The European Data Protection Board's new guidelines on privacy consent challenged a cookie practice that was validated by the Garante in Italy and adopted by most websites.
The position of the Garante on cookies privacy consent in Italy
Back in 2014, the Italian data protection authority had issued a decision providing for simplified rules on privacy information notice and cookies consent. That decision provided that:
- A short-form privacy information notice has to be placed in a banner that opens when the user accesses the site, with a more detailed long-form privacy information notice available on the website that shall also deal with third parties’ cookies and allow users to deactivate, one by one, each cookie, all of which shall be listed therein; and
- Consent has to be obtained, and it can be given by clicking on the short-form privacy information notice, but also by continuing to navigate the site or scrolling the webpage, provided that this method of acceptance is expressly indicated in the privacy information notice.
When these rules were adopted, they required a considerable amount of work by companies running websites. Indeed, at that time, most sites were not asking for any consent, and their privacy information notice neither listed each cookie nor allowed its specific deactivation. Therefore, the issue was whether, after the effective date of the GDPR, such a decision was still applicable.
The rules adopted in Italy to integrate the EU General Data Protection Regulation provide that the decisions of the Italian privacy authority remain applicable, provided that they are not “incompatible” with the GDPR. But the Garante never clarified which of its decisions are compatible with the GDPR. Therefore, companies were left in a sort of limbo: it was more convenient for them to comply with the Garante’s decision, but they were concerned as to whether it could meet the requirements prescribed by the GDPR.
The position of the EDPB on cookies privacy consent
The European Court of Justice had already challenged the approach mentioned above in the so-called Planet49 decision, where it held that:
- The placing of cookies requires the active consent of the Internet user, and that consent cannot be provided through a pre-checked checkbox which the user must de-select to refuse his/her consent;
- Consent must be specific. The fact that a user selects the button to participate in an online promotional lottery is not sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies;
- Whether the information stored or accessed on the user’s equipment is personal data is not relevant. EU law aims to protect the user from any interference with his/her private life, in particular from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge; and
- Users must be informed about the duration of the operation of cookies and whether or not third parties may have access to those cookies.
The position of the European Data Protection Board in its guidelines on consent is along the same lines as the Planet49 decision, since it held that:
- Cookie walls are not compliant with the GDPR when a banner blocks content from being visible and there is no possibility of accessing the content without clicking on the “Accept cookies” button, since the data subject is not presented with a genuine choice and the consent is therefore not freely given; and
- Actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action required to grant cookie consent.
What are the consequences of the new position of the EDPB?
The Garante did not issue a new decision after the publication of the guidelines on consent by the European Data Protection Board. This circumstance creates an even higher level of uncertainty. It will be necessary to keep the contents of the previous decision of the Italian data protection authority, which requires a high level of transparency in the privacy information notice. But, at the same time, companies shall implement the more stringent requirements on cookies consent and cookie walls provided by the European Court of Justice in the Planet49 decision and now by the EDPB in its guidelines.
The matter is relevant since the data protection law compliance of websites is one of the first elements that is assessed by the Garante before running a dawn raid. On the topic, you may find the article “Top 5 immediate actions to get ready for Italian privacy dawn raids” interesting.