Il blog di E-Lex

The New Cookies Provisions of the Italian Data Protection Authority

The new provisions on consent and privacy policy for using cookies, held by the Italian Data Protection Authority, has been published yesterday in the Official Gazette.

First of all, the long-expected provision emphasizes the distinction between the so-called technical cookies and the so-called profiling cookies. In order to process the first ones will be sufficient to provide users with a privacy policy, while, for using the latter ones a specific consent, even if through a simplified procedure, will be required.

In this regard, however, the DPA recalls that when cookies are used for profilization it is also necessary to notify to the authority this treatment before starting it.

The other essential demarcation underlined by the provision is between the so-called “first party cookies”, i.e. cookies “launched” on users’ devices directly from the editor of the website or otherwise under his control, and the so-called “third-party cookies”, which are installed on devices by third parties other than the editor of the visited website.

This distinction is essential since it draws a line between the liability of publishers, whose work is limited to the processing of personal data related to the installation of his own cookies – no matter if technical or profiling – and the liability of other subjects which use, as a part of advertising contracts, the pages of the editor of the website to install their own cookies on users’ devices.

On this point the DPA is clear: as for the to third parties cookies, the editor acts as a mere technical intermediary and does not have any responsibility for privacy infringements.

From a practical point of view, the editor is expected to provide a privacy policy, to be published through a special banner shown on the homepage of the website. The banner should be articulated on two distinct levels. The first one advising users that cookies are installed through the website, from first and third parties, allowing users to provide their consent without examining the terms of such data processing. The second one – accessible through a link to be posted on same banner – through which the editor should provide further information, especially for third parties cookies, concerning the different treatments, allowing user  to provide their consent in a selective way, even for each single cookie .

Taking into account the difficult technical implementation of the new rules, the DPA has postponed for 12 months the deadline to comply with the new measures.

The full text is available here.

Lascia un commento

Il tuo indirizzo email non sarà pubblicato. I campi obbligatori sono contrassegnati *

Novità normative e giurisprudenziali dal mondo del diritto delle tecnologie e dal nostro Studio