Legal information

Some help with legal information about GDPR and other laws

In this article we will discuss how GDPR (General Data Protection Regulation) and ePR (e-Privacy Regulation) affect cookie usage on your website and how Cookie-Script helps your website comply with GDPR.

First things first, here is a quick FAQ about GDPR and ePR.

What is GDPR?

GDPR stands for General Data Protection Regulation: a new regulation created to improve data privacy.

 

What is ePR?

ePR stands for e-Privacy Regulation: a regulation covering electronic communications and the right to confidentiality.

 

When is GDPR enforced?

25th of May 2018

 

When is ePR enforced?

Nobody knows yet

 

Will this affect my business?

It depends on what you do and what information you collect from your customers. Check out this infographic for more info.

 

What organizations does GDPR apply to?

If your visitors/customers are from the EU, GDPR applies to your organization.

 

Are there fines?

Yes, but there are 3 more steps before you get a fine (see link above). Fines can go up to €20 million or 4% of global annual turnover (whichever is higher).

Regulation vs Directive

It is important to understand the difference between a directive and a regulation.

  • A directive is a legal act of the European Union that requires member states to achieve a particular result without dictating the means of achieving it.
  • A regulation has binding legal force throughout every Member State and enters into force on a set date in all Member States.

A regulation is the same for all member states, whereas the e-Privacy Directive was created as a set of rules for each Member State to turn into its own laws. Previously we had directives; now we are starting to follow regulations.

It's not about cookies!

The main goal of GDPR is to regulate how personal information is collected, stored and erased. The e-Privacy Regulation isn't just about cookies either: it covers electronic communications, the right to confidentiality, data/privacy protection and more.

In fact, cookies are mentioned in GDPR only once:

Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

In other words: if cookies can be used to identify an individual, they are considered personal data (before ePR is enforced).

  Cookies are only a small part of the personal data managed by organizations. This is why you should review how and what personal information you collect and store in order to comply with GDPR.

IMPORTANT: Using Cookie-Script (or any other cookie-related solution) does not mean your website is automatically compliant with GDPR. There are many other aspects to GDPR, so please read through all of them. There is plenty of information online on how to comply with every GDPR point; we will only focus on cookies here.

Another important thing to note: not all cookies are considered personal data. If you have a simple website, the cookies you set are not used to identify a person, and you do not collect any personal information from your visitors, there is a high chance you do not need to worry about GDPR at all.

ePR and GDPR

OK, so this one is pretty tricky and is usually not explained on other websites that offer cookie banner solutions.

The ePrivacy Regulation is lex specialis to the GDPR. That is a legal principle which essentially means that the lex specialis, in this case the ePrivacy Regulation, overrides the lex generalis, in this case the GDPR, in the specific areas the ePrivacy Regulation covers. In other words, wherever ePR and GDPR overlap (for example, on cookies), ePR applies.

Basically, you only care about ePR when it comes to cookies, since GDPR does not focus on cookies and digital communications. ePR is specifically designed to explain how privacy and cookies should work together. The e-Privacy Regulation also replaces the e-Privacy Directive that forces websites to show banners, also known as the "Cookie Law".

Now comes the interesting part:

ePR and GDPR were both designed to apply from the same date (25th of May 2018), since they are designed to work together. However, for various reasons ePR has been delayed and will not come into force on the same date as GDPR. So what we have after 25th of May is quite a tricky situation: the regulation designed to control how cookies are used (the e-Privacy Regulation) is still in development, the old directive (the e-Privacy Directive) is still in force, and we simply use GDPR and treat cookies as personal data (not all of them, only those that can be treated as personal data). It is not clear how strictly regulators will look at this, given that GDPR was not designed to regulate cookies in the first place. Once ePR is enforced, new changes will apply and most of the GDPR changes (see below) regarding cookies will no longer be valid.

So what exactly will change from 25th of May 2018 until ePR is enforced?

Here are the key changes you should know about when it comes to cookies:

1 Implied consent won't work anymore. This means you cannot set cookies (at least personalized cookies, which are now personal data) before the user has given you permission. We will keep it as an option, but will show a warning message if the user selects this option.

2 An option to withdraw consent should always be available.

3 Consent is not needed for "non-privacy-intrusive cookies". Examples include e-commerce cookies, remembering shopping cart histories, cookies for Google Analytics and many others.

4 Consent should be unambiguous, which means a positive action by the visitor.

5 Strictly necessary cookies can still be set in order for the website to operate properly.
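As an added illustration of the five rules above (example code, not Cookie-Script's own), the gate below writes non-necessary cookies only after an affirmative action, keeps withdrawal available at all times, and always lets strictly necessary cookies through. The cookie jar is an in-memory stand-in for document.cookie, and all cookie names and categories are assumed.

```javascript
"use strict";
// Added example, not Cookie-Script's own code. Cookie names, categories and the
// in-memory jar that stands in for document.cookie are all assumed/constructed.

const CATEGORIES = ["necessary", "functional", "analytics", "profiling"];

class ConsentGate {
  // mode "explicit": nothing but strictly necessary cookies until the visitor acts.
  // mode "implied": kept as an option but flagged with a warning (rule 1).
  constructor({ mode = "explicit" } = {}) {
    this.mode = mode;
    this.decision = null;            // null until an unambiguous action (rule 4)
    this.jar = new Map();            // constructed stand-in for document.cookie
    this.deferred = [];              // cookies requested before a decision
    this.warnings = mode === "implied"
      ? ["implied consent is not valid under GDPR for cookies that are personal data"]
      : [];
  }

  // Which categories may be written right now.
  allowed(category) {
    if (category === "necessary") return true;             // rule 5
    if (this.decision) return this.decision.has(category);
    // No decision yet: explicit mode blocks everything else; implied mode lets
    // non-intrusive cookies through (rule 3) but never profiling cookies.
    return this.mode === "implied" && category !== "profiling";
  }

  // true when the cookie was written, false when queued pending consent.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (this.allowed(category)) { this.jar.set(name, { value, category }); return true; }
    this.deferred.push({ name, value, category });
    return false;
  }

  // "Accept" (positive action): record the choice and flush the queue.
  grant(categories) {
    this.decision = new Set(["necessary", ...categories]);
    const queued = this.deferred; this.deferred = [];
    for (const c of queued) this.setCookie(c.name, c.value, c.category);
    return this.record("grant");
  }

  // "Decline all" and "Withdraw" (rule 2, always available) both leave only
  // strictly necessary cookies behind and drop anything still queued.
  decline() { return this.purge("decline"); }
  withdraw() { return this.purge("withdraw"); }
  purge(action) {
    this.decision = new Set(["necessary"]);
    this.deferred = [];
    for (const [name, c] of this.jar) if (c.category !== "necessary") this.jar.delete(name);
    return this.record(action);
  }

  // Minimal consent record; the real product stores an encrypted one server-side.
  record(action) { return { action, categories: [...this.decision], at: new Date().toISOString() }; }
}
```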

Changes we are making

We do our best to make sure Cookie-Script stays up to date with the latest EU regulations. We also try to keep it nice and simple. Many solutions require technical knowledge from you; others are simply overkill, with functionality left over from the e-Privacy Directive which is no longer relevant after 25th of May 2018. We focus on simplicity and user-friendliness. Here are the key changes we are implementing in Cookie-Script in order to make it compliant with GDPR:

  • Implemented: New design option that covers the whole page (to make sure a clear affirmative action was taken by the user to navigate on the website).
  • Implied consent will remain, but will not be selected by default. A warning message will also appear if Implied consent is selected.
  • Implemented: New option, Show cookie icon, which allows the user to withdraw consent at any time. More designs are in progress.
  • Implemented: A button to decline all cookies. Saves the user's choice not to set any cookies except strictly necessary cookies.
  • Implemented: New piece of code (checkbox) to use on the privacy policy page, Withdraw consent, which allows the user to withdraw consent on the cookie policy page.
  • Implemented: New option, strictly necessary cookies (to keep the website functioning even without user consent, like a webshop cart cookie).
  • Implemented: Functionality to record and store visitor consent in an encrypted way (this record is not considered personal data).
  • Implemented: A set of articles to better explain how and when the new options should be used.
  • Implemented: AWS caching. We are switching to Amazon Web Services in order to provide you with one of the fastest and most reliable code delivery services available on the market.

Once every change is implemented, it will be posted in the news and on our Facebook page. You can follow the Facebook page to stay updated with the latest changes.

Disclaimer: The information on this webpage is for general information only and does not constitute legal advice. Please consult your own legal professionals if you seek advice on specific interpretations and requirements of any law.

Please note that this article might be outdated. We are working on updating it to the latest version.

On 3rd of June 2014 the Italian Data Protection Authority (DPA) published official instructions for websites on how users should be informed about cookie usage (also known as the "Cookie Law"). The deadline for implementing those instructions is 12 months, which is 3rd of June 2015. Below you will find a summary of those instructions and a checklist to make sure your website complies with the Italian Cookie Law.


Summary of Italian Cookie Law

First-party cookies

First-party cookies are cookies installed by the website publisher; in other words, cookies saved under the same domain/subdomain as the website itself. According to the DPA, first-party cookies can be separated into two groups:

  • Technical cookies. Do not require user consent. Basically all cookies needed to show your website correctly: session cookies, analytics cookies, functionality cookies.
  • Profiling cookies. User consent is required. Cookies aimed at creating user profiles (not to be confused with user accounts). They are used to send advertising messages targeted at this particular user or at the group of people the user belongs to.

Third-party cookies

Third-party cookies are cookies placed by the managers of another website (the "third party") via the publisher's website. For technical reasons, the website publisher (manager/owner/editor) is not responsible for any third-party cookies. The website at this point acts as a technical intermediary and must only provide a link to the information notices and consent forms of the third parties. Third-party cookies do not require user consent.

Technical requirements

The DPA requires two layers of user notification:

  • A banner with a short information notice and consent request
  • An extended Privacy Policy page with a detailed description of the Cookie Policy and the cookies used on the website

Banner (popup message) requirements

On accessing the home page (or any other landing page) of a website, the user must immediately be shown a suitably sized banner. The banner must include the following information:

  • That the website uses profiling cookies to send advertising messages in line with the user's online navigation preferences (if any profiling cookies are used)
  • That the website allows sending third-party cookies as well (if third-party cookies are used)
  • A clickable link to the extended information notice
  • That on the extended information notice page the user may refuse to consent to the installation of whatever cookies
  • That if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she signifies his or her consent to the use of cookies.

Note that Cookie Script is not responsible if your banner text does not meet the requirements above, since it is the website publisher who is required to create the text.

The Italian Cookie Law also describes the possibility of adding an "I disagree" button (not required), which will remember the user's choice not to use cookies and will not show the banner anymore. We are currently working on adding this functionality. User consent can be saved as a technical cookie.

Extended Privacy Policy page

The extended Privacy Policy page should include:

  • all items required by Section 13 of the ITALIAN PERSONAL DATA PROTECTION CODE, that is (but not limited to) a description of the detailed features and purposes of the cookies installed by the website
  • tools available to select the cookies to be enabled
  • the possibility for the user to configure browser settings as a further mechanism to select the preferred use of cookies by the website, including at least a reference to the procedure to be followed to configure those settings;
  • an updated link to the information notices and consent forms of the third parties the publisher has agreed to let install cookies via his own website (if third-party cookies are used)

The extended Privacy Policy page must be linked from the short notice and from all website pages (possibly at the bottom of the page).

Notifying DPA

According to the instructions, profiling cookies, which are persistent in nature, have to be notified to the Italian Data Protection Authority. Technical cookies do not have to be notified to the DPA.

Fines

Fines for not following the instructions:

  • failure to provide information about cookies as well as other parts of Section 13 of the ITALIAN PERSONAL DATA PROTECTION CODE: 6.000 - 36.000 EUR
  • installing cookies without the user's prior consent (applies only to first-party profiling cookies): 10.000 - 120.000 EUR
  • failure to notify processing operations to the DPA, or the provision of an incomplete notification to the DPA, under the terms of Section 37(1), letter d) of the Code: 20.000 - 120.000 EUR

Full version of Italian Cookie Law

You can find the full description of the requirements here: English version / Italian version.


Italian Cookie Law and Cookie Script

Cookie Script is compliant with the Italian Cookie Law if used properly. It is the website manager's responsibility to make sure the correct settings are used and that the website complies with the Italian Cookie Law.

Consent mode (Explicit or Implied)

First of all, the website manager/publisher has to find out what cookies are used on the website and choose Explicit or Implied mode. Depending on the cookies used, Cookie Script can be configured in Explicit or Implied mode:

  • Explicit: must be used if you have first-party profiling cookies. It can also be used if you are not sure what cookies you have (just to be on the safe side).
  • Implied: can be used if you don't have first-party profiling cookies, that is, if you are only using technical and/or third-party cookies.

Note that Cookie Script is a simple, user-friendly solution where you don't have to configure settings for each individual cookie. This means that in the case of explicit consent all first-party cookies will be blocked (both technical and profiling cookies), just to be sure the website complies with the Cookie Law requirements.

Banner settings

Depending on the cookies used, the website manager has to make sure the proper text is used in the banner (see checklist below). The Italian Cookie Law provides the possibility of using an "I disagree" button (not required), which will be implemented in Cookie Script soon.

The DPA instructions also describe the possibility of automatic consent, meaning that clicking any link to another page on the website makes the user automatically accept cookies. However, this is only mentioned in the banner text requirements, and it is not stated anywhere that it can actually be used. Cookie Script has this functionality implemented, but use it at your own risk.

Privacy Policy Page

The extended Privacy Policy page is important, and the website manager must make sure it meets all requirements (see checklist below); otherwise a fine of 6.000-36.000 EUR might be issued. The Privacy Policy page is individual for each website and Cookie Script is not involved in this part; however, you can use some of the Cookie Policy templates we provide (note that the Cookie Policy is only part of the bigger Privacy Policy page).

The DPA requires "tools" to disable individual cookies on the website. Full integration of such tools into your website workflow is usually quite pricey and requires solid technical knowledge to work properly, so obviously not everyone can afford them. In most cases it's overkill and a waste of time.

Luckily, the Italian Cookie Law does not describe exactly how these "tools" should work, so providing any "tools available to select the cookies to be enabled" would work, for example links to browser extensions that make it possible to block individual cookies. We will soon make a list of such browser extensions which you can use on your Privacy Policy page as "tools to select the cookies to be enabled".

Checklist to comply with Italian Cookie Law

The banner text must include the following information:

  •   that the website uses profiling cookies to send advertising messages (if first-party profiling cookies are used)
  •   that the website allows sending third-party cookies (if third-party cookies are used)
  •   a clickable link to the extended Privacy Policy page (also known as the "Read more" button)
  •   that on the extended Privacy Policy page the user may refuse to consent to the installation of whatever cookies
  •   that if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she signifies his or her consent to the use of cookies.

The extended Privacy Policy page must be accessible from every website page and include:

  •   all items required by Section 13 of the ITALIAN PERSONAL DATA PROTECTION CODE, including a description of the detailed features and purposes of the cookies installed by the website
  •   tools available to select the cookies to be enabled
  •   the possibility for the user to configure browser settings as a further mechanism to select the preferred use of cookies by the website, including at least a reference to the procedure to be followed to configure those settings;
  •   an updated link to the information notices and consent forms of the third parties the publisher has agreed to let install cookies via his own website (if third-party cookies are used)

Consent mode to use:

  •   Explicit: must be used if you have first-party profiling cookies. It can also be used if you are not sure what cookies you are using (just to be on the safe side).
  •   Implied: can be used if you don't have first-party profiling cookies, that is, if you are only using technical and/or third-party cookies.

Showing a cookie pop-up message is just part of the deal. Each website must also have a Cookie Policy page in order to comply with the EU Cookie Directive.

Luckily, Cookie Script users do not have to worry about this. We have published a Cookie Policy page template, and it is available in 23 languages. This is the official Cookie Policy template from the European Commission website.

Make sure you change the middle section according to your website's cookies before publishing your Cookie Policy.

Hey, we have also updated our Terms and Conditions, Privacy Policy and Disclaimer, so it could be a good idea to read through them.
