New Italian privacy rules on cookies will come into force on 2 June 2015, requiring relevant technical and content changes to e-commerce, gaming, news and other Internet sites.
I covered in this blog post the approval by the Italian privacy authority of the guidelines on the usage of cookies, which granted Internet operators one year to put them in place. That one-year term has now almost expired, and the new cookie rules will come into force on 2 June 2015.
New cookies privacy obligations
I already discussed in this blog post the main obligations set forth by the new Italian cookie regulations, which change depending on whether technical, profiling or third-party cookies are used. The general principle is that users should give their prior consent to the usage of cookies, but the privacy authority has addressed the way in which such consent is given differently depending on the type of cookies used (e.g. technical cookies vs. profiling cookies) and on whether they are the operator’s own cookies or third-party cookies.
In this respect, it is worth mentioning that the Italian rules on cookies are based on the EU Privacy Directives, but the guidelines on cookies from the Italian data protection authority introduced obligations quite different from those adopted in other jurisdictions.
Additional obligations in case of profiling
I will cover this in more detail in another blog post, but the Italian privacy authority also published new guidelines on profiling activities on the Internet, which also affect the usage of profiling cookies, requiring, among other things,
- a much higher level of transparency in the privacy information notice,
- the prior consent from users and
- data retention rules compliant with the principle that data must not be stored for longer than necessary to pursue the purposes of the data processing.
But this is not all: if users’ preferences are profiled in some way through cookies, surveys, fingerprinting or other tools, Italian privacy law also requires a prior notification of such data processing to the privacy authority.
Relevant sanctions for breach
Based on our experience, the Italian privacy authority is becoming very active in challenging the lack of compliance with privacy regulations, also running audits and investigations at operators’ premises. And the € 1 million fine issued against Google in 2014 is a further confirmation of that. But privacy compliance will become even more relevant with the new EU privacy regulation that will increase the potential fines up to 5% of the global turnover.
The new approach from the Italian privacy regulator of scrutinizing compliance, while at the same time trying to “negotiate” practical ways of ensuring it, is also the basis on which the Internet of Things privacy consultation has been launched.
Online operators have only a few days left to comply and should not waste them!