Cookie

 

Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies - 8 may 2014 

 

THE ITALIAN  DATA PROTECTION AUTHORITY

 

Having  convened today, in the presence of Mr. Antonello Soro, President, Ms. Augusta Iannini, Vice-President, Ms. Giovanna Bianchi- Clerici and Prof. Licia Califano, Members, and Mr. Giuseppe Busia, Secretary General;

 

Having  regard to Directive 2002/58/EC of 12 July 2002, of the European Parliament  and of the Council, concerning the processing of personal data and the protection of privacy in the electronic communications sector;

 

Having  regard to Directive 2009/136/EC of 25 November 2009, of the European Parliament  and of the Council, amending Directive

2002/22/EC on universal service and users' rights relating to electronic  communications  networks and services, Directive 2002/58/EC

concerning the processing of personal data and the protection  of privacy in the electronic  communications  sector and Regulation (EC) No

2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws;

 

Having  regard to legislative  decree No. 69 of 28 May 2012 concerning "Amendments  to legislative  decree No. 196 of 30 June 2003, containing  the personal data protection  Code, in pursuance of Directives  2009/136/EC concerning the processing of personal data and the protection  of privacy in the electronic  communications  sector, and 2009/140/EC  concerning  electronic  communications  networks  and services and of Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws" as published  in the Official Journal No. 126 of 31 May 2012;

 

Having regard to the personal data protection  Code (legislative  decree No. 196 of 30 June 2003, hereinafter  the "Code"), in particular to

Sections 13(3) and 122(1) thereof;

 

Having  regard to the previous resolution by this DPA concerning "Start of a public consultation  under Section 122 to devise simplified arrangements for providing the information  mentioned in Section 13(3) of the personal data protection  Code" (No. 359 of 22 November

2012, published in Italy's Official Journal No. 295 of 19 December 2012);

 

Taking account of the guidance provided  by the Article 29  Working Party, in particular via its Opinion 4/2012 on Cookie Consent Exemption  as adopted on 7 June 2012 as well as via its Working Document 2/2013 providing guidance on obtaining consent for cookies  as adopted on 2 October 2013;

 

Taking account of the contributions submitted to the Garante by the main electronic  communication  service providers  as well as by the consumer associations and the industry sectors involved that have participated in the aforementioned public consultation;

 

Considering the additional inputs provided on the occasion of the meetings held in September 2013 and February 2014 at the Garante within the framework of the working group started by the Garante in order to foster further, more direct exchanges of views with the above stakeholders  as well as with representatives from academia and research dealing with the topics at issue;

 

Whereas it is necessary to adopt, under the terms of Section 13(3) as applied  jointly with Sections 122(1) and 154(1)c)  of the Code,  a decision of a general nature to set out the simplified arrangements to inform users online regarding the storage of cookies on their terminal equipment by the websites they visit as well as to provide appropriate guidance on the mechanisms to obtain the users' consent where this is required under the law;

 

Whereas the provisions  on the use of cookies also apply to similar  tools such as web beacons, web bugs, clear GIFs or others, which allow identifying users or terminals and fall accordingly  under the scope of this decision;

 

Having regard to the considerations by the Office as submitted  by the Secretary General under Article 15 of the Garante's Rules of Procedure

No. 1/2000;

 

Acting on the report submitted by Mr. Antonello Soro;

 

PREAMBLE

 

1. Preliminary Remarks

 

Cookies are small text files that are sent to the user's terminal equipment (usually to the user's browser) by visited websites; they are stored in the user's terminal equipment to be then re-transmitted  to the websites on the user's subsequent visits to those websites. When navigating  a website,  a user may  happen to receive cookies from other websites or web servers, which are the so-called "third party" cookies. This happens because the visited  website may contain items such as images, maps, sound files, links to individual web pages on different  domains that are located on servers other than the one where the page being visited is stored.

 

Cookies are present as a rule in substantial numbers in each user's browser and at times they remain stored for long. They are used for several purposes  ranging from IT  authentication  to the monitoring of  browsing sessions  up to the storage  of specific information on user configurations in accessing a given server, and so on.

 

In order to appropriately  regulate these devices, it is necessary to distinguish them by having regard to the purposes sought by the entities relying on them,  as there are no technical features that allow differentiating  them. This is actually the approach followed by Parliament, which provided for the obligation to obtain the users' prior informed consent to the installation of cookies for purposes other than those of a merely technical nature – pursuant to EC directive 2009/136 (see Section 1(5), letter a), of legislative  decree No. 69 of 28 May 2012, which amended Section 122 of the Code).

 

From this standpoint  and for the purposes of this decision, cookies may be distinguished into two major group: "technical" cookies and

"profiling" cookies.

 

a. Technical Cookies

 

Technical cookies are those  used exclusively  with a  view to "carrying out the transmission  of a  communication   on an electronic communications network, or insofar  as this is strictly necessary to the provider of an information  society service that has been explicitly requested by the contracting party or user to provide the said service." (see Section 122(1) of the Code).

 

They are not used for further purposes and are usually installed directly  by the data controller  or the website manager. They can be grouped into browsing or session cookies, which allow users to navigate and use a website (e.g. to purchase items online or authenticate themselves to access certain  sections);  analytics  cookies,  which can be equated to technical cookies insofar as they are used directly by the website manager to collect aggregate information on the number of visitors  and the pattern of visits to the website; functional cookies, which allow users to navigate  as a function of certain pre-determined criteria  such as language or products to be purchased   so as to improve the quality of service

 

Users' prior consent is not necessary to install these cookies,  whilst information  under Section 13 of the code has to be provided in the manner considered to be most appropriate by the website manager – if only such cookies are relied upon

 

b.Profiling Cookies

 

Profiling cookies are aimed at creating user profiles.  They are used to send ads messages in line with the preferences shown by the user during navigation. In the light of the highly invasive nature of these cookies vis-à-vis users' private sphere, Italian and European legislation requires users to be informed appropriately on their use so as to give their valid consent.

 

These cookies are referred to in Article 122(1) of the Code where it is provided that "Storing information, or accessing information  that is already stored, in the terminal equipment of a contracting  party or user shall only be permitted on condition that the contracting party or user has given his consent after being informed  in accordance with the simplified arrangements mentioned in section 13(3)."

 

2. Entities involved: Publishers and "Third Parties"

 

An additional element to be taken into account in order to put this issue against the appropriate backdrop has to do with the entities involved. That is to say, account should be taken of the entity installing cookies on the user's terminal,  which may be the manager of the website visited by the user – which can be referred to as the "publisher" for the sake of convenience – or the manager of another website that installs the cookies by way of the former – which is a  so-called  "third party".

 

Based on the contributions  from the public consultation, it is considered necessary for the above distinction  to be taken into due account also in order to appropriately  outline  the respective roles and responsibilities  as for providing information to and obtaining  consent from users online.

 

There  are several reasons why it would appear impossible  to require  a publisher  to provide information on and obtain consent for the installation of cookies on his own website also with regard to those installed by "third parties".

 

In the first place, a publisher would  be required to always be equipped with the tools and the legal and business skills to take upon himself the obligations of third parties – thus, the publisher would be required to check, from time to time, that what is declared by the third parties corresponds to the purposes they are actually  aiming at via their cookies. This is a daunting  task because a publisher  often has no direct contacts with all the third parties installing cookies via his website, nor does he know the logic underlying the respective processing. Furthermore, it is not seldom the case that licensees step in between a publisher  and the said third parties, which makes it ultimately highly difficult for the publisher to keep track of the activities of all the stakeholders.

 

Secondly, third parties' cookies might be modified by the third parties with time, and it would prove rather dysfunctional  to require publishers to keep track also of these subsequent changes.

 

Furthermore, one should also consider that publishers – a category including  natural persons and SMEs – are often the "weaker" party in this context. Conversely, third parties are usually large companies of substantial economic import that work as a rule with several publishers, so that one publisher may often have to do with a considerable  number of third parties.

 

For all of the above reasons, this DPA is of the opinion that publishers may not be required to include, on the home page of their websites, also the notices relating to the cookies installed by third parties via the publishers' websites. In fact, this would make the information notice provided by a publisher  highly ambiguous and would make it difficult for users to read and understand the information  contained in such a notice – which would be ultimately prejudicial to the simplification  objective set out in Section 122 of the Code.

 

A similar reasoning applies to the consent required for profiling cookies. Being it necessary to keep separate – for the above reasons – the roles played by publishers and third parties, this DPA is of the opinion  that publishers' role cannot but be two-fold as users are directly in contact with them when they visit the respective websites.

 

Indeed, publishers are, on the one hand, data controllers  in respect of the cookies installed directly by their websites; on the other hand, they may be regarded more appropriately  as a sort of technical intermediaries between third parties and users since they may hardly be considered to act as joint controllers with the said third parties in respect of the cookies the latter install by way of the publishers. It is accordingly in this capacity that they are called upon to step in pursuant to this decision (see below) regarding information to and consent from online users as for third parties' cookies.

 

3. Impact of Cookie-Related Measures on the Net

 

Cookies perform several important  functions  on the Internet. Any decisions on regulating information and consent online will  concern practically  every website and are bound to impact substantially on a huge number of entities, which are actually (as shown above) very much different from one another.

 

Being aware of the import of this decision, the Garante considers it necessary for the measures set forth herein under Section 122(1) of the Code to be, on the one hand, such as to allow users to make fully informed choices on cookies installation by giving their explicit as well as specific consent (pursuant to Section 23 of the Code) and, on the other hand, as low-impact  as possible in terms of interfering with users' seamless navigation experience and the provision of IT services.

 

These two opposing requirements were highlighted quite clearly also by the public consultation and the meetings held by the DPA and will be taken into account first and foremost in determining the mechanisms for providing simplified information notices.

 

In fact, the Garante is convinced that these two issues, i.e.  information and consent,  have to be tackled jointly to prevent the use  of excessively complex online consent mechanisms from ultimately voiding the benefits of a simplified  information  notice.

 

4. Providing Information Via Simplified Mechanisms and Obtaining Consent Online

 

With a view to simplifying information  arrangements, the DPA considers that an effective solution – i.e. one that leaves unprejudiced  the requirements of Section 13 of the Code including  the description of the individual  cookies – consists in envisaging a two-tiered  approach.

 

On accessing a website, users must be shown an initial "short" notice in an overlay banner on the home page (or on any other landing page). This short notice must be supplemented by an "extended" notice to be accessed via a clickable  hyperlink.

 

To achieve meaningful simplification, it is necessary that the consent request to the use of cookies is included in the banner displaying the short information  notice. If a user wishes  to get additional,  more detailed information  and make more granular choices with regard to the individual cookies stored by the website being visited, he or she can access other  website  pages providing tools to make more specific selections in addition to the extended information  notice.

 

4.1. The banner containing the short information  notice and the consent request

 

More specifically, on accessing the home page (or any other landing page) of a website, the user must be shown immediately a suitably  sized banner – that is to say, the size of the banner must be such as to cause a perceptible discontinuity  in the user's experience of the visited webpage. The banner must include the following information:

 

a) That the website uses profiling cookies to send advertising messages in line with the user's online navigation preferences;

 

b) That the website allows sending third-party cookies as well (of course, if this is actually the case);

 

c) A clickable link to the extended information  notice, where information  on technical and analytics cookies must be provided along with tools to select the cookies to be enabled;

 

d) That on the extended information notice page the user may refuse to consent to the installation of whatever cookies;

 

e) That if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she signifies his or her consent to the use of cookies.

 

As well as being of a sufficient  size to accommodate the information  notice, short as it may be, the banner in question must be an integral

 

part of the action through which the user signifies consent. In other words, the banner must give rise to a discontinuity,  albeit a minimal  one, in the browsing experience: the banner will only cease being displayed  on screen if the user takes action – by selecting any item on the page underneath the banner.

 

Publishers are obviously free to rely on other mechanisms in order to obtain users' consent to online cookies, providing  such mechanisms can ensure compliance with the requirements of Section 23(5) of the Code.

 

In line with the general principles of data protection, the publisher must in any case keep track of the user's consent. To that end, an ad-hoc technical cookie might be relied upon, which would not appear to be especially privacy-intrusive  as a tool – in this connection,  see also Recital 25 in Directive 2002/58/EC.

 

The availability of this type of "documentation" of the user's preferences will enable the publisher not to display the information  notice on subsequent visits made by that user to the website. This is without prejudice to the user's right to refuse consent and/or change the relevant cookie options at any time and in accordance with user-friendly mechanisms – for instance by accessing the extended information  notice, which must be linkable from every website page.

 

4.2 Extended Information  Notice

 

The extended information  notice must include all the items mentioned in Section 13 of the Code, describe the detailed features and purposes of the cookies installed by the website, and allow users to select/deselect the individual cookies. It must be linkable  from the short version notice as well as from a hyperlink  in the bottom section of each website page.

 

The notice must also contain an updated link to the information  notices and consent forms of the third parties the publisher  has agreed to let install cookies via his own website. If the publisher is not directly in touch with third parties, he will have to include the links to the websites of the intermediaries or brokers between him and those third parties. It is conceivable that these links with third-party websites can be collected in a single website managed by an entity other than the publisher, for instance a licensee's website.

 

In order to keep publishers' responsibilities  separate from those vested in third parties as regards the information  provided and the consent obtained  via the publishers'  websites  for the said third parties'  cookies,  it  is considered  necessary for the publishers  to acquire  the aforementioned links from the third parties (including  licensees, if any) at the time of entering into the respective agreements.

 

The extended information  notice must also refer to the possibility  (which is mentioned in Section 122(2) of the Code) for users to signify their choices on the use of cookies by way of browser settings. To that end, at least the procedure to be followed  to configure those  settings will have to be described. If the technology underlying  the website is compatible with the user's browser version, the publisher may make available a direct link with the settings configuration section in the browser.

 

5. Notification of Processing

 

It should be recalled that the use of cookies falls under the scope of notification  obligations pursuant to Section 37(1), letter d), of the Code if it is aimed at "profiling the data subject and/or his/her personality,  analysing consumption  patterns and/or choices, or monitoring  use of electronic communications services except for such processing operations  as are technically indispensable to deliver said services to users."

 

On the other hand, the use of cookies was exempted from notification obligations by a decision  of the DPA of 31 March 2004 whereby notification  was ruled out with regard to processing "that is related to the use of electronic markers or similar devices whether installed or temporarily stored, in a non-persistent  manner, on an user's terminal  equipment, as consisting exclusively  in the transmission of session IDs pursuant to the applicable regulations for the sole purpose of facilitating access to the contents of Internet sites" (decision No. 1 of 31 march

2004 as published in the Official Journal No. 81 of 6 April 2004).

 

Based on the above premises, it can be concluded that profiling cookies, which are persistent in nature, have to be notified to the DPA; conversely, the cookies pursuing different purposes  and falling within the scope  of technical cookies, including analytics  cookies  (see paragraph 1, letter a), of this decision), do not have to be notified to the DPA.

 

6. Deadline for Compliance

 

As already pointed out, the Garante is aware of the impact – not only in financial terms – that cookie-related  measures are bound to produce on the whole IT services sector; this includes the need for substantial resources and time to implement  the measures set out herein.

 

This is why it is considered appropriate to lay down  a one-year term as from publication of this decision in the Official Journal in order to enable the entities concerned to avail themselves of the simplified arrangements described herein.

 

7. Consequences in Case of Non-Compliance with Cookie-Related Measures

 

It should be recalled that the failure to provide information or the provision of inadequate information, i.e. information that does not include the items specified in this decision  as well as in Section 13 of the Code, carry administrative  sanctions consisting in payment of a fine ranging from six thousand to thirty-six thousand Euro (Section 161 of the Code).

 

Conversely, installing cookies on users' terminal  equipment without the users' prior consent carries an administrative  sanction consisting in payment of a fine ranging from ten thousand to one hundred and twenty thousand Euro (Section 162, paragraph 2 a of the Code).

 

Finally, the failure to notify processing operations to the DPA or the provision of an incomplete notification  to the DPA under the terms of Section 37(1), letter d) of the Code carry an administrative  sanction consisting in payment of a fine ranging from twenty thousand to one hundred and twenty thousand Euro (Section 163 of the Code).

 

BASED ON THE ABOVE PREMISES, THE ITALIAN  DATA PROTECTION AUTHORITY

 

1. Under Section 122(1) and Section 154(1), letter h), of the Code and in order to determine the simplified arrangements for the information to be provided  to users by website managers (as defined in the Preamble) regarding cookies and other devices installed by or through their websites, provides that a suitably sized banner is to be displayed on screen immediately a user accesses the home page or any other page of a website, and that such banner is to contain the information  listed below:

 

a. That the website uses profiling cookies to send advertising messages in line with the user's online navigation preferences;

 

b. That the website allows sending third-party cookies as well (of course, if this is actually the case);

 

c. A clickable link to the extended information  notice, where additional information  must be available on the following:

 

i. Use of technical and analytics cookies;

 

ii. Tools available to select the cookies to be enabled;

 

iii.  Possibility for the user to configure   browser  settings  as a further mechanism to select the preferred  use of cookies by the website, including  at least a reference to the procedure to be followed to configure those  settings;

 

d. That on the extended information notice page the user may refuse to consent to the installation of whatever cookies;

 

e. That if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she signifies his or her consent to the use of cookies;

 

2. Under Section 154(1), letter c), of the Code and in order to keep the responsibilities  vested in website managers (as defined in the Preamble) separate from those vested in third parties, requires the said managers to acquire the links to the webpages containing the information  and consent forms relating to third parties' cookies (including licensees, if any) at the time of entering into the respective agreements.

 

A copy of this decision shall be transmitted to the Ministry of Justice in order for it to be published in the Official Journal of the

Italian Republic under the responsibility of the Ufficio pubblicazione leggi e decreti.

 

Done in Rome, this 8th day of the month of May 2014

 

THE PRESIDENT Soro

 

THE RAPPORTEUR Soro 

 

THE SECRETARY GENERAL Busia