It’s hard to believe that it has been a few years since the updated cookie “consent” rules came into effect across Europe. At that time, it was pretty much the hot topic in the data privacy world as we all grappled with the rules’ implications and how to implement appropriate compliance mechanisms. However, in recent times, one would be forgiven for almost forgetting those days. The early forecasts of intense DPA cookie enforcement activity didn’t quite happen, and we’ve also had the minor issue of the new draft Regulation and the Snowden affair (not to mention the ongoing daily challenges presented by data security, data processing contracts, BYOD, cloud computing issues, etc.) to keep us all occupied.
The Italian Data Protection Authority (Garante) has published guidance on complying with the cookie requirements in Italy in order to obtain the express consent of the user. The main points are as follows:
- The requirement to notify the Garante where profiling cookies and related technologies are used.
- Penalties under Italian data protection law can range from €6,000 to €120,000 (for example, for serving cookies without obtaining the appropriate consent and failing to notify the Garante of such processing activities).
- Operators shall benefit from a one-year grace period (expiring on 3rd June 2015) to implement the relevant measures.
The Dutch DPA noted that such violations would still exist even if the proposed amendments to the current Dutch cookie rules (currently going through the Dutch Parliament) were applied because such tracking cookies would still require user consent. This investigation follows the Dutch DPA’s earlier announcement that one of its priorities for 2014 is to focus on the profiling, tracking and tracing of internet users.
What this means now
- Audit your cookie use and find out what you’ve got
- Assess the intrusiveness of those cookies
- Adopt a notice and consent strategy
- Implement forward-facing cookie management mechanisms