Getting analytical about cookies
Websites have been using Cookie Consent Banners that appear to comply with GDPR but use subtle ways to make it more likely that users will agree to the Cookies. Regulators from various jurisdictions have been promoting stricter requirements to obtain clear, unambiguous freely-given consent.
The Italian DPA, the Garante, recently (June 2021) released a new set of guidelines on cookies. The guidelines require website owners to obtain unambiguous consent form users before placing profiling and analytical cookies. There is an exception from the consent requirement for analytical cookies that are used solely for aggregate statistics of a single website.
Websites are required to give users information that is clear and easily accessible and the banner must not prevent the user from browsing the website (no ‘cookie wall’, as clarified in the CJEU’s ruling in the Planet49 case).
In particular, the banner must contain the following information:
a button (usually an “X” in the top right-hand corner) that allows the banner to be closed. When users press this, only technical cookies may be placed on their browsers;
a warning that closing the banner means only technical cookies will be used;
a minimum information advising the user that the site may implement profiling cookies after obtaining his/her consent;
a button allowing the user to accept the implementation of all cookies;
a link to a specific area where it is possible to analytically select only some cookies including third party cookies and where it is also possible to modify the choices made.
Users must also be made aware that they can change their cookie choice at any time and there must be an easy link for them to do this.
Whilst the new Guidelines are only mandated by the Italian DPA, the other authorities are moving towards this level of information too and companies would be advised to amend their Cookie Banners accordingly. Most cookie management tools have not yet, to our knowledge, amended their tools to reflect this advice, and since most organizations rely on a provider and have not developed their own cookie management tools, it may take some time before cookie tools in the market reflect this guidance.