Clarification on the implementation of cookie law
The Guarantor has received numerous requests - in particular from small operators - concerning certain points of the cookie measure of 8 May 2014.
The Guarantor, given the importance and sensitivity of the issue, which has the main objective of protecting users from profiling carried out without their knowledge on the basis of their online behavior, in reiterating what has already been agreed, considers it appropriate to provide some clarification.
In advance, it is necessary to represent that the obligations regarding cookies derive from a European legislation last amended in 2009 - and transposed in Italy by a decree of 2012 - which required to inform Internet users and acquire their prior consent. The provision of the Guarantor, whose final adoption was preceded by a public consultation, aimed at simplifying the requirements provided for by the standard and has left the recipients a year to adapt.
1. Scope of application
2. Use of third-party analytical cookies
In view of the simplification that the Authority is pursuing, has already been clarified in the measure as analytical cookies - which serve to monitor the use of the site by users for the purpose of optimizing the same - can be assimilated to technical cookies where they are created and used directly from the first part site (without, therefore, the intervention of third parties).
In many cases, however, the sites use, for statistical purposes only, analytical cookies created and made available by third parties. In these cases, it is considered that the aforementioned sites are not subject to the obligations and obligations provided by the legislation (notification to the Guarantor first) if appropriate tools are adopted to reduce the identifying power of analytical cookies that use (for example, by masking significant portions of the IP address).
The use of these cookies must, in addition, be subject to contractual obligations between sites and third parties, in which it is expressly a reference to the commitment of the third party or to use them exclusively for the provision of the service, to store them separately and not "enrich" or not "cross-reference" with other information at their disposal.
3. Use of platforms that install cookies
Some requests have highlighted the fact that it is difficult to make the necessary changes to implement the cookie legislation to the platforms used by many for the creation of websites and already containing tools, sometimes pre-configured, for the management of cookies or widgets.
In this regard, the awareness of the existing technological constraints led the Guarantor to indicate the period of twelve months to implement the indications contained in the measure of 8 May 2014 in order to allow a complete implementation of the regulatory obligations. It is believed that this objective, in view of the wide audience of users and developers of platforms (many of which open source), can be achieved through the application of c.d. privacy-toolsby-design made on the platforms themselves and made available to users and site operators.
Such interventions should be aimed at allowing the widest possible margin of action by users on the installation of cookies, allowing them to inhibit the installation of those they do not need, and in any case must provide for default options that subordinate the installation of non-technical cookies to the expression of prior consent in the simplified forms provided by the Provision.
4. Subjects required to create the banner: the role of the sites first part
With reference to the issue of the responsibility of site managers first part regarding the installation of profiling cookies from domains "third parties", it is confirmed that these subjects with respect to the installation of such cookies play a role of mere technical intermediary.
It should be noted, however, that due to the "distributed" nature of such processing, which sees the site as a first party involved in the process, the consent to the use of third-party cookies is substantiated in the composition of two elements both necessary: on the one hand the presence of the banner, which generates the event suitable to make the consent documentable (at the expense of the first part) and, on the other hand, the presence of updated links to sites managed by third parties in which the user can make their choices about the categories and subjects from which to receive profiling cookies.
It is also clarified that if on the site advertising banners or links with social networks are simple links to third-party sites that do not install profiling cookies there is no need for information and consent.
In this regard, we take the opportunity to reiterate that the requests for consent present within the extended information of the first party site or sites prepared by third parties, do not necessarily have to refer to individual cookies installed, but may concern broader categories or specific producers or brokers with which the site first party has established commercial relations.
It should be noted that the obligation to make the information and acquire consent arises from the choice of the site to host targeted advertising based on user profiling through cookies, in place of the general offer to all.
5. Arrangements for obtaining consent
In this regard, it is represented that solutions for the acquisition of consent based on "scroll", that is, on the continuation of navigation within the same web page, by many prospects and in fact particularly relevant in the case of mobile devices, are considered in line with the legal requirements, if these are clearly indicated in the information and are able to generate an event, registrable and documentable at the server of the site manager (first part), which may be qualified as positive user action.
6. Application of Italian law also to sites based in non-EU countries
With regard to the clarifications requested on the scope of the cookie legislation, it should be noted that the same applies to all sites that, regardless of the presence of an office in the territory of the State, install cookies on users' terminals, thus using for processing "tools located on the territory of the State" (cfr. art. 5, comma 2, of the Privacy Code).
7. Notification where several websites are set up
The request submitted by some publishers holders regarding the possibility of make a single notification for all the different websites that they manage,in line with regulatory requirements. In this case, in the notification of the processing will be indicated all the domains in which the processing carried out through cookies is carried out by keeping updated - through any amendments to the notification - the relevant list.
Further clarifications may be provided by the Authority following any questions that will be asked also in the light of technological innovations that may intervene.
IN PARTICULAR EVIDENCE
• Analytical cookies are assimilated to technical cookies only when made and used directly from the first part site to improve usability.
• If analytical cookies are made available by third parties, the owners are not subject to obligations (notification to the Guarantor first) if:
A) tools are adopted that reduce the identification power of cookies (for example through the masking of significant portions of the IP);
B) the third party undertakes not to cross-check the information contained in cookies with other information that it already has.
• If on the site there are links to third-party sites (e.g. advertising banners; links to social networks) that do not require the installation of profiling cookies there is no need for information and consent.
• In the extended information, consent to the use of profiling cookies may be requested for categories (e.g. travel, sport).
• It is possible to make a single notification for all the different websites that are managed within the same domain.
• The obligations apply to all sites that install cookies on users' terminals, regardless of the presence of an office in Italy.