Cookies, deadline for the adaptation to the Guarantor's new guidelines
There are now only a few weeks to go, until the deadline granted for the adaptation of systems and treatments to the principles expressed by the new Guidelines on cookies of the Privacy Guarantor.
In fact, the resolution entitled "Guidelines for cookies and other tracking tools" (Provision no. 231) published in the Official Gazette on 9 July 2021, dates back to 10 June 2021. The time to adapt is in fact 6 months from the publication of the Guidelines Guide in the Official Gazette.
The Guarantor considered it necessary to express these guidelines to strengthen the decision-making power of users, regarding the use of their personal data when they browse online.
What do the new guidelines of the Guarantor mean for those who have a website?
What adjustments should be made? A great help to answer this question, is given by the Summary Sheet published as Annex 1 to the guidelines.
This article will present some points that should be taken into consideration during the adaptation procedures, but given the importance and delicacy of the topic, we invite anyone who is about to carry out an intervention on their sites to refer to the official documentation present on the website of the Guarantor.
Let's start with some basic theory.
What are cookies?
Cookies are usually text strings that the websites visited by the user, websites or different web servers (so-called "third parties"), place and store on a device terminal in the user's availability.
What technical cookies are
"Technical cookies" are defined as cookies used for the sole purpose of "carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service, explicitly requested by the contractor or user to provide this service".
Is the acquisition of consent for technical cookies required?
The summary sheet states that technical cookies do not require the acquisition of consent, but must be indicated in the information.
Are first and third party analytics cookies comparable to technical cookies?
First and third party analytics cookies are comparable to technical cookies only when:
- they are used only to produce aggregate statistics and in relation to a single site or a single mobile application;
- for those of third parties, at least the fourth component of the IP address is masked.
- third parties refrain from combining analytics cookies, thus minimized, with other processing (for example statistics of visits to other sites) or from transmitting them to other third parties.
However, third parties are allowed to produce statistics with data relating to multiple domains, websites or apps that can be traced back to the same publisher or business group.
In case of doubts as to whether all the requirements to be able to consider analytics cookies as technical cookies are verified, we suggest to treat them separately from the first, and to ask the visitor for explicit consent.
So what are cookies and non-technical tracking identifiers?
Cookies and non-technical tracking identifiers are those used to trace specific actions or recurring behavioral patterns to specific, identified or identifiable subjects in the use of the functionalities offered by the site or by an app for various purposes: grouping of different profiles inside homogeneous clusters of different size, so that it is also possible to modulate the provision of the service in an increasingly personalized way, as well as to send targeted advertising messages, i.e. in line with the preferences expressed by the user in the context of surfing the net.
What characteristics should the information have?
The information must be written in simple and accessible language, and must be usable, without discrimination, even by those who, due to disabilities, require assistive technologies or particular configurations.
If only technical cookies are used, how should the information be shown?
In this case, the information can be placed on the home page of the site or in the general information.
What if non-technical cookies are also used instead?
If you also use other "non-technical" cookies and identifiers, you can use a pop-up banner in immediate appearance of adequate size that contains:
- the indication that the site uses technical cookies and, with the user's consent, profiling cookies or other tracking tools, indicating the related purposes (short information);
- the link to the privacy policy containing the complete information, including any other recipients of the personal data, the data retention times and the exercise of the rights referred to in the Regulations;
- the warning that closing the banner (e.g. by selecting the appropriate command marked by the X inside it, at the top right) entails the persistence of the default settings and therefore the continuation of navigation in the absence of cookies or other tracking tools other than technical ones.
What should the pop-up banner contain if there are also non-technical cookies?
For the purpose of acquiring consent, in the event that non-technical cookies are also present, the banner must contain:
- the aforementioned command (e.g. an X at the top right) to close the banner without giving consent to the use of cookies or other profiling techniques while maintaining the default settings;
- a command to accept all cookies or other tracking techniques;
- the link to another area in which you can analytically choose the features, third parties and cookies you want to install and be able to give consent to the use of all cookies if not previously given or revoke it, even in a single solution, if already expressed. In this regard, it is good practice to use a graphic sign, an icon or other technical device that indicates, even in an essential way, for example. in the footer of each page of the domain, the status of the consents previously given by the user allowing any modification, modification or updating. This area dedicated to the detailed choices must also be accessible via an additional link placed in the footer of any page of the domain.
How often should the consent request be repeated?
The request for consent should not be reiterated in the presence of a previous failure to provide it, except:
- if the conditions of the treatment change significantly;
- if it is impossible for the site to know if a cookie has already been stored in the device;
- if at least 6 months have passed since the previous presentation of the banner.
Is scrolling allowed as a consent request?
No, unless this is included in a more complex process in which the user is able to generate a recordable and documentable event.
If you are not sure if your website complies with the latest guidelines of the Guarantor, we are at your disposal to support you in the adjustment operation, contact us!