Cookies in Italy finally got more clear rules with the issue of the guidelines by the Italian Data Protection Authority on the matter. These followed a long consultation subsequent to the coming into force of the law setting the boundaries of one of the most relevant data protection issues of the last years.
The Italian data protection authority through its guidelines on the usage of cookies in Italy made a distinction between:
- Technical cookies that are necessary to either transmit a communication on a telecom network or to enable websites to offer a service to their users. These include not only the authentication cookies and those necessary to complete a purchase, but also the analytics cookies which collect aggregate data on users visiting a site
SOLUTION -> the usage of such cookies does not require prior consent from data subjects;
- Profiling cookies that are used to create profiles of users for the purpose for instance of delivering advertising messages or display different information on the site based on their preferences/tastes
SOLUTION -> the usage of such cookies does require the consent from data subjects; and
- Third parties cookies that are cookies installed through a website by third parties other than the manager of the website that the latter does not fully control
SOLUTION -> the usage of such cookies does not require the provision by the manager of the site of a privacy information notice relating to third parties’ cookies and to request a specific consent for this purpose since they operate as mere “technical intermediaries“. However, links to the third party’s privacy information notice and consent form shall be incorporated in the so-called long-form information notice.
As to the modalities through which the consent to the usage of profiling cookies in Italy has to be given, the Italian Data Protection Authority required two layers of privacy information notices:
- A short-form privacy information notice placed in a banner that opens up when the user accesses to the site. Such notice contains some basic information, requires the express consent from the user and the provision of such consent shall be stored for potential subsequent audits, and
- A more detailed long-form privacy information notice available on the website that shall deal also with third parties’ cookies.
Consent can be given by clicking on the short-form privacy information notice, but also by continuing the navigation on the site or scrolling the webpage, provided that such modality of acceptance is expressly indicated in the privacy information notice.
Given that the obligations above are very burdensome, the Italian Data Protection Authority granted a year to comply with its terms. However, since the primary law requiring the consent to the usage of cookies in Italy is already into force and because of the potential sanctions, Internet operators including online gaming operators should hurry up to comply as soon as possible.