The Italian Data Protection Authority’s Guidelines on Compliance with EU Cookie Requirements

June 23, 2014, 6:55 PM UTC

The Long Road to EU Regulation of Cookies and the Current State of Play

Put in a literary perspective, EU regulation of cookies may be considered as a sort of epic. The first piece of EU legislation concerning cookies, the e-Privacy Directive, dates back to 2002. That was followed by the so-called Cookie Directive in 2009, which provides remarkable amendments on the regulation of tracking technologies, introducing the general opt-in approach. However, as of June 2014, the Cookie Directive has not yet been fully implemented among EU member states. Hence, the saga continues.

Furthermore, even among those EU member countries that have implemented the Cookie Directive, the result is a patchy framework, as implementation has not given rise to a harmonized legal framework. This is due in part to interventions of national data protection authorities, which have provided guidelines and opinions on the appropriate means to inform users and obtain their consent that are applicable on a country-by-country basis.

The activities of EU legislators over the years have been accompanied by the efforts of the EU Article 29 Data Protection Working Party, which has issued various documents on the topic of cookies, the last being Working Document 02/2013, providing guidance on obtaining consent for cookies (see analysis at WDPR, November 2013, page 15).

The Scope of Application

The long and difficult road to implementation of the Cookie Directive and the remarkable attention it has generated from commentators as well as business stakeholders are also the result of the fact that the scope of its application goes well beyond cookies.

For one thing, the directive applies not only to cookies containing direct identifiers of users, but also to cookies containing coded identifiers such as aliases and Internet protocol addresses.

In addition, the term “cookies” is used to refer to tracking technologies that may be other than traditional cookies, thus expanding the scope of application potentially to any technology able to track online user activities.

The Country-of-Origin Principle

In addition to national peculiarities stemming from the specifics of implementation, one remarkable matter that should be taken into careful consideration by companies when dealing with cookies is that the Cookie Directive has not always been implemented in EU member states as part of their national privacy law. Indeed, in some EU countries, the Cookie Directive has been transposed in national telecommunications law. The result is that the so-called country-of-origin principle may not always be applicable.

In a nutshell, the country-of-origin principle states that, for controllers based in the EU, when a controller is established in one member state but also processes personal information in other member states (through local data processors or without any presence in other member states), that controller may apply the privacy law of the EU country where it is established. This significantly reduces the regulatory requirements that such controllers must fulfill.

However, because the country-of-origin principle stems from the EU Data Protection Directive, and is therefore part of EU national privacy laws, in the countries where the Cookie Directive has been implemented through different pieces of legislation, this criterion of determining the applicable law cannot be relied upon. The paradox resulting from this situation is that a controller may find itself in the position of applying its own privacy law for data processing activities performed offline throughout the EU, yet it may be obliged to apply different cookie rules for its online activities.

The Situation in Italy

In Italy, the Cookie Directive was enacted through Legislative Decree No. 69/2012, which amended Legislative Decree No. 196/2003 (hereinafter, the “Privacy Code”) (see analysis at WDPR, September 2012, page 8).

Specifically, Article 122 of the Privacy Code states:

1. Storing information, or accessing information that is already stored, in the terminal equipment of a contracting party or user shall only be permitted on condition that the contracting party or user has given his consent after being informed in accordance with the simplified arrangements mentioned in section 13(3). This shall be without prejudice to technical storage or access to stored information where they are aimed exclusively at carrying out the transmission of a communication on an electronic communications network, or insofar as this is strictly necessary to the provider of an information society service that has been explicitly requested by the contracting party or user to provide the said service. In order to determine the simplified arrangements referred to herein, the Garante shall also take account of the proposals put forward by the nationally most representative consumer and industry associations involved in order to also ensure that the mechanisms implemented make the contracting party or user actually aware.

2. With a view to giving the consent referred to in paragraph 1 above, specific configurations of software or devices may be used that should be user-friendly as well as unambiguous vis-à-vis the contracting party or user.

2-bis. Subject to the provisions made in paragraph 1 above, it shall be prohibited to use an electronic communications network in order to access information stored in the terminal equipment of a contracting party or user, store information, or monitor the operations performed by the user.

It should be noted that, compared with the previous version of Article 122 of the Privacy Code, the changes may be regarded as less material than in other EU member states, since the opt-in rule was actually already in place, even if applicable only to “technical” cookies, notably cookies necessary to transmit an electronic communication or to provide users with a service expressly requested.

A substantial change brought about by the Cookie Directive is that, apart from technical cookies, access to or storage of information in the user’s equipment was prohibited, unless otherwise provided by a yet-to-be-issued code of ethics and practice. Since such a code was never enacted, the situation remained unclear, leaving a grey area triggering concerns.

Current Article 122 now provides that, for technical cookies, it is necessary only to inform users, while other kinds of cookies also require users’ consent.

The Garante’s FAQs

In November 2012, the Garante published on its website a document containing FAQs on cookies. At the same time, the Garante launched a public consultation in order to collect consumers’ and stakeholders’ views and comments, with the aim to provide guidelines on simplified means to inform users and obtain their consent to the use of cookies, when necessary. The public consultation closed on March 19, 2013.

In the FAQs, the Garante specifies that the following are examples of technical cookies: first party shopping cart session cookies, generally on e-commerce websites to remember the items chosen by users; authentication cookies; multimedia contents session cookies; customization cookies (e.g., language preference cookies); and analytics cookies used for statistical analysis, provided they are used only for statistical purposes and collect only aggregate information. For analytics cookies, users should always be provided with appropriate and user-friendly tools to opt out, including anonymization mechanisms.

As to the information requirement, the Garante emphasizes in the FAQs that users should be clearly and properly made aware of the specific purposes for which cookies are implemented. In this regard, the Garante brings attention to the fact that, if cookies were used for profiling purposes to realize targeted advertising, mere reference to “advertising purposes” would not qualify as adequate information vis-à-vis users. Indeed, the controller should specify that the cookies deployed allow the profiling of website users and that such profiling is aimed at performing marketing activities.

The FAQs also clarify what are acceptable tools to obtain users’ consent, specifically:

  • browser settings that allow the enabling or disabling of the acceptance of cookies;

  • specific software (so-called plug-in software) to be added to a browser that allows relevant configuration by users, in order to select cookies based on their source domains; and

  • so-called “do-not-track” devices, which allow users to decide for each site visited whether they agree to being tracked or not. However, since this tool is still under analysis among international standardization bodies, it may not be able to ensure that users’ preferences are respected by website servers.

A final point addressed in the FAQs is the relationship between, and the privacy role of, controllers in the case of first party and third party cookies. The Garante makes it clear that each controller has to satisfy the requirements set forth by the Privacy Code, and that, of course, it is possible for the “first party website” and the “third party website” to reach a specific agreement on how to discharge these requirements, so that the “first party website” may also take care of them on behalf of the “third party website”.

The Garante’s New Guidelines

On May 8, 2014, the Garante issued a provision on “Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies” (“Guidelines”), which is the result of the information and comments gathered during the public consultation on cookies launched in November 2012 and finished in March 2013. It is aimed at providing guidance on simplified means available to controllers making use of cookies in order to inform users and gather their consent.

The principal topics covered by the Garante’s Guidelines are as follows.

Clarifications on Technical Cookies Vs. Profiling Cookies

The Garante first of all provides guidance on the main features of technical cookies as opposed to profiling cookies, making it easier for companies to distinguish between the two types of cookies. The distinction is important, as technical cookies require only that users be properly and clearly informed, while profiling cookies also require users’ consent.

The Garante refers to technical cookies as cookies adopted with the sole aim of allowing the transmission of an electronic communication over a communications network or of delivering to users a service that users requested. As examples of technical cookies, the Garante mentions the following:

  • browsing and session cookies;

  • analytics cookies, provided they are first party cookies used solely to collect information in aggregate form relating to website visits (i.e., number of visits); and

  • functional cookies.

In contrast, profiling cookies are identified as cookies adopted in order to create a user profile and usually in order to carry out marketing and promotional activities.

Information and Consent Requirements

The need to obtain users’ consent is limited to profiling cookies, while for technical cookies it is necessary only to properly and clearly inform users. In order to propose a suitable means to give users clear and comprehensive information on cookies and to gather valid consent, the Garante proposes a double-decker approach. Specifically, controllers of websites should publish a banner containing brief information on cookies (a sort of short privacy notice), to be supplemented by a complete privacy notice made available through a link.

The banner should be placed on the landing page of the website and shall be a “suitably sized banner — that is to say, the size of the banner must be such as to cause a perceptible discontinuity in the user’s experience of the visited webpage”.

The request of consent, when necessary, should be contained in the first banner, together with the short privacy notice.

Users should be informed of the following items:

  • that the website makes use of profiling cookies for advertising purposes tailored to the online preferences of users;

  • that cookies may be third party cookies (as applicable);

  • that if users access any other page of the website or if they select any item on the website, these actions are considered as providing consent to cookies; and

  • that users may change their preferences on cookies at any time through user-friendly mechanisms, for example, through the long privacy notice.

Lastly, the short privacy notice contained in the banner should contain a link to the complete privacy notice. At the same time, links to the privacy notice should appear on every page of the website, so that users may have easy access to the long privacy notice.

As for the long privacy notice, this should also:

  • provide clarifications on technical and analytics cookies;

  • give users the possibility to choose cookies on a case-by-case basis;

  • give users the possibility to refuse any cookie;

  • inform users that they may select options on cookies through browser settings, providing clarifications on the relevant procedures; and

  • inform users about third party cookies.

The Garante further specifies that the banner used to provide information to users shall “be an integral part of the action through which the user signifies consent. In other words, the banner must give rise to a discontinuity, albeit a minimal one, in the browsing experience: the banner will only cease being displayed on screen if the user takes action — by selecting any item on the page underneath the banner”.

The Garante underlines that, even though the means adopted to collect the consent of users may vary, consent should be obtained in line with the requirements set forth in the Privacy Code. In addition, controllers should keep evidence of the consent collected from users. For this purpose, the use of dedicated technical cookies is envisaged.
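To make the consent mechanics described above concrete, here is an added JavaScript model (not code from the Garante, the article or any site) of the gate a website would apply before setting a cookie: technical cookies pass, profiling cookies wait for consent signalled by a click or navigation, and the evidence of that consent is kept in a dedicated technical cookie. The cookie names, the site registry and the evidence-cookie format are constructed assumptions.

```javascript
// Model of the Guidelines' consent flow: profiling cookies are blocked until the
// user acts on the page under the banner; evidence of consent is kept in a
// dedicated technical cookie. All names below are constructed for this example.
const CONSENT_COOKIE = "it_cookie_consent";   // assumed evidence-cookie name
const CONSENT_VERSION = "guidelines-2014";    // bump when the notice changes

// Constructed site registry: each cookie the site sets, classified per the Guidelines.
const REGISTRY = {
  sessionid: "technical",   // browsing/session cookie
  lang:      "technical",   // functional (customization) cookie
  _stats:    "technical",   // first-party analytics, aggregate data only
  adprofile: "profiling",   // profile built for targeted advertising
};

// Parse a Cookie request header (or document.cookie) into a name -> value map.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    jar[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return jar;
}

// Valid consent = evidence cookie present and recorded against the current notice version.
function hasProfilingConsent(header) {
  const raw = parseCookies(header)[CONSENT_COOKIE];
  if (!raw) return false;
  try { return JSON.parse(raw).v === CONSENT_VERSION; } catch (e) { return false; }
}

// Only selecting an item on the page or opening another page of the site counts as
// consent (which is what the banner must tell the user). Returns the Set-Cookie value
// that records the evidence, or null when the action does not signify consent.
function consentFromAction(action, now) {
  if (action !== "click" && action !== "navigate") return null;
  const evidence = JSON.stringify({ v: CONSENT_VERSION, via: action, ts: now.toISOString() });
  return `${CONSENT_COOKIE}=${encodeURIComponent(evidence)}; Path=/; Max-Age=31536000; SameSite=Lax`;
}

// Gate applied before any Set-Cookie: technical cookies always pass; anything
// else (including cookies missing from the registry) needs recorded consent.
function maySetCookie(name, header) {
  const kind = REGISTRY[name] || "profiling";
  return kind === "technical" || hasProfilingConsent(header);
}
```

Treating unregistered cookies as profiling is the safe default: a cookie nobody classified cannot be assumed technical. Changing CONSENT_VERSION invalidates old evidence, so users see the banner again when the notice changes.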

Third Party Cookies

The Garante acknowledges that the controller of a website has a different role and different liabilities in relation to first party cookies (which are under its direct control) and third party cookies (which are under the control of third parties). The Garante states that website managers “are, on the one hand, data controllers in respect of the cookies installed directly by their websites; on the other hand, they may be regarded more appropriately as a sort of technical intermediaries between third parties and users since they may hardly be considered to act as joint controllers with the said third parties in respect of the cookies the latter install by way of the publishers”.

The result of this reasoning is that, through contractual instruments, website managers should obtain from third parties the web links to pages where the third parties publish the required information and consent notices on cookies.

Deadline for Implementation and Sanctions

The Garante has set the deadline for implementation of the cookie requirements as one year from publication of the provision in the Official Gazette.

Non-compliance with the cookie provision triggers different sanctions, depending on the specific breach committed.

Specifically, failure to properly inform users, namely, if the information provided by the controller does not include the items identified in the provision of the Garante as well as those set forth in Article 13 of the Privacy Code, is sanctioned with a fine ranging from 6,000 euros to 30,000 euros (U.S.$8,159 to U.S.$40,794). If a controller does not collect the users’ consent when necessary, the sanction consists of a fine ranging from 10,000 euros to 120,000 euros (U.S.$13,598 to U.S.$163,176). In cases of multiple breaches of the same or different law provisions, a fine ranging from 50,000 euros to 300,000 euros (U.S.$67,990 to U.S.$407,940) may be applied.

Under some circumstances, the Garante may raise the sanctions thresholds up to four times in consideration of the financial situation of the breaching controller.

An ancillary sanction is publication of the sanctioning order.

What’s Next?

Companies are now required to start preparing for implementation of the cookie rules, and have one year to fully address the new requirements.

In general, the Garante is fairly active in carrying out investigations and enforcement actions. So far, it has not had a particular focus on cookie rules, most probably due to the fact that it had not yet issued specific guidelines on implementation issues as well as an interpretation of applicable rules.

Now that the Garante has provided a clear regulatory framework, we may reasonably expect that it will roll out an enforcement plan within a year’s time.

Francesca Gaudino is a Partner with Baker & McKenzie, Milan. She may be contacted at francesca.gaudino@bakermckenzie.com.
