Cookies

1. What are cookies?

Cookies are small text files that sites visited by users send to their terminals, where they are stored and then transmitted back to the same sites on the next visit. So-called “third-party” cookies are, on the other hand, set by a website other than the one the user is visiting. This is because on each site there may be elements (images, maps, sounds, specific links to web pages on other domains, etc.) that reside on servers other than that of the visited site.

2. What are cookies used for?

Cookies are used for different purposes: performing computer authentication, session tracking, storing information about specific configurations regarding users accessing the server, storing preferences, etc.

3. What are “technical” cookies?

These are the cookies that are used to perform navigation or provide a service requested by the user. They are not used for any further purposes and are normally installed directly by the website owner.

Without such cookies, some operations could not be carried out or would be more complex and/or less secure. Home banking activities (viewing account statements, bank transfers, bill payments, etc.) are an example: cookies that allow the user to be identified, and that identification to be maintained within the session, are indispensable for them.

4. Are analytics cookies “technical” cookies?

No. The Garante (see order of May 8, 2014) clarified that they can be assimilated to technical cookies only if they are used for site optimization purposes directly by the site owner, who may collect information in aggregate form on the number of users and how they visit the site. Under these conditions, the same rules, regarding information and consent, apply to analytics cookies as to technical cookies.

5. What are “profiling” cookies?

These are the cookies used to track the user’s web browsing and create profiles on his tastes, habits, choices, etc. With these cookies, advertising messages can be transmitted to the user’s terminal in line with the preferences already expressed by the same user when browsing online.

6. Is the user’s consent required for the installation of cookies on his/her terminal?

It depends on the purposes for which the cookies are used and, therefore, whether they are “technical” or “profiling” cookies.

The installation of technical cookies does not require users’ consent, although the information notice must still be given (Art. 13 of the Privacy Code). Profiling cookies, on the other hand, can only be installed on the user’s terminal if the user has given consent after being informed in a simplified manner.

7. How should the site owner provide the simplified notice and request consent for the use of profiling cookies?

As stated by the Garante in the order indicated in question no. 4, disclosure should be set up on two levels.

The moment the user accesses a website (on the home page or any other page), a banner should immediately appear containing an initial “brief” information notice, a request for consent to the use of cookies, and a link to access a more “extensive” information notice. On that page, the user can find further and more detailed information about cookies and choose which specific cookies to allow.

8. How should the banner be made?

The banner must be large enough to partially cover the content of the web page the user is visiting. It should be possible to dismiss it only by active user intervention, that is, by selecting an item contained on the page below.

9. What indications should the banner contain?

The banner should specify that the site uses profiling cookies, possibly including “third-party” cookies, which enable it to send advertising messages in line with user preferences.

It must contain a link to the extended information notice and an indication that, through that link, the user can deny consent to the installation of any cookies.

It should make it clear that if the user chooses to continue by “skipping” the banner, he or she is consenting to the use of cookies.

10. How can the acquisition of consent made through the use of the banner be documented?

To keep track of the consent acquired, the site owner may use a special technical cookie, a system that is not particularly invasive and does not in turn require additional consent.

In the presence of such “documentation,” it is not necessary that the brief information be re-proposed on the user’s second visit to the site, without prejudice to the possibility for the user to deny consent and/or modify, at any time and in an easy manner, his or her options, for example by accessing the extended information notice, which must then be linkable from every page of the site.

11. Can online consent to the use of cookies be requested only through the use of the banner?

No. Site owners always have the option of using methods other than the one identified by the Garante in the above measure, provided that the chosen methods meet all the requirements for the validity of consent required by law.

12. Does the obligation to use the banner also apply to owners of sites that use only technical cookies?

No. In this case, the owner of the site may give the information to users in the manner it deems most appropriate, for example by including the relevant information in the privacy policy indicated on the site.

13. What should the “extended” disclosure state?

It must contain all the elements required by law, describe analytically the characteristics and purposes of the cookies installed by the site, and allow the user to select/deselect individual cookies.

It must include updated links to the disclosures and consent forms of third parties with whom the owner has agreements to install cookies through its site.

Finally, it should remind the user that he or she can also express his or her choices on cookies through the settings of the browser used.

14. Who is required to provide notice and seek consent for the use of cookies?

The owner of the website that installs profiling cookies.

For third-party cookies installed through the site, the information and consent obligations rest with the third parties, but the site owner, as a technical intermediary between them and users, is required to include in the “extended” information notice updated links to the third parties’ own disclosures and consent forms.

15. Should the Garante be notified of the use of cookies?

Profiling cookies, which usually persist over time, are subject to the notification requirement, while cookies that serve different purposes and fall under the category of technical cookies do not have to be notified to the Garante.

16. When do the measures prescribed by the Garante in its May 8, 2014 order come into effect?

The Garante has provided a one-year transition period from the publication of the measure in the Official Gazette to allow those affected to come into compliance. This period will end on June 2, 2015.