This information is taken from the explanations provided by the Privacy Guarantor, freely reworked.

The main source of this information is the Privacy Guarantor website.

“Natural persons may be associated with online identifiers produced by the devices, applications, tools and protocols used, such as IP addresses, temporary markers (cookies) or other types of identifiers, such as radio frequency identification tags. Such identifiers may leave traces that, in particular when combined with unique identifiers and other information received from servers, can be used to create profiles of natural persons and identify them.”

 

As is known, cookies are usually text strings that the websites visited by the user or different websites or web servers place and store within a terminal device available to the user.

 

The terminals referred to are, for example, a computer, a tablet, a smartphone, or any other device capable of storing information. 

 

Internet navigation software and the operation of these devices, such as browsers, can store cookies and then transmit them back to the sites that generated them during a subsequent visit by the same user, thus maintaining a memory of his previous interaction with one or more websites.

 

The information encoded in cookies may include personal data, such as an IP address, username, unique identifier or email address, but may also contain non-personal data, such as language settings or information about the type of device a person is using to navigate the site.

 

Cookies can therefore perform important and different functions, including monitoring sessions, storing information on specific configurations regarding users who access the server, facilitating the use of online content, etc. For example, they can be used to keep track of the items in an online shopping cart or the information used to fill out an IT form.

 

While on the one hand it is through cookies that it is possible, among other things, to allow web pages to load faster, as well as to route information on a network – in line therefore with obligations strictly connected to the operation of websites themselves -, it is also possible through cookies to convey behavioral advertising (so-called "behavioural advertising") and then measure the effectiveness of the advertising message, or to conform the type and methods of the services provided to the behavior of the user previously observed.

 

Cookies and, to a large extent, other tracking tools may have different characteristics from a temporal perspective and therefore be considered based on their duration (session or permanent), or from a subjective point of view (depending on whether the publisher acts autonomously or on behalf of the "third party").

 

And yet the classification that responds to the rationale of the law and therefore also to the needs of protection of the person, is the one that is based, ultimately, on two macro categories:

 

– technical cookies, used for the sole purpose of “carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the contractor or user to provide such service” (see art. 122, paragraph 1 of the Code);

 

– profiling cookies, used to trace back to specific, identified or identifiable subjects, specific actions or recurring behavioral patterns in the use of the features offered (patterns) in order to group the different profiles within homogeneous clusters of different sizes, so that it is possible for the owner, among other things, to also modulate the provision of the service in an increasingly personalized way beyond what is strictly necessary for the provision of the service, as well as send targeted advertising messages, i.e. in line with the preferences expressed by the user in the context of web browsing.

 

Similarly, other identifiers can also be classified according to different criteria, the main one of which, however, remains the purpose for which they are used: of a "technical" nature or of a "non-technical" nature, the latter category being understood in a broad sense, since the current legal provisions, referred to below, aimed at protecting the confidentiality of electronic communications as well as personal information, are unequivocally formulated according to the scheme of a general prohibition of processing of data of the interested parties, except for rigorously and restrictively codified exceptions, not susceptible to analogical extension.

 

 

For the use of cookies and other technical identifiers, by virtue of the function performed and within the limits and conditions referred to, the data controller will be subject to the sole obligation to provide specific information, even if inserted within the general information, their use falling within a codified hypothesis of exemption from the obligation to acquire the consent of the interested party; cookies and other tracking tools for purposes other than technical ones may, however, be used exclusively after acquiring the consent, however informed, of the contractor or user. 

 

For the purposes of expressing the consent referred to in paragraph 1, specific configurations of computer programs or devices that are easy and clear to use for the contractor or user may be used.

 

The methods for acquiring online consent in light of some appropriate clarifications and new recommendations.

 

The Guarantor believes that the system aimed at identifying the technical method for acquiring online consent for tracking by means of cookies (or also implemented by means of other tools) illustrated in the aforementioned provision of May 2014 is to be considered still valid, despite the changed regulatory framework that privileges and requires owners to act in compliance with the new accountability regime (art. 5, par. 2, of the Regulation) allowing them, if necessary, also to adopt different methods through which to ensure compliance with the rules and the protection of the interested parties.

 

The simple “scroll down” of the page cursor is in itself unsuitable for the collection, by the data controller, of an appropriate consent to the installation and use of profiling cookies or other tracking tools.

 

It does not seem to be possible to exclude, however, that scrolling may intervene in the consent acquisition procedure and constitute not the only, but rather one of the components of a more complex process that in any case allows the user to signal to the owner of the site, with the generation of a precise pattern, an unequivocal and conscious choice, which is at the same time recordable and therefore documentable, aimed at giving their consent to the use of cookies or other tracking tools, as required by the regulations in force.

 

This conclusion is, on the other hand, consistent today with the aforementioned regulatory approach aimed at enhancing accountability; therefore, and similarly to what was stated with reference to the power of autonomy of the owner in identifying the most appropriate solutions to achieve compliance with the rules of the personal data processing carried out, the Guarantor invites the owners to evaluate with extreme rigor every possible solution, even of a technical nature, suitable to be interpreted and recorded as a form of consent expressed by the user for the installation of cookies or for the use of other tracking tools.

 

 

 

In order for the same to be legitimately acquired, the same owner must also ensure that any alternative methods to those proposed in these Guidelines for expressing online consent are implemented in such a way as to make the effect of their action unequivocal for the user, equivalent to the manifestation of consent itself. This is to limit the incidence of so-called "false positives", i.e. erroneous interpretations of casual actions as conscious expressions of the user's will.

 

However, if in the specific case the user's action does not correspond to any unequivocal, documentable IT event with the aforementioned characteristics, even in terms of awareness for the user himself, then in no way will it be possible to attribute to such action the validity of consent pursuant to the legislation in force.

 

Further clarifications appear appropriate with reference to the so-called cookie wall, meaning with this expression a binding mechanism (so-called "take it or leave it"), in which the user is obliged, without alternative, to express his/her consent to the receipt of cookies or other tracking tools, under penalty of being unable to access the site.