Cristina Vicarelli, Cookies: ten things to consider

Nowadays in Italy there is a big debate on “cookies”. Starting on June 3, 2015, data controllers must implement the requirements issued by the Italian Data Protection Authority (Garante) with Decision no. 229 of 8 May 2014, “Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies” (published in the Official Journal no. 126 of June 3, 2014). http://www.garanteprivacy.it…

Assuming familiarity with the decision and keeping a pragmatic perspective, I want to focus on ten aspects that may prove problematic and that frequently come up while implementing this DPA decision.

1. Mobile

First, it is worth remembering that the Italian privacy legislation (art. 122 of the Privacy Code) and the decisions of the Italian DPA also apply to users surfing the web on mobile devices.

2. Identification of Cookies

The decision of the Italian DPA distinguishes between technical cookies and profiling cookies, and between first-party cookies and third-party cookies. To draw the latter distinction the Garante avoided any direct reference to the URL of the website. It merely observed that “when navigating a website, a user may happen to receive cookies from other websites or web servers, which are the so-called “third party” cookies. This happens because the visited website may contain items such as images, maps, sound files, links to individual web pages on different domains that are located on servers other than the one where the page being visited is stored”.

The Chrome developer tools can help to get an idea of which cookies a website uses: open the Chrome menu at the top right of the browser window and select More tools > Developer tools (or press F12). The Application panel (called Resources in older versions) lists the stored cookies grouped by the domain that set them, which makes first-party and third-party cookies easy to tell apart, and the Network panel shows the Set-Cookie response headers that placed them. Note that a cookie can only be attributed to a purpose by looking at who sets it and what the setting script does; the browser tools show the cookies, not their purpose.

The distinction between technical cookies and profiling cookies turns on their function. Simply put: what is the cookie’s purpose? If it is to build a user’s profile, tracking habits and preferences in order to send behavioural advertising, the cookie is a profiling cookie. If it improves the functionality of the website or is necessary to carry out a communication over the network, it is a technical one.

3. Social buttons and cookies

One aspect that creates practical problems with third-party cookies is social buttons. Social buttons may use cookies merely to link the page to the user’s profile or to facilitate sharing (“share buttons”), or to record appreciation: this is the case of “like” buttons, which generally use profiling cookies to track users’ choices.

Attention must also be paid to “social button widgets” designed to facilitate the sharing of content. These services, often free and added without paying much attention to their terms and conditions, frequently use cookies, including profiling cookies: they finance themselves through advertising. The site manager may not even be aware of the profiling cookies. The distinction is far from negligible, because a website that uses only first-party technical cookies is not required to obtain users’ consent, although it must still provide the relevant privacy information, whereas a website that uses third-party or profiling cookies is required to obtain the user’s consent, for example by displaying a banner.

4. Discretion in the content of the banner

In this respect, it is worth noting that the Italian DPA has expressly provided that the banner (or other similar solution) must contain the following information:

  a) that the website uses profiling cookies to send advertising messages in line with the user’s online navigation preferences;
  b) that the website allows sending third-party cookies as well (of course, if this is actually the case);
  c) a clickable link to the extended information notice, where information on technical and analytics cookies must be provided along with tools to select the cookies to be enabled;
  d) that on the extended information notice page the user may refuse to consent to the installation of any cookies;
  e) that if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she signifies his or her consent to the use of cookies.

It is true that alternative solutions exist and that the content of the banner shown in the Italian DPA’s example need not be slavishly reproduced: some variations on the theme are allowed. However, if the site uses profiling cookies, the first piece of information (point a) cannot be replaced by claims that the use of cookies improves the browsing experience or the website’s functionality. The user must be informed of the profiling and cannot be diverted, by false statements or by information about functions that require no consent, from the primary purpose of the entire regulatory framework: protecting the user from invasive processing related to behavioural advertising.

5. Storing choices through a cookie

The Italian DPA pointed out that the user’s choices can be stored and recorded through cookies for which no consent is needed: “In line with the general principles of data protection, the publisher must in any case keep track of the user’s consent. To that end, an ad-hoc technical cookie might be relied upon, which would not appear to be especially privacy-intrusive as a tool – in this connection, see also Recital 25 in Directive 2002/58/EC.

The availability of this type of “documentation” of the user’s preferences will enable the publisher not to display the information notice on subsequent visits made by that user to the website. This is without prejudice to the user’s right to refuse consent and/or change the relevant cookie options at any time and in accordance with user-friendly mechanisms – for instance by accessing the extended information notice, which must be linkable from every website page.”

As for how long this type of cookie stays on the user’s terminal, the Italian version of the decision refers only to the “second visit” (“alla seconda visita”), rather than to any “subsequent” visit as in the official English translation.

I believe, however, that this provision can be read as “from the second visit onwards”, which is what gives the storage its usefulness. With regard to the period for which the cookie remains on the user’s terminal, the Article 29 Working Party concluded, in Opinion 2/2010 on online behavioural advertising, that the temporal scope of the consent must be limited: “Consent to be monitored should not be ‘forever’ but it should be valid for a limited period of time, for example, to one year. After this period, ad network providers would need to obtain a new consent. This could be achieved if cookies had a limited lifespan after they have been placed in the user’s terminal equipment (and the expiry date should not be prolonged).” The opinion is available at: http://ec.europa.eu…

6. Cookies: if not now, when?

One element that seems rather overlooked is that the website must not store cookies on the user’s terminal until the user has given consent, or at least must not activate them until then. In practice this means that the third-party scripts which set profiling cookies must not be loaded at all before the choice is recorded; merely hiding their output is not enough, since a tag that has run has already set its cookies.
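Points 5 and 6 together describe a small piece of browser-side logic: record the choice in a technical cookie, honour it from the second visit on, let it lapse after a limited period without prolonging it, and keep profiling tags inert until consent exists. The following is an added example, not code from the original article or from the implementation kit; the cookie name cookie_consent, the JSON value layout, the data-consent attribute, the bannerAccept element id and the one-year lifetime (taken from the WP29 example) are all assumptions.

```javascript
// Added example (not part of the original article): a consent cookie that records the
// user's choice, is honoured from the second visit on, expires after one year without
// being prolonged, and gates third-party/profiling tags until consent exists.
// The cookie name, the value layout and the data-consent attribute are assumptions.

const CONSENT_COOKIE = 'cookie_consent';              // assumed name of the technical cookie
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;     // one year, the WP29 Opinion 2/2010 example

// Parse a Cookie request header (or document.cookie) into { name: value }.
function parseCookies(header) {
  const out = {};
  for (const part of String(header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

// Build the Set-Cookie value for a choice made at `nowMs`. The timestamp of the choice is
// stored inside the value, so a later re-emission of the cookie cannot silently extend it.
// Secure assumes the site is served over HTTPS (a browser discards Secure cookies on http:).
function buildConsentCookie(choice, nowMs) {
  if (choice !== 'granted' && choice !== 'refused') throw new Error('invalid choice');
  const value = encodeURIComponent(JSON.stringify({ choice, ts: nowMs }));
  const maxAge = Math.floor(CONSENT_TTL_MS / 1000);
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Returns 'granted', 'refused' or 'unknown'. A choice older than one year is treated as
// unknown even if the cookie somehow survived, so the user is asked again (point 5).
function consentState(cookieHeader, nowMs) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return 'unknown';
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return 'unknown'; }
  if (!rec || typeof rec.ts !== 'number') return 'unknown';
  if (rec.choice !== 'granted' && rec.choice !== 'refused') return 'unknown';
  if (nowMs < rec.ts || nowMs - rec.ts > CONSENT_TTL_MS) return 'unknown';
  return rec.choice;
}

// The banner is shown only while no valid choice is recorded, i.e. not on the second and
// later visits; profiling tags may run only on an explicit grant (point 6).
function shouldShowBanner(cookieHeader, nowMs) { return consentState(cookieHeader, nowMs) === 'unknown'; }
function mayLoadProfilingTags(cookieHeader, nowMs) { return consentState(cookieHeader, nowMs) === 'granted'; }

// Browser side: third-party tags are shipped inert in the HTML, e.g.
//   <script type="text/plain" data-consent="profiling" src="https://ads.example/tag.js"></script>
// A text/plain script is never executed, so it cannot set a cookie before consent.
// activateProfilingTags() swaps each one for a live script once consent is granted
// and returns how many tags were activated.
function activateProfilingTags(doc) {
  const inert = doc.querySelectorAll('script[type="text/plain"][data-consent="profiling"]');
  for (const s of inert) {
    const live = doc.createElement('script');
    live.src = s.getAttribute('src');
    s.replaceWith(live);
  }
  return inert.length;
}

// Wire-up when running in a page (skipped under Node). `bannerAccept` is an assumed element id;
// the same handler can be attached to the scroll or click events that the decision treats as
// "continuing to browse".
if (typeof document !== 'undefined') {
  const now = Date.now();
  if (mayLoadProfilingTags(document.cookie, now)) {
    activateProfilingTags(document);
  } else if (shouldShowBanner(document.cookie, now)) {
    const accept = document.getElementById('bannerAccept');
    if (accept) accept.addEventListener('click', () => {
      document.cookie = buildConsentCookie('granted', Date.now());
      activateProfilingTags(document);
    });
  }
}
```

Because `parseCookies` accepts a raw Cookie request header, `consentState` can also be run server-side to decide whether to emit the profiling tags in the page at all, which is the safer variant of point 6. Whichever side performs the check, the consent cookie must not be rewritten with a fresh Max-Age on every visit; the timestamp inside the value is what lets the one-year limit be enforced even if some component does.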

7. Analytics cookies

Another aspect that causes implementation issues concerns the cookies of analytics services. Take care not to over-read the Italian DPA’s statement, reported here for convenience, that equates this type of cookie to technical cookies: “analytics cookies, which can be equated to technical cookies insofar as they are used directly by the website manager to collect aggregate information on the number of visitors and the pattern of visits to the website”. The equation holds only under those conditions (used directly by the website manager, aggregate data); the cookies commonly set by analytics services may therefore fall outside the consent exemption. To clear up any doubt about the kind of cookies associated with the analytics service in use, reading the kit described in the next point can be very useful.

8. Cookies Implementation kit

Valuable help in blocking or activating cookies until consent is obtained, and in telling apart the services that require consent from those that do not, may come from the kit di implementazione (implementation kit, a sort of operational guidance). The kit was presented on May 5, 2015 by the main trade associations, DMA Italy, Fedoweb, IAB Italy, Netcomm and Upa, in the presence of the Italian DPA.

The kit starts from a practical point of view and contains many suggestions that are more “technical” than the measures of the Authority, which it complements. Although the authors specify that the kit “can not be construed as a legal opinion on the adoption of the rules of cookies, or in any way substitute the guidelines issued by the Italian DPA,” it appears to be a useful tool “because it brings together the various solutions discussed with the Authority in order to allow different companies to apply in the best way the cookie law”.

Its genesis calls for further caution. According to the kit (see p. 12), cookies used to save preferences and for optimisation (for instance Flash Player cookies, provided they expire at the end of each session; “shopping cart” session cookies; or customisation cookies such as language or currency preference cookies) are to be qualified as technical cookies.

This provision resembles the one used by the Italian Data Protection Authority, which refers to the consent exemptions identified by the Article 29 Working Party (WP194) and to the “FAQ on cookies” (Doc-Web 2146935, 8 December 2012). It suggests carefully evaluating the use of Flash Player cookies that do not expire at the end of the session, since a longer duration does not appear necessary to meet users’ needs.

9. Cookies and notification of processing

For brevity, this post has not dealt with the duty to notify the Italian DPA (Art. 37 of the Privacy Code, with failures punishable under Article 163 of the Code), but be aware: the Italian DPA has clarified that while persistent profiling cookies are subject to notification, cookies with different purposes that fall within the category of technical cookies need not be notified. This includes analytics cookies, whose use need not be notified as long as they can be equated to technical cookies.

Notification is normally required for first-party profiling cookies, but close attention must be paid to the kit mentioned above, which points out that under specific conditions notification may also be required for third-party cookies. This could be the case when the website manager (data controller) has access to the information collected by the cookies in disaggregated form (for instance because of agreements with the third parties). Paraphrasing the DPA’s findings on obtaining consent, there could be joint, or even independent, control of the processing.

On these premises, it can be concluded that in some cases analytics cookies too may have to be notified to the DPA.

10. Only cookies?

Last but not least, please note that the rules on the use of cookies also cover other similar tools (such as web beacons / web bugs, clear GIFs and the like) which allow the user or the terminal to be identified, and which therefore fall within the scope of Decision no. 229/2014 of the Italian Data Protection Authority discussed here.


This article was first published (in Italian) by Cristina Vicarelli at http://www.cristina-vicarelli.it…. Thanks to Avv. Federica Romanelli for her help with the translation.


Avvocato Cristina Vicarelli

Italian attorney

http://www.cristina-vicarelli.it/