The rules for the use of cookies and similar devices (web beacons, web bugs, clear GIFs, etc.) in users’ terminal equipment (PCs, notebooks, tablets, smartphones, etc.) were changed recently when Directive 2009/136/EC was implemented to amend the e-Privacy directive (2002/58/EC). These FAQs are intended to clarify the new rules applying to cookies under Italian and European legislation.
1. What is a “cookie”?
Cookies are small text files that are sent to the user’s terminal equipment (usually to the user’s browser) by visited websites; they are stored in the user’s terminal equipment and then re-transmitted to the websites on the user’s subsequent visits. When navigating a website, a user may also receive cookies from other websites or web servers: the so-called “third-party” cookies. This happens because the visited website may contain items such as images, maps, sound files, or links to individual web pages on different domains that are located on servers other than the one where the page being visited is stored. In other words, third-party cookies are set by a website other than the one the user is visiting at that specific time.
Cookies are used for IT authentication, to monitor browsing sessions and store specific information on users that access a given server; as a rule, they are present in substantial numbers in each user’s browser.
Certain operations could not be performed without cookies, which in some cases are therefore necessary for technical reasons. For instance, it would be much more complex and less secure to access home banking services and check one’s bank statement, transfer money, pay bills, etc. without using cookies that allow identifying the specific user and keeping such identification throughout the web session.
In some cases, cookies may stay in an IT system for quite long and contain a unique ID. This enables a website using such cookies to track a user’s navigation within the website for statistical or advertising purposes – that is, the website can create a customized user profile starting from the pages the user visited, to then serve targeted ads to that user (this is the so-called “behavioural advertising”).
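FAQ 1 distinguishes first-party from third-party cookies, and session cookies from those that stay in the terminal equipment “for quite long”. The following Python script, added here as an example and not part of the Garante’s FAQ, shows how a website operator auditing its own pages can classify the Set-Cookie headers observed while a page loads: each cookie is attributed to the first or a third party by comparing its effective domain with the visited page’s domain, and marked as a session cookie or as persistent with its remaining lifetime. The sample observations and hostnames are constructed; the `registrable_domain` helper is a deliberate simplification (a real audit would use the Public Suffix List).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class CookieRecord:
    name: str
    set_by_host: str            # host of the response that carried the Set-Cookie header
    domain: str                 # effective cookie domain (Domain attribute, else the response host)
    party: str                  # "first-party" or "third-party" relative to the visited page
    persistent: bool            # True when Expires or Max-Age is present (survives the session)
    max_age_seconds: Optional[int]


def registrable_domain(host: str) -> str:
    """Simplification (assumption): use the last two labels as the registrable domain.
    A production audit should consult the Public Suffix List, because names such as
    'example.co.uk' are registrable only at the third label."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def parse_set_cookie(header: str, response_url: str, page_url: str, now: datetime) -> CookieRecord:
    """Parse one Set-Cookie header and classify the cookie against the visited page."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    set_by_host = (urlsplit(response_url).hostname or "").lower()
    page_host = (urlsplit(page_url).hostname or "").lower()
    # A Domain attribute widens the cookie to that domain and its subdomains;
    # without it the cookie is host-only (RFC 6265).
    domain = attrs.get("domain", set_by_host).lstrip(".").lower()
    party = ("first-party" if registrable_domain(domain) == registrable_domain(page_host)
             else "third-party")

    # Max-Age takes precedence over Expires (RFC 6265 section 5.3); absence of both
    # means a session cookie that the browser discards when it closes.
    max_age: Optional[int] = None
    if "max-age" in attrs:
        max_age = int(attrs["max-age"])
    elif "expires" in attrs:
        max_age = int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())

    return CookieRecord(name=name.strip(), set_by_host=set_by_host, domain=domain,
                        party=party, persistent=max_age is not None, max_age_seconds=max_age)


def audit_cookies(page_url: str, observations, now: datetime):
    """observations: iterable of (response_url, set_cookie_header) pairs seen while loading page_url."""
    return [parse_set_cookie(h, url, page_url, now) for url, h in observations]


# Constructed sample: the Set-Cookie headers a browser might see while loading one shop page.
PAGE_URL = "https://shop.example/cart"
OBSERVED = [
    ("https://shop.example/cart",
     "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("https://static.shop.example/player.js",
     "lang=it; Max-Age=2592000; Path=/"),
    ("https://ads.tracker.example/pixel.gif",
     "uid=7f3e9c; Domain=.tracker.example; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/"),
]
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


if __name__ == "__main__":
    for rec in audit_cookies(PAGE_URL, OBSERVED, NOW):
        life = "session" if not rec.persistent else f"{rec.max_age_seconds} s"
        print(f"{rec.name:<10} {rec.party:<12} domain={rec.domain:<18} lifetime={life}")
```

Run as a script it lists one line per cookie; in the sample, `sessionid` is a first-party session cookie, `lang` is first-party and persistent for 30 days, and `uid` is a third-party cookie that stays for a year. Only the persistent third-party entry would need the information notice and consent discussed in the later FAQs; the classification itself says nothing about purpose, which must still be established from what the cookie is used for.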
2. What are the current rules based on the e-privacy directive?
The e-privacy directive (Directive 2002/58/EC) was amended in 2009 by another directive (Directive 2009/136/EC) which introduced the “opt-in” principle for all those cases in which one plans to access or store “information” (including cookies) in the user’s/subscriber’s terminal equipment. This means that cookies may be stored in the terminal equipment of a user navigating the Internet only if that user has given his prior consent, after being informed clearly and in full on the mechanisms and purposes of the processing – as provided for in Article 5(3) of the e-privacy directive.
However, the directive still allows using cookies (or similar devices) without the user’s prior consent if they are used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”
3. What has changed in the Italian legislation?
The changes made to the rules on cookies are less substantial in Italy than in the rest of Europe. The opt-in rule was actually already in place, even though it only applied to “technical” cookies – that is, cookies that were used “for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.”
Any other type of unauthorised access or storage in the user’s/subscriber’s terminal equipment was prohibited. This means that providers of electronic communications services were only allowed in the past to use “technical” cookies and only if a user had consented to it after being informed appropriately on purposes and duration of the processing in question. The definition of specific rules for the use of these cookies was left to a code of ethics and practice.
Conversely, under Section 122(1) of the data protection Code now in force, “technical” cookies may be used also without the user’s/subscriber’s consent, provided that the user/subscriber is informed as required. This has quite clearly simplified compliance for online operators, at least regarding those cookies, given that operators are not required to obtain prior consent whenever cookies or other types of information stored in users’/subscribers’ terminal equipment only serve technical purposes or are aimed to meet specific requests made by users or subscribers of Internet services. The fact that no consent is required reduces data subjects’ awareness of the processing and makes it necessary to ensure that the information provided is worded clearly and in a straightforward manner.
As an example, and by taking also account of the guidance provided by the EU’s “Article 29” Working Party in a recent opinion (WP194), the user’s prior informed consent is not required for the following cookies:
– Cookies that are set in the user’s/subscriber’s terminal directly by the website controller, if they are not used for additional purposes: for instance, “shopping cart” session cookies used for purchasing items online; authentication cookies; multimedia contents cookies (e.g. FlashPlayer cookies) if they expire at the end of each session; customization cookies (e.g. language preference cookies, etc.);
– Cookies that are used for statistical analysis of accesses/visits to a website (so-called “analytics” cookies), if they only serve statistical purposes and collect aggregate information; however, the information notice provided by the website must be worded clearly and appropriately and user-friendly tools must be available to opt-out from the use of these cookies, including cookie anonymisation mechanisms.
Apart from technical cookies, the basic rule in the new legislation continues to be that “Storing information, or accessing information that is already stored, in the contracting party’s and/or user’s terminal equipment” is only permitted with the user’s/contracting party’s prior informed consent – i.e. the opt-in rule. Thus, any cookies that are not “technical” – for instance, those used for profiling and marketing purposes, which raise more critical issues from the standpoint of protecting users’ private sphere – may not be set on users’ terminal equipment if users have not been informed appropriately and given their valid consent.
4. What should the information notice to users be like?
The fact that cookies are stored in a user’s terminal equipment must first be made known to that user via an information notice that should be worded clearly and in line with the simplified arrangements mentioned in Section 13(3) of the Data Protection Code. This requirement applies even if the user’s or subscriber’s consent is not necessary – as explained above.
The new text of Section 122(1) in the Data Protection Code provides that in determining the simplified information arrangements “the data protection Authority shall also take account of the proposals put forward by the nationally most representative consumer and industry associations involved in order to also ensure that the mechanisms implemented make the user/contracting party actually aware.”
As well as publishing these FAQs, the Italian Garante accordingly decided to launch a public consultation among consumers and the main relevant operators to gather their proposals and lay down appropriate user information mechanisms by way of clear-cut, concise messages. Although simplified, the information notice must be such as to clarify what purposes are served specifically by the cookies.
For instance, if the purpose consists in profiling users to send them targeted ads, it will not be appropriate to only refer to “advertising purposes” in the information notice concerning cookies; rather, it will have to be specified that cookies will enable the website to profile visitors with a view to direct marketing activities.
5. How can users opt-in to the use of cookies?
The simplification concept also underlies the provision on “specific configurations of software or devices […] that should be user-friendly as well as unambiguous vis-à-vis the contracting party or user” to enable users to give their consent to cookies.
The point is that these tools can be used to facilitate operators in obtaining users’ consent to cookies; however, consent is only valid if it meets all the requirements made in the law – that is to say, consent must in all cases be specific, free, and explicit as provided for in Section 23 of the Data Protection Code. Actually, directive 2009/136/EC also clarifies that any alternative mechanisms to express the user’s consent must be “in accordance with the relevant provisions of Directive 95/46/EC”.
In the first place, before using any device to obtain the user’s consent to the setting of cookies, one must provide an appropriate information notice to allow that user to choose what cookies to accept for what purposes.
The devices and configurations mentioned above are currently of variable nature and it cannot be ruled out that new tools and devices will be developed shortly thanks to the creativity of advertising industry and network operators.
For example, the following tools can be mentioned:
– The settings of most browsers allow users to enable or disable the storage of cookies in the terminal equipment used for browsing the Internet; generally speaking, the relevant rules can be set in such a way as to block “third-party” cookies. Some browsers also allow users to block cookies from specific third parties by means of a function that enables only cookies from certain domains;
– Specific software (“plug-in software”) can be added to a browser in order to specialize browser functions and allow their configuration by users, who can select cookies on the basis of their source domains;
– The so-called “do-not-track” device, which allows users to flag for each site they visit whether they accept being tracked or not during navigation. This mechanism is still the subject of discussion within international standardization bodies, although it was made available on some last-generation browsers; however, since it is not regarded as a standard yet, no assurances can be given that the flags raised by a user to a server will be ultimately “considered” by that server.
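FAQs 3 and 5 together describe three regimes: technical cookies need a notice but no consent, analytics cookies need a notice and an available opt-out, and profiling cookies need prior explicit consent, with the do-not-track flag as one signal a server may or may not “consider”. The following Python code, an added example rather than anything from the Garante’s FAQ, shows the server-side decision a website operator can make before emitting each Set-Cookie header. The `consent` cookie format (`analytics:1,profiling:0`), the cookie names and the rule that `DNT: 1` counts as an opt-out for analytics and a refusal for profiling when no site-specific choice has been recorded are all assumptions of this example, not requirements stated on the page.

```python
from enum import Enum
from typing import Dict, List, Tuple


class Category(Enum):
    TECHNICAL = "technical"   # FAQ 3: notice required, prior consent not required
    ANALYTICS = "analytics"   # FAQ 3: aggregate statistics; an opt-out must be available
    PROFILING = "profiling"   # FAQ 3 and 5: opt-in, prior explicit consent required


def parse_consent(cookie_header: str) -> Dict[str, bool]:
    """Read the choices recorded in a hypothetical first-party 'consent' cookie whose
    value looks like 'analytics:1,profiling:0'. No cookie means no choice recorded."""
    choices: Dict[str, bool] = {}
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "consent":
            for item in value.split(","):
                cat, _, flag = item.partition(":")
                if cat:
                    choices[cat.strip()] = flag.strip() == "1"
    return choices


def may_set(category: Category, request_headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a cookie of this category may be set on this request."""
    choices = parse_consent(request_headers.get("Cookie", ""))
    dnt = request_headers.get("DNT", "").strip() == "1"

    if category is Category.TECHNICAL:
        return True, "technical cookie: information notice required, consent not"

    if category is Category.ANALYTICS:
        if choices.get("analytics") is False:
            return False, "user opted out of analytics"
        if dnt and "analytics" not in choices:
            return False, "DNT: 1 treated as an opt-out from analytics (design choice)"
        return True, "analytics cookie: allowed with notice and an available opt-out"

    # PROFILING: only a recorded explicit choice counts as consent. A choice recorded
    # on this site is taken to be more specific than the browser-wide DNT signal
    # (assumption in this example); without it, DNT: 1 and silence both mean no.
    if choices.get("profiling") is True:
        return True, "profiling cookie: prior explicit consent recorded"
    if dnt:
        return False, "DNT: 1 sent and no consent recorded"
    return False, "no prior consent recorded for profiling"


# Constructed list of cookies the application would like to set:
# (name, value, category, max_age_seconds or None for a session cookie)
WANTED = [
    ("sessionid", "s3cr3t", Category.TECHNICAL, None),
    ("site_stats", "aggregate", Category.ANALYTICS, 30 * 24 * 3600),
    ("ad_profile", "segment42", Category.PROFILING, 365 * 24 * 3600),
]


def build_set_cookie_headers(request_headers: Dict[str, str], wanted=WANTED) -> List[str]:
    """Return the Set-Cookie headers that may be emitted for this request."""
    headers: List[str] = []
    for name, value, category, max_age in wanted:
        allowed, _reason = may_set(category, request_headers)
        if not allowed:
            continue
        attrs = [f"{name}={value}", "Path=/", "Secure", "SameSite=Lax"]
        if category is Category.TECHNICAL:
            attrs.append("HttpOnly")      # keep the session token away from page scripts
        if max_age is not None:
            attrs.append(f"Max-Age={max_age}")
        headers.append("; ".join(attrs))
    return headers


if __name__ == "__main__":
    for hdrs in ({}, {"DNT": "1"}, {"Cookie": "consent=analytics:1,profiling:1"}):
        print(hdrs, "->", build_set_cookie_headers(hdrs))
```

With no consent cookie and no DNT header only the session and analytics cookies are emitted; with `DNT: 1` only the session cookie is; the profiling cookie appears only once an explicit `profiling:1` choice has been recorded. The reason string returned by `may_set` is intended for the operator’s own logs, so that a later review can show why each cookie was or was not set.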
6. Who is required to inform users and obtain their consent?
As the data controller, the operator of any website making use of cookies is required to inform users about cookies and obtain their prior consent.
Where a website allows setting “third-party” cookies (see FAQ 1), it will as a rule be that third party that must provide the information and obtain users’ consent. Users must be informed appropriately, also in accordance with the simplified arrangements mentioned in the law, at the time they access a website that allows the setting of third-party cookies or whenever they access contents made available by such third parties; at all events, the information must be provided before cookies are set in the user’s terminal equipment.
It cannot be ruled out that – possibly on the basis of agreements with third-party websites – the information provided to users by the “first-party” website also includes information on the cookies that are set automatically by those third parties. In any case, the information notice must specify the purposes of the cookies in question – that is, whether they are aimed at profiling users and sending them targeted ads or else at measuring traffic to assess website performance.
Similarly, it cannot be ruled out that consent may also be obtained by third parties via the “first-party” website. It should be considered that any request for a user’s consent must be closely related to the information provided to that user, who will thus be able to decide knowingly. It will then be up to the individual operators involved to regulate their respective roles – in particular concerning the relationship between data controller and data processor – in accordance with personal data protection legislation.