If you own a website or work as a webmaster, you're likely familiar with the barrage of privacy-related updates coming from all directions.
On one hand, there's the introduction of the new Cookie Law/GDPR regulation, which dictates the handling of cookies, disclosures, and proper behavior concerning cookies and third-party software.
On the other hand, we're witnessing heightened concerns following the invalidation of the "Privacy Shield" by the Schrems II judgment. That ruling bars the transfer of data to the United States, and to U.S. entities even when their servers/data centers are located in Europe.
Recent events include an initial ruling by a German court against the use of the CookieBot software, and actions by the privacy regulators of Austria and Norway blocking Google Analytics.
Additionally, the Italian Privacy Guarantor announced its inspection plan for the first half of the year in its January 31, 2022 newsletter. The focus areas include data processing by various entities such as database providers, dating sites, and manufacturers of smart toys.
Here is the summary of the resolution:
The own-initiative inspection activity carried out by the Office of the Supervisor, including through the Guardia di Finanza, is directed:
(a) to assessments within the scope of:
- processing of personal data with regard to "database providers"
- processing of personal data with regard to the proper handling of cookies
- the video surveillance sector
- processing of data by dating sites, data monetization operators, and manufacturers of smart toys
The Supervisor also makes explicit that the Office may carry out additional investigative activities of an ex officio inspection nature, including in relation to reports or complaints.
This complex and evolving landscape makes ensuring compliance essential. The questions to ask at this stage are:
"Am I confident in my compliance?"
"Does the solution I'm using truly meet regulatory requirements, or is it merely cosmetic?"
"What economic and reputational risks do I face if I fail to adapt?"
So let us look, in five points, at the features a software solution for cookie compliance should have:
3 buttons + 1
The three buttons in a privacy banner are "Accept," "Customize," and "Reject," through which the user makes a choice. This holds throughout Europe; Italy additionally requires an X close button with the same function as the "Reject" button. In theory the X could replace the "Reject" button, but that would leave the site non-compliant with the rest of the European rules, which require the three buttons. So when choosing a privacy system for cookie blocking, check that it complies both with Europe (the three buttons are present) and with Italy (the X in the upper right corner is present in addition to the three buttons).
As for wording, we are currently seeing alternative, often very imaginative, labels in place of the canonical "Accept," "Customize," and "Reject."
The question that should be asked is:
"Is it worth the risk of fancy wording?"
Data location
As you can easily guess, a cookie management software system can be installed directly on your own site hosting, or as an external service, on servers of third-party companies.
This may seem a negligible detail, but it certainly affects cost, since an external service may impose a monthly limit on page views.
Is that all there is to it? Unfortunately, no, because this external software often belongs to U.S. companies.
The Privacy Shield previously authorized the transfer of data between the EU and the U.S.; since its invalidation in July 2020, data can no longer be exported to the U.S., and therefore the services of U.S. companies can no longer be used.
A clear example of this is what happened in late December 2021 in Germany:
"RheinMain State University is no longer allowed to integrate the Cookiebot service on its website www.hs-rm.de. The Wiesbaden Administrative Court's emergency decision strictly prohibited its use."
Cookiebot, in fact, stores cookies on its own systems by default. The problem is that this storage transfers website visitors' data to the servers of a U.S. company, namely those of the cloud provider Akamai Technologies.
Although the server is located in the European Union, due to the so-called "Cloud Act," U.S. authorities also have full access to these servers, and to all personal data of users contained therein.
This conflicts with the ruling of the European Court of Justice, effectively making the use of such tools sanctionable. The sanction, of course, falls on the site owner.
The recommended and most protective choice, while waiting for the U.S. and European authorities to agree on rules for data transfers to the U.S., is definitely to prefer Italian or European companies and, where possible, solutions that store the data you need in the only place it needs to reside: your own hosting service.
Granular Consent
Granular consent is the user's ability to express consent, separately, to each use of his or her data.
In its June 10, 2021 guidelines, the Garante, implementing the cornerstone GDPR principles of privacy by design and privacy by default, allows third-party cookies and software to be grouped visually by category.
This does not alter the fact that consent must be expressible analytically, that is, cookie by cookie, regardless of the visual grouping.
In fact, in paragraph "7.1 The mechanism for acquiring consent", under "v", the Guarantor states:
[the banner must contain] the link to a further dedicated area in which it is possible to select, analytically, only the features, the so-called third parties - whose list must be kept constantly updated, whether they can be reached through specific links or also through the link to the website of an intermediary entity representing them - and cookies, also possibly grouped by homogeneous categories, to whose use the user chooses to consent.
Analytical, then, means fully detailed: cookie by cookie.
The question that should be asked is:
"Does the banner you have chosen for your website allow analytical choice as required by the Guarantor?
Or is it limited to consent expressed only by categories?"
Cookie preference log
Regarding the documentation of consent acquisition, the Italian Guarantor clarifies in its FAQ that site owners may utilize a special technical cookie to track gained consent. Therefore, there's no need for a cookie registry. This approach aligns with the principle of "Privacy by default," which emphasizes processing only necessary personal data for specific purposes.
A registry, if created, must adhere to standards by capturing the user's latest choice without retaining previous selections. Failure to do so could result in unauthorized profiling, necessitating specific consent.
Furthermore, the Guarantor emphasizes that the use of a technical cookie for this purpose is non-invasive and does not require additional consent.
Preventive blocking
Preventive blocking refers to the obligation to block all non-technical cookies unless the user provides consent. This applies to every type of third-party software, including Google Maps, reCAPTCHA, and embedded videos.
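As an added illustration, not code from the original post, the following first-party consent script ties together the "Cookie preference log" and "Preventive blocking" points: one technical cookie that is overwritten with the user's latest per-vendor choice (no history kept), and third-party tags that stay inert until that choice allows them. The cookie name, the vendor list and the data-vendor attribute are assumptions chosen for the example.

```javascript
// Added example, not from the original post; cookie name, vendor list and data-vendor attribute are assumptions.
const CONSENT_COOKIE = "cookie_consent";                       // assumed technical cookie
const VENDORS = ["google-maps", "recaptcha", "youtube-embed"];  // constructed third-party list

// One record holds one boolean per third party (analytical, cookie-by-cookie choice).
// Anything not explicitly granted is denied, and no history of earlier choices is kept.
function buildConsent(choices, now = Date.now()) {
  const record = { ts: now, vendors: {} };
  for (const v of VENDORS) record.vendors[v] = choices[v] === true;
  return record;
}

// "Accept" and "Reject" produce the same record shape as "Customize".
function acceptAll() { return buildConsent(Object.fromEntries(VENDORS.map(v => [v, true]))); }
function rejectAll() { return buildConsent({}); }

// Serialize for document.cookie. Rewriting the single cookie overwrites the
// previous selection, so only the latest choice survives.
function toCookieString(record, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Parse document.cookie (or a Cookie header); absent or tampered cookie -> null, i.e. no consent.
function parseConsent(cookieHeader) {
  const part = cookieHeader.split(/;\s*/).find(c => c.startsWith(CONSENT_COOKIE + "="));
  if (!part) return null;
  try { return JSON.parse(decodeURIComponent(part.slice(CONSENT_COOKIE.length + 1))); }
  catch { return null; }
}

// Preventive blocking: third-party tags ship as <script type="text/plain" data-vendor="...">
// so the browser never runs them. Only the vendors returned here may be activated.
function allowedVendors(record) {
  if (!record || !record.vendors) return [];
  return VENDORS.filter(v => record.vendors[v] === true);
}

// Browser-only step: swap each blocked tag for a live one (guarded so the rest runs in Node).
function activateScripts(record) {
  if (typeof document === "undefined") return;
  for (const v of allowedVendors(record)) {
    document.querySelectorAll(`script[type="text/plain"][data-vendor="${v}"]`).forEach(blocked => {
      const live = document.createElement("script");
      if (blocked.src) live.src = blocked.src; else live.textContent = blocked.textContent;
      blocked.replaceWith(live);
    });
  }
}
```

On a page, the banner's three buttons call acceptAll(), rejectAll() or buildConsent(userChoices), write toCookieString(...) to document.cookie, and then call activateScripts(parseConsent(document.cookie)); on later visits the same last call runs at load time.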
Compliance with the GDPR and the Cookie Law goes beyond superficial warnings: it requires real technical work to ensure compliance and avoid significant penalties. Now more than ever, that work is worth investing in, given the evolving regulatory landscape, the heightened inspection activity of the regulators, and the expiration of the Privacy Shield agreement that previously covered data transfers to the U.S. Ignoring these aspects is not an option.
Have you and your clients truly made informed decisions regarding compliance on your websites?
We invite you to share your thoughts and experiences by commenting on our post. Your insights are invaluable as we navigate these complex regulatory landscapes together.