The new guidelines on website cookies, presented by the Privacy Guarantor in July, are in force since 9 January. Companies that have not yet complied with law now risk sanctions. “Inspections will start in the coming weeks”, let the Privacy Guarantor know. The penalties are those, steep, of the GDPR: up to 4 percent of the company’s annual turnover. In short, the Guarantor asks companies to make life easier for users who browse their sites, with the now known (and infamous) cookie banners. Among other things, it must be possible to refuse all cookies by closing the banner, by clicking on the X; and no longer suffer the nagging re-proposition, after rejection. Until July, however – and even now with non-compliant sites – the user was often taken for exhaustion: accepting all cookies was by far the most convenient choice; refusing some or all cookies required a few more clicks, on various boxes, sometimes impractical on the small screen of the mobile phone. And who had managed to refuse cookies, with a good test of patience, then had to have as many later: because the same site could ignore that choice and continue to ask to accept them.
What companies have to do
From a legal point of view, the novelty is that companies will no longer be able to use cookies and other tracking tools on the basis of “legitimate interest”; in other words, they must always ask for the user’s consent. The only exception: cookies that do not track and do not profile. The technical ones and similar to them, here also including the analytical ones (analytics) as long as they only provide aggregate statistics, so they do not in any way track the individual user or computer, mobile phone (no IP address). However, the use of these cookies must be communicated on the home page or in the general information of the site. For profiling and tracking cookies, the new rules require information in simple language, also rendered in multilayer and multi-channel mode. The user must be able to close the information banner by clicking on a beautiful, clearly visible X and this click is equivalent to rejecting all cookies and other profiling techniques. It must be a command to accept cookies and a link to analytically choose what to accept and what to refuse. And, as mentioned, the company must memorize this information and never re-submit the consent request for at least six months.
Exception: it can re-propose earlier if the conditions of the processing have changed significantly and it is impossible for the manager to know if the cookie has been stored on the user’s device (this can happen if extensions or methods are used to “anonymize” navigation). Some practices, however disused, are prohibited, such as scrolling (when the sites consider cookies accepted if the user scrolls down the page) and cookie walls (the sites force the user to accept cookies to provide him with information or services) .
«It is necessary to adapt quickly. You really risk penalties for cookies, as happened in France where at the end of the year the privacy authority sanctioned Facebook and Google for 60 and 150 million euros “, says Rocco Panetta, lawyer.” In our experience, some Italian companies have adapted in full, others not at all and many others only in part. Partial adaptation is often the result of the use of ready-made solutions », he adds.
How companies must adapt
In short, the advice of the experts is to manually check the adjustment to the individual requests of the Privacy Guarantor; do not rely entirely on automated solutions or software. However, they can be useful. As the lawyer Antonino Polimeni says, «The fastest and cheapest way to adapt is to buy a tool. There are many around, all of quality, but be careful not to fall into the most common misunderstanding: the tools must be configured, they do not work magic ». “There are some companies that sell their tools as if they were legal consultancy, or they sell upgrades that add excessive features that go beyond what is necessary, playing a little with marketing and with the perception of the companies they buy. It is not so. The plugins, the saas, are very useful and indispensable tools for the adaptation, but they must always be submitted to the trusted lawyer or the DPO for the configuration and for the subdivision of cookies into categories. That then turning to lawyers also means making them assume responsibility for any non-compliance, ”says Polimeni.