DLP Insights

Cookies and other tracking tools: the Guarantor launches a public consultation

Categories: DLP Insights, Practice | Tag: privacy policy, Garante Privacy, Cookies

27 Jan 2021

On 10 December 2020, the Italian Data Protection Authority (“Guarantor“) launched a public consultation on the “Guidelines on the use of cookies and other tracking tools (the “Guidelines“) drafted on 26 October.

The Guarantor follows indications provided by the European Data Protection Board (“EDPB“) in the “Guidelines 5/2020 on consent under Regulation (EU) 2016/679” of 4 May 2020.

Cookies are small strings of text that websites (publishers or “first parties”) visited by the user or different websites or web servers (“third parties”) place and store on the used device (e.g. Smartphone, PC or Tablet). Cookies allow to collect information and improve the user/data subject’s navigation.

Regulation (EU) 2016/679 on personal data protection (“GDPR“), while not directly modifying the rules on such tracking tools, regulates the personal data processing consent. It established that the consent must be provided by data subjects through a “free, specific, informed and unequivocal manifestation of will (see Article 4, GDPR).

Under the accountability principle”, this focuses on implementing data protection principles by design and by default, making it necessary to analyse the correct way of issuing online privacy policies to users/data subjects and acquiring their consent, where required.

The Guidelines, implementing what was stated by the EDPB, clarify that:

  • “simple scrolling (i.e. “the action consisting in letting the page scroll to show on the screen the part underneath the banner containing the short information”) would never be suitable to fully express the data subject’s expression of will”; or
  • the reiteration of the collection of consent, if no changes have been made to the data processing, through a continuous repetition of the banner (short information notice) at each access, is “redundant and invasive.”

The Guidelines clarify that each data controller must provide data subjects/users with timely information on the processing of their data. This information must be provided on two levels: (i) short information notice or banner containing a link (ii) to the extended privacy policy.

After the public consultation directed at entrepreneurs, consumers, users and operators in the sector, and the analysis, followed by the possible implementation, of the comments received, the Authority will issue the final measure.

Other insights related:

More insights