Provision of the privacy guarantor – n. 229/2014
Cookies are small text files that are sent to the user’s terminal equipment (usually to the user’s browser) by visited websites; they are stored in the user’s terminal equipment to be then re-transmitted to the websites on the user’s subsequent visits to those websites. When navigating a website, a user may happen to receive cookies from other websites or web servers, which are the so-called “third party” cookies. This happens because the visited website may contain items such as images, maps, sound files, links to individual web pages on different domains that are located on servers other than the one where the page being visited is stored.
Cookies are present as a rule in substantial numbers in each user’s browser and at times they remain stored for long. They are used for several purposes ranging from IT authentication to the monitoring of browsing sessions up to the storage of specific information on user configurations in accessing a given server, and so on.
In order to appropriately regulate these devices, it is necessary to distinguish them by having regard to the purposes sought by the entities relying on them, as there are no technical features that allow differentiating them.
From this standpoint and for the purposes of this decision, cookies may be distinguished into two major group: “technical” cookies and “profiling” cookies.
Technical cookies are those used exclusively with a view to “carrying out the transmission of a communication on an electronic communications network, or insofar as this is strictly necessary to the provider of an information society service that has been explicitly requested by the contracting party or user to provide the said service.”
They are not used for further purposes and are usually installed directly by the data controller or the website manager. They can be grouped into browsing or session cookies, which allow users to navigate and use a website (e.g. to purchase items online or authenticate themselves to access certain sections); analytics cookies, which can be equated to technical cookies insofar as they are used directly by the website manager to collect aggregate information on the number of visitors and the pattern of visits to the website; functional cookies, which allow users to navigate as a function of certain pre-determined criteria such as language or products to be purchased so as to improve the quality of service.
Users’ prior consent is not necessary to install these cookies.
Profiling cookies are aimed at creating user profiles. They are used to send ads messages in line with the preferences shown by the user during navigation. In the light of the highly invasive nature of these cookies vis-à-vis users’ private sphere, Italian and European legislation requires users to be informed appropriately on their use so as to give their valid consent.
“Third parties” profiling cookies are, for instance: Google Analytics (which studies web surfing data), Google Adsense and linked platforms, advertising agencies, social sharing buttons as for social networks, affiliation platforms banners, Google APIs, images. These cookies are generally disabled and are activated whenever the user clicks on the “I agree” button of the banner.
Regarding “third parties cookies”
There are several reasons why it would appear impossible to require a publisher to provide information on and obtain consent for the installation of cookies on his own website also with regard to those installed by “third parties”.
In the first place, a publisher would be required to always be equipped with the tools and the legal and business skills to take upon himself the obligations of third parties – thus, the publisher would be required to check, from time to time, that what is declared by the third parties corresponds to the purposes they are actually aiming at via their cookies.
This is a daunting task because a publisher often has no direct contacts with all the third parties installing cookies via his website, nor does he know the logic underlying the respective processing. Furthermore, it is not seldom the case that licensees step in between a publisher and the said third parties, which makes it ultimately highly difficult for the publisher to keep track of the activities of all the stakeholders.
Secondly, third parties’ cookies might be modified by the third parties with time, and it would prove rather dysfunctional to require publishers to keep track also of these subsequent changes.
Furthermore, one should also consider that publishers – a category including natural persons and SMEs – are often the “weaker” party in this context. Conversely, third parties are usually large companies of substantial economic import that work as a rule with several publishers, so that one publisher may often have to do with a considerable number of third parties.
For all of the above reasons, this DPA is of the opinion that publishers may not be required to include, on the home page of their websites, also the notices relating to the cookies installed by third parties via the publishers’ websites.