Key points from the Guidelines

Internet of Things

Internet of Things ('IoT') are terminal devices for the purpose of the Directive 2002/58/EC on Privacy and Electronic Communications ('the ePrivacy Directive').

Fingerprinting

Passive identifiers, such as fingerprinting, are included in the scope of the Guidelines. This is because they can be used to achieve the same profiling purposes, including the display of customised behavioural advertising and the analysis and monitoring of the behaviour of website visitors, as well as to customise the nature and mechanisms of the offered services to the behaviour of a monitored user.

Unlike with cookies, with fingerprinting and any other 'passive' identifier the user does not have tools that can be relied on independently to refuse consent or avoid being profiled. That is so because the controller uses a reading technique that does not require the storage of information within the user's device. The outcome is ultimately a 'profile' that remains in the controller's sole possession, to which the data subject obviously has no free and direct access and of which the data subject might actually be totally unaware.

Consent

• To acquire consent, you must use specific configurations of software or devices that are user-friendly, as well as unambiguous vis-à-vis the contracting party or user.
• Under no circumstances will it be permitted to rely on the controller's legitimate interest to justify the use of cookies or other tracking tools.
• Controllers are free to implement different approaches, where appropriate, to achieve compliance with the rules whilst safeguarding data subjects.
• Controllers should apply stringent criteria in assessing all possible solutions, including technical ones, that are suitable for being interpreted and recorded as the user's explicit consent to the installation of cookies and/or the use of other tracking tools.
• In order for consent to be obtained lawfully, a controller will also be required to make sure that any mechanisms for giving one's consent online other than those proposed in these Guidelines are implemented in such a way as to make the effect produced by each action unambiguous for the user as well. This is intended to limit the occurrence of so-called 'false positives', i.e. random actions that are misinterpreted as indications of the user's informed choice.
• If the action performed by the user does not correspond in the specific case to any unambiguous, recordable IT event having the aforementioned characteristics - also in terms of that user's awareness - then that action will in no way be liable to be considered valid consent within the meaning of the legislation in force.
• Silence, pre-ticked boxes, or inactivity do not constitute consent.
• Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.
• If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise, and not unnecessarily disruptive to the use of the service for which it is provided.

Scrolling

• Mere scrolling is never capable, in itself, of fully signaling the data subject's intention to accept the reception of cookies other than technical ones within his or her terminal, and therefore does not amount per se to consent under any circumstances.
• However, scrolling can be part of the procedure to obtain consent and thus be one, rather than the only, component of a more complex process that allows the user to flag his or her informed choice unambiguously, i.e., the choice to consent to the use of such cookies or other tracking tools, in a manner that can be recorded and thus documented in line with the applicable legislation, by generating a precise pattern.

Cookie walls

What it is: A 'take it or leave it' mechanism in which the user is obliged to give his or her consent to the reception of cookies or other tracking tools - since failing to do so will prevent him or her from accessing the site.

This mechanism is to be regarded as unlawful except where the website controller provides the data subject with the option of accessing equivalent content or services without giving his or her consent to the storage and use of cookies or other tracking tools – which will have to be verified on a case-by-case basis.

At all events, an essential condition to be fulfilled is that the proposed alternative complies with the principles of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') as laid down in Article 5(1), and above all with letter (a) thereof whereby personal data shall be processed lawfully, fairly, and in a transparent manner - that is to say, compliance with the principle of 'lawfulness, fairness and transparency' is paramount. Failing this, a cookie wall may not be deemed to be in line with the legislation in force.

Repetition of the request for consent after consent initially failed to be given

What it is: The often redundant, intrusive repetition by website operators of the presentation of the banner each time the user accesses the given website including after that user has made his or her free choice.

The over-repetitive presentation of the banner to obtain the consent a user had previously withheld is liable to impact that user's freedom by leading him or her to consent to the processing in order to continue browsing without being plagued by the appearance of a banner containing a short information notice and the request to give one's consent.

Where a user sticks to the default configuration and does not consent to the use of cookies or other tracking tools, as well as where a user has only consented to the installation of certain cookies or tracking tools, such choice will have to be duly recorded and the user's consent will not be solicited any longer unless:

• one or more of the circumstances of the processing changes significantly, so that the banner also serves the specific as well as necessary purpose of informing exactly about the changes;
• It is impossible for the website operator to be aware that a cookie has already been stored on the device in order to be re-transmitted to the site that generated it, on the occasion of a subsequent visit by that user; this is the case, for instance, where the user chooses to delete the cookies lawfully stored in his/her device and the controller is unable to keep track of the user's intention to stick to the default settings and accordingly to continue browsing without being tracked; or
• at least six months have elapsed since the banner was last presented.

Privacy by Design and by Default as related to cookies and other tracking tools

• Obtaining consent online via presentation of a banner is essentially valid.

• Principle: The controller shall ensure that, by default, only such personal data is processed as is necessary in relation to each specific purpose of the processing and that, in particular, the amount of collected data and the duration of their storage do not exceed the minimum necessary to achieve the intended purposes.

• Application: By default, no cookies or tools other than technical ones, are placed on the user's device when that user first accesses a website, and that no other active or passive tracking technique is used at that time.
• You need to deploy a mechanism whereby the user, on first accessing the website's home page (or another page), is immediately shown an area or a banner of a size that is sufficient to perceptibly interrupt the experience of browsing the contents of the relevant web page whilst preventing the risk for a user to activate commands and therefore make uninformed and/or unwanted choices:
  • In determining whether the banner size is adequate and appropriate consider different devices a data subject may be using. The banner will have to be an integral part of a mechanism that, while not preventing the retention of default settings, also allows for an affirmative action such as to reflect the indication of the data subject's consent.
• The mechanism to enable continued browsing without giving any consent has to be as user-friendly and accessible as the one in place for giving one's consent:
  • If the user chooses to keep the default settings and therefore not to give his or her consent to the storing of cookies or the use of other tracking techniques, that user could therefore simply close the banner by clicking the 'X'.
  • 'X' needs to be normally positioned at the top right end of the banner area - without having to access other ad-hoc areas or pages.
  • The command has to be as visible as any other commands or buttons that may be used to flag other choices available to the users.
  • After this choice you need to stop presenting the banner on the occasion of subsequent accesses by that user – subject to the exceptions listed above.

In addition to the 'X' at its top right end, the banner must contain at least the following information and options:

• A warning that if the banner is closed by clicking on the 'X' at its top right end, the default settings are left unchanged browsing can continue without cookies or other tracking tools other than technical ones.
• A minimal information notice that the website uses, if any, technical cookies or other technical tools and may, only after obtaining the user's consent according to the mechanism to be specified in this short information notice, also use profiling cookies or other tracking tools in order to send advertisements and/or customise its services beyond what is strictly necessary for the provision of those services, in line with the preferences expressed by the user in the context of his/her use of functionalities and web browsing and/or for the purpose of analysing and monitoring the behaviour of website visitors.
• A link to the privacy policy, or to a second-layer extended information notice – which should be one-click away through a link to be placed in the footer of any page of the domain accessed by the user - where at least all the information referred to in Articles 12 and 13 of the GDPR is provided clearly and thoroughly including with regard to the technical cookies or tools (see, in this regard, paragraph 8 below).
• A command (button) through which consent can be given by accepting the storage of all cookies or the use of other tracking tools.
• A link to an additional dedicated area where the user can select, individually, the functionalities, the so-called third parties - whose list must be kept up-to-date whether they can be reached through ad-hoc links or via links to the websites of intermediaries representing them - and the cookies - possibly grouped into homogeneous categories - to which the user chooses to consent. If cookies are grouped into homogeneous categories and the list of the third parties changes as reflected by the links placed in this area, i.e., if additional third parties are included in the said list, it shall be for the first party (i.e., the website operator) to accurately select them and carry out the necessary supervision to ensure that the inclusion of these new entities and the resulting processing operations continue to be in line with the grouping by homogeneous categories.

Where only technical cookies or similar tools are implemented, their presence may be referred to on the home page or else in the general information notice without the need to display ad-hoc banners that users will then have to remove/deactivate.

Stakeholders (academia, industry, trade associations, decision-makers, stakeholders, etc.), need to adopt a standardised codification of the types of controls, colours, and functions to be implemented on websites in order to achieve the widest possible uniformity - for the sake of transparency, clarity, and enhanced compliance.

Whenever the banner containing the short information notice and user options is displayed again, as well as whenever the user changes his or her initial choices under the terms described above, any options selected on the occasion of subsequent accesses will have to override and supersede the previous ones. Commands and characters should be of the same size, emphasis, and colours and all such commands and characters should be equally easy to view and use.

The Garante suggested the following best practice: placing a graphical sign, an icon, or any other technical tool on each page of the relevant domain, also close to the link to the area for selecting one's options, so as to flag – also summarily – the consent configuration applying to the given user and thus allowing the changing or updating of such configuration at any time.

First-party and third-party analytics cookies

• In order for analytics cookies to be treated on a par with technical cookies, it is essential to prevent direct identification – i.e., singling out - of the data subject through their use, which is tantamount to preventing the use of analytics cookies that can work as direct, unique identifiers on account of their features.

• Analytics cookies will have to be structured in such a way as to enable the same cookie to relate to several devices, which will create reasonable uncertainty as to the IT identity of the cookie recipient. This is usually achieved by masking out appropriate portions of the IP address in the cookie. (e.g. the last 4 digits of a 32 bit IPv4 IP address and similar procedures for IPv6)

• Analytics cookies to be only used for the production of aggregated statistics and in relation to an individual website or mobile application, so as not to allow tracking an individual's navigation across different applications or websites.
• Third parties providing web measurement services to the publishers shall not match the data, even if minimised in the manner described above, with any other information (such as customer records or statistics concerning visits to other websites) nor will they forward such data to other third parties since this will result into unacceptably increasing user identification risks.
• Statistical analyses concerning several domains, websites or apps that can be traced back to one single controller can be considered lawful even in the absence of the aforementioned minimisation measures – on condition such analyses are performed by way of the controller's own resources and do not turn into activities that go beyond statistical counting and take on ultimately the features of processing operations aimed to enable business-related decision-making.

Privacy notices

• Present using several channels and arrangements, for example video channels, information popups, voice interactions, virtual assistants, telephone messages, and chatbots, etc.

• Information contained in the banner should be accessed without any discrimination by disabled persons who need assistive technologies or specific configurations.

• Controllers need to disclose, by means of an integration to the information provided, at least the coding criteria of the identifiers implemented by them. Alternatively, controllers might consider placing the said coding also within their privacy policies.

Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
[email protected]
Fox Rothschild LLP, Philadelphia

1. See: https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9677876#english