Cookies and collecting personal data
Cookies are essential tools for websites to operate, allowing you to manage certain basic functions (for example, recognising a user or managing a shopping cart in e-commerce activities). But they also have great potential for collecting personal information on how people browse websites, enabling you to deploy highly effective direct marketing campaigns. Thanks to cookies, for example, you can offer a person targeted advertising, based on their searches on other sites they visited before entering a new webpage. They also let you implement marketing actions that reproduce the same message across the various websites people visit (so-called retargeting).
Cookies (or mechanisms based on the same principle) let you know whether an email marketing campaign was successful: whether an email message has been read, how many times it was opened, and whether it was forwarded to other people.
Cookies, data protection legislation in Europe and the impact on the rest of the world
For a long time, these tools were used essentially unknowingly by most web users, but things changed in 2009 when several countries (particularly in the EU) issued regulations that imposed rules for the collection of personal data through cookies, based on providing the person with a disclosure and obtaining their consent.
Those who send the content of their websites to European residents are therefore required to know these rules to prevent any disputes from the European Authority.
The rules at a glance
In a nutshell, the essential rules stipulate that when accessing the home page or another page of a website, a clearly visible banner must appear, clarifying some basic elements:
- it must be specified whether the site uses profiling cookies to send targeted advertisements;
- it must be specified whether the site also uses “third-party cookies”, i.e. cookies that collect data which will be used by a site other than the one being visited;
- it must provide a link that allows the user to read a more extensive disclosure, indicating how cookies sent by the site are used, and specifying that the user can refuse consent to their installation, either directly or, in the case of “third-party cookies”, by connecting to the various third-party websites.
However, the use of technical cookies is still allowed, so that the short disclosure does not reappear on the user’s second visit, keeping track of their consent provided on the previous visit.
Finally, it must ensure that the user retains, in any case, the ability to change their choices regarding cookies by using the extensive disclosure, which must be available on every page of the website.
Specific aspects of the rules on cookies
From a practical point of view, it is worth bearing the following aspects in mind to have an accurate overview of the legislation:
a) Scope of application
- Analytical cookies are treated as technical cookies only when made and used directly by the first-party website to improve its usability.
- If analytical cookies are made available by third parties, the holders are not subject to the obligations where:
- A) tools are adopted that reduce the cookie’s identifying ability (e.g. by concealing large parts of the IP address);
- B) the third party agrees not to match the information contained in the cookies with other information it already has in its possession.
- If the website contains links to third-party websites (e.g. advertising banners, links to social networks) that do not require the installation of profiling cookies, there is no need for the disclosure and consent.
- In the extensive disclosure, the consent to the use of profiling cookies can be requested by category (e.g. travel, sport).
- You can display a single notification for all the other websites that are managed with the same domain.
- The obligations apply to all websites that install cookies on users’ terminals, regardless of whether they have a base in Italy.
b) Using analytical third-party cookies
In line with the Authority’s simplification approach, the regulation already clarifies that analytical cookies (which are used to monitor how visitors use the website, for optimization purposes) can be treated as technical cookies when they are created and used directly by the first-party website (therefore with no third-party intervention).
In many cases, however, websites use analytical cookies produced and made available by third parties merely for statistical purposes. In these cases, the websites mentioned above are not subject to the requirements and formalities required by the legislation if suitable tools are adopted to reduce the identifying ability of the analytical cookies they use – for example, by concealing large parts of the IP address.
Moreover, the use of these cookies must also be subject to contractual links between websites and third parties, in which express reference is made to the third party’s commitment to use them solely for the provision of the service, to keep them separate, and not to “enrich” or “match” them with other information they may have.
c) Using platforms that install cookies
In some requests, it has been pointed out that it is difficult to make the changes necessary to implement the cookie legislation to platforms, widely used to create websites, which sometimes already contain preconfigured tools to manage cookies or widgets.
d) Individuals required to display the banner: the role of first-party websites
In terms of the responsibility of managers of first-party websites regarding the installation of profiling cookies from “third-party” domains, such individuals play the role of mere technical intermediary for the installation of such cookies.
It is worth noting, however, that due to the “distributed nature” of such processing, which in any case involves the first-party website in the process, the consent to the use of third-party cookies involves two elements that are both necessary. Firstly, the presence of the banner, which produces the appropriate event to provide documented consent (responsibility of the first party). Secondly, the presence of the updated links to websites operated by third parties where the user can make their own choices on the categories and individuals from whom they will receive profiling cookies.
It is also made clear that if the website’s banner ads or links to social networks are basic links to third-party websites that do not install profiling cookies, there is no need for the disclosure and consent.
e) Procedures for obtaining consent
The solutions for acquiring consent based on the “scroll” method, i.e. continuing to browse the same webpage (widely used and particularly significant in the case of mobile devices), are considered to be in line with the legal requirements as long as they are clearly indicated in the disclosure and are able to generate a recordable and documentable event in the server of the website operator (first party), which may be classed as a positive action by the user.
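The following JavaScript is an added example, not part of the original article or of any regulator's reference material. It shows server-side logic for three points made above: setting only technical cookies until a choice is on record, turning a banner click or scroll into a documentable event with a technical cookie that remembers it, and concealing a large part of the IP address before it is stored. The cookie name, value format, lifetime and mask widths are assumptions.

```javascript
// Added example. Cookie name, value format, lifetime and mask widths are assumptions.
const CONSENT_COOKIE = "cookie_consent";              // hypothetical technical cookie
const OPTIONAL = ["analytics", "profiling", "third_party"];
const MAX_AGE = 180 * 24 * 3600;                      // assumed lifetime: 180 days

// Conceal a large part of the address before it is stored anywhere.
function maskIp(ip) {
  if (!ip.includes(":")) {
    const o = ip.split(".");
    if (o.length !== 4) throw new Error("bad IPv4 address");
    return `${o[0]}.${o[1]}.0.0`;                     // keep the first 16 bits
  }
  const [head, tail = ""] = ip.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const pad = ip.includes("::") ? Array(8 - h.length - t.length).fill("0") : [];
  const groups = [...h, ...pad, ...t];
  if (groups.length !== 8) throw new Error("bad IPv6 address");
  return groups.slice(0, 3).join(":") + "::";         // keep the first 48 bits
}

// Read the stored choice; null means no choice is on record, so the banner is shown.
function readConsent(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const [name, value] = part.trim().split("=");
    if (name === CONSENT_COOKIE && value) {
      return new Set(value.split("-").filter((c) => OPTIONAL.includes(c)));
    }
  }
  return null;
}

// Technical cookies are always set; every other category needs a recorded opt-in.
function allowedCookies(cookieHeader, wanted) {
  const consent = readConsent(cookieHeader);
  const set = wanted.filter((c) => c.category === "technical" || consent?.has(c.category));
  return { showBanner: consent === null, set: set.map((c) => c.name) };
}

// Turn a banner click, a settings change or a scroll into a documentable
// server-side event plus the technical cookie that remembers the choice.
function recordConsent(granted, action, clientIp, now = new Date()) {
  const kept = OPTIONAL.filter((c) => granted.includes(c));
  const event = { at: now.toISOString(), action, granted: kept, ip: maskIp(clientIp) };
  const attrs = `Max-Age=${MAX_AGE}; Path=/; Secure; HttpOnly; SameSite=Lax`;
  return { event, setCookie: `${CONSENT_COOKIE}=${kept.join("-") || "none"}; ${attrs}` };
}
```

The `event` object is what would be appended to the operator's consent log; unknown category names in the request are dropped rather than stored.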
How data can be processed using cookies in practice
Let’s look at some practical examples of how a banner can be structured for cookies, also given the experience already gained abroad.
1) Example of banner or pop up on entering a website
The text in the banner can vary in length. A thorough and descriptive text is more reassuring and explains the essential terms of a subject that many people are not at all familiar with. Here of course everyone has to make their own assessments and weigh up the solution they find most suitable, taking into account the type of website and characteristics of those visiting it.
For example, a concise text to be placed in a banner could be:
A choice of two buttons should then be provided:
- “Set up Cookies” which allows you to access a section of the website to enable or disable the various types of cookies used by the website;
- “Accept and continue”, which gives instant access to the website.
2) Example of a disclaimer to be placed in email messages in the case of an email marketing campaign
As for the tools that allow you to collect the data on whether an email is opened, read, and forwarded, it is good to include some useful information within the message.
Space for this disclaimer can be found in the email footer:
Email and Cookies
These specific examples give you an idea of the choices you need to make to manage the impact of these rules most effectively.
We recommend not using the “copy and paste” technique. What might be suitable for one site might not work for another. Everyone is faced with this issue of ensuring that cookies are properly presented to users of every website, allowing them to make a conscious choice of whether to accept or reject them. This is the only way of complying with the basic principle, according to which all users can have control over their own information, even if it is collected as a result of their browsing behaviour.