Who: Italian Data Protection Authority
Where: Italy
When: 3 June 2015
What happened:
The Italian DPA’s guidelines on the use of cookies have entered into force.
According to these guidelines, if targeting cookies are used to send marketing messages, the user must be shown a suitably sized banner immediately on accessing the home page (or any other landing page) of a website. The banner must contain the following information:
a) That the website uses profiling cookies to send advertising messages in line with the user’s online navigation preferences;
b) That the website allows sending third-party cookies as well (of course, if this is actually the case);
c) A clickable link to the extended information notice, where information on technical and analytics cookies must be provided along with tools to select the cookies to be enabled;
d) That on the extended information notice page the user may refuse to consent to the installation of any cookies;
e) That if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she signifies his or her consent to the use of cookies.
The banner must be of a sufficient size and must be an integral part of the action through which the user signifies consent. In other words, the banner can only cease being displayed on screen if the user takes action – by selecting any item on the page underneath the banner.
In line with the general principles of data protection, the publisher must in any case keep track of the user’s consent. To that end, an ad-hoc technical cookie might be relied upon.
Why this matters:
The failure to provide information or the provision of inadequate information, i.e. information that does not include the items specified in the guidelines as well as in Section 13 of the Italian Data Protection Code, carries administrative sanctions consisting of payment of a fine ranging from six thousand to thirty-six thousand Euro.
Installing cookies on users’ terminal equipment without the users’ prior consent carries an administrative sanction consisting of payment of a fine ranging from ten thousand to one hundred and twenty thousand Euro.
The failure to notify processing operations to the DPA, or the provision of an incomplete notification to the DPA under the terms of Section 37(1), letter d) of the Italian DP Code, carries an administrative sanction consisting of payment of a fine ranging from twenty thousand to one hundred and twenty thousand Euro.