

A. it is indispensable for and only used for providing the service requested by the user, which may be the case, for example, with session cookies used to remember the items in the user’s shopping basket;
B. their sole purpose is transmitting electronic communications; or
C. the user has been informed of the use of cookies and has given their consent to it.

In brief, if the use of the cookie is important to an online service provider, but not essential for providing the service, consent must be requested and the relevant information provided to the user. This basically means that, for example, the use of cookies for analytics purposes requires user consent.

In addition to these requirements under ePrivacy legislation, it is equally important to note that the information collected as a result of placing the cookie may also constitute personal data. In such a case, provisions of the General Data Protection Regulation[2] (“GDPR”) must also be taken into account. Compliance with the consent and information provision requirements under ePrivacy legislation will generally mean compliance with respective requirements in the GDPR. However, it is important to ensure that rules of the GDPR, which are not found in ePrivacy legislation, are met. These include, for example, rules on disclosures of personal data as well as the rights of data subjects.
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Explaining Cookies to the User

Irrespective of whether the use of cookies entails the processing of personal data, the website users must be provided with clear and comprehensive information about cookies used and the purposes of saving or using user data. Based on the ECJ’s judgment in the recent Planet49 case, this should include at least information on the duration of the cookies, and whether third parties receive data collected with the cookies. The provision of information must be done in the most user-friendly way possible.

In addition, where personal data is processed, the information requirements of the GDPR must also be fulfilled. Under the GDPR, the users must also be provided with information on, inter alia, the recipients of the data collected and the users’ rights with respect to the processing of personal data.

Obtaining Cookie Consent

Users must consent to the use of most cookies. But what is considered to be valid cookie consent? This is a highly debated question in privacy and data protection law and EU member states have taken different views in what constitutes valid consent to cookies.

The question of valid consent was at the core of the ECJ’s Planet49 case, which provides a useful example of non-compliant cookie practices. The case involved an online gaming company, which had organised a promotional lottery on a website. Upon participating in the lottery, the website user could consent to the operation of cookies. Participants were required to fill in certain input fields and press a selection button in order to participate and, below these, was a pre-selected checkbox, according to which the participant accepted the installation of cookies.
Accepting cookies was not a precondition for participating in the lottery and participants could refuse consent by deselecting the checkbox.

The ECJ confirmed that the requirements for cookie consent correspond to the requirements set out under the former Data Protection Directive[3] (95/46/EC), and consequently, the GDPR. In light of the GDPR, this ultimately means that cookie consent must meet the following requirements:

- Specific and informed: Consent must be specific in that it must relate to clearly defined cookie use. In order for consent to be specific there must be appropriate information on the types and purposes of the cookies as outlined above.
- Active choice: Consent has to be an active choice, which means that consent must be unambiguous. Passive behaviour such as the failure to object to cookies without certainty of the user’s intention will be in conflict with this requirement.
- Freely given: Freely given consent entails real choice, which is not the case if the user is, for example, deceived into accepting cookies.

In the case at hand, ‘consent’ collected through a pre-ticked checkbox was not considered valid consent. The court especially stressed the active and unambiguous nature of valid consent. Failing to object to cookies is not active behaviour. The judgment also underlines that website and online service providers should pay particular attention to the layout used when providing information on and seeking consent to cookies. The view taken in the judgment precludes the possibility to give consent to cookies at the same time as pressing a lottery participation button. These selections should be clearly separate. In addition, in order for consent to be clearly aimed at cookies, the button, link or box, which indicates the consent, must be close to where cookie information is presented.

Another particular problem with many website cookies relates to the timing of the consent.
Practices where cookies are installed immediately when a user enters a website although the user has not yet selected to accept cookies cannot be considered acceptable. Some websites may try to circumvent this with cookie banners stating that using the website implies consent to cookies. This, in turn, does not comply with the requirement of active and unambiguous consent and does not exhibit real choice.

The Finnish Way – Consent Through Browser Settings

Despite seemingly strict restrictions, there is room to be creative in obtaining cookie consent. Possible tools to this end include splash screens, banners, modal dialog boxes and browser settings. In Finland, the position has been that obtaining consent through browser settings is a viable and user-friendly alternative. There are, however, clear differences in the EU in this respect and, in many member states, consent through browser settings is not deemed valid. As a result of the Planet49 case – which highlighted the unambiguous nature of consent – the Finnish Transport and Communications Agency reassessed its current cookie guidelines on 20 November 2019 in light of the judgment. Although browser settings are deemed an acceptable method in Finland by the competent authority, the general cookie requirements apply. For example, websites must notify users of the used cookie practices and consent through browser settings should be ‘given’, meaning that default settings should not allow cookies but instead the user may change the settings to allow them.

The Planet49 judgment relates to a broader development in EU data protection and privacy law where criteria for the consent of individuals are subjected to higher scrutiny.
In an online world characterised by a predominance of default settings and website users who are unaware of the privacy implications of online activity, website and other service providers should be increasingly cautious when relying on individuals’ consent. Consent practices should be deployed and reassessed by genuinely considering whether a website user understands how his or her privacy is affected.

The ePrivacy Regulation (Still) Around the Corner

The Finnish rules on cookies are based on the EU ePrivacy Directive[4], which will be replaced by the ePrivacy Regulation in the future. The original (and ambitious) aim was that the regulation would be approved together with the entrance into application of the GDPR, on 25 May 2018, but current estimations predict approval in 2020 and application in 2022. Although the final contents remain uncertain, latest draft versions provide a certain sneak peek into the upcoming regulation.

[3] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (repealed).
[4] Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector.
In the latest version of the draft regulation published on 8 November 2019, there is a clear attempt to distinguish between harmful cookie practices and cookies which in themselves are not as depriving of end-users’ privacy. For example, the draft takes a critical view of cookie walls, i.e. practices where users are denied access to website content if they do not consent to all cookies. As users must have a genuine choice to consent or not, the draft regulation states that making website access dependent on cookie consent should include the possibility to choose between an offer to consent to all cookies and an offer with only necessary cookies. In other words, there should be alternative content for those not consenting to all cookies.

On the other hand, the draft recognises the benefits of non-harmful and legitimate cookies. Accordingly, under certain conditions, consent would not be required for the use of cookies for the purpose of audience measuring. Interestingly and in relation to the discussion on consent through browser settings, the draft regulation recognises the possibility and benefits of users granting cookie consent to specific service providers for specified purposes through software settings. Indeed, an overload of individual cookie pop-ups can easily lead to users dismissing their content and software settings provide a viable alternative in this respect.

Beyond Privacy Concerns?

Many of the contentious questions surrounding cookies relate to privacy and data protection. It is important to note that the use of cookies may have implications, which extend beyond strictly privacy-related concerns. For example, a common aim of cookies is the enabling of targeted marketing to Internet users. In carrying out marketing based on
cookies, it is important to observe the general requirements for marketing under consumer protection legislation.

Even beyond strictly legal concerns, any entity using or enabling the operation of cookies should carefully consider why and how cookies are being used. It is clear that cookies can be an acceptable and useful tool enabling website providers to develop their websites further, providing a more user-friendly browsing experience and rewarding popular websites through advertising revenue. Conversely, intrusive and unnecessary functionalities – even where technically legal – should be avoided. Such considerations should be a high priority for website and service providers. Users may well be deterred from using websites and services, which they feel collect too much information or which provide confusing or overly technical information on cookies.

Looking Forward

With this article, we hope to encourage organisations to review their cookie practices and actively follow up on related developments. After a long wait, we are likely to know the final contents of the ePrivacy Regulation later next year, which will mean that organisations will have to review and reassess existing practices. We at Dittmar & Indrenius will be happy to assist in such projects.

Jukka Lång, Partner, Innovation Powerhouse @JukkaLang
Oskari Paasikivi, Associate @OPaasikivi
Suvi Syvänen, Associate @SuviSyvanen

Fashion Meets Tech… and the Digital Business Is H-U-G-E

INNOVATION POWERHOUSE

Fashion on Demand

Technology responds to a wide range of industry demands. This applies also to fashion, which has turned digital-first. Time to market is the key in most industries and very much so when it comes to fashion retail. Today, consumers have an instant access to fashion and styles online. Influencer marketing has blurred the lines between the appeal of lifestyles and the advertisement of fashion apparel.
Manufacturers may use data science to predict the shifting trends and consumer needs while making the production cycle more effective and reducing both over- and under-stocking. In all, the availability of all things fashionable online creates the expectation of fashion on demand.

Instead of spending time at shopping stores or brick and mortar shops browsing racks and trying to find the right outfits, mobile shopping and fashion apps have transformed the (sometimes) exhausting exercise into a smoother, faster and more convenient process. Various apps will make finding the right outfits (including that lovely pre-Xmas party dress or the ugly Christmas sweater) in the right price range even easier. On the other hand, similar types of fashion app functionalities may also reveal the infringement of fashion designers’ IP rights.

As sales of fashion apparel have turned online, brand protection has followed online as well. New technologies revolutionize the way IP owners fight against online (and offline) IP infringements. Long behind are the days when inefficient manual searches were conducted to find and attack counterfeits.

Fashion Tech

Consumer expectation of fast access to fashion also requires an easy yet safe online payment process (in compliance with the regulatory framework) as well as fast delivery – and return, if the garment does not suit. It remains to be seen how drone delivery will accelerate the distribution channels and logistics in future.

As the competition is fierce, online market places are providing more digital services to add value to consumers and to differentiate from other players. Differentiation is the key and it may happen either by investing in internal R&D or acquiring technology assets.
Yet the key legal control points are the same as for other retail driven apps, namely managing IP rights in the assets, ensuring compliance with applicable industry specific regulatory framework in all relevant jurisdictions of target markets and adjusting customer (often consumer) facing terms and conditions to sustainable liability models and ensuring sufficient transparency as to privacy.

However, tech is gaining ground in a much wider sense in fashion. Fashion wearables such as wrist-worn devices or health tracking jewellery including smart rings assist in tracking all variables within sleep and wellness from activity and rest ratio to variation in recovery heart rate, body temperature or respiration. Yet fashion tech is moving fast forward all the way from fashion wearables to smart clothing reflecting the wearer’s body or the surroundings – and beyond.

Digital Cinderella Moments

We have already seen the colour-changing gowns on the red carpets of Met Gala in New York and high performing stilettos, but the combination of fashion and technology enables much more than the addition of a little piece of technology into wearables or clothing. New forms of technology unite (wo)man-made and machine-made fashion, by way of example through the use of digital 3-D processes in the generation of garments. Also hand-painted colour pigments or hand-embroidered pearls or gemstones may be mixed with machine-printed rhinestones.

Technology may also transform the way one experiences fashion. In today’s world with higher concern about the environment, pressure to travel less and busy schedules, one does not necessarily have to travel to all fashion capitals for a special fashion or art event. Instead, technology can remove the distance between people and interesting content.
“For example digital showrooms, lookbooks and product launches may be much more effective and showstopping if created in virtual reality, not to mention the ability to attend even a haute couture show or any catwalk through streaming in virtual reality, which would have been otherwise impossible to access”, says Olesja Hännikäinen, Service Designer from Accenture Liquid Studio. Her recent fashion illustration project is a virtual art gallery for couture gowns; it allows wider audiences to admire Kisu Korsi’s fashion design from up close, thus turning a fashion exhibition into an immersive fairytale-like experience. This enables the viewer to experience their very own digital Cinderella moment in the setting of a magical starry universe - a dash of high fashion even in the middle of an ordinary day far away from the fashion weeks of New York, Paris, London or Pitti Uomo in Italy.

We will showcase this virtual technology at the FashionTech event on 10 December 2019 hosted by Dittmar & Indrenius and arranged together with the Finnish IT Law Association, the local member of IFCLA, the International Federation of Computer Law Associations. In case you miss our FashionTech event at D&I, this fashion VR experience is also running in the National Museum of Finland (Kansallismuseo, Helsinki) as a pop-up exhibition during 4–15 December.

Anna Haapanen, Partner, Innovation Powerhouse @AnnaHaapanen

Finnish Securities Market Association Adopts New Corporate Governance Code

CORPORATE ADVISORY

The Finnish Securities Market Association has adopted a new Corporate Governance Code (the “CG Code” or “Code”) that will enter into force on 1 January 2020.

The Code was updated mainly as a consequence of the implementation of the EU’s Second Shareholder Rights Directive. The amendments of the Code deal with increased demand of transparency in relation to in particular management and board remuneration, related party transactions and director independence. In addition to the Code, the Advisory Board of Finnish Listed Companies is in the process of amending its model documentation on shareholders’ meetings.

A TO-DO LIST FOR LISTED COMPANIES

In consideration of the reviewed changes, Finnish publicly listed companies should adopt the below timetable for introducing new corporate governance practices.

BY THE END OF 2019
Adopt principles for monitoring and evaluating related party transactions (also to be included in the annual corporate governance statement).

NO LATER THAN THREE WEEKS BEFORE THE ANNUAL GENERAL MEETING OF 2020
Establish and publicly disclose the remuneration policy.

DURING 2020
Gather information and properly document the remuneration within the group in order to be in the position to issue the remuneration report in 2021.

KEY CHANGES

Remuneration Reporting

Listed companies are required to prepare and publicly disclose a remuneration policy and report concerning the company’s governing bodies. The bodies are the board of directors, the managing director, the deputy managing director and the supervisory board. The remuneration policy and report replace earlier remuneration statements (in Finnish: palkka- ja palkkioselvitys). Companies are not permitted to deviate from this form of reporting under the “comply or explain” principle.

A remuneration policy outlines the future remuneration of the governing bodies as well as defines the principles and decision-making processes for remuneration. The actual remuneration must comply with the policy. Temporary deviation from the policy requires that the policy defines in advance the situations, the extent and the procedure for permitted deviations such as takeover situations or alike. Consequently, in order for the board of directors to be able to exercise a certain level of discretion on remuneration, the policy should be prepared with this in mind.

Listed companies are required to submit the remuneration policy to the first annual general meeting held from 1 January 2020 onwards. The policy must be disclosed by a stock exchange release no later than three weeks prior to the meeting. Thereafter, the policy will need to be submitted to the general meeting at every material change and in any case at least every four years. The policy must be made available on the company’s website at least for the period that it is applied.

A remuneration report, in turn, describes how the company’s remuneration policy has been implemented. Accordingly, the report should provide information on the actual remuneration of the governing bodies during the preceding financial year as well as demonstrate how the remuneration policy has been applied in a clear and comprehensive manner. In addition, the report should include information on the remuneration of the executive management. For example, comparative data describing the development of remuneration vis-à-vis the company’s directors and employees over the past five years should be included in the report.

The report shall be issued on an annual basis and disclosed as an appendix to a stock exchange release at the same time as the financial statements, the management report and the CG statement. The report must be presented to the annual general meeting and made available on the company’s website for a period of ten years. The first remuneration report will concern financial year 2020.

The CG Code contains helpful checklists on matters that the remuneration policy and the report should address. In addition, the CG Code contains guidance on what supplementary information regarding the remuneration of the company’s management group should be continuously available at the company’s website.
Related Party Transactions

Under the new CG Code, all listed companies are required to define principles concerning the monitoring and evaluating of related party transactions as well as maintain a list of their related parties. The principles shall be disclosed in the company’s annual CG statement. The principles are meant to ensure that decision-making on related party transactions is conducted in accordance with statutory law (IAS 24).

Directors and shareholders of listed companies are often significant stakeholders in other businesses. Consequently, related party transactions, where directors or shareholders have a financial, intrafamilial or other interest, occur on a frequent basis. For this reason, companies should ensure that all related party transactions are always well-documented and monitored.

Director Independence

The recommendation has been clarified with respect to carrying out and reporting the assessment of independence for directors. The board is obliged to report which of the board members are independent of the company and which are independent of the company’s significant shareholders. The reasoning for determining that a board member is not independent must also be reported.

The criteria to be taken into account in the overall assessment of independence have been amended so that under the interpretation of the criteria, the benefits paid and offered to a member of the board by a shareholder otherwise than on the basis of an employment or service relationship may require assessment.

Further Information

The new CG Code is currently available in its entirety at the Securities Market Association’s website in both Finnish and English.

Anders Carlberg, Managing Partner @AndersCarlberg_
Tuomas Tiensuu, Senior Associate
Oskari Paasikivi, Associate