The Italian Data Protection Authority Issues Guidelines for the Use of Cookies
The Italian Data Protection Authority (“Garante della privacy”) has recently issued a decision on practical ways to provide mandatory information and acquire consent for the use of cookies on websites.
Cookies can be distinguished as two major groups: “technical” cookies and “profiling” cookies. Technical cookies are used exclusively to carry out “the transmission of a communication on an electronic communications network, or insofar as this is strictly necessary to the provider of an information society service that has been explicitly requested by the contracting party or user to provide said service”. For example, session cookies, or analytics cookies, fall within this category. Users’ prior consent is not necessary to install these cookies, while information under Article 13 of the Italian Data Protection Code has to be provided.
The purpose of profiling cookies is to create user profiles. They are used to send advertising messages in line with the preferences shown by the user’s online behaviour. Because of the highly invasive nature of these cookies with regard to a user’s private life, Italian and European legislation requires users to be informed appropriately on their use and to give their valid consent.
Additionally, the use of profiling cookies, which are persistent in nature, must be notified to the Garante, whereas the use of cookies that pursue different purposes and fall within the scope of technical cookies does not have to be notified.
The Garante established that, on accessing a website using profiling cookies, users must be immediately shown an initial brief information notice in an overlay banner. The notice must inform the user a) that the website uses profiling cookies; b) that it allows the sending of third-party cookies (if this is the case); c) that an extended version of the information notice, where additional information must be available, exists, and provide a hyperlink to the same; d) that on the extended information notice the user may refuse to consent to specific cookies; and e) that if the user continues browsing by accessing any other section or selecting any item on the website, he or she signifies his or her consent to the use of cookies.
The extended information notice must also provide directions as to how to use browser settings in order to disable cookies.
Where cookies are installed by a third party, the Garante is of the opinion that the website publisher may not be required to directly provide information on, and obtain consent for, their installation. However, links to the third party’s notices and consent forms must be provided in the extended version of the information notice.