
Cookies: the French Privacy Guarantor (the "CNIL") sanctions GOOGLE for a total of 150 million euros and FACEBOOK for 60 million euros for failing to comply with French privacy legislation.

On January 6, following investigations, the CNIL found that the sites facebook.com, google.fr and youtube.com do not allow users to refuse cookies as easily as they accept them. The CNIL thus fined FACEBOOK 60 million euros and GOOGLE 150 million euros and ordered them to comply within three months.

The French authority noted, in particular, that the sites facebook.com, google.fr and youtube.com offer a button that allows the user to immediately accept cookies, while they do not provide an equivalent solution (button or other) that allows the user to refuse the use of the same cookies in an equally simple way. Indeed, the websites under scrutiny by the CNIL required several clicks to refuse all cookies and only one click to accept them, thus limiting the freedom of consent, which is provided for as a fundamental element by Art. 82 of the French Privacy Law, as well as by the GDPR.

In addition to the payment of the aforementioned penalties, Google and Facebook will have to comply with the CNIL's requirements within 3 months, providing users with a way to reject cookies that is as simple as accepting them. Failing this, the companies will have to pay a penalty of 100,000 euros for each day of delay.

These two decisions are part of the comprehensive compliance strategy launched by the CNIL over the past two years against French and foreign operators who publish websites with many visits and who engage in practices that are contrary to the legislation on cookies. Since March 31, 2021, when the deadline expired for websites and mobile applications to comply with the new cookie rules, the CNIL has taken nearly 100 corrective measures (orders and sanctions) related to non-compliance with cookie legislation.

On the Italian landscape regarding cookies, we point out the Cookies Guidelines published by the Privacy Guarantor, which entered into force on January 10, 2022, the details of which are provided on our Blog.

Clovers Alert! Is your website compliant with the new regulations that will enter into force on January 10, 2022?

Below we analyze the new guidelines on cookies of the Privacy Guarantor

  1. Guidelines on the use of Cookies and other tracking tools

With Measure no. 231 of June 10, 2021, published in the Official Gazette no. 163 of July 9, 2021, the Privacy Guarantor has provided its guidelines to

a) indicate to website operators the rules to be applied for the use of cookies and other tracking tools and

b) specify the correct procedures for providing information and acquiring the consent of those concerned (the "Guidelines").

The Guidelines therefore aim to supplement the previous indications of the Privacy Guarantor (Measure no. 229 of 2014) by specifying that the manifestation of will of the interested party is "unequivocal" as well as free and informed and by requiring that data protection is ensured by design and through default settings (privacy by default and by design).

  2. What needs to be done from 10 January?

The following is a summary of the obligations set out in the Guidelines, with particular reference to the methods of acquiring consent and the characteristics of the Cookies disclosure.

a) The acquisition of consent

First, the Guarantor reiterates that the following practices are not allowed as forms of acquisition of consent:

  • the so-called "scrolling" (i.e., the downward movement of the cursor), which can be qualified as a positive action suitable to unequivocally manifest the will to give consent to the processing, subject to exceptions to be seen case by case;
  • the so-called "cookie wall", i.e. a binding mechanism (so-called take it or leave it) in which the user is obliged, in order to access the site, to express his/her consent to the reception of cookies or other tracking tools, subject to exceptions to be evaluated on a case-by-case basis.

From an operational perspective, the Guarantor requires the following characteristics to validly acquire the user's consent:

  • at the time of a user's first access to the website, no cookies or other tools other than technical ones will be placed inside the device and no active or passive tracking techniques will be used;
  • at the first access to the web page, an area or a banner will appear of adequate size and such as not to induce the user to make unwanted choices;
  • such banner will have to allow the user to express his consent, through a positive action;
  • it is therefore necessary to allow the user to maintain the default settings and to continue browsing without giving any consent, by clicking on the command to close the banner marked by an "X" positioned at the top and on the right inside the banner;
  • it is necessary to insert (besides the link to the complete informative report) a minimum informative report on the use of technical cookies and, subject to prior consent, of profiling cookies or other tracking tools used to send advertising messages or to supply the service in a personalized way;
  • there will also be a command through which it is possible to express one's consent by accepting the placement of all cookies or the use of any other tracking tools and the link to a further dedicated area in which it is possible to select the functions, the so-called third parties and the cookies to the use of which the user chooses to consent.

The Guarantor also states that the banner will not have to be re-presented at each new access and that the user's choice must be duly recorded and no longer solicited for at least 6 months, unless the conditions of processing change significantly.

b) The informative report

The Cookies informative report will have to indicate the recipients of the personal data collected and the storage time of the acquired data, and can also be provided through more than one channel and in different ways (for example, with pop-ups, videos, voice interactions). If only technical cookies are used, the Cookies policy may be included in the general policy. The Guarantor then recommends that analytics cookies, used to assess the effectiveness of a service, be used only for statistical purposes.


The above is the general framework of the guidelines of the Privacy Guarantor that - with proper legal support - should be implemented on each website.