Italian DPA Publishes Decision About Simplified Notice/Consent for Cookies

The Italian Data Protection Authority (Garante) has published a decision regarding “simplified arrangements” companies should follow to provide information about and get consent for the use of cookies in accordance with the EU e-Privacy Directive, as implemented by the Italian Data Protection Code. As with the EU Directive, the DPA differentiates between “technical cookies” which are those used exclusively to allow the website to function (and thus do not need consent), and “profiling cookies” which are those aimed at creating user profiles – in particular, the various types of cookies used to serve users with ads. Companies need to provide notice and obtain consent under the Code for profiling cookies, and the recent Italian decision outlines how that notice can be given and consent obtained. The Italian decision envisages a two-staged notice process (similar to the approach in other regions, including Spain which we wrote about recently). First, when accessing the website, users must be shown an initial “short” notice in a banner. The short notice must inform the user that the website uses cookies, provide a clickable link to an “extended” notice, and explain how the user can signify their consent to the use of cookies. The extended notice must contain more detailed information about the types of cookies used by the website – including information about third party cookies that appear on the site – and how to deselect individual cookies. The decision anticipates that information about third party cookies could be collected and managed by a separate party to whom the site links. The decision reminds companies that if persistent profiling cookies are used, such use needs to be registered with the Italian DPA in compliance with the Code. Fines for non-compliance range from €36,000 (for failure to provide adequate information on cookies) to €120,000 (for using cookies without the user’s consent). In recognition of the resources needed to implement the procedures in the decision, the Italian DPA has given companies until June 2015 to comply with the procedures outlined in the decision (keep in mind, of course, that the Code itself is already in effect, and the decision merely clarifies how to follow the Code with respect to various types of cookies used for online advertising).

TIP: This decision should not be new for those operating in the EU, as like other EU countries, Italy has adopted a two-tiered approach to notice and consent for cookies commonly used to serve users with targeted advertising.