Italy: Garante's new guidelines on cookies and similar tracking technologies - key takeaways
In addition, the Guidelines note that the Garante's previous guidance on Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies [2], while maintaining its relevance, needs to be integrated with specific reference to certain aspects such as scrolling as a lawful means to collect consent for profiling cookies and the use of cookie walls.
Scope of application - beyond cookies and traditional terminal devices
The Guidelines provide that the concept of terminal device no longer merely comprises traditional tools such as tablets or smartphones, but must be extended to Internet of Things ('IoT') devices, which are designed to connect to the web and among themselves in order to offer various services, not necessarily limited to communication.
'Active' v. 'passive' identifiers
The Guidelines provide a distinction between 'active' and 'passive' identifiers.
With active identifiers, such as cookies, the user has the possibility of directly removing identifiers from his/her device, as well as the possibility of exercising the rights provided by the GDPR to data subjects.
On the other hand, with passive identifiers, such as fingerprinting, the user is not offered any instruments that he/she can act on autonomously, and must therefore turn to the data controller. In fact, passive identifiers do not imply the storage of and/or access to information on the user's device, but merely the reading of its configuration, which makes the device identifiable and results in the creation of a 'profile' that only the controller is able to access.
More specifically, the Guidelines outline that fingerprinting is one of the most commonly used passive identifiers, and that it represents a technique through which it is possible to identify the user's device by collecting information on its configuration. For this reason, the Guidelines confirm that fingerprinting is to be included in their own scope.
Scrolling as a lawful means to collect consent
In this regard, the Guidelines note that publishers may in theory make use of more developed means based on the idea of the 'dynamic web,' such as the transmission from the browser of events like the movement of the mouse on the website (a so-called 'pattern'). Such means could make it easier than traditional virtual buttons to detect positive and unequivocal actions of the user. These actions could in fact lead to configuration changes of specific website areas (such as colour, format, or position) and/or of the information provided in those same areas, which could be codified by the website and interpreted as an expression of consent. However, the Guidelines recall that these alternative means must always make clear to the user the consequences of his/her actions, with the aim of avoiding 'false positives,' i.e. the mistaken interpretation of casual actions as a positive expression of consent.
The Guidelines provide that cookie walls are to be considered invalid, with the exception of the case (to be verified on a case-by-case basis) where the website manager provides the user with the possibility of accessing equivalent content/services without the need to consent to the installation of cookies. In this regard, the Guidelines point out that the alternative will have to be considered equivalent when it is compliant with, among others, Article 5(1)(a) of the GDPR, which provides that personal data must be processed in a lawful, fair, and transparent manner.
Re-collection of consent
The Guidelines acknowledge the existence of the invasive practice of website managers repeating the request for consent via cookie banner at each visit by the user.
In this regard, the Guidelines provide that, according to Article 7 of the GDPR, data controllers using cookies and other tracking technologies must implement a mechanism that allows them to record and prove the collection of consent. Therefore, the Guidelines highlight that once they have collected consent, controllers will not have to re-collect it at each visit by the user to the website, unless:
- the conditions of collection have changed; or
- it is impossible for the controller to be aware of the fact that a cookie has already been installed on the device so as to be re-transmitted, when the user re-accesses the website, to the website that generated the cookie itself. This is the case where, for example, the user deletes the cookie installed on his/her device. The Guidelines recall that this action does not amount to the exercise of the right to object provided by the GDPR.
Privacy by Design and by Default for cookies
The Guidelines stress the fact that the Garante's previous guidance on cookies maintains its validity in relation to the mechanism for the collection of consent. However, the Guidelines also note that the Garante's guidance must be updated in light of the principles of Privacy by Design and by Default, as provided by Article 25 of the GDPR.
In practice, the Guidelines outline that, when the user merely accesses the website:
- non-technical cookies must not be installed by default; and
- the use of any other active or passive profiling techniques is not allowed.
Moreover, the Guidelines state that the user, when presented with the cookie banner, must be able to deny his/her consent to cookies by closing the banner through a top-right 'X' button, without accessing any other cookie-related webpage.
The Guidelines provide that the cookie banner must include at least the following:
- minimum information in relation to the website's use of technical and profiling cookies;
- the possibility of consenting to the use of all the cookies and other tracking technologies; and
- a link to a webpage where the user will be able to select granularly the functionalities, the third parties (in relation to which an up-to-date list must be maintained), and the cookies, possibly grouped by category, that he/she consents to. In this case all the choices must be de-selected by default. The user must also be provided in this webpage with the possibility of giving/withdrawing consent to all the cookies.
When designing the 1st layer, the Guidelines recommend that data controllers use buttons of the same size, emphasis, and colour, which have to be equally easy to see and use, in order to ensure that users are not influenced by the design choices.
- information on the means through which data subjects can exercise their rights under the GDPR;
- information on the potential recipients of the data subjects' personal data;
- information on the retention periods for information collected through cookies;
- information on the criteria through which cookies are categorised semantically. These criteria could be requested by the Garante as part of an investigation.
Alternative cookie policies
The Guidelines note that analytics cookies may be deemed technical cookies, if certain conditions are met, in accordance with the principle of Privacy by Design.
In particular, the Guidelines outline that data minimisation measures must be adopted in order to reduce the identification power of third-party analytics cookies. In practice, the Guidelines state that it must be impossible to directly identify the data subject through analytics cookies, which means that the use of analytics cookies that, considering their features, act as direct and univocal identifiers is not permitted.
Therefore, the Guidelines provide that the structure of analytics cookies must ensure that the same cookie can be matched not to just one device, but to several devices, in order to obtain a reasonable uncertainty as to the digital identity of the user. This result is usually obtained by integrating the structure of the IP address within the cookie and masking portions of that same address. In practice, the Guidelines note that one of the measures that can be implemented in order to treat analytics cookies as technical ones, considering IP address version 4 ('IPv4'), is to mask at least ¼ of the IP address, which enables an identification uncertainty of 1/256 (approx. 4%). The Guidelines recall that similar procedures can also be implemented with IP address version 6 ('IPv6').
In any case, the Guidelines stress the fact that the data minimised in this way must not be combined with other information (such as customer files and audience measurement) or shared with third parties. Lastly, the Guidelines note that the use of analytics cookies must be limited to the production of aggregated statistics and must be confined to a single website or mobile app, so that tracking of the user surfing across different applications or websites is not permitted.
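The masking step described above, as an added illustration that is not part of the Guidelines or of any Garante tool: the low-order bits of the address are zeroed before the address is used in the analytics cookie, and the number of devices that collapse onto the same masked value gives the identification uncertainty. The choice of keeping 24 bits of an IPv4 address (masking ¼ of it) and 48 bits of an IPv6 address, and the sample addresses, are assumptions made for this example.

```python
# Added example, not from the Garante Guidelines: masking an IP address so
# that the masked value is shared by many devices before it is integrated
# into an analytics cookie. Defaults and sample addresses are assumptions.
import ipaddress

IPV4_MIN_MASKED_BITS = 8  # at least 1/4 of a 32-bit IPv4 address, per the text


def mask_ip(addr: str, v4_keep_bits: int = 24, v6_keep_bits: int = 48) -> str:
    """Keep only the first `keep` bits of the address; the rest are zeroed.

    The result is the network address of the corresponding prefix, e.g.
    203.0.113.77 with 24 kept bits becomes 203.0.113.0.
    """
    ip = ipaddress.ip_address(addr)
    keep = v4_keep_bits if ip.version == 4 else v6_keep_bits
    net = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(net.network_address)


def addresses_sharing_mask(addr: str, keep_bits: int) -> int:
    """Number of addresses that map onto the same masked value: 2**(masked bits).

    For IPv4 with 8 masked bits this is 256, i.e. an uncertainty of 1/256.
    """
    ip = ipaddress.ip_address(addr)
    return 2 ** (ip.max_prefixlen - keep_bits)


def meets_ipv4_threshold(keep_bits: int) -> bool:
    """True when at least 1/4 of an IPv4 address (8 bits) is masked."""
    return 32 - keep_bits >= IPV4_MIN_MASKED_BITS


def analytics_ip_component(addr: str, keep_bits: int) -> str:
    """Masked address to place in the cookie; refuses IPv4 masks below 1/4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and not meets_ipv4_threshold(keep_bits):
        raise ValueError(f"keeping {keep_bits} bits masks less than 1/4 of IPv4")
    return mask_ip(addr, v4_keep_bits=keep_bits, v6_keep_bits=keep_bits)


if __name__ == "__main__":
    for sample in ("203.0.113.77", "2001:db8:abcd:1234::5ace"):  # constructed
        keep = 24 if ipaddress.ip_address(sample).version == 4 else 48
        print(sample, "->", analytics_ip_component(sample, keep),
              "shared by", addresses_sharing_mask(sample, keep), "addresses")
```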
The Guidelines have been under public consultation for 30 days from 10 December 2020. The publication of the finalised version is now expected from the Garante.
Matteo Quartieri Privacy Analyst
1. Available, only in Italian, at: https://www.garanteprivacy.it/documents/10160/0/Consultazione+sulle+%E2%80%9CLinee+guida+sull%E2%80%99utilizzo+di+cookie+e+di+altri+strumenti+di+tracciamento%E2%80%9D+-+Allegato+1+-+Linee+guida.pdf/72eab081-e4c4-4500-77c3-8b6957f8cd12?version=2.0
2. Available at: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3167654