The privacy supervisory authority’s new guidelines
in force as of January 2022.

What has changed, and how to adjust to avoid penalties.

On 10 January 2022, new instructions entered into force on the acquisition, management, use, and storage of personal data in terms of privacy policies and cookie policies.
Every website will have to take them into account or suffer penalties.

The objective fact

The privacy supervisory authority updates the guidelines

The Garante per la protezione dei dati personali has published (Gazzetta Ufficiale no. 163 of 9 July 2021) the Guidelines on cookies and other tracking tools used on websites (10 June 2021), with the aim of strengthening users' power to decide how their personal data are used when they browse online. The document is intended to update the indications contained in provision no. 229/2014 in light of the changes introduced by GDPR 679/2016 (in view of the changing behaviour of internet users themselves, who are increasingly inclined to multiply their digital identities as a result of accessing the many services and functions available, first and foremost social networks), of the European Data Protection Board (EDPB) Guidelines of May 2020, and of the indications that emerged from the public consultation launched at the end of last year.

The subject of the problem

Cookies and the GDPR: them again!

We’re talking about those “famous” cookies that each of us, whether we like it or not, has become acquainted with for some years now. The reason is simple: every website we visit shows us a banner saying something like: “This site uses cookies… accept!”.

Well, for some time these cookies have been subject to regulation: Europe, and therefore Italy as well, has drawn up laws to regulate them.

For anyone living in a digital bubble who has yet to understand what cookies are, here’s your answer: cookies are pieces of code that are saved on your device when you visit any website, in order to identify you and, in the best cases, to offer you benefits.

To recap, cookies allow more or less in-depth information to be obtained on the user and on the activities carried out when navigating a website: for example, where the user is coming from, where the user is going, what he or she does, how often he or she returns, where he or she connects from, and so on.

Clearly, this potential Big Brother does not jibe well with the concept of privacy, and lawmakers have by necessity had to seek a regulation.

The nature of Cookies

Technical cookies, analytics cookies, targeting cookies

In philosophy, we might wonder what these cookies’ ontology and phenomenology might be, or more simply ask ourselves: now that I understand what they are, strings that store my information, I should now wonder what use they make of that information. In other words, are all these cookies the same?

The answer is no. Cookies are not all created equal. Depending on their type they can have different functions, and this is why we can divide them into two macro-categories: technical cookies and targeting cookies.

Technical cookies

Technical cookies, while necessary and not requiring the acquisition of consent, do have to be indicated in the disclosure. These are cookies that are not stored in a persistent way on the user’s computer, and are deleted when the browser is closed. Would you like a few examples of technical cookies? They are the ones that allow you to log onto a website, or to transmit data from one page to another, for example in e-commerce.

Targeting cookies

Targeting cookies, on the other hand, are used to refer to specific identified or identifiable subjects, specific actions, or behavioural schemes recurring in the use of the offered functionalities.

In practical terms, targeting cookies allow website managers to offer increasingly customized services, and to send advertising messages in line with the preferences shown by the user in his or her online navigation.

We have a clear example of what targeting means when, after navigating a t-shirt or shoe website, we begin to see advertising for similar products on our social media or on other sites.

Analytics cookies

For a complete picture, we must not forget “analytics cookies” (which include, for example, the famous Google Analytics). These are cookies used to assess a service’s effectiveness by helping measure the traffic a website receives, which is to say the number of visitors broken down by geographic area, time frame of connection, or other characteristics. These cookies should be in anonymous form, which is to say they should be set to limit certain functions. Therefore, while not seen as excessively problematic cookies, they should still be declared, because this information, although generic, does not stay with the website manager, but is sent to Google’s servers (which is why they are called third-party cookies).

Conclusions

It should now be clear how problematic targeting cookies can be. In the best of cases, they may be useful and beneficial, because they help show offers and products that a user was actually looking for; but they in fact identify a user.

And as Shakespeare put it: “there’s the rub” – because there is a fine line between benefit and abuse.

The guidelines

What changes with the new Guidelines?

To recap: cookies allow websites to store information on our behalf; there are different types of cookies, each with different functions; the Privacy Supervisory Authority has reordered this landscape with the stringent regulations that took a decisive change of direction starting January 2022.

To be compliant, a website must meet these requirements:
  • Cookie Preferences Log:
    Among the new elements of the new 2022 version, the Supervisory Authority has introduced the requirement to log the user’s preferences regarding the use of cookies. Therefore, all website and/or app owners must log the cookie preferences expressed by the users visiting a website, by activating a Mandatory Cookie Preference Log. In other words, user consent information must be stored in a log timestamped with the date when the user granted his or her consent and also containing his or her IP address and the various types of cookies he or she has selected, with some browser details.
  • Cookie prior blocking:
    A system to request prior consent to store cookies is now mandatory. In other words, cookies cannot be installed on the user’s device until the user has accepted them expressly and in granular fashion (that is, he or she can choose whether to accept only technical cookies, or statistical ones, or targeting ones).
  • Unambiguous consent:
    Consent must be expressed by a positive and unambiguous act; the user’s action must be active: pre-ticked boxes are never suitable; nor is acceptance by scrolling suitable for the valid expression of consent.
  • Well delineated warning banner:
    The famous “Cookie wall” is no longer compliant; that is, a banner that invades the entire screen, impeding navigation of the site, is no longer allowed. This technique required the user to choose a banner option; otherwise he or she was not free to navigate the website.
    Furthermore, the banner must have a particular implementation: it must have an X or “close” button at the top right; closing the banner this way counts as refusing all types of cookies.
  • Reiteration of the banner:
    The user who has made his or her choice must no longer be shown any banner for six months. The user, then, is not to be disturbed with the banner’s display whenever he or she attempts to access the site, unless he or she has deleted his or her cookies, or new ones have been added.
  • Adequate disclosure:
    To allow the user to decide whether or not to accept the installation of the cookies, the website’s owner must provide adequate disclosure allowing the data subject to make a free and conscious choice as to whether or not to grant his or her consent. There must always be a link to the page with the complete disclosure.
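
As an added illustration (not code from the guidelines or from any consent tool named on this page), the sketch below models the consent log entry, prior blocking, the close button and the six-month banner rule in JavaScript. The category names, field names and the `cookieListVersion` string are assumptions.

```javascript
// Category and field names and the list-version string are assumptions.
const CATEGORIES = ["technical", "analytics", "targeting"];

// One consent-log entry: date, IP address, chosen cookie types, browser details.
function buildConsentRecord(choices, ctx) {
  const granted = { technical: true }; // technical cookies need no consent
  for (const c of CATEGORIES.slice(1)) {
    // Only an explicit `true` counts: no pre-ticked boxes, no consent by scrolling.
    granted[c] = choices[c] === true;
  }
  return {
    timestamp: ctx.now.toISOString(),
    ip: ctx.ip,
    userAgent: ctx.userAgent,
    cookieListVersion: ctx.cookieListVersion,
    granted,
  };
}

// The X / "close" button refuses every non-technical category.
function closeBanner(ctx) {
  return buildConsentRecord({}, ctx);
}

// Prior blocking: without a stored grant, only technical cookies may be set.
function maySetCookie(record, category) {
  if (category === "technical") return true;
  return Boolean(record && record.granted[category] === true);
}

// The banner may reappear only if the stored choice is gone (cookies deleted),
// the site's cookie list changed, or six months have passed since the choice.
function mayShowBanner(record, now, currentCookieListVersion) {
  if (!record) return true;
  if (record.cookieListVersion !== currentCookieListVersion) return true;
  const expiry = new Date(record.timestamp);
  expiry.setUTCMonth(expiry.getUTCMonth() + 6);
  return now >= expiry;
}

// Constructed sample visitor (documentation IP range, made-up user agent).
const ctx = {
  now: new Date("2022-01-10T09:00:00Z"),
  ip: "203.0.113.7",
  userAgent: "ExampleBrowser/1.0",
  cookieListVersion: "2022-01",
};
const consentLog = [buildConsentRecord({ analytics: true }, ctx)];
```

Each log entry holds an IP address and browser details, so the consent log is itself personal data and needs its own access control and retention period.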

For more in-depth discussion, consult the official guidelines here:

The solution

Adjusting to the GDPR: Seocrate’s proposal

Seocrate.it has contacted all the experts dealing with digital law and privacy.

In the sector there are two major international companies that have been dealing with these issues for years: Cookiebot and Iubenda.

In detail, both these services require an initial configuration and have a monthly fee: Cookiebot starting from € 9/month, and Iubenda from € 22/month. The main problems we’ve found are that customer care is not always very quick in answering you, that, since they are international parties, they have to adapt to Italian regulations (which are among the most stringent among the European countries), and lastly that they are not quite clear.

Iubenda: the unsettling details

Proof of this is the wording that closes all Iubenda pages, which reads as follows:

“Content available on iubenda.com and documents generated using the Service are intended for general information purposes only. Although all clauses and provisions inside the generator database have been drafted by a team of highly qualified legal experts and regularly undergo reviews and updates, documents are generated in a fully automated manner and therefore do not constitute or substitute the rendering of legal advice, nor does any assistance and customer support provided by iubenda establish an attorney-client relationship. This is why, despite all efforts in offering the best possible service, iubenda cannot guarantee generated documents to be fully compliant with applicable law. Users should therefore not rely upon documents generated using iubenda without seeking legal advice from an attorney licensed in the relevant jurisdiction(s).”

Reassuring, right? In translation: pay us, but if something happens it’s your (objective) problem!

The Wiesbaden (Germany) Administrative Court declared Cookiebot illegal

In an innovative decision, the Wiesbaden Administrative Court declared Cookiebot illegal. At trial, RheinMain University of Applied Sciences was prohibited from using the provider on its website.

In detail: the proceeding before the Wiesbaden Administrative Court (Case 6 L 738/21.WI) related basically to whether or not RheinMain University of Applied Sciences was using a cookie banner compliant with the GDPR on its website www.hs-rm.de. Ultimately, it is in particular the question of whether a website can even become compliant with the GDPR if the “Cookiebot” tool is used.

The court said no: the RheinMain University website is not authorized to use the Cookiebot cookie banner – the court declared the Cookiebot provider illegal. The university is required to cease integrating the “Cookiebot” service on its website, since it involves the unlawful transmission of the personal data of the website’s users, and therefore of the plaintiff.

Source: Declaration by Cookiebot CMP on the Wiesbaden preliminary ruling

Seocrate’s proposal

Could we at Seocrate.it propose something of this kind to our clients? It’s a rhetorical question with an honest answer: no.

We therefore made an agreement with a major Italian law firm that has been dealing with digital law and privacy since 2011, whose owner teaches at “Euroconference per le tematiche connesse al diritto dell’e-commerce” (“Euroconference on issues connected to e-commerce law”) and promotes numerous workshops on digital law and privacy.

Our job will be

  1. to allow you to create an account on their site,
  2. to make sure that your own site’s configuration is correct.

What’s more

  • you will have no restriction: in the future, you’ll pay this firm directly, without Seocrate.it being the middleman,
  • if you are already Seocrate.it clients, this initial setup will cost you only € 25 instead of € 50,
  • the yearly fee will be as shown below.

What could be cheaper and easier than that?

Showcase website
Starting from
€ 35 /year
VAT included

The quickest and easiest solution to obtain the legal documents for your showcase internet site. You obtain a privacy and cookie policy compliant with the GDPR.

* * *

Privacy and cookie policy

Appointment of data processor

Targeting cookie prior block

Cookie consent log

Updated documents if the law changes

E-commerce
€ 109 /year
VAT included

The perfect solution for e-commerce. You sell in total security, with clauses written by legal experts in e-commerce.

* * *

Privacy and cookie policy

Targeting cookie prior block

Cookie consent log

General conditions of sale

Employees’ privacy disclosure

Updated documents if the law changes

Call us or write to us at 334.83.55.955
