How to use cookies in compliance with data protection regulations
Thanks to cookies, for example, you can offer a person targeted advertising, based on their searches on other sites they visited before entering a new webpage. They also let you implement marketing actions that reproduce the same message when browsing the various websites people visit (so-called retargeting).
Cookies (or mechanisms based on the same principle) let you know whether an email marketing campaign was successful, whether an email message has been read, how many times it was opened, and whether it was forwarded to other people.
Cookies, data protection legislation in Europe and the impact on the rest of the world
For a long time, these tools were used essentially unknowingly by most web users, but things changed in 2009 when several countries (particularly in the EU) issued regulations that imposed rules for the collection of personal data through cookies, based on providing the person with a disclosure and obtaining their consent.
Some countries (the UK and the Netherlands in particular) have addressed the issue with a particularly proactive approach, imposing pop-ups and banners to highlight the “cookie policy” of websites and requiring express consent before cookies are used. Others opted to hold off and not make any great changes to the established browsing experience, which did not fit well with these “notices to browsers”.
Those who serve the content of their websites to European residents are therefore required to know these rules, to prevent any disputes with the European authorities.
The rules at a glance
In a nutshell, the essential rules stipulate that when accessing the home page or another page of a website, a clearly visible banner must appear, clarifying some basic elements.
Specifically:
- it must be specified whether the site uses profiling cookies to send targeted advertisements;
- it must be specified whether the site also uses “third-party cookies”, i.e. cookies that collect data which will be used by a site other than the one being visited;
- it must provide a link that allows the visitor to read a more extensive disclosure, indicating how the cookies sent by the site are used, and specifying that the option is available to refuse consent to their installation, either directly or, in the case of “third-party cookies”, by connecting to the respective third-party websites;
- lastly, it must indicate that by continuing to browse (e.g., by accessing another area of the site or by selecting an image or link), the user is consenting to the use of cookies.
However, the use of technical cookies is still allowed, so that the short disclosure does not reappear on the user’s second visit, keeping track of their consent provided on the previous visit.
Finally, it must ensure that the user retains, in any case, the ability to change their choices regarding cookies by using the extensive disclosure, which must be available on every page of the website.
Specific aspects of the rules on cookies
From a practical point of view, it is worth bearing the following aspects in mind to have an accurate overview of the legislation:
a) Scope of application
It remains understood that websites that do not allow information to be stored in the user’s terminal equipment or access to information already stored – and therefore that do not use cookies – are not subject to the obligations required under the regulations. For the use of exclusively technical cookies, the disclosure only needs to be provided in whatever form is deemed most suitable (e.g. by referring to it in the website’s privacy policy), without having to display the banner required under the regulation.
- Websites that do not use cookies are not subject to any obligation
- To use technical cookies, information only has to be provided in the website’s privacy policy, for example. It is not necessary to display a specific banner.
- Analytical cookies are treated as technical cookies only when made and used directly by the first-party website to improve its usability.
- If analytical cookies are made available by third parties, the website operators are not subject to the obligations where:
  - A) tools are adopted that reduce the cookie’s identifying ability (e.g. by concealing large parts of the IP address);
  - B) the third party agrees not to match the information contained in the cookies with other information it already has in its possession.
- If the website contains links to third-party websites (e.g. advertising banners, links to social networks) that do not require the installation of profiling cookies, there is no need for the disclosure and consent.
- In the extensive disclosure, the consent to the use of profiling cookies can be requested by category (e.g. travel, sport).
- You can display a single notification for all the other websites that are managed with the same domain.
- The obligations apply to all websites that install cookies on users’ terminals, regardless of whether they have a base in Italy.
b) Using analytical third-party cookies
In line with the Authority’s simplification approach, the regulation already clarifies how analytical cookies – which are used to monitor how the website is used by visitors, for optimization purposes – can be treated as technical cookies when they are created and used directly by the first-party website (therefore with no third-party intervention).
In many cases, however, websites use analytical cookies produced and made available by third parties merely for statistical purposes. In these cases, the websites mentioned above are not subject to the requirements and formalities required by the legislation if suitable tools are adopted to reduce the identifying ability of the analytical cookies they use – for example, by concealing large parts of the IP address.
Moreover, the use of these cookies must also be subject to contractual links between websites and third parties, in which express reference is made to the third party’s commitment to use them solely for the provision of the service, to keep them separate, and not to “enrich” or “match” them with other information they may have.
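The two passages above hinge on “concealing large parts of the IP address” before an analytics record is stored or handed to a third party. The following is an added example, written for this page and not taken from the article or from any analytics product: a Node.js-compatible helper that masks a visitor’s IP address before the analytics event leaves the first-party site. The mask widths are assumptions (the last octet is zeroed for IPv4; only the first 48 bits are kept for IPv6), as is the shape of the constructed sample event; IPv4-mapped IPv6 addresses and malformed input are handled as edge cases.

```javascript
// Added example (not from the original article): reduce the identifying ability of
// analytics data by concealing large parts of the client IP address.
// Assumed policy: IPv4 -> last octet zeroed; IPv6 -> only the first 3 groups (48 bits)
// kept. These widths are a common choice, not a legal requirement.

function maskIPv4(ip) {
  const parts = ip.split('.');
  const valid = parts.length === 4 &&
    parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error(`not a valid IPv4 address: ${ip}`);
  parts[3] = '0';
  return parts.join('.');
}

// Expand an IPv6 address (with or without "::") into its 8 hex groups.
function expandIPv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`not a valid IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  const badShape = halves.length === 2 ? missing < 1 : missing !== 0;
  const groups = [...head, ...Array(Math.max(missing, 0)).fill('0'), ...tail];
  if (badShape || !groups.every(g => /^[0-9a-f]{1,4}$/i.test(g))) {
    throw new Error(`not a valid IPv6 address: ${ip}`);
  }
  return groups.map(g => g.toLowerCase());
}

function maskIPv6(ip, keepGroups = 3) {
  const groups = expandIPv6(ip);
  // Everything after the kept prefix becomes zero, written in "::" form.
  return groups.slice(0, keepGroups).join(':') + '::';
}

// Dispatch on address family; IPv4-mapped IPv6 ("::ffff:a.b.c.d") is masked as IPv4.
function maskClientIP(ip) {
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip.trim());
  if (mapped) return '::ffff:' + maskIPv4(mapped[1]);
  return ip.includes(':') ? maskIPv6(ip.trim()) : maskIPv4(ip.trim());
}

// Apply the mask to an analytics event before it is stored or forwarded.
// The event fields are a constructed, assumed shape.
function anonymizeAnalyticsEvent(event) {
  return { ...event, ip: maskClientIP(event.ip) };
}

// Constructed sample events (not real traffic).
const SAMPLE_EVENTS = [
  { ts: '2024-01-01T10:00:00Z', path: '/', ip: '203.0.113.57' },
  { ts: '2024-01-01T10:00:05Z', path: '/blog', ip: '2001:db8:85a3::8a2e:370:7334' },
  { ts: '2024-01-01T10:00:09Z', path: '/contact', ip: '::ffff:192.0.2.44' },
];

function anonymizeAll(events = SAMPLE_EVENTS) {
  return events.map(anonymizeAnalyticsEvent);
}

module.exports = { maskIPv4, maskIPv6, maskClientIP, anonymizeAnalyticsEvent, anonymizeAll };
```

Run `node` on the file and call `anonymizeAll()` to see the three sample events with their addresses masked; wire `anonymizeAnalyticsEvent` in front of whatever ships events to the analytics provider so the full address never leaves the first-party server.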
c) Using platforms that install cookies
In some requests, it has been pointed out that it is difficult to make the changes necessary to implement the cookie legislation to platforms, widely used to create websites, which sometimes already contain preconfigured tools to manage cookies or widgets.
d) Individuals required to display the banner: the role of first-party websites
In terms of the responsibility of managers of first-party websites regarding the installation of profiling cookies from “third-party” domains, such individuals play the role of a mere technical intermediary for the installation of such cookies.
It is worth noting, however, that due to the “distributed nature” of such processing, which in any case involves the first-party website in the process, the consent to the use of third-party cookies involves two elements that are both necessary. Firstly, the presence of the banner, which produces the appropriate event to provide documented consent (the responsibility of the first party). Secondly, the presence of up-to-date links to the websites operated by third parties, where the user can make their own choices on the categories and individuals from whom they will receive profiling cookies.
It is also made clear that if the website’s banner ads or links to social networks are basic links to third-party websites that do not install profiling cookies, there is no need for the disclosure and consent.
e) Procedures for obtaining consent
The solutions for acquiring consent based on the “scroll” method, i.e. continuing to browse the same webpage – widely used and particularly significant in the case of mobile devices – are considered to be in line with the legal requirements as long as they are clearly indicated in the disclosure and are able to generate a recordable and documentable event on the server of the website operator (first party), which may be classed as a positive action by the user.
How data can be processed using cookies in practice
Let’s look at some practical examples of how a banner can be structured for cookies, also given the experience already gained abroad.
1) Example of banner or pop up on entering a website
The text in the banner can vary in length. A thorough and descriptive text is more reassuring and explains the essential terms of a subject that many people are not at all familiar with. Here of course everyone has to make their own assessments and weigh up the solution they find most suitable, taking into account the type of website and characteristics of those visiting it.
For example, a concise text to be placed in a banner could be:
We use cookies to improve your browsing experience and to help us improve our website. For further details, see our cookie policy here. By continuing to browse, you consent to the use of cookies. Otherwise, you have the option to leave the website.
A choice of two buttons should then be provided:
- “Set up Cookies” which allows you to access a section of the website to enable or disable the various types of cookies used by the website;
- “Accept and continue”, which gives instant access to the website.
A specific and extensive text must then be provided, the so-called “Cookie policy” to outline the cookies in detail and allow them to be disabled by each type.
2) Example of a disclaimer to be placed in email messages in the case of an email marketing campaign
As for the tools that allow you to collect the data on whether an email is opened, read, and forwarded, it is good to include some useful information within the message.
Space for this disclaimer can be found in the email footer:
Email and Cookies
* The sender of this message uses cookies and similar technology (collectively called cookies) in this email. If you have enabled images, you can configure your cookie settings on your computer or mobile device. Cookies will also be set if you click on any link within this email. If your email settings have disabled the links in this email, you can paste the address into your browser without activating or accepting cookies: ____________________________.
These specific examples give you an idea of the choices you need to make to manage the impact of these rules most effectively.
We recommend not using the “copy and paste” technique. What might be suitable for one site might not work for another. Everyone is faced with the same issue of ensuring that cookies are properly presented to the users of every website, allowing them to make a conscious choice of whether to accept or reject them. This is the only way of complying with the basic principle, according to which all users can have control over their own information, even if it is collected as a result of their browsing behaviour.