Ruling on-line profiling involves a very difficult balance between the interests of the industry and the fundamental rights of the Internet users.

Few weeks before the expiring of the grace period for the implementation of the cookie rules issued on May 8th, 2014, the Italian Data Protection Authority (DPA) published a new set of guidelines focused on on-line profiling and addressed to internet service providers such as providers of e-mail services, search engines, social networks, electronic payments, maps, cloud services etc. .

As for the case of cookies, the principles at issue may apply also to providers established in Non EU Countries.

The rationale of such guidelines seems absolutely correct: they aim at extending to the other players of the web economy, using profiling techniques other than cookies, those obligations that have been imposed to Google through a decision of  July 10th, 2014:

First: a mechanism of multilayer notice and consent inferred from the conduct of the user, similar to the rules to be implemented for cookies is now expressly requested   also for the other online tracking technologies (such as, device fingerprinting), thus filling the gap resulting from the existing guidance, only concerning cookies. In this respect, the tracking tools shall be considered neutral, despite the remarkable differences between different technologies (e.g. only cookies are installed into the user devices).

Second: the same rules issued for online surfing by means of personal computers shall have to be applied as well to other kinds of devices, such as tablets, smartphones or smart TVs. The tracked devices shall be considered neutral.

To sum up, the mechanism designed by the DPA, to be applied to these tracking technologies and to any device should work as follows:

  1. A short privacy notice shall be provided as soon as a user accesses a website/application that makes use of tracking technologies;
  2. A link shall be provided to a more detailed privacy notice;
  3. A link shall be provided to an area where the user can deny his consent (in this respect, the cookies rules appear to be slightly different, as the detailed privacy notice shall also contain links to disable cookies);
  4. A click of the user outside the privacy notice area, in order to keep on surfing in the website, will be considered a valid and express consent to be profiled.

This being stated, we have to say that not all the provisions set out by means of such new set of guidelines seem unambiguous.

In particular, some problems may arise with regard to the definition of the scope of the consent expressed by the user and with regard to the criteria to manage possible inconsistent choices expressed by a registered user. 

According to the guidelines, once an Internet user (not registered) will have provided his consent with regard to the use of tracking technologies and the provider will have kept track of such a consent (for example, by means of a technical cookie), the provider shall not be required to provide the user, in case of future accesses by means of the same device to such website or to other domains of the same provider, with any home page privacy notice (the first layer notice). In principle, it seems a very good news for the providers. In deed, it will be sufficient to collect the consent once and keep track thereof, and no further home page notices shall have to be provided to such a user.

On the other hand, we have to consider that not always for the user it is easy to understand which are the domains controlled by the same provider.

A  second questionable issue is represented by the management of the choices of the registered users.

We assume the above mentioned mechanism should not regard the applications where a registered user is identified as soon as he opens the application and, consequently, the provider is immediately in the position to comply with the privacy settings chosen by such user upon registration. But the impact of such guidelines may be slightly different with regard to applications and websites that at any access, in order to recognize the registered user, require a log in process.

In such cases, as outlined by the DPA, before the log in, the registered user should be treated as a ghost and, therefore, before using tracking technologies, a privacy notice on cookies/online profiling shall have to be in any case provided and a specific, express and valid consent shall be collected.

Less clear is the following step: the DPA states that the privacy choices made by the user, as a ghost, will be valid and effective also after the log in and, therefore, also when the system will recognize the registered user. What happens then, for example, if a registered user in his personal settings has denied his consent to be profiled? Does it mean he  could be in any case profiled, also after the log in, if when he has accessed the website, as a ghost, did not deny his consent to be profiled?

And, does it mean that this choice made by the registered user as a ghost will be valid solely for that session or does it mean that such a choice can override the personal settings of the registered users also in the following sessions?

It goes without saying that the privacy choices made by a user when he decides, for the first time, to fill out a registration form and provide his privacy preferences are usually much more careful and meticulous than the choices that a user can make, at a later stage, whenever he will access again to the same website and will be keen to get specific contents.

In such circumstances, it could be disputed the fairness and transparency of a mechanism whereby the choices of an Internet user, as a ghost, can override the personal settings of the same as a registered user.

In the light of this very first analysis, it seems that also such detailed guidelines issued by the DPA left open very serious questions and we believe, while everybody is waiting to see how Google will abide by those rules in due time,  in the next months consultations with the stakeholders of the relevant industry are to be expected.