Italian Data Protection Authority issued guidelines on the use of cookies

On June 5, 2015, the Italian Data Protection Authority (“DPA”) issued Doc 4006878 clarifying specific issues concerning the implementation of the law on cookies (Individuazione delle modalità semplificate per l’informativa e l’acquisizione del consenso per l’uso dei cookie – Means to inform and obtain consent for the use of cookies, dated May 8, 2014 [3118884]).

In light of the duty to inform about the use of cookies implemented according to Directive 2009/136/EC, the DPA specified that:

  • websites that do not use cookies do not have to inform users;
  • websites that use cookies for their proper functioning only have the duty to inform users, without having to use banners;
  • websites that use analytical cookies can consider them necessary for their functioning only if they are created by the first party;
  • if the cookies are third-party cookies, the website owners are not subject to duties (e.g. notification to the DPA) if: (i) the cookies' tracking capabilities are reduced (for example by blocking part of the IP address); (ii) the third party agrees not to cross-reference the information recorded through the cookie with other information already in its possession;
  • if the website contains links to other sites (e.g. commercial banner, social networks) that do not require cookies, there is no need to inform the data subject;
  • in an “extended” privacy policy, consent to the use of cookies can be requested by category (e.g. travel, sport);
  • it is allowed to provide only one privacy policy for multiple websites managed within one domain;
  • the provisions apply to all websites that feed cookies to users, without regard to whether they have a place of business in Italy.

For more information, Francesca Giannoni-Crystal

 
