
Cookies cannot be processed on the basis of legitimate interest according to the Garante

The Italian data protection authority, the Garante, ruled that profiling through cookies by a famous social network cannot be based on the legitimate interest of users.

The Garante’s recent decision, adopted as a matter of urgency, follows an investigation opened after the social network announced a future modification of its privacy information notice. The modification concerned personalized advertising through profiling, aimed exclusively at users over 18 years of age and based on “information you provide us, automatically collected information and information from other sources,” with the purpose of showing advertisements tailored to the personal interests of users. In the social network’s opinion, such data processing activities would find their legal basis in the legitimate interest referred to in Art. 6(1)(f) of the GDPR.

However, in light of the critical issues that emerged, the Garante held that it would have been difficult to prove age verification by the social network.  The well-known social network, moreover, had pledged to resolve the issue of age ascertainment.  However, given the manner and mechanisms by which such ascertainment occurs, the Italian data protection authority considered that the risk of profiling even those between the ages of 13 and 14 could not be ruled out.  In this sense, for those under the age of 14, the consent of those exercising parental authority is required to access the platform, while for those under the age of 13, access is precluded altogether.

In addition, the Garante identified a violation of the ePrivacy Directive 2002/58/EC and of Article 122 of the Italian Privacy Code implementing that directive, according to which profiling cookies may be used only after acquiring the consent of the person concerned. The social network’s privacy information notice refers to the use of “cookies and similar tracking technologies to manage and provide our services. For example, we use cookies to remember your language preferences, to make sure you don’t see the same video more than once, and for security purposes. We also use these technologies for marketing purposes” as well as “device information [—] which includes your device model, operating system, typing patterns or rhythms, IP address and system language…” as well as “service, diagnostic and performance information, including crash reports and performance logs.”

The Italian data protection authority deemed that legitimate interest, as a legal basis for the data processing, cannot justify user profiling through cookies.  However, it is equally relevant to point out that according to the decision, this principle does not apply to all profiling but only to cookie-based profiling.  Furthermore, the ePrivacy Directive states that information stored on the device (also used in the context of profiling) can only be processed with the consent of the data subject.  Thus, the Garante adopted a decision that does not need the approval of other European privacy authorities, since the latter mechanism does not apply within the scope of the ePrivacy Directive.

Following the measure, the social network complied with the Garante’s indications by postponing the modification of the information notice and, therefore, the shift to legitimate interest as the legal basis for “personalized” advertising aimed only at adults.

On a similar topic, the article “Infographic – New obligations on cookies under Italian data protection law” may be of interest.
