THE ITALIAN DATA PROTECTION AUTHORITY
Having convened today, in the presence of Mr. Antonello Soro, President, Ms. Augusta Iannini, Vice-President, Ms. Giovanna Bianchi-Clerici and Prof. Licia Califano, Members, and Mr. Giuseppe Busia, Secretary General;
Having regard to Directive 2002/58/EC of 12 July 2002, of the European Parliament and of the Council, concerning the processing of personal data and the protection of privacy in the electronic communications sector;
Having regard to Directive 2009/136/EC of 25 November 2009, of the European Parliament and of the Council, amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws;
Having regard to legislative decree No. 69 of 28 May 2012 concerning “Amendments to legislative decree No. 196 of 30 June 2003, containing the personal data protection Code, in pursuance of Directives 2009/136/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, and 2009/140/EC concerning electronic communications networks and services and of Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws” as published in the Official Journal No. 126 of 31 May 2012;
Having regard to the personal data protection Code (legislative decree No. 196 of 30 June 2003, hereinafter the “Code”), in particular to Sections 13(3) and 122(1) thereof;
Having regard to the previous resolution by this DPA concerning “Start of a public consultation under Section 122 to devise simplified arrangements for providing the information mentioned in Section 13(3) of the personal data protection Code” (No. 359 of 22 November 2012, published in Italy’s Official Journal No. 295 of 19 December 2012);
Taking account of the guidance provided by the Article 29 Working Party, in particular via its Opinion 4/2012 on Cookie Consent Exemption as adopted on 7 June 2012 as well as via its Working Document 2/2013 providing guidance on obtaining consent for cookies as adopted on 2 October 2013;
Taking account of the contributions submitted to the Garante by the main electronic communication service providers as well as by the consumer associations and the industry sectors involved that have participated in the aforementioned public consultation;
Considering the additional inputs provided on the occasion of the meetings held in September 2013 and February 2014 at the Garante within the framework of the working group started by the Garante in order to foster further, more direct exchanges of views with the above stakeholders as well as with representatives from academia and research dealing with the topics at issue;
Whereas it is necessary to adopt, under the terms of Section 13(3) as applied jointly with Sections 122(1) and 154(1)c) of the Code, a decision of a general nature to set out the simplified arrangements to inform users online regarding the storage of cookies on their terminal equipment by the websites they visit as well as to provide appropriate guidance on the mechanisms to obtain the users’ consent where this is required under the law;
Having regard to the considerations by the Office as submitted by the Secretary General under Article 15 of the Garante’s Rules of Procedure No. 1/2000;
Acting on the report submitted by Mr. Antonello Soro;
1. Preliminary Remarks
Cookies are small text files that are sent to the user’s terminal equipment (usually to the user’s browser) by visited websites; they are stored in the user’s terminal equipment to be then re-transmitted to the websites on the user’s subsequent visits to those websites. When navigating a website, a user may happen to receive cookies from other websites or web servers, which are the so-called “third party” cookies. This happens because the visited website may contain items such as images, maps, sound files, links to individual web pages on different domains that are located on servers other than the one where the page being visited is stored.
Cookies are present as a rule in substantial numbers in each user’s browser and at times they remain stored for long. They are used for several purposes ranging from IT authentication to the monitoring of browsing sessions up to the storage of specific information on user configurations in accessing a given server, and so on.
In order to appropriately regulate these devices, it is necessary to distinguish them by having regard to the purposes sought by the entities relying on them, as there are no technical features that allow differentiating them. This is actually the approach followed by Parliament, which provided for the obligation to obtain the users’ prior informed consent to the installation of cookies for purposes other than those of a merely technical nature – pursuant to EC directive 2009/136 (see Section 1(5), letter a), of legislative decree No. 69 of 28 May 2012, which amended Section 122 of the Code).
From this standpoint and for the purposes of this decision, cookies may be distinguished into two major group: “technical” cookies and “profiling” cookies.
a. Technical Cookies
Technical cookies are those used exclusively with a view to “carrying out the transmission of a communication on an electronic communications network, or insofar as this is strictly necessary to the provider of an information society service that has been explicitly requested by the contracting party or user to provide the said service.” (see Section 122(1) of the Code).
They are not used for further purposes and are usually installed directly by the data controller or the website manager. They can be grouped into browsing or session cookies, which allow users to navigate and use a website (e.g. to purchase items online or authenticate themselves to access certain sections); analytics cookies, which can be equated to technical cookies insofar as they are used directly by the website manager to collect aggregate information on the number of visitors and the pattern of visits to the website; functional cookies, which allow users to navigate as a function of certain pre-determined criteria such as language or products to be purchased so as to improve the quality of service
Users’ prior consent is not necessary to install these cookies, whilst information under Section 13 of the code has to be provided in the manner considered to be most appropriate by the website manager – if only such cookies are relied upon
Profiling cookies are aimed at creating user profiles. They are used to send ads messages in line with the preferences shown by the user during navigation. In the light of the highly invasive nature of these cookies vis-à-vis users’ private sphere, Italian and European legislation requires users to be informed appropriately on their use so as to give their valid consent.
These cookies are referred to in Article 122(1) of the Code where it is provided that “Storing information, or accessing information that is already stored, in the terminal equipment of a contracting party or user shall only be permitted on condition that the contracting party or user has given his consent after being informed in accordance with the simplified arrangements mentioned in section 13(3).”
2. Entities involved: Publishers and “Third Parties”
An additional element to be taken into account in order to put this issue against the appropriate backdrop has to do with the entities involved. That is to say, account should be taken of the entity installing cookies on the user’s terminal, which may be the manager of the website visited by the user – which can be referred to as the “publisher” for the sake of convenience – or the manager of another website that installs the cookies by way of the former – which is a so-called “third party”.
Based on the contributions from the public consultation, it is considered necessary for the above distinction to be taken into due account also in order to appropriately outline the respective roles and responsibilities as for providing information to and obtaining consent from users online.
There are several reasons why it would appear impossible to require a publisher to provide information on and obtain consent for the installation of cookies on his own website also with regard to those installed by “third parties”.
In the first place, a publisher would be required to always be equipped with the tools and the legal and business skills to take upon himself the obligations of third parties – thus, the publisher would be required to check, from time to time, that what is declared by the third parties corresponds to the purposes they are actually aiming at via their cookies. This is a daunting task because a publisher often has no direct contacts with all the third parties installing cookies via his website, nor does he know the logic underlying the respective processing. Furthermore, it is not seldom the case that licensees step in between a publisher and the said third parties, which makes it ultimately highly difficult for the publisher to keep track of the activities of all the stakeholders.
Secondly, third parties’ cookies might be modified by the third parties with time, and it would prove rather dysfunctional to require publishers to keep track also of these subsequent changes.
Furthermore, one should also consider that publishers – a category including natural persons and SMEs – are often the “weaker” party in this context. Conversely, third parties are usually large companies of substantial economic import that work as a rule with several publishers, so that one publisher may often have to do with a considerable number of third parties.
For all of the above reasons, this DPA is of the opinion that publishers may not be required to include, on the home page of their websites, also the notices relating to the cookies installed by third parties via the publishers’ websites. In fact, this would make the information notice provided by a publisher highly ambiguous and would make it difficult for users to read and understand the information contained in such a notice – which would be ultimately prejudicial to the simplification objective set out in Section 122 of the Code.
A similar reasoning applies to the consent required for profiling cookies. Being it necessary to keep separate – for the above reasons – the roles played by publishers and third parties, this DPA is of the opinion that publishers’ role cannot but be two-fold as users are directly in contact with them when they visit the respective websites.
Indeed, publishers are, on the one hand, data controllers in respect of the cookies installed directly by their websites; on the other hand, they may be regarded more appropriately as a sort of technical intermediaries between third parties and users since they may hardly be considered to act as joint controllers with the said third parties in respect of the cookies the latter install by way of the publishers. It is accordingly in this capacity that they are called upon to step in pursuant to this decision (see below) regarding information to and consent from online users as for third parties’ cookies.
3. Impact of Cookie-Related Measures on the Net
Cookies perform several important functions on the Internet. Any decisions on regulating information and consent online will concern practically every website and are bound to impact substantially on a huge number of entities, which are actually (as shown above) very much different from one another.
Being aware of the import of this decision, the Garante considers it necessary for the measures set forth herein under Section 122(1) of the Code to be, on the one hand, such as to allow users to make fully informed choices on cookies installation by giving their explicit as well as specific consent (pursuant to Section 23 of the Code) and, on the other hand, as low-impact as possible in terms of interfering with users’ seamless navigation experience and the provision of IT services.
These two opposing requirements were highlighted quite clearly also by the public consultation and the meetings held by the DPA and will be taken into account first and foremost in determining the mechanisms for providing simplified information notices.
In fact, the Garante is convinced that these two issues, i.e. information and consent, have to be tackled jointly to prevent the use of excessively complex online consent mechanisms from ultimately voiding the benefits of a simplified information notice.
4. Providing Information Via Simplified Mechanisms and Obtaining Consent Online
With a view to simplifying information arrangements, the DPA considers that an effective solution – i.e. one that leaves unprejudiced the requirements of Section 13 of the Code including the description of the individual cookies – consists in envisaging a two-tiered approach.
On accessing a website, users must be shown an initial “short” notice in an overlay banner on the home page (or on any other landing page). This short notice must be supplemented by an “extended” notice to be accessed via a clickable hyperlink.
4.1. The banner containing the short information notice and the consent request
More specifically, on accessing the home page (or any other landing page) of a website, the user must be shown immediately a suitably sized banner – that is to say, the size of the banner must be such as to cause a perceptible discontinuity in the user’s experience of the visited webpage. The banner must include the following information:
a) That the website uses profiling cookies to send advertising messages in line with the user’s online navigation preferences;
b) That the website allows sending third-party cookies as well (of course, if this is actually the case);
c) A clickable link to the extended information notice, where information on technical and analytics cookies must be provided along with tools to select the cookies to be enabled;
d) That on the extended information notice page the user may refuse to consent to the installation of whatever cookies;
As well as being of a sufficient size to accommodate the information notice, short as it may be, the banner in question must be an integral part of the action through which the user signifies consent. In other words, the banner must give rise to a discontinuity, albeit a minimal one, in the browsing experience: the banner will only cease being displayed on screen if the user takes action – by selecting any item on the page underneath the banner.
Publishers are obviously free to rely on other mechanisms in order to obtain users’ consent to online cookies, providing such mechanisms can ensure compliance with the requirements of Section 23(5) of the Code.
In line with the general principles of data protection, the publisher must in any case keep track of the user’s consent. To that end, an ad-hoc technical cookie might be relied upon, which would not appear to be especially privacy-intrusive as a tool – in this connection, see also Recital 25 in Directive 2002/58/EC.
The availability of this type of “documentation” of the user’s preferences will enable the publisher not to display the information notice on subsequent visits made by that user to the website. This is without prejudice to the user’s right to refuse consent and/or change the relevant cookie options at any time and in accordance with user-friendly mechanisms – for instance by accessing the extended information notice, which must be linkable from every website page.
4.2 Extended Information Notice
The extended information notice must include all the items mentioned in Section 13 of the Code, describe the detailed features and purposes of the cookies installed by the website, and allow users to select/deselect the individual cookies. It must be linkable from the short version notice as well as from a hyperlink in the bottom section of each website page.
The notice must also contain an updated link to the information notices and consent forms of the third parties the publisher has agreed to let install cookies via his own website. If the publisher is not directly in touch with third parties, he will have to include the links to the websites of the intermediaries or brokers between him and those third parties. It is conceivable that these links with third-party websites can be collected in a single website managed by an entity other than the publisher, for instance a licensee’s website.
In order to keep publishers’ responsibilities separate from those vested in third parties as regards the information provided and the consent obtained via the publishers’ websites for the said third parties’ cookies, it is considered necessary for the publishers to acquire the aforementioned links from the third parties (including licensees, if any) at the time of entering into the respective agreements.
5. Notification of Processing
Based on the above premises, it can be concluded that profiling cookies, which are persistent in nature, have to be notified to the DPA; conversely, the cookies pursuing different purposes and falling within the scope of technical cookies, including analytics cookies (see paragraph 1, letter a), of this decision), do not have to be notified to the DPA.
6. Deadline for Compliance
As already pointed out, the Garante is aware of the impact – not only in financial terms – that cookie-related measures are bound to produce on the whole IT services sector; this includes the need for substantial resources and time to implement the measures set out herein.
This is why it is considered appropriate to lay down a one-year term as from publication of this decision in the Official Journal in order to enable the entities concerned to avail themselves of the simplified arrangements described herein.
7. Consequences in Case of Non-Compliance with Cookie-Related Measures
It should be recalled that the failure to provide information or the provision of inadequate information, i.e. information that does not include the items specified in this decision as well as in Section 13 of the Code, carry administrative sanctions consisting in payment of a fine ranging from six thousand to thirty-six thousand Euro (Section 161 of the Code).
Conversely, installing cookies on users’ terminal equipment without the users’ prior consent carries an administrative sanction consisting in payment of a fine ranging from ten thousand to one hundred and twenty thousand Euro (Section 162, paragraph 2 a of the Code).
Finally, the failure to notify processing operations to the DPA or the provision of an incomplete notification to the DPA under the terms of Section 37(1), letter d) of the Code carry an administrative sanction consisting in payment of a fine ranging from twenty thousand to one hundred and twenty thousand Euro (Section 163 of the Code).
BASED ON THE ABOVE PREMISES, THE ITALIAN DATA PROTECTION AUTHORITY
1. Under Section 122(1) and Section 154(1), letter h), of the Code and in order to determine the simplified arrangements for the information to be provided to users by website managers (as defined in the Preamble) regarding cookies and other devices installed by or through their websites, provides that a suitably sized banner is to be displayed on screen immediately a user accesses the home page or any other page of a website, and that such banner is to contain the information listed below:
a. That the website uses profiling cookies to send advertising messages in line with the user’s online navigation preferences;
b. That the website allows sending third-party cookies as well (of course, if this is actually the case);
c. A clickable link to the extended information notice, where additional information must be available on the following:
i. Use of technical and analytics cookies;
ii. Tools available to select the cookies to be enabled;
d. That on the extended information notice page the user may refuse to consent to the installation of whatever cookies;
2. Under Section 154(1), letter c), of the Code and in order to keep the responsibilities vested in website managers (as defined in the Preamble) separate from those vested in third parties, requires the said managers to acquire the links to the webpages containing the information and consent forms relating to third parties’ cookies (including licensees, if any) at the time of entering into the respective agreements.
A copy of this decision shall be transmitted to the Ministry of Justice in order for it to be published in the Official Journal of the Italian Republic under the responsibility of the Ufficio pubblicazione leggi e decreti.
Done in Rome, this 8th day of the month of May 2014
THE SECRETARY GENERAL