When you create a website, you must consider the protection of PII of users accessing the site from its design and by default, in compliance with the principles of Privacy by design and Privacy by default, referred to in art 25 GDPR.
From the beginning it is necessary to make a series of choices: whether to have or not to have cookies, whether to have your own, or to have third-party ones.
Cookies are installed on the user’s PC or other kind of device and have different purposes. The user must be informed and must be able to choose whether to give his consent or not.
• Who is the data controller?
• What are the data being processed?
• What types of cookies does the website use?
• What are the purposes of the treatment?
• To whom is the information transmitted?
• Is there data transfer abroad?
• What are the rights of the data subjects?
The actions to be taken will differ according to the cookies installed on the website. A distinction is made between technical cookies, which are used to make the website work, analytical cookies and profiling cookies.
In the description of the cookies it is correct to indicate the supplier, the type of cookie, the function, the duration timespan.
All other cookies need:
• a notice ……………………..………………………..for anonymised third-party analytical cookies
• a banner, consent and notice ……………… for first and third party analytical cookies that are not anonymised
• a banner, consent and notice ……… … for first or third party profiling cookies
The indications that the Italian DPA had issued on cookies were prior to the GDPR and therefore at the time the first-party technical and analytical cookies were considered together.
The indications that the ICO (Information Commissioner’s Office) issued before Brexit are more rigorous: for the English DPA, consent is also necessary for analytical cookies, as they are not strictly necessary for the website to function.
The guidelines adopted by the EDPB (European Data Protection Board) on 04.05.2020 establish that in order for consent to be freely given, access to services and features must made not be conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)….. This does not constitute valid consent, as the provision of the service relies on the data subject clicking the “Accept cookies” button…. Based on recital 32, actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action: such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will also not be possible. Furthermore, in such a case, it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it.
When is consent required, therefore, how should it be given? With an unequivocal action, in accordance with recital 32 GDPR, for example by affixing a flag or by clicking a button inside the banner. The consent given must be tracked. The previous indication that was used in the banners, provided as an implicit form of acceptance of cookies scrolling the page, or closing the banner.
Today, where consent is required, based on the type of cookies used, the unequivocal action (click, flag) by the user is required, which must equally easily be able to withdraw consent. This implies that where there are more consents on the banner that can be ticked, they are set by default on rejection (no, I do not agree, flag not ticked). The user can thus freely choose whether or not to allow his behavior to be profiled.