On 3 June 2014, the Garante published a general decision (the “Decision”) on the simplified modalities for the provision of the notice and the acquisition of data subject consent in case of use of cookies (doc. web n. 3118884, accessible in English here).

Below is a summary of the Decision.

1. Introduction

The Garante distinguishes two main categories of cookies:

  1. Technical cookies, used for the sole purpose of carrying out the transmission of a communication over an electronic communications network or strictly necessary in order to provide the services requested by the users. These cookies include: (i) session cookies; (ii) analytics cookies and (iii) functionality cookies. Data subject's consent is not required for these cookies, although they have to be disclosed in the privacy notice.
  2. Profiling cookies, installed with the purpose of profiling users in order to send tailored ads. These cookies require the data subject's prior consent (opt-in) and shall be disclosed in the privacy notice.

2. First and third party cookies

The Garante distinguishes between first-party and third-party cookies, defining as first-party cookies all cookies placed by the “manager” of the website visited by the user (defined as “publisher”), while third-party cookies are those placed by the manager of another website (“third party”) via the publisher’s website.

The Decision clarifies why it would appear impossible to require a publisher to provide information on and obtain consent for the installation of third-party cookies. Indeed, publishers are data controllers with regard to processing carried out through cookies installed by them, while they are mere "technical intermediaries" with regard to processing carried out through third parties' cookies.

3. Simplified modalities to provide privacy notice and obtain consent

The Garante prescribes a two-layer privacy notice: a first short privacy notice, included in a banner which immediately appears on the homepage of the website (or any other page through which users can access the website), integrated by a more extended privacy policy, accessible through a link.

    3.1 Banner including the short privacy notice and consent request

The banner shall immediately appear as the user accesses the homepage. The banner shall be "of adequate dimension i.e. dimension apt to sensitively discontinue the users experience on the webpages displayed". The banner shall include the following information:

  • that the website uses profiling cookies for the purpose of providing tailored ads;
  • that the website also allows third-party cookies (if any);
  • a link to the complete privacy notice, where information on technical cookies and analytics is provided along with tools to select the cookies to be enabled;
  • that on the extended privacy notice the user can opt-out from any cookie;
  • that if the user continues browsing, he or she provides his or her consent to the use of cookies. Such consent shall be provided through “a positive action”, i.e. by removing the banner through a click or continuing to read other underlying pages.

Publishers may choose modalities other than those described above, provided that they comply with the prescriptions of the Italian Data Protection Code.  Publishers shall keep records of the consent granted by users through a specific technical cookie.

    3.2 Extended privacy notice

The extended privacy notice shall include all items listed in article 13 of the Italian privacy Code in respect to the processing of data collected by cookies, also describing the characteristics and purposes of the cookies and allowing the user to select/deselect each single cookie.

The extended notice shall be accessible from a link included in the short notice, as well as through a reference on every page of the website, located at the bottom of the same.

The notice must also contain an updated link to the information notices and consent forms of the third parties the publisher has agreed to let install cookies via his own website. 

4. Notification to the Garante

Profiling cookies, which are “persistent in nature”, have to be notified to the Garante.

5. Deadline to comply with the prescriptions

Publishers have one year from the publication of the Decision in the Official Journal (3 June 2014) to comply with the Guidelines.

6. Consequences in case of failure to comply with the rules on cookies

Finally, the Garante recalls the following administrative sanctions for failure to comply with the Decision:

  1. Failure to provide adequate privacy notice: €10k-60k
  2. Installation of cookies without the user's prior consent: €10k-120k
  3. Failure to submit a complete notification to the Garante: €20k-120k

The Garante has published on its website a sample of the short notice/banner.