PREMISE
1. Preliminary Conditions.
Cookies are small text strings that the sites visited by the user send to its terminal (usually the browser), where they are stored before being transmitted back to the same sites at the next visit to the same user. During the navigation of a site, the user can receive on his terminal, even cookies that are sent from different web sites or servers ("Third Party"), on which some elements may reside (such as, for example, images, maps, sounds, specific links to pages on other domains) that are present on the same site that are visiting.
Cookies, usually present in browsers of the users in very large numbers and sometimes even with characteristics of large temporal persistence, are used for different purposes: running computer authentication, tracking sessions, storing information about specific configurations regarding the users who access the servers, etc.
In order to achieve proper regulation of these devices, it is necessary to distinguish them as long as they do not have technical characteristics that differentiate them from each other precisely on the basis of the objectives pursued by those who use them. In this direction has moved the legislator itself, who in his implementation of the provisions of Directive 2009/136 / EC, has brought the obligation to obtain the prior and informed consent of users to install cookies used for purposes other than purely technical (cfr. art. 1, paragraph 5, letter .a) of the d. lgs. May 28th 2012, n. 69, which amended Article N. 122 of the Code).
In this regard, and for the purposes of this provision, have been therefore identified two main categories: "technical" cookies and "profiling" cookies.
a. Technical Cookies
Technical cookies are those used for the sole purpose of "carrying out the transmission of a communication over an electronic communications network, or those strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide this service "(cfr. art. 122, paragraph 1, of the Code).
They are not used for other purposes and are normally installed by the owner or operator of the website. They can be divided into the navigation or session cookies, which guarantee the normal navigation and use of the website (allowing for example: to make a purchase or authenticate and to access restricted areas); analytics cookies, similar to the technical cookies when used directly by the site operator to collect information, in aggregate form, about the number of users and how they visit the site; functionality cookies that allow a user the browsing in function of a set of selected criteria (for example the language and the products selected for purchase) in order to improve the service rendered to the same user.
For the installation of these cookies the prior approval of the users is not required, while it remains mandatory to provide the information pursuant to art. 13 of the Code, that the operator of the site, if he uses only such devices, may provide in the manner he deems most appropriate.
b. Profiling Cookies
The profiling cookies are designed to create profiles on the user and are used in order to send advertising messages in line with the preferences expressed by the same part who is surfing the net. Given the considerable invasiveness that such devices may have within the private sphere of the users, the European and Italian legislation requires the user to be properly informed on the use of the them and express his valid consent.
It refers to them in article 122 of the Code where it provides that "the storage of information in the terminal equipment of a contractor or a user or access to information already stored, are only allowed on condition that the contractor or the user has given his consent after being informed through the simplified procedures provided for in Article 13, paragraph 3 "(art. 122, paragraph 1, of the Code).
2. Participants: Editors and “Third Parties”
Another item to consider, for the correct definition of the matter under consideration, is the subjective one. It occurs to take into account the different subjects that install cookies on the user's terminal, depending on whether it is the same site manager that the user is visiting (which can be briefly listed as "publisher") or of another site that installs cookies through the first (so-called "third parties ").
Based on the findings of the public consultation, it is considered necessary that this distinction between the two aforementioned individuals is taken into due account in order to correctly identify their roles and their responsibilities, with reference to the information release and all the acquisition of consent of online users.
There are many reasons why it is not possible to give the editor the obligation to provide information and to obtain the consent to the installation of the cookie as part of its site also for those set up by "third parties."
First, the publisher should always have the tools and the economic and legal capacity to assume the obligations of third parties and should therefore also be able to check from time to time the correspondence between what is declared by the third parties and the purposes they really pursued through the use of cookies. This is made very difficult by the fact that the publisher often does not know directly all the third-party cookies that install through its website and, therefore, even the logic underlying the relative treatments. Moreover, not infrequently between the publisher and third parties stand in the way actors who play the role of dealers, resulting in fact very complex for the editor the control of the activity of all involved parties.
Cookies of third parties may then be modified over time by third party suppliers and would be impractical to ask publishers to also keep track of these amendments.
It should also be kept into consideration that the publishers often include individuals and small businesses, which are the "weakest part" of the relationship. Instead, when third parties are usually large companies with a significant economic weight, normally serve a plurality of publishers and can be, in comparison to the individual publisher, also very numerous.
It is therefore considered that, also because of the above mentioned reasons, we cannot force the publisher to publish on the home page of its website also the text of the information about cookies installed by third parties. This will also lead to a general lack of clarity of the information from the publisher, making the reading of the document and therefore the understanding of the information contained in it very tiring for the user, thereby thwarting even the desire for simplification provided for by the article 122 of the Code.
Similarly, as regards to the acquisition of consent for profiling cookies, having inevitably to keep separate the respective publishers and third-party positions. It is believed that publishers, with which users establish a direct relationship with access to its website, necessarily assume a dual role.
These subjects in fact, on one hand are data controllers as to the cookies installed directly from their site; on the other, they could not discerned a co-ownership with third parties for cookies that these install through them, it is therefore deemed correct to consider them as a kind of technical intermediaries between them and the users. And they are therefore, in that capacity as will be seen below, called to work in the present resolution, with reference to the disclosure of information and acquisition of consent of online users with regard to the third-party cookies.
3. Impact of regulations on cookies on the network
Cookies have several important functions in the network. Any decision on the modalities of disclosure of information and consent online, regarding virtually anyone with an internet site will have a tremendous impact on a huge number of subjects, which also have, as before said, nature and characteristics that are profoundly different between them.
The Guarantor, aware of the scope of this decision, considers therefore necessary that the measures prescribed in the same - under the provisions of article 122, paragraph 1, of the Code- from one side allow users to be aware of the installation of cookies by manifestation of an express and specific consent (according to article 23 of the Code) and, on the other hand, present the least possible impact in terms of interruption of the navigation of such users and of their use of telematic services.
These conflicting requirements emerged clearly during the public consultation and the meetings held by the authority, are taken into account in the first place in determining the manner in which to provide notice in a simplified form.
It is also the belief of the Guarantor that the two issues, disclosure and consent, go necessarily jointed, in order to prevent that the use of a mode of expression of consent online that requires excessively complex operations by users jeopardizes the simplification made in the disclosure of information.
4. The information with simplified modalities and the acquisition of the online consent
For the purpose of simplifying the information, it is believed that an effective solution, which is subjected to the requirements of Article. 13 of the code (including the description of individual cookies), is to set it on two successive depth levels.
At a time when the user accesses a website, an initial "short" information must be submitted to him, contained in an immediate appearance banner on the home page (or other page through which the user can access the site), integrated with an "extended" disclosure of information, which is accessed through a user-clickable link.
In order for simplification to take effect, it is considered necessary that the request for consent of the use of cookies is inserted right in the banner containing the brief statement. Users wishing to get a more detailed information and differentiate their own choices about the different cookie stored by the visited site, can access other pages of the site, containing, in addition to the extended information, the possibility to express more specific choices.
4.1. The banner containing short information and consent solicitation
More precisely, when you access the home page (or any other page) of a website, it must immediately appear in the foreground an appropriately-sized banner that is large enough to constitute a noticeable discontinuity through the contents of the web page you are visiting with the following information:
a) That the site uses profiling cookies in order to send advertising messages in line with the preferences expressed by the user as part of surfing the net;
b) That the site also allows the sending of "third parties" cookies (where this happens);
c) The link to the extended information, where guidance on the use of technical and analytics cookies is provided and it is given the opportunity to choose which specific cookies to authorize;
d) An indication that in the extensive information disclosure page it is possible to deny the installation of any cookies;
e) An indication that the continuation of navigation through access to another area of the site or selecting an item of the same (for example, an image or a link) requires the provision of consent to the use of cookies.
The aforementioned banner, in addition to having to present sufficient size to accommodate the disclosure, albeit brief, must be an integral part of a positive action in which substantiates the manifestation of consent. In other words, it must determine a discontinuity, albeit minimal, of the navigation experience: overcoming the banner to the video presence must be possible only by means of a user's active intervention (precisely through the selection of an element in the page below the banner itself).
It remains of course still possible for publishers to use different ways from that described for the acquisition of the online consent to the use of user cookies, provided that such methods ensure compliance with the provisions of article 23, paragraph 3, of the Code.
In accordance with the general principles, it is necessary in any case, that the acquisition of the user's consent is tracked by the editor, who may for this purpose use a suitable technical cookies, system that does not seem particularly invasive (to that effect, see also the recital 25 of the Directive 2002/58/CE).
The presence of this "documentation" of the user's choices allows the publisher to not repeat the brief information on the second visit of the same user on the same site, without of course prejudice the possibility for the user to refuse consent and/or change, at any time and in an easy manner, his options regarding the use of cookies by the site, for example through access to the extended information, to be linkable from every page of the site.
4.2. The Expanded disclosure
The expanded disclosure must contain all the particulars required by article 13 of the Code, describing in a specific and analytical way features and purposes of cookies installed by the site and allow the user to select/deselect individual cookies. It must be accessible through a link included in the brief information as well as through a reference on each page of the site, located at the bottom of it.
Within this disclosure, the current link to information and to the third party consent forms must also be added in which the publisher has signed agreements for the installation of cookies through its website. If the publisher has indirect contact with third parties, it will link the sites of the entities that act as intermediaries between him and the same third party. It will not rule out the possibility that such links with third parties are collected within a single web site operated by someone other than the publisher, as in the case of dealers.
In order to keep separate the responsibility of publishers from that of the third party in relation to the information made and acquired permission for cookies from the latter through its website, it is considered necessary that the publishers themselves acquire, already under contract, the abovementioned link by third parties (with this also understood the same dealers).
In the same expanded space, the disclosure must be referenced for the opportunity of the user (which is referred to also art. 122, paragraph 2, of the Code) to express his preferences regarding the use of cookies by the site including through the browser settings, indicating at least the steps required to configure these settings. If, then, the technology used by the site is compatible with the browser version that the user is using, the publisher will be able to establish a direct connection to the browser section dedicated to the same settings.
5. Notification of processing operations
Please note that the use of cookies is one of those treatments subject to the obligation to notification to the Guarantor pursuant to article 37, paragraph 1, letter d) of the Code, where this use is aimed to "define the profile or personality, or to analyze habits or consumption choices, or to monitor the use of electronic communications services with the exception of technically essential treatments to provide the same services to users."
The use of cookies is, however, exempted from the obligation to notify on the basis of the provisions of the decision of the Ombudsman of the 31st of March 2004, which expressly included among the treatments exempted from the aforementioned obligation, those "related to the use of markers electronic or similar devices installed or stored temporarily, and not persistent, in the terminal equipment of a user, consisting of the sole transmission of the session identifiers in accordance with the applicable regulations, the sole purpose of facilitating access to the contents of an Internet site "(resolution no. 1 on the 31st of March 2004, published in the Official Journal on the 6th of April 2004 n. 81).
From the above scenario, it emerges therefore that while profiling cookies, which have characteristics of permanence in time, are subject to the notification, cookies that have instead different purposes and that fall within the category of technical cookies, which are also assimilated the analytics cookies (v. point 1, letter a) of this provision), should not be notified to the Guarantor.
6. Adjustment Time
As already noted above, the guarantor is aware of the impact, including economic, that the discipline on cookies will have on the entire sector of the society of information services and, therefore, that the implementation of the measures necessary to implement this measure will require a substantial commitment in terms of time.
For this reason, it is therefore considered appropriate to allow a transitional period of one year from the publication of this decision in the official journal to allow stakeholders in this decision to avail itself of the simplified procedures identified therein.
7. Consequences of failure to comply with rules on cookies
Please note that in the event of failure to give information or of giving inappropriate information, ie which does not have the items described in compliance with the provisions of article 13 of the Code, in this provision, there is the administrative sanction for payment of a sum of six thousand to thirty-six thousand euros (article 161 of the Code).
The installation of cookies on users' terminals in the absence of the prior consent of projects involves however, the payment of a fine of from ten thousand to twenty thousand euros (article 162, paragraph 2- bis, of the Code).
The lack of or incomplete notification to the guarantor, under the provisions of article 37, paragraph 1, lett. d) of the Code, is punished with payment of a sum of twenty thousand to one hundred twenty thousand euros (article 163 of the Code).
GIVEN ALL THE ABOVE THE GARANTOR
1. Pursuant to article 122, paragraphs 1 and 154, paragraph 1, lett. h) of the Code on the purpose of detection of simplified procedures for the information that the website operators, as further specified in the introduction, are required to provide users with regard to cookies and other devices installed by or for the through of their website, states that when anyone access the home page (or any other page) of a website, must immediately appear in the foreground an appropriately sized banner containing the following information:
a) that the site uses profiling cookies in order to send advertising messages in line with the preferences expressed by the user as part of surfing the net;
b) The site also allows the sending of "third parties" cookies (were this to happen of course);
c) The link to the extended information, which must contain the following additional information regarding:
• the use of technical and analytic cookies;
• The possibility of choosing which specific cookies to authorize;
• the ability for the user to express their preferences regarding the use of cookies by the site also through the browser settings, indicating at least the steps necessary to configure these settings;
d) an indication that the extensive disclosure page where you can deny the allowance of installation of any cookies;
e) an indication that the continuation of navigation through access to another area of the site or selecting an item of the it (for example an image or a link) involves the provision of consent to the use of cookies;
2. pursuant to article 154, paragraph 1, lett. c) of the Code for the purpose of maintaining the distinct responsibilities of the website operators, as further specified in the grounds, from that of the third parties prescribes to the same operators to acquire already under contract connections (links) to web pages containing information and modules for the acquisition of consent related to the third-party cookies (also including the dealers).
A copy of this decision must be forwarded to the Ministry of Justice for the purpose of publication in the Official Gazette of the Italian Republic edited by the Publishing Department in order.
