Below is a summary of the Decision.
The Garante distinguishes two main categories of cookies:
- Technical cookies, used for the sole purpose of carrying out the transmission of a communication over an electronic communications network or strictly necessary in order to provide the services requested by the users. These cookies include: (i) session cookies; (ii) analytics cookies and (iii) functionality cookies. The data subject's consent is not required for these cookies, although they have to be disclosed in the privacy notice.
- Profiling cookies, installed for the purpose of profiling users in order to send tailored ads. These cookies require the data subject's prior consent (opt-in) and shall be disclosed in the privacy notice.
2. First-party and third-party cookies
The Garante distinguishes between first-party and third-party cookies, defining as first-party cookies all cookies placed by the “manager” of the website visited by the user (defined as “publisher”), while third-party cookies are those placed by the managers of another website (“third party”) via the publisher’s website.
The Decision clarifies why it would appear impossible to require a publisher to provide information on and obtain consent for the installation of third-party cookies. Indeed, publishers are data controllers with regard to processing carried out through cookies installed by them, while they are mere "technical intermediaries" with regard to processing carried out through third parties' cookies.
3. Simplified modalities to provide privacy notice and obtain consent
3.1 Banner including the short privacy notice and consent request
The banner shall immediately appear as the user accesses the homepage. The banner shall be "of adequate dimension i.e. dimension apt to sensitively discontinue the users experience on the webpages displayed". The banner shall include the following information:
- that the website uses profiling cookies for the purpose of providing tailored ads;
- that the website also allows third-party cookies (if any);
- a link to the complete privacy notice, where information on technical cookies and analytics is provided along with tools to select the cookies to be enabled;
- that on the extended privacy notice the user can opt out of any cookie.
Publishers may choose modalities other than those described above, provided that they comply with the prescriptions of the Italian Data Protection Code. Publishers shall keep records of the consent granted by users through a specific technical cookie.
3.2 Extended privacy notice
The extended privacy notice shall include all items listed in article 13 of the Italian privacy Code with respect to the processing of data collected by cookies, also describing the characteristics and purposes of the cookies and allowing the user to select/deselect each single cookie.
The extended notice shall be accessible from a link included in the short notice, as well as through a reference located at the bottom of every page of the website.
The notice must also contain an updated link to the information notices and consent forms of the third parties that the publisher has agreed to allow to install cookies via its own website.
4. Notification to the Garante
Profiling cookies, which are “persistent in nature”, have to be notified to the Garante.
5. Deadline to comply with the prescriptions
Publishers have one year from the publication of the Decision in the Official Journal (3 June 2014) to comply with the Guidelines.
6. Consequences in case of failure to comply with the rules on cookies
Finally, the Garante recalls the following administrative sanctions for failure to comply with the Decision:
- Failure to provide adequate privacy notice: €10k-60k
- Installation of cookies without the user's prior consent: €10k-120k
- Failure to submit a complete notification to the Garante: €20k-120k
The Garante has published on its website a sample of the short notice/banner.