Cookies: Italian Data Protection Authority's New Rules on Information Notice and Consent

On May 8, 2014, the Italian Data Protection Authority (“DPA”) issued a resolution concerning “Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies” (the “Resolution”). The Resolution has been adopted after a public consultation procedure to request contributions and suggestions on the mechanisms to implement the new provisions on cookies introduced by the Directive no. 2009/136/EC. The first EU regulatory framework on cookies has been set out by Directive 2002/58/EC. According to such Directive, terminal equipment of users of electronic communication networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms.  So-called spyware, web-bugs, hidden identifiers and other similar files/devices can enter the users’ terminal without their knowledge in order to gain access to information or to trace the activities of the users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned. However, such devices, for instance the so-called “cookies”, can be a legitimate and useful tool, for instance in analyzing the effectiveness of website design and advertising and in verifying the identity of users engaged in online transactions. Where cookies are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that the users are provided with a clear and precise information about the purposes of cookies. In addition, users should have the opportunity to refuse to have a cookie stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored. In particular, the Directive 2009/136/EC has replaced Article 5(3) of the Directive 2002/58/EC, stating that “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible and access to specific website content may still be made conditional on the well-informed acceptance of the cookies, if used for a legitimate purpose. Based on the abovementioned “user-friendly” principle, the DPA is entitled to request to the stakeholders the provision of a simplified information notice and requirements for obtaining consent regarding cookies, which are the objects of the Resolution. Giving the strong IT and business impact of the Resolution for the stakeholders, the DPA established a one-year grace period in order to comply with the Resolution, which will end up to June 3, 2015... (segue)