Italy implemented the European legal framework regarding cookies a couple of years ago. But the last mile was still missing, as the relevant provision of the Italian Data Protection Code (Legislative Decree no. 196/2003, art. 122) referred to further guidance to be provided by the Italian Data Protection Authority.

Eventually, on June 3, 2014, the Italian Data Protection Authority (hereinafter, the “Authority”), following a long public consultation phase that started on December 19, 2012, published an order on cookies entitled “Identification of simplified methods to provide information and obtain consent to the use of cookies” (hereinafter, the “Order”).

The good news is that the industry will benefit from a one-year grace period (expiring on June 3, 2015) to implement the relevant measures.

The second positive remark is that the Authority proved in this case to be open and responsive to some of the recommendations made by stakeholders, adopting a non-restrictive definition of express consent (which is mandatory under Italian law) and a realistic solution for informing data subjects. It also took into consideration that third-party cookies are to be treated in a different way.

That said, it will be a busy year for brokers, agencies, behavioral advertising operators, publishers and website owners in general, since compliance with the new rules involves a number of changes in website operation and some obligations to be fulfilled by the data controller, meaning the subject on whose behalf information is collected through the cookies.

The Order identifies simplified methods to give users information on the use of cookies and provides detailed indications for obtaining consent. To allow users to give their express and specific consent while not disrupting website experience, the Authority provides for a system organized into two layers:

1. Short information notice and request for consent to the use of cookies

As soon as the user accesses the homepage or another web page, a banner shall immediately appear, containing a “short information notice”.

The short information notice shall state:

  • whether the website uses profiling cookies to send advertising messages in line with the preferences expressed by the user during web access;
  • whether the site also allows the sending of third-party cookies;
  • a link to the full text notice providing information on the use of technical and analytical cookies, as well as the possibility to choose which specific cookies to authorize;
  • a statement informing that the full text notice offers the possibility of denying consent to the installation of any cookie;
  • a statement informing that by continuing to use the website, e.g. accessing a different area or selecting an item contained in it (such as an image or a link), the user consents to the use of cookies.

 

The Order specifies that the banner should be large enough to accommodate the (short) information notice and should create a perceptible discontinuity in the use of the web page that the user is visiting. The user must be able to dismiss the banner only by performing an action, but selecting an item contained in the page under the banner will be deemed sufficient. An example of a correct banner has been attached to the Order as a reference for the public.

To avoid displaying the short information notice every time the user accesses the same website, the administrator may use a specific technical cookie. However, the user must have the possibility of denying and/or modifying consent easily at any time.

Room is also left for alternative solutions: provided that consent is expressed freely and specifically, and that the user is given the information (as set out under the Data Protection Code), the Order allows website administrators to use different methods for obtaining consent to the use of cookies.

2. Full text information notice and possibility of making specific choices

The full text notice must be accessible from a link contained in the short notice as well as from a link located at the bottom of each page of the website, and shall contain the information required under the Italian Data Protection Code (art. 13). In particular, the full text notice shall:

  • contain a specific and analytical description of the characteristics and purposes of the cookies used by the website;
  • allow users to select/deselect the individual cookies;
  • contain an updated link to the information notices and the consent forms of third parties with which the site administrator has signed agreements for the installation of cookies through the website. Website administrators who have indirect contact with third parties must post links to the entities that act as intermediaries between them and such third parties, e.g. the advertising networks and advertising brokers. These links to third parties may be contained in a single website administered by a different entity, as in the case of brokers;
  • mention the possibility for users to select cookie options through their browser settings, by describing at least the procedure to be followed for adjusting these settings. If the technologies used by the website are compatible with the user's browser version, the editor can set up a direct link to the browser page where these settings can be adjusted.

Finally, website owners using third-party cookies (publishers) are requested to gather all necessary information regarding the relevant cookies (link to notice and consent form) while discussing contractual arrangements with advertising brokers. Foreign digital advertising companies should therefore be prepared for these requests.

Notification and compliance with the new rules

As if that were not enough, the Authority expressly recalls another obligation laid down under the Italian Data Protection Code in connection with the use of profiling technologies: whenever they are aimed at gaining knowledge of the personality of the data subject or at analyzing his/her choices or market behavior, notification of such data processing to the Authority will be necessary.

All in all, there are a number of changes to be made to websites targeting the Italian market and some activities to be fulfilled by all behavioral advertisers. Turning to the risks connected with failure to comply with the new rules, here is a short recap of the fines set out in the Data Protection Code. In case of an omitted or inadequate information notice, infringers are subject to an administrative penalty of € 6,000.00 to € 36,000.00; installation of cookies without prior consent is subject to an administrative penalty of € 10,000.00 to € 120,000.00; and failure to notify the Authority, or inadequate notification, is subject to an administrative penalty of € 20,000.00 to € 120,000.00.

Final remarks

Considering all the effects of the new regulation, including the financial impact, the Authority has granted a grace period of one year to align with the new standards. During this period, further guidance and clarifications will certainly be given by the Authority. Interestingly enough, profiling technologies are meanwhile developing at a fast pace, and cookies are no longer the only way to profile users. Also, no mention at all is made of the mobile environment, even though cookies have a more limited and peculiar functioning on mobile devices and applications only support different profiling techniques.