An update on cookies in Italy


On 16 January 2015, the Italian Data Protection Authority (the “Authority”) published on its website a “video tutorial”, a guideline document and a “frequently asked questions list (FAQ)” about information policies and consent requirements for the use of cookies. These further explain the rationale for its decision no. 229 of 8 May 2014: “Individualization of simplified modalities for the information and obtainment of the consent in relation to the utilization of cookies”.

The intervention of the Authority is part of an awareness campaign on cookies promoted in favour of internet users.

Firstly, the document distinguishes between:

    a) “technical” cookies, which are used in order to perform the navigation or to provide the service requested by the user; and

    b) “profiling” cookies, which are used in order to monitor the navigation and collect information on the user’s preferences, habits and personal choices.

This difference is significant from an operational standpoint: “technical” cookies may be installed on the browser of anyone surfing the internet without prior consent, while “profiling” cookies require not only the consent of the data subjects, but also notification to the Authority.

In other words, any data controller subject to Italian laws shall notify the processing of personal data through profiling cookies to the Authority before commencing any processing.

In addition, the Authority clarified that internet users must be provided with two information notices on cookies:

    a) the “brief” information policy, to be provided when accessing the website through a banner; and

    b) the “extended” information policy (available through a link contained both in the “brief” information policy and in the footnote of each page of the visited website), which must contain all elements provided for in Section 13, Privacy Code: a link to the updated information policy, as well as a specific form regarding the use of “third parties’ cookies”.

The instructions are quite straightforward. However, they have practical significance, considering that all companies have websites and all websites make use of cookies. Based on PwC’s experience with businesses based in Italy, it is not common when surfing the web to find organisations that are fully compliant with the requirements listed above.

More broadly speaking, it is interesting to note that the Italian regulation on cookies was issued as an implementation of the EU directive, but the obligations demanded by the Authority are not mirrored in all jurisdictions. By way of example, the prior notification for profiling activities is not a requirement in all EU countries.

Will the new regulation help in standardizing compliance by data controllers and, above all, the interpretations and practices of the data protection authorities?