Italian Cookie Law explained

On the 3rd of June 2014, Italian Data Protection Authority (DPA) has published official instructions for websites on how users should be informed about cookie usage (also known as "Cookie Law"). Deadline for implementation of those instructions is 12 months, which is 3rd of June 2015. Below you will find a summary of those instructions and a checklist to make sure your website is compliant with Italian Cookie Law.

Summary of Italian Cookie Law

First-party cookies

First-party cookies are cookies that are installed by the website publisher, in other words - it's cookies that are saved under the same domain/subdomain as the website itself. According to DPA, first-party cookies can be separated into two groups:

• Technical cookies. Do not require user consent. Basically, all cookies are needed to show your website correctly: session cookies, analytics cookies, functionality cookies.
• Profiling cookies. User consent is required. Cookies aimed to create user profiles (do not mix with user accounts). They are used to send ad messages targeted at this particular user or group of people where the user belongs.

Third-Party Cookies

Third-Party Cookies are cookies that are placed by the managers of another website ("third-party") via the publisher's website. Due to technical reasons, the website publisher (manager/owned/editor) is not responsible for any Third-Party Cookies.  The website at this point acts as a technical intermediary and must only provide a link to the information notices and consent forms of the third parties. Third-Party Cookies do not require user consent

Technical requirements

DPA requires to have two layers of user notification:

• Banner with the short  information notice and consent request
• Extended Privacy Policy page with a detailed description of Cookie Policy and cookies used on the website

Banner (popup message) requirements

On accessing the home page (or any other landing page) of a website, the user must be shown immediately a suitably sized banner. The banner must include the following information:

1. That the website uses profiling cookies to send advertising messages in line with the user's online navigation preferences (if any profiling cookies are used)
2. That the website allows sending third-party cookies as well (if third-party cookies are used)
3. A clickable link to the extended information notice
4. That on the extended information notice page the user may refuse to consent to the installation of whatever cookies
5. What if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she signifies his or her consent to the use of cookies.

Italian Cookie Law also describes a possibility to add an "I disagree" button (not required), which will remember the user's choice not to use cookies and will not show the banner anymore. We are currently working on adding this functionality. User consent can be saved as a technical cookie.

Extended Privacy Policy page

Extended Privacy Page should include:

1. all items required by Section 13 of the ITALIAN PERSONAL DATA PROTECTION CODE, that is (but not limited by) describe the detailed features and purposes of the cookies installed by the website
2. tools available to select the cookies to be enabled
3. possibility for the user to configure browser settings as a further mechanism to select the preferred use of cookies by the website, including at least a reference to the procedure to be followed to configure those  settings;
4. updated link to the information notices and consent forms of the third parties the publisher has agreed to let install cookies via his own website (if third-party cookies are used)

Extended Privacy Policy Page must be linked from short notice and all website pages as a link (possibly at the bottom of the page).

Notifying DPA

According to the instructions, profiling cookies, which are persistent in nature, have to be notified to the Italian Data Protection Authority. Technical cookies do not have to be notified to DPA.

Fines

Fines for not following the instructions:

• failure to provide information about cookies as well as other parts of Section 13 of the ITALIAN PERSONAL DATA PROTECTION CODE: 6.000 - 36.000 EUR
• installing cookies without users' prior consent (applies only for first-party profiling cookies): 10.000 - 120.000 EUR
• failure to notify processing operations to the DPA or the provision of an incomplete notification to the DPA under the terms of Section 37(1), letter d) of the Code: 20.000 - 120.000 EUR

The full version of Italian Cookie Law

You can find a full description of the requirements here: English version/Italian version.

Italian Cookie Law and Cookie Script

CookieScript is compliant with Italian Cookie Law if used properly. It is the website manager's responsibility to make sure he used correct settings and that his website complies with Italian Cookie Law.

Consent mode (Explicit or Implied)

First of all, the website manager/publisher has to find out what cookies are used on his website and choose Explicit or Implied mode. Depending on cookies used, CookieScript can be configured to be used in Explicit or Implied mode:

• Explicit: This must be used if you have first-party profiling cookies. Also can be used if you are not sure about what cookies do you have (just to be on the safe side).
• Implied: This can be used if you don't have first-party profiling cookies, that is if you are only using technical and/or third-party cookies.

Banner settings

Depending on the cookies used, the website manager has to make sure he has proper text used in the banner (see checklist below). Italian Cookie Law provides a possibility to use the "I disagree" button (not required), which will be implemented in CookieScript soon.

DPA instructions also describe the possibility of automatic consent - meaning that clicking any link to another page on the website will make the user automatically accept cookies. However, this is only mentioned in banner text requirements and doesn't say anywhere that it can actually be used. CookieScript has this functionality implemented, but use it at your own risk.

Privacy Policy Page

The extended Privacy Policy Page is important and the website manager must make sure it meets all requirements (see checklist below), otherwise, a fine of 6.000-36.000 EUR might be issued. The privacy Policy page is individual for each website and CookieScript is not involved in this part, however, you can use some of the Cookie Policy templates we provide (note that Cookie Policy is only part of the bigger Privacy Policy Page).

DPA requires to have "tools" to disable individual cookies on the website. Full integration of such tools into your website workflow is usually quite pricy and requires solid technical knowledge to work properly, so obviously, not everyone can afford them. In most cases, it's overkill and a waste of time.

Luckily, Italian Cookie Law does not describe exactly how "tools" should work, so providing any "Tools available to select the cookies to be enabled" would work, for example, links to browser extensions that make it possible to block individual cookies. We will soon make a list of such browser extensions which you can use on your Privacy Policy Page as "Tools to select the cookies to be enabled".