Tag Archives: consent

Check Your Website’s Compliance with New Rules on Cookies

Legal news, , , , , , , , ,

The Italian Data Protection Authority’s new guidelines for the processing of cookies are in force. Does your website comply? Find out if the answer is yes (or if you need adjustments) through the Q&A below.

On January 9, 2022, the new guidelines for processing of cookies and other online tracking instruments issued by the Italian DPA have officially entered into force. Take this test to check if you are already compliant.

Q: What kind of cookies are you currently using on your website?

A: The Italian DPA has divided the cookies currently in use in 3 categories:

  • Technical cookies: these cookies are the ones strictly necessary to a service provider for the dispensing of a service requested by users.
  • Profiling cookies: these cookies are the ones used to create clusters of users, by associating them with specific actions or behavioral patterns. Such cookies are mainly aimed at modulating the delivery of services provided to the user in an increasingly personalized way, as well as to carry out targeted advertising activity.
  • Analytic cookies: these cookies are the ones which are aimed at evaluating the effectiveness of the services offered or to measure user “traffic” on the website, by memorizing users’ online activities within the website. These cookies are mainly provided by third party suppliers.

Q: What should I do in case I use TECHNICAL COOKIES?

A: Technical cookies are not subject to any prior consent by the users. This means that you just need to provide the users with a specific cookie policy information, having the details set forth by article 13 of the GDPR. Such policy may also be contained on a specific section of your general privacy policy information.

Q: What should I do in case I use PROFILING COOKIES?

A: Profiling cookies may be used only upon prior consent by the users. You may obtain users’ consents by implementing a cookie banner that will pop up on your website as soon as users log your online page.

Q: What should I do in case I use ANALYTIC COOKIES?

A: Analytic cookies can be processed without any consent by users only if they do not allow any identification (direct identification – i.e. “singling out” – of the person concerned should not be achieved), and if they are used for the production of aggregate data only. Otherwise, they need to be expressly authorized.

Usually, analytical cookies are provided by third parties. In such case, you must provide, within your cookie policy notice, an updated list of all the third party cookies that are implemented within your website.

Q: How do I collect consent by users, when mandatory?

A: You may set up a cookie bannerthat will pop up on your website when users log your online page.

Q: How to draft a cookie banner?

A: First and foremost, cookie banners must be user-friendly and immediately visible. The dimensions of the banner must be neither too small nor too big, if compared with the kind of device used. Their wording must also be simple and easy to understand. In addition, cookie banners must contain a link to the cookie policy notice. No profiling cookies can be implemented before consent by the user. Only technical cookies may be pre-implemented.

Q: Do I have to grant users the possibility to modify their choices?

A: Yes, a specific section on the website must always be included to the end of consenting users to modify their first decisions.

Q: Can I obtain consent by users in other ways?

A: Consent by the user must be free and unambiguous, but there is no mandatory way to obtain consent by the users: you may implement your own system, in accordance with accountability principles set forth by the GDPR so long as consent is unambiguous and through a positive act of the user (“opt in”). No form of implicit consent is acceptable.

Q: Can I propose the banner again in case the user has declined consent?

A: The excessive and redundant use of banners requesting consent is not allowed – except for certain specific exceptions – since this may bring the user to give consent for the sole purpose of interrupting the pop-up of the banner.

Q: What about “cookie walls” and “scroll down”?

A: Don’t use them! A “cookie wall” is a mechanism by virtue of which the denial of the consent by users prevents them from accessing the website entirely. A “scroll down” system assumes the implied consent of the user when browsing of the website without expressing any choice with regard to cookies consent is continued. Neither cookie walls nor scroll down systems are compliant, since they are not aimed at obtaining an express consent by the user.

All clear? If not, reach out to us!

Is Your Cookie Policy Right?

Legal news, , , , , , , ,

In a recent decision by the Court of Justice of the European Union in case C-673/17 against Planet49 GmbH, the issue of consent was analyzed on the basis of the ePrivacy Directive and the GDPR.

The case regarded a preliminary question by the German Federal Court of Justice on the validity of consent given through a pre-ticked checkbox, which the user must deselect to refuse his or her consent.

The Court analyzed the features of consent under the ePrivacy Directive (“freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed” by reference to the Data Protection Directive) and in the GDPR (“any freely given, specific, informed and unambiguous indication of the data subject’s wishes”).

The Court concluded that the user is required to “give” consent and to provide an “indication”, which “points to active, rather than passive, behavior.” Therefore, an opt-out consent is not validly given.

You may want to check if your website has a passive mechanism to accept cookies (including a mechanism whereby “continuing to browse the website means acceptance of these cookies”): under the Court’s decision described above, it is possible that such a passive consent would be regarded invalid.

This conclusion would appear to contradict the previous guideline by the Italian Data Protection Authority providing that “if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she signifies his or her consent to the use of cookies.”

Further, the Court set forth that “the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.