Cookie Policy
PROVISION OF THE PERSONAL DATA PROTECTION AUTHORITY: FORM FOR PROVISION SUMMARY No. 231 OF 10 JUNE 2021 “COOKIES: NEW GUIDELINES FOR THE PROTECTION OF USERS”
By the Provision issued last June, the Personal Data Protection Authority intended to bring together and update all the regulatory instructions concerning cookies and/or other tracking systems of those who make use of technological tools for navigation.
The core point is compliance with the principles of accountability, privacy by design and privacy by default, which are summarised in order to make users more aware and to strengthen their decision-making power when surfing online.
Pursuant to the Provision of the Personal Data Protection Authority, website owners have 6 months to implement the guidelines.
The diagram below shows the main questions and answers for the correct management of the cookie policy of each website.
1 What are cookies?
They are text strings that the websites visited by users (so-called Publisher, or “first parties”), or different sites or web servers (so-called “third parties”) place and store within the user’s terminal device, so that they are then retransmitted to the same sites on the next visit.
2 How do cookies function?
They are used for different purposes such as:
a) execution of computer authentication;
b) monitoring of sessions;
c) storage of information on specific configurations regarding users accessing the server;
d) storage of preferences, or to facilitate the use of online content (e.g., to keep track of items in a shopping cart or information for filling in a computer form, etc.);
e) profiling of the user (i.e., “observing” behavior, e.g., to send targeted advertisements, measure the effectiveness of the advertising message and adopt consequent commercial strategies), so-called profiling cookies.
The same result can also be achieved by means of other tracking tools or techniques, including fingerprinting.
3 What are technical cookies?
Technical cookies are used to browse or provide a service requested by the user. They are not used for other purposes, and are normally installed directly by the website owner.
Without these cookies, some operations could not be performed or would be more complex and/or less secure, such as home banking activities (accessing account statements, bank transfers, bill payment, etc.): because cookies allow the user to be identified and that identification to be maintained during a session, these transactions could not be performed without them.
4 Are analytical cookies technical cookies?
No.
The Personal Data Protection Authority has specified that analytical cookies can be assimilated to technical cookies if used directly by the site owner for the purpose of optimising a site; the site owner can collect statistical information in aggregate form on the number of users and how they visit the site. If, on the other hand, the processing of such statistical analyses is entrusted to third parties, the user data must be minimised in advance and cannot be combined with other processing, or transmitted to other third parties. Under these conditions, the same rules provided for technical cookies apply to analytical cookies, in terms of information and consent.
Exceptionally, both the first party, on his/her own, and the third party, acting on a mandate of the first, are allowed to produce statistics with data relating to multiple domains, websites or apps attributable to the same owner or business group.
5 Is consent always required for the installation of cookies on one’s computer?
It depends on the purposes for which the cookies are used and, therefore, if they are “technical” or “profiling” cookies.
Users’ consent is not required for the installation of technical and analytical cookies, while it is always necessary to provide the required disclosure (Article 13 of EU Regulation 2016/679). Profiling cookies or other tracking tools, on the other hand, can only be used if the user has given his/her consent after being informed by means of a simplified procedure.
6 How are the simplified information on cookies and the consent for profiling cookies provided?
As established by the Personal Data Protection Authority, the information should be set on several levels and can also be made on multiple channels, adopting all the most appropriate measures to make it usable without discrimination, including for people with disabilities. Although complying with the accountability principles, the Personal Data Protection Authority nevertheless suggests the adoption of a mechanism by which a banner pops up (on the home page or on any other page) when the user accesses a website, containing some initial “brief” information, the request for consent to the use of cookies and a link to access a more “extended” information page.
On this page, the user can find more detailed information about cookies and select which specific cookies to authorize.
7 How should the banner be configured?
The owner must ensure that, by default, only the data necessary to achieve specific purposes are processed, thus limiting processing to the minimum, to the extent necessary to allow users to browse the site; consequently, no cookie or other tracking tool can be used at the time of the user’s first access.
A banner of adequate size, depending upon the different devices to be used, may subsequently appear. While not preventing the maintenance of the default settings, any such banner allows users who wish to do so to manifest their consent.
A user who does not intend to give his/her consent can simply close the banner by selecting the appropriate command normally used for this purpose (as a rule, a button with an X placed at the top right of the banner itself).
8 What instructions and commands must a banner contain?
The banner must:
- specify, where applicable, that the site uses profiling cookies, possibly also from “third parties”, which allow sending advertising messages in line with a user’s preferences;
- contain the link to the extended disclosure and to a different area in which it is possible to select analytically only the functions, cookies and third parties to which a user intends to give his/her consent;
- contain a command to express one’s consent by accepting all cookies or other tracking tools;
- specify that if a user chooses to close the banner using the button with the X at the top right, the default settings that do not allow the use of cookies or other tracking tools, other than technical cookies, will be preserved.
9 How can the acquisition of consent made through the use of banners be documented?
To keep track of the consent received, the site owner can use a specific technical cookie, a system that is not particularly invasive and does not require further consent, as well as other methods that allow a concerned party to keep the documentation on choices up to date.
The user can modify his/her options easily and at any time. In this regard, it is good practice to use a technical device (for example, an icon or a graphic sign) that indicates at any time the status of any and all consents previously given by the user.
10 Can the banner be repeated each time the site is accessed after the first time?
No.
If the user has not given his/her consent or has provided it only for the use of some cookies, the banner will no longer have to pop up, except in the following specific cases:
a) when one or more processing conditions change significantly, for example “third parties”;
b) when it is impossible for the provider to know if a technical cookie has already been placed on the user’s device (for example, if the user deletes the cookies);
c) when at least six months have passed since the banner last popped up.
11 Can the online consent to the use of cookies be requested only through banners?
No.
Site owners always have the possibility of implementing methods other than those identified by the Personal Data Protection Authority in the aforementioned provision, provided that the methods chosen meet all the consent validity requirements pursuant to the law.
12 Is the cookie banner necessary even if only technical cookies are used?
No.
In this case, the site owner can give the information to users in the manner he/she deems most suitable, for example, also by adding the relevant information in the Privacy Policy posted on the site.
13 Consent by scrolling
No, the scrolling of the page cursor is not an act in itself suitable for the manifestation of consent. If anything, scrolling could constitute one of the components of a more complex process that allows the generation of an IT event suitable for expressing a recordable, documentable and unequivocal choice.
14 Is it lawful to deny access to a site if the user does not give his/her consent to the use of cookies and/or other tracking systems?
No, except for the case, to be verified on a case-by-case basis, in which the site owner, in compliance with the principle of correctness, offers the data subject the possibility of accessing an equivalent content or service without giving consent.
15 What should the extended disclosure contain?
- Contain all the elements required by law and analytically describe the characteristics and purposes of the cookies installed by the site.
- List any other recipients of personal data, information retention times and indications on the possibility and methods for users to exercise their rights regarding the protection of personal data.
- Contain the coding criteria of cookies or other tracking tools used in order to distinguish, in particular, technical cookies from analytical and profiling ones.
16 Who is required to provide the information and request consent for the use of cookies?
The site owner who installs profiling cookies. For third-party cookies installed through the site, disclosure and consent requirements fall to third parties, but the site owner, as a technical intermediary between them and the users, is required to include in the “extended” version of the disclosure the updated links to the disclosures and consent forms of third parties.