Whilst we are waiting for the publication of the results of the public consultation on cookies carried out by the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”), here are some thoughts on cookies, as discussed during our latest presentation within the Cybersecurity and Data Protection Course at the University of Milan:

  • cookies reflect an old technology, as there are many other ways of profiling without cookie-based technologies. It will be interesting to see whether the Garante will also address such new technologies;
  • protection based exclusively on the users’ consent may be counterproductive, placing an excessive burden on the user. An average Internet user may in fact find it very difficult to determine whether a cookie is acceptable (for example, see what ideas you may come up with by looking at a list of some strange cookie names!);
  • it would in any event be unfair to expect the Garante to opt for solutions that are not consent based, as the Garante has to operate within an Italian (and European) legal framework which remains based on consent;
  • so there will likely be the consolidation of a “two-layer” information and consent process. However, there is still vital room for maneuver, and it will be key to identify a solution that is also user friendly, so as to avoid unnecessary loss of time (and, ultimately, loss of business for many operators). Any consent should accordingly be devised taking into account how the Internet currently operates, and not be based on a perfect world that does not exist;
  • it will accordingly be key to avoid excessively stringent regulations. In a totally integrated world, a strict regulation is not equivalent to the highest level of protection: it may, on the contrary, encourage the transfer of certain businesses to other jurisdictions with a lower level of protection, ultimately resulting in a lower level of protection for the local users’ data (we are all aware of the current difficulties in enforcing local data protection regulations against operators based in other jurisdictions). Strict regulations may also push certain operators to opt for more sophisticated registration processes, which would entail a more accurate profiling;
  • the current technological solutions to manage consent may not be fully appropriate for addressing all users’ needs. By way of example, a user may decide to accept cookies (including third parties’ cookies) that are placed through a certain site, but may not want to accept the same cookies through another site. By doing so, the user will end up revoking his/her prior consent, affecting the cookie setting through any site;
  • other browser-based solutions would require a wider consensus from the main operators, and realistically this would be beyond the perimeter of the Garante’s operations;
  • whatever solution is reached, cookies and equivalent technologies are part of a wider debate (see, for example, the recent exchange between Mathias Döpfner of Axel Springer and Eric Schmidt of Google). Personal data are becoming increasingly relevant, also from an economic perspective. Publishers and content providers may have diverging opinions, not only on content protection and remuneration, but also on the right to process the personal data of clients / communities that have been built around such content. Within this scenario, it will be very interesting to assess how the different levels of responsibility for first and third party cookies will be regulated.