
Cookies and privacy: new obligations and opportunities

Written by Kirey Group | Oct 14, 2021 10:06:24 AM

This June, the Italian Data Protection Authority (the Garante) published the new "Guidelines on the use of cookies and other tracking tools", intended to give site operators clearer and more precise rules on the use of cookies.

By Gaia Magrini, Data Protection Officer and Principal Consultant at Kirey Group

There have been several regulatory interventions on cookies over the years, and the Italian Garante has repeatedly returned to the matter to spell out the required formalities. In the light of EU Regulation 2016/679 (the GDPR), the Authority set out the correct methods for obtaining consent and for drafting the information notice, stressing the growing importance of full transparency towards data subjects.

In this context, companies must constantly review the procedures of their websites to verify their conformity, driven by the digitization of services, new technical developments, and the increase in enforcement activity by the authorities in the various countries.

In recent months we have seen widely reported cases such as the fine of over 225 million euros imposed on WhatsApp by the Irish Data Protection Commission for a lack of transparency about the sharing of users' personal data with Facebook, or the fines against Google and Amazon in France, totalling 135 million euros, for having placed advertising cookies without explicit consent.

The common denominator of all these decisions is the lack of information and transparency towards the users concerned, who were unable to understand how their data were being processed or to express valid consent.

The risk of sanctions is high for smaller companies too, and for them the impact can be far more significant than for the big tech players. The consequences for the company's image should not be underestimated either.

Cookies and legitimate interest

The Guidelines clearly describe cookies as "active identifiers" through which individuals can be associated with online identifiers obtained from devices, applications, tools and protocols. Such identifiers can leave traces which, especially when combined with unique identifiers and other information received by servers, can be used to create profiles of natural persons and to identify them.

As regards cookies, the Guidelines confirm and further specify the key distinction between technical cookies, used for the sole purpose of "carrying out the transmission of a communication on an electronic communications network, or to the extent strictly necessary to the provider of a service", and profiling cookies, used to trace specific actions, or recurring behavioural patterns in the use of the features offered, back to specific identified or identifiable individuals.

In the case of purely technical cookies, the controller need only provide an appropriate information notice. For profiling cookies, by contrast, prior and appropriate consent must be collected; for the first time, the Guidelines explicitly exclude the controller's legitimate interest as a basis for the use of cookies or other tracking tools.

The Garante also addresses repeated consent requests, which must not burden the user. The continual reappearance of the banner containing the short notice is invasive and can undermine the user's freedom in giving consent, pushing them to accept processing simply to make the banner go away. Companies must therefore not repeat the same request, particularly when users have rejected profiling cookies: the banner should not be presented again for at least six months. Moreover, the user must be able to change their choices at any time.

The repercussions for company websites will be considerable, starting with the need to review their systems and the data they collect, and to keep track of every cookie and of the timing that governs when the banner may be re-proposed. Furthermore, making refusal easier will have a significant impact on data collection, for marketing activities for example: measures such as the ability to refuse cookies simply by closing the banner with the "X" will presumably lead companies to collect less information.
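The consent-tracking requirement in the two paragraphs above (remember a refusal, do not re-present the banner for six months, let the user change their mind, treat closing the banner as refusal) can be implemented as a small state machine kept in a first-party technical cookie. The following is an added example, not code from the Guidelines or from Kirey Group; the cookie name `cookie_consent`, the JSON layout of its value and the 182-day window standing in for "six months" are assumptions. Profiling cookies are released only when an explicit, still-valid acceptance is on record.

```javascript
// Added example (not from the Guidelines or Kirey Group): a consent gate that
// records the user's choice in a first-party technical cookie and decides
// whether the banner may be shown and whether profiling cookies may be set.
// Assumed names: the cookie "cookie_consent" and its JSON value {status, at}.

const CONSENT_COOKIE = "cookie_consent";
const DAY_MS = 24 * 60 * 60 * 1000;
// Assumed stand-in for "at least six months" before the banner may reappear.
const RENEW_AFTER_MS = 182 * DAY_MS;

// Parse a Cookie request header ("a=1; b=2") into an object. A value with
// malformed percent-encoding is skipped rather than allowed to throw.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    try {
      jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) {
      // undecodable value: treat as absent
    }
  }
  return jar;
}

// Return the recorded choice {status, at}, or null when there is none, it is
// malformed, or it is older than the renewal window (a stale choice counts
// as no choice, so the banner is shown again).
function readConsent(cookieHeader, now) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return null;
  let rec;
  try {
    rec = JSON.parse(raw);
  } catch (e) {
    return null;
  }
  if (!rec || (rec.status !== "accepted" && rec.status !== "rejected")) return null;
  if (typeof rec.at !== "number" || now - rec.at > RENEW_AFTER_MS) return null;
  return rec;
}

// The banner is presented only when no valid choice is on record; a
// rejection is remembered exactly as long as an acceptance.
function shouldShowBanner(cookieHeader, now) {
  return readConsent(cookieHeader, now) === null;
}

// Build the Set-Cookie header value that records a choice. The consent
// cookie is itself a technical cookie (it exists only to honour the user's
// choice), so it needs no consent. Calling this again overwrites the previous
// choice, which is how the user changes their mind at any time.
function recordChoice(status, now) {
  if (status !== "accepted" && status !== "rejected") {
    throw new Error("status must be 'accepted' or 'rejected'");
  }
  const value = encodeURIComponent(JSON.stringify({ status, at: now }));
  const maxAge = Math.floor(RENEW_AFTER_MS / 1000);
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Closing the banner with the "X" is a refusal, not a pending state.
function closeBanner(now) {
  return recordChoice("rejected", now);
}

// Which cookie categories the site may set on this response: technical
// cookies always, profiling cookies only after an explicit acceptance.
function allowedCategories(cookieHeader, now) {
  const consent = readConsent(cookieHeader, now);
  return { technical: true, profiling: consent !== null && consent.status === "accepted" };
}

// Walk through one visitor's history with constructed timestamps.
function demo() {
  const t0 = Date.UTC(2021, 9, 14);
  console.log("first visit, show banner:", shouldShowBanner("", t0));
  const stored = closeBanner(t0).split(";")[0]; // what the browser sends back
  console.log("one month later, show banner:", shouldShowBanner(stored, t0 + 30 * DAY_MS));
  console.log("profiling allowed:", allowedCategories(stored, t0 + 30 * DAY_MS).profiling);
  console.log("after renewal window, show banner:", shouldShowBanner(stored, t0 + 200 * DAY_MS));
}
demo();
```

The functions take the Cookie request header and a timestamp as arguments, so the same logic runs server-side (deciding which Set-Cookie headers a response may carry) and can be unit-tested offline; in the browser the identical checks would read `document.cookie`. Note that a missing or unparsable consent record yields "show the banner and set no profiling cookies", never a silent acceptance.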

Six months to adapt: Privacy by Design and the key role of the DPO

The period granted by the Authority to adapt to the new Guidelines is only six months, during which companies will have to review their policies on the processing of data collected through cookies.

Companies will have to work very carefully on their cookie compliance and on keeping it up to date. Many have already adapted, and we have noticed a growing number of tools and services for cookie management.

A key element of this adaptation will be the application of the principle of privacy by design, which requires that data protection be integrated into the entire life cycle of the technology from the very first design stage. It will therefore be essential to develop websites taking the indications contained in the Authority's measure into account from the outset, so as to identify the most appropriate methods and technologies to ensure the lawfulness of the processing carried out.

The failure to carry out a privacy-by-design assessment was, among other things, the subject of the fine imposed on INPS last March. The institution was fined EUR 300,000 by the Garante for violating the European regulation on the protection of personal data. Among the breaches found, INPS, when starting a new processing operation to verify the attribution of Covid indemnities, had not involved its Data Protection Officer (DPO) in the assessment from the beginning. In particular, this new processing was preceded neither by a formal privacy-by-design assessment nor by an impact assessment.

Companies that have already adopted a strong privacy model will be able to cope with this adjustment with less effort and will meet the six-month deadline in full.
My advice for everyone, and especially for those who deal with services such as Kirey Group that are always under the watchful eye of auditors and their customers, is to adopt an attitude that allows them to prevent problems with cookies, involving their own DPO and the other actors concerned in the choices from the start.

Even if many regard privacy as a mere cost and an excessive burden, it is equally true that when an organization can harmonize these requirements with its other business processes, compliance with the legislation becomes simpler. An effective organizational model for privacy management can also be a useful opportunity to promote better data management, by giving a correct and complete overview.