Cookies
FAQ of the Privacy Guarantor of the Italian Republic: information and consent for the use of cookies
1. What are cookies?
These are small text files that sites visited by users send to their terminals, where they are stored in order to be retransmitted to the same sites on the next visit. Third-party cookies, on the other hand, are set by a website other than the one the user is visiting. This is because on each site there may be elements (images, maps, sounds, specific links to web pages of other domains, etc.) that reside on servers other than that of the site visited.
2. What are cookies used for?
They are used for different purposes: performing computer authentication, session monitoring, storing information on specific configurations concerning users accessing the server, storing preferences, etc.
3. What are ‘technical’ cookies?
These are cookies that serve to carry out navigation or to provide a service requested by the user. They are not used for any other purpose and are normally installed directly by the website owner.
Without their use, certain operations could not be carried out or would be more complex and/or less secure, such as home banking activities (displaying account statements, bank transfers, paying bills, etc.), for which cookies, which make it possible to carry out and maintain user identification within the session, are indispensable.
4. Are analytics cookies also ‘technical’?
No. The Garante (cf. provision of 8 May 2014) has specified that they can only be assimilated to technical cookies if they are used for site optimisation purposes directly by the site owner, who may collect information in aggregate form on the number of users and how they visit the site. Under these conditions, the same rules on information and consent apply to analytics cookies as to technical cookies.
5. What are ‘profiling’ cookies?
They are used to track the user’s navigation on the web and create profiles on their tastes, habits, choices, etc. By using them, advertising messages may be sent to the user’s terminal in line with the preferences already expressed by the user when surfing online.
6. Is user consent necessary for the installation of cookies on the user’s terminal?
It depends on the purposes for which they are used and, therefore, whether they are ‘technical’ or ‘profiling’ cookies.
User consent is not required for the installation of technical cookies, although the information notice must still be provided (Article 13 of the Privacy Code). Profiling cookies, on the other hand, can only be installed on the user’s terminal if the user has given his or her consent after being informed in a simplified manner.
7. How does the site owner have to provide simplified information and request consent for the use of profiling cookies?
As established by the Garante in the measure indicated in question 4, the information notice must be set up on two levels.
When the user accesses a website (on the home page or any other page), a banner must immediately appear containing an initial ‘brief’ information notice, a request for consent to the use of cookies and a link to access a more ‘extensive’ information notice. In the extensive notice, the user can find more detailed information on cookies and choose which specific cookies to authorise.
8. How should the banner be designed?
The banner must be large enough to partially cover the content of the web page the user is visiting. It must be removable only through active intervention by the user, i.e. by selecting an element of the underlying page.
9. What information must the banner contain?
It must specify that the site uses profiling cookies, possibly even ‘third-party’ cookies, which allow it to send advertising messages in line with the user’s preferences.
It must contain the link to the extended information notice and the indication that, through that link, it is possible to refuse consent to the installation of any cookie.
It must specify that if the user chooses to continue by ‘skipping’ the banner, he/she consents to the use of cookies.
10. How can the acquisition of consent through the use of the banner be documented?
In order to keep track of the consent acquired, the site owner can make use of a special technical cookie, a system that is not particularly invasive and does not in turn require further consent.
In the presence of such ‘documentation’, it is not necessary for the short information notice to be re-proposed at the user’s second visit to the site, without prejudice to the latter’s possibility of denying consent and/or modifying, at any time and in an easy manner, his or her options, for instance by accessing the extended information notice, which must therefore be linkable from every page of the site.
11. Can online consent to the use of cookies only be requested through the use of a banner?
No. Site owners always have the option of resorting to modalities other than the one identified by the Garante in the above-mentioned provision, provided that the chosen modalities meet all the requirements for the validity of consent required by law.
12. Does the obligation to use the banner also apply to owners of sites that only use technical cookies?
No. In this case, the owner of the site may provide information to users in the manner he or she considers most appropriate, for example, by including the relevant indications in the privacy policy indicated on the site.
13. What must the ‘extended’ information sheet indicate?
It must contain all the elements required by law, describe analytically the characteristics and purposes of the cookies installed by the site and allow the user to select/deselect individual cookies.
It must include an updated link to the notices and consent forms of third parties with whom the owner has entered into agreements for the installation of cookies through its site.
Finally, it must recall the possibility for the user to express his/her options on cookies also through the settings of the browser used.
14. Who is required to provide information and request consent for the use of cookies?
The owner of the website that installs profiling cookies.
For third-party cookies installed through the site, the information and consent obligations rest with the third parties, but the site owner, as technical intermediary between them and users, is required to include in the ‘extended’ information notice the updated links to the third parties’ information notices and consent forms.
15. Does the use of cookies have to be notified to the Garante?
Cookies of a profiling nature, which usually persist over time, are subject to the obligation of notification, while those that have a different purpose and fall into the category of technical cookies do not have to be notified to the Garante.
16. When do the measures prescribed by the Garante in the order of 8 May 2014 come into force?
The Garante has provided for a transitional period of one year from the publication of the measure in the Official Journal to allow those concerned to comply. This period will end on 2 June 2015.