Did someone say cookies?!
First, let’s take a minute to refresh our memory about the magic world of cookies and tracking tools.
The two most important macro categories are:
- First-party cookies, directly stored by the visited website and don’t require user consent;
- Third-party cookies, stored by different domains and require user consent unless they:
- Prevent direct identification of the data subject;
- Are used in relation to an individual website or mobile application;
- Do not forward the data to other third parties;
- Do not match the data with any other information.
Both first-party and third-party cookies can also be:
- Technical cookies, for the correct functioning of websites. Providing specific information about them will be sufficient; user consent won’t be necessary here.
- Profiling cookies, used to trace actions and user behavior, enabling controllers to level up on the customization and targeting of their advertising. User consent? Cannot miss!
- Analytical cookies, used exclusively for anonymous, statistical purposes and not shared with third-party tools.
Golden rules for legally acquiring user consent
Okay, now that we master theory, let’s kill practice!
Positive news: the Garante confirmed the use of banners as valid means for user consent acquisition. However, you should make sure to put a little bit of makeup on them.
Consent will be valid only if considered “the result of an affirmative, conscious action by the user”, to be appropriately identified and demonstrated by websites. Practically speaking, the banner shall contain:
- An ‘X’ at its top right end. If a user clicks it, browsing can continue without cookies or other tracking tools (technical ones excluded, of course);
- A minimal information notice about the use of technical cookies or other technical tools and their functioning;
- A command (which sounds way cooler than “button”), through which users can accept the storage of all cookies or the use of other tracking tools;
- A second link to a specifically designated area with all the functionalities, third parties and cookies to which the user chooses to consent. Grouping cookies into categories will make you evolve to a higher level.
No more scrolling or cookie walls
- Okay, we see why scrolling cannot represent an “affirmative, conscious action by the user”, don’t we? Thus, it no longer equals valid consent.
- Bad bad cookie walls. Exactly, the Garante took it out on them as well: if the website does not allow user navigation without cookie consent, cookie walls will have to be broken down.
Repetita not always iuvant
A banner showing up every single time a user accesses a website after already having given or denied cookie consent can turn out to be an irritating repetition. That’s when the Garante steps in to protect the user’s peace of mind, recording his or her choice and not asking for consent any longer unless:
- One or more of the circumstances of the processing changes significantly;
- It is impossible for the website to keep track of the user’s previous choices;
- At least six months have passed since the banner was last shown.
Noncompliance phobia? We got this!
If you made it here but you realized that you are still missing a few pieces to please the Garante, don’t panic. We are here to help you find your way out of the labyrinth of cookie policies, implementing compliant and high-performing cookie banners!