Guidelines for Cookies and GDPR: everything you need to know about the 2021 update

Discover everything you need to know about the new Cookie and GDPR guidelines in 2021. You'll find info on updates and cookie management.

This article provides an overview of the guidelines on cookies and the GDPR updated in 2021. However, since privacy and data protection regulations are subject to changes, we invite you to check for any updates or legislative modifications that may have occurred from 2021 until now. The information reported might not reflect the most recent developments, so we advise you to consult official sources to ensure you are always in line with current regulations.

On June 10, 2021, the Data Protection Authority approved the provision n. 231 concerning “Guidelines on cookies and other tracking tools” (web doc n. 9677876), published in the Official Gazette no. 163 of July 9, 2021. The previous regulation dates back to 2014, but did not take into account the latest European regulatory updates (GDPR).

The good news? There are still 6 months to comply.

This moratorium should be read as the Supervisor's invitation to action: every party acting as a data controller is urged to review its operational practices, verify that they comply with the instructions provided, and modify them so that they conform to the new guidelines.

From today developers have the official rules in black and white to adapt their web platforms to the new requirements, which were already under discussion in 2020 and were defined in mid-June 2021.

What are the important new developments for Cookie management in 2021

  • On the first access to the site, only technical Cookies may be saved on the user’s device. For all others, explicit consent is required.
  • The consent request screen must always be displayed on first access, and must contain at least:
    • a button to accept all cookies;
    • an option for more granular control, giving the user greater freedom of choice;
  • The default duration of Cookies should be 6 months, unless conditions change or the site is unable to save Cookies on the user’s device.
  • The text must be clear and simple and must contain a link to the full privacy policy.
  • Scrolling can no longer be considered an expression of user consent.
  • No ‘Cookie Wall’: the site must remain navigable even if the user has refused consent to Cookies.

The applicable regulations and the need for updating the Guidelines for GDPR and Cookie

All the new regulations have been integrated into the GDPR, so today the manifestation of consent from the interested party must not only be free, specific, and informed, but also unambiguous.

The Authority states that given the behavioral evolution of users online (think Internet of Things), the risk for individuals to be subject to extremely specific and detailed profiling has increased, thanks to the cross-referencing of data collected across multiple terminals.

For this reason, a rethink of the use of Cookies and tracking tools, centered on user protection in an increasingly digitalized and interconnected society, is necessary.

The use of Cookies and other tracking tools was already regulated by the ePrivacy Directive of 2002, as implemented in Italy by articles 122 and following of the Privacy Code (d.lgs. n. 196/2003).

The relationship of this regulation with the GDPR is clarified by Article 95 of the Regulation, which states that it “does not impose additional obligations on natural or legal persons in relation to processing within the context of the provision of electronic communication services accessible to the public via Union public communications networks, as regards matters for which they are subject to specific obligations having the same objective set by Directive 2002/58/EC.”

The ePrivacy Directive thus sets itself as lex specialis with respect to the GDPR, integrating and clarifying its provisions that serve as a general regulatory framework.

Tracking, Consent and Cookie Wall in 2021

As previously stated, for technical cookies the website owner only has to provide the personal data processing information, which may also be included in the general website terms. For profiling cookies and for all non-technical tracking tools, the user’s consent will instead be required.

Indeed, with reference to Article 122, the Authority clarified that it is not lawful to invoke the legitimate interest of the data controller as the legal basis for the processing, a practice that was instead very common on the web, as noted by the Authority during its checks.

The so-called ‘Cookie Wall’ was likewise rejected, i.e. the binding mechanism whereby the user must necessarily grant consent to the processing of personal data through Cookies in order to access the site.

In these cases, the data subject’s expression of consent results from the lack of alternatives, so it cannot be said with certainty that it is a free choice. Theoretically, the site owner may try to prove that they offered the data subject the possibility of accessing equivalent content or services without providing consent; in practice, such a situation seems rather unlikely.

Finally, regarding the possibility of postponing the choice, the Supervisor identifies only some cases in which it is possible to reiterate the request, namely when there is a specific and necessary informational purpose due to significant changes in one or more processing conditions, when it is impossible for the controller to keep track of whether a Cookie has already been installed on the user’s terminal (for example, when the user has deleted stored Cookies), or when at least 6 months have elapsed since the previous banner presentation.

The storage period suggested by the Garante is therefore a maximum of 6 months.


Cookie banner, Privacy by design and Privacy by default

The GDPR Article 25 has codified the principles of Privacy by design and Privacy by default, from which derives an obligation for data controllers to incorporate personal data protection as a default setting from the design of processing.

In substance, Privacy by default means that, upon first access, no Cookie or tracking tool that is not technical is used. Only in this way can the owner ensure that, by default, only the data strictly necessary for the functioning of the website are processed.

The data subject must then be given the possibility of consenting to the use of profiling Cookies or other non-technical tracking tools, through the dedicated banner containing the short information notice.

The banner must constitute a “perceptible discontinuity in content consumption”, and therefore closing it by clicking the ‘X’ should prevent it from being presented again for at least 6 months. In this way, excessive requests are avoided, which would risk undermining the perceived value of the banner’s content.

In addition to the banner, the footer of the various pages of the website must contain a link giving access to an area through which the user can modify, at any time, the choices made in relation to Cookies and other tracking tools.
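The banner rules listed at the start of the article and the Privacy by default behaviour described in this section translate into a small piece of consent-gating logic: nothing non-technical loads until an explicit choice is recorded, closing the banner counts as a refusal that suppresses it for 6 months, and the banner returns when the record is missing (user cleared cookies), stale (6 months elapsed), or tied to an older policy version (processing conditions changed). The following is an added example written for this article, not code from the Garante or from Hosting4Agency. It keeps the storage and clock injectable so it runs outside a browser; the storage key `cookie_consent`, the category names `analytics` and `profiling`, the 182-day approximation of "6 months" and the `policyVersion` field are all assumptions of the example.

```javascript
// Added example: consent gating modelled on the 2021 Garante guideline points.
// Assumptions (not from the guidelines): storage key, category names, 182-day
// approximation of "6 months", and a policyVersion string to detect changes.
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000;
const NON_TECHNICAL = ["analytics", "profiling"]; // categories that need consent
const STORAGE_KEY = "cookie_consent";

// Minimal localStorage look-alike so the example runs in Node without a DOM.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

function createConsentManager({ storage, now = () => Date.now(), policyVersion = "1" }) {
  function read() {
    const raw = storage.getItem(STORAGE_KEY);
    if (raw === null) return null;
    try { return JSON.parse(raw); } catch (e) { return null; } // corrupted record = no record
  }
  function write(record) { storage.setItem(STORAGE_KEY, JSON.stringify(record)); }

  // The banner must be shown again only in the cases the guideline allows:
  // no record (first visit or cookies deleted), changed conditions, or 6 months elapsed.
  function bannerRequired() {
    const rec = read();
    if (rec === null) return true;
    if (rec.policyVersion !== policyVersion) return true;
    if (now() - rec.decidedAt >= SIX_MONTHS_MS) return true;
    return false;
  }

  // Record a granular decision; anything not explicitly true is treated as refused.
  function decide(choices) {
    const rec = { policyVersion, decidedAt: now(), choices: {} };
    for (const c of NON_TECHNICAL) rec.choices[c] = choices[c] === true;
    write(rec);
    return rec;
  }
  function acceptAll() {
    return decide(Object.fromEntries(NON_TECHNICAL.map((c) => [c, true])));
  }
  function rejectAll() { return decide({}); }
  // Closing via the 'X' is not consent: it stores a refusal so the banner stays
  // away for 6 months while no non-technical cookie is set (Privacy by default).
  function dismiss() { return rejectAll(); }

  // Technical categories never need consent; non-technical ones need a fresh,
  // explicit "true" for that specific category.
  function allowed(category) {
    if (!NON_TECHNICAL.includes(category)) return true;
    if (bannerRequired()) return false;
    return read().choices[category] === true;
  }

  return { bannerRequired, decide, acceptAll, rejectAll, dismiss, allowed, read };
}

// Gate a tag loader (in a browser, `loader` would inject the third-party script).
// Returns whether the loader actually ran.
function loadTagIfAllowed(manager, category, loader) {
  if (!manager.allowed(category)) return false;
  loader();
  return true;
}

// Walk through a visitor's lifecycle with a controllable clock.
function scenario() {
  let t = 1700000000000; // constructed epoch value
  const storage = memoryStorage();
  const m = createConsentManager({ storage, now: () => t, policyVersion: "2021-06" });
  const trace = [];
  trace.push(["first visit, banner required", m.bannerRequired()]);
  trace.push(["analytics allowed before choice", m.allowed("analytics")]);
  m.decide({ analytics: true }); // granular choice: analytics yes, profiling no
  trace.push(["analytics allowed after choice", m.allowed("analytics")]);
  trace.push(["profiling allowed after choice", m.allowed("profiling")]);
  t += SIX_MONTHS_MS; // six months pass
  trace.push(["banner required after 6 months", m.bannerRequired()]);
  trace.push(["analytics allowed after expiry", m.allowed("analytics")]);
  return trace;
}
```

The point to check in a real deployment is the last two lines of the scenario: once the record is stale, `allowed()` returns false again, so a site that only checks "was consent ever given" rather than "is the recorded consent still valid" would keep loading analytics past the 6-month limit.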

Cookies and other tracking tools in 2021

The new regulation concerns the processing of personal data carried out through Cookies and other tracking tools.

The Supervisor highlights that, while in the case of Cookies or ‘active’ tracking tools the data subject still has the practical possibility of directly removing Cookies from their terminal, no such option exists when passive tracking tools are used. In the latter case, therefore, users have less control over the processing of their data and often also less awareness of it.

The Authority states that there is no universally accepted system for semantic encoding of Cookies and other tracking tools, hence the distinction between various categories remains, in fact, entrusted to the determination of individual data controllers, despite the fundamental consequences that inclusion in one category or another entails from the perspective of user protection regulations.

Cookies Analytics

The Authority dedicates a specific paragraph of the Cookie Guidelines to Analytics cookies, i.e. those used for evaluative purposes regarding the site’s performance and its design, through statistical analysis of user traffic.

The multiplication of digital identities has made it simpler to identify a given user, given the possibility of cross-referencing different data to track their behavior on the same platform. Therefore, policies regarding third-party Analytics Cookies need to be revisited, because when combined with information collected from other sites or devices used by the same user, they can enable such identification.

The old Guidelines of the Supervisor distinguished between first-party Analytics Cookies (comparable to technical cookies and therefore usable without consent) and third-party Analytics Cookies (equivalent to technical cookies only where the data were anonymized). The new Guidelines reiterate the same rule, with the caveat that any aggregation of the data could compromise the anonymization.

Do you want to navigate safely in the sea of cookies? Hosting4Agency is your compass.
If you have questions or need assistance to ensure your site’s compliance, we are here to help!
