Italian Cookie Law explained

On 3rd of June 2014 the Italian Data Protection Authority (DPA) published official instructions for websites on how users should be informed about cookie usage (also known as the "Cookie Law"). The deadline for implementing those instructions is 12 months, that is, 3rd of June 2015. Below you will find a summary of those instructions and a checklist to make sure your website is compliant with the Italian Cookie Law.


Summary of Italian Cookie Law

First-party cookies

First-party cookies are cookies that are installed by the website publisher; in other words, they are cookies saved under the same domain/subdomain as the website itself. According to the DPA, first-party cookies can be separated into two groups:

  • Technical cookies. Do not require user consent. Basically all cookies needed to show your website correctly: session cookies, analytics cookies, functionality cookies.
  • Profiling cookies. User consent is required. These are cookies aimed at creating user profiles (not to be confused with user accounts). They are used to send advertising messages targeted at this particular user or at the group of people the user belongs to.

Third-party cookies

Third-party cookies are cookies that are placed by the managers of another website ("third-party") via the publisher's website. Due to technical reasons, the website publisher (manager/owner/editor) is not responsible for any third-party cookies. The website at this point acts as a technical intermediary and must only provide a link to the information notices and consent forms of the third parties. Third-party cookies do not require user consent.

Technical requirements

The DPA requires two layers of user notification:

  • Banner with the short information notice and consent request
  • Extended Privacy Policy page with detailed description of Cookie Policy and cookies used on the website

Banner (popup message) requirements

On accessing the home page (or any other landing page) of a website, the user must be shown immediately a suitably sized banner. The banner must include the following information:

  • That the website uses profiling cookies to send advertising messages in line with the user's online navigation preferences (if any profiling cookies are used)
  • That the website allows sending third-party cookies as well (if third-party cookies are used)
  • A clickable link to the extended information notice
  • That on the extended information notice page the user may refuse to consent to the installation of whatever cookies
  • That if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she signifies his or her consent to the use of cookies.

Note that Cookie Script is not responsible if your banner text does not meet the requirements above, since it is the website publisher who is required to create the text.

The Italian Cookie Law also describes the possibility of adding an "I disagree" button (not required), which will remember the user's choice not to use cookies and will not show the banner anymore. We are currently working on adding this functionality. User consent can be saved as a technical cookie.

Extended Privacy Policy page

The Extended Privacy Policy page should include:

  • all items required by Section 13 of the ITALIAN PERSONAL DATA PROTECTION CODE, including (but not limited to) a description of the detailed features and purposes of the cookies installed by the website
  • tools available to select the cookies to be enabled
  • the possibility for the user to configure browser settings as a further mechanism to select the preferred use of cookies by the website, including at least a reference to the procedure to be followed to configure those settings
  • an updated link to the information notices and consent forms of the third parties the publisher has agreed to let install cookies via his own website (if third-party cookies are used)

The Extended Privacy Policy page must be linked from the short notice and from all website pages (possibly at the bottom of the page).

Notifying DPA

According to the instructions, profiling cookies, which are persistent in nature, have to be notified to the Italian Data Protection Authority. Technical cookies do not have to be notified to DPA.

Fines

Fines for not following the instructions:

  • failure to provide information about cookies as well as other parts of Section 13 of the ITALIAN PERSONAL DATA PROTECTION CODE: 6.000 - 36.000 EUR
  • installing cookies without users' prior consent (applies only for first-party profiling cookies): 10.000 - 120.000 EUR
  • failure to notify processing operations to the DPA or the provision of an incomplete notification to the DPA under the terms of Section 37(1), letter d) of the Code: 20.000 - 120.000 EUR

Full version of Italian Cookie Law

You can find the full description of the requirements here: English version / Italian version.


Italian Cookie Law and Cookie Script

Cookie Script is compliant with the Italian Cookie Law if used properly. It is the website manager's responsibility to make sure the correct settings are used and that the website complies with the Italian Cookie Law.

Consent mode (Explicit or Implied)

First of all, the website manager/publisher has to find out what cookies are used on the website and choose Explicit or Implied mode. Depending on the cookies used, Cookie Script can be configured to run in Explicit or Implied mode:

  • Explicit: must be used if you have first-party profiling cookies. It can also be used if you are not sure what cookies you have (just to be on the safe side).
  • Implied: can be used if you don't have first-party profiling cookies, that is, if you are only using technical and/or third-party cookies.

Note that Cookie Script is a simple, user-friendly solution where you don't have to configure settings for each individual cookie. This means that in Explicit mode all first-party cookies will be blocked (both technical and profiling cookies), just to be sure the website complies with the Cookie Law requirements.

Banner settings

Depending on the cookies used, the website manager has to make sure the banner uses the proper text (see checklist below). The Italian Cookie Law provides the possibility of using an "I disagree" button (not required), which will be implemented in Cookie Script soon.

The DPA instructions also describe the possibility of automatic consent, meaning that clicking any link to another page on the website will make the user automatically accept cookies. However, this is only mentioned in the banner text requirements, and the instructions do not say anywhere that it can actually be used. Cookie Script has this functionality implemented, but use it at your own risk.

Privacy Policy Page

The Extended Privacy Policy Page is important and the website manager must make sure it meets all requirements (see checklist below), otherwise a fine of 6.000-36.000 EUR might be issued. The Privacy Policy page is individual for each website and Cookie Script is not involved in this part; however, you can use some of the Cookie Policy templates we provide (note that the Cookie Policy is only part of the bigger Privacy Policy Page).

The DPA requires "tools" to disable individual cookies on the website. Full integration of such tools into your website workflow is usually quite pricey and requires solid technical knowledge in order to work properly, so obviously not everyone can afford them. In most cases it's overkill and a waste of time.

Luckily, the Italian Cookie Law does not describe exactly how the "tools" should work, so providing any "Tools available to select the cookies to be enabled" would work, for example links to browser extensions that make it possible to block individual cookies. We will soon make a list of such browser extensions which you can use on your Privacy Policy Page as "Tools to select the cookies to be enabled".

Checklist to comply with Italian Cookie Law

Banner text must include the following information:

  • that the website uses profiling cookies to send advertising messages (if first-party profiling cookies are used)
  • that the website allows sending third-party cookies (if third-party cookies are used)
  • a clickable link to the extended Privacy Policy Page (also known as the "Read more" button)
  • that on the extended Privacy Policy Page the user may refuse to consent to the installation of whatever cookies
  • that if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she signifies his or her consent to the use of cookies.

The Extended Privacy Policy must be accessible from every website page and include:

  • all items required by Section 13 of the ITALIAN PERSONAL DATA PROTECTION CODE, including a description of the detailed features and purposes of the cookies installed by the website
  • tools available to select the cookies to be enabled
  • the possibility for the user to configure browser settings as a further mechanism to select the preferred use of cookies by the website, including at least a reference to the procedure to be followed to configure those settings
  • an updated link to the information notices and consent forms of the third parties the publisher has agreed to let install cookies via his own website (if third-party cookies are used)

Consent mode to use:

  • Explicit: must be used if you have first-party profiling cookies. It can also be used if you are not sure what cookies you are using (just to be on the safe side).
  • Implied: can be used if you don't have first-party profiling cookies, that is, if you are only using technical and/or third-party cookies.