In this regard, however, the DPA recalls that when cookies are used for profilization it is also necessary to notify to the authority this treatment before starting it.
The other essential demarcation underlined by the provision is between the so-called “first party cookies”, i.e. cookies “launched” on users’ devices directly from the editor of the website or otherwise under his control, and the so-called “third-party cookies”, which are installed on devices by third parties other than the editor of the visited website.
This distinction is essential since it draws a line between the liability of publishers, whose work is limited to the processing of personal data related to the installation of his own cookies – no matter if technical or profiling – and the liability of other subjects which use, as a part of advertising contracts, the pages of the editor of the website to install their own cookies on users’ devices.
On this point the DPA is clear: as for the to third parties cookies, the editor acts as a mere technical intermediary and does not have any responsibility for privacy infringements.
Taking into account the difficult technical implementation of the new rules, the DPA has postponed for 12 months the deadline to comply with the new measures.
The full text is available here.