Below we analyze the new guidelines on cookies of the Privacy Guarantor
- Guidelines on the use of Cookies and other tracking tools
With Measure no. 231 of June 10, 2021, published in the Official Gazette no. 163 of July 9, 2021, the Privacy Guarantor has provided its guidelines to
a) indicate to website operators the rules to be applied for the use of cookies and other tracking tools and
b) to specify the correct procedures for providing information and acquiring the consent of those concerned (the "Guidelines").
The Guidelines therefore aim to supplement the previous indications of the Privacy Guarantor (Measure no. 229 of 2014) by specifying that the manifestation of will of the interested party is "unequivocal" as well as free and informed and by requiring that data protection is ensured by design and through default settings (privacy by default and by design).
- What needs to be done from 10 January?
The following is a summary of the obligations set out in the Guidelines, with particular reference to the methods of acquiring consent and the characteristics of the Cookies disclosure.
a) The acquisition of consent
First, the Guarantor reiterates that are not allowed, as forms of acquisition of consent, the practices:
- of the so-called "scrolling" (i.e., the downward movement of the cursor), which can be qualified as a positive action suitable to unequivocally manifest the will to give consent to the treatment, subject to exceptions to be seen case by case;
- the so-called "cookie wall", i.e. a binding mechanism (so-called take it or leave it) in which the user is obliged, in order to access the site, to express his/her consent to the reception of cookies or other tracking tools, except for exceptions to be evaluated on a case-by-case basis.
From an operational perspective, the Guarantor requires the following characteristics to validly acquire the consent of the surfer:
- at the time of a user's first access to the website, no cookies or other tools other than technical ones will be placed inside the device and no active or passive tracking techniques will be used;
- at the first access to the web page, an area or a banner will appear of adequate size and such as not to induce the user to make unwanted choices;
- such banner will have to allow the user to express his consent, through a positive action;
- it is therefore necessary to allow the user to maintain the default settings and to continue browsing without giving any consent, by clicking on the command to close the banner marked by an "X" positioned at the top and on the right inside the banner;
- it is necessary to insert (besides the link to the complete informative report) a minimum informative report relative to the use of technical cookies and - previous consent, in order to send advertising messages or to supply the service in a personalized way - of profiling cookies or other tracing instruments;
- there will also be a command through which it is possible to express one's consent by accepting the placement of all cookies or the use of any other tracking tools and the link to a further dedicated area in which it is possible to select the functions, the so-called third parties and the cookies to the use of which the user chooses to consent.
The Guarantor also states that the banner will not have to be re-presented at each new access and that the user's choice must be duly recorded and no longer solicited for at least 6 months, unless significant changes in the conditions of treatment.
b) The informative report
The Cookies informative report will have to indicate the recipients of the personal data collected and the storage time of the acquired data and can also be made on more than one channel and with different modalities (for example, with pop-ups, videos, vocal interactions). If only technical cookies are used, the Cookies policy may be included in the general policy. The Guarantor then recommends that analytics cookies, used to assess the effectiveness of a service, be used only for statistical purposes.
The above is the general framework of the guidelines of the Privacy Guarantor that - with proper legal support - should be implemented on each website.