Skip to main content

Cookie Policy

1. What are cookies?

Cookies are small text files that the websites visited by users send to their terminals, where they are stored to be retransmitted to the same sites on the next visit. “Third-party” cookies, on the other hand, are set by a website other than the one the user is visiting. This happens because elements may be present on each site (such as images, maps, sounds, specific links to web pages of other domains, etc.) that reside on servers different from the one of the visited site.

2. What are cookies used for?

Cookies are used for different purposes: performing computer authentications, monitoring sessions, storing information on specific configurations concerning users who access the server, storing preferences, etc.

3. What are “technical” cookies?

These are cookies used to carry out navigation or to provide a service requested by the user. They are not used for further purposes and are normally installed directly by the website owner.

Without these cookies, some operations could not be performed or would be more complex and/or less secure, such as home banking activities (viewing account statements, bank transfers, bill payments, etc.), for which cookies, allowing the user to be identified and maintained during the session, are indispensable.

4. Are analytics cookies “technical” cookies?

No. The Italian Data Protection Authority (measure of May 8, 2014) clarified that they can be assimilated to technical cookies only if used for site optimization purposes directly by the site owner, who may collect information in aggregate form on the number of users and how they visit the site. Under these conditions, analytics cookies are subject to the same rules, in terms of information and consent, as technical cookies.

5. What are “profiling” cookies?

These are cookies used to track user navigation online and create profiles on their tastes, habits, choices, etc. Through these cookies, advertising messages can be sent to the user’s device in line with the preferences already expressed during online browsing.

6. Is user consent required for the installation of cookies on their device?

It depends on the purposes for which cookies are used and, therefore, whether they are “technical” or “profiling” cookies.

The installation of technical cookies does not require user consent, while it is necessary to provide information (art. 13 of the Privacy Code). Profiling cookies, on the other hand, may be installed on the user’s device only if they have given their consent after being informed through simplified methods.

7. How must the website owner provide simplified information and request consent for the use of profiling cookies?

As established by the Data Protection Authority in the measure referred to in question no. 4, the information must be structured on two levels.

When the user accesses a website (on the home page or on any other page), a banner must immediately appear containing a first “short” notice, the request for consent to the use of cookies, and a link to access a more “extended” notice. On this page, the user can find more detailed information on cookies and choose which specific cookies to authorize.

8. How should the banner be designed?

The banner must be large enough to partially cover the content of the webpage being visited by the user. It must be removable only through an active intervention by the user, i.e., by selecting an element contained in the underlying page.

9. What information must the banner contain?

The banner must specify that the site uses profiling cookies, possibly including “third-party” cookies, which allow sending advertising messages in line with the user’s preferences.

It must contain the link to the extended notice and the indication that, through that link, it is possible to refuse consent to the installation of any cookies.

It must specify that if the user chooses to continue by “skipping” the banner, they consent to the use of cookies.

10. How can the acquisition of consent through the use of the banner be documented?

To keep track of the consent acquired, the website owner may use a specific technical cookie, a system that is not particularly invasive and does not, in turn, require further consent.

In the presence of such “documentation,” it is not necessary to re-present the short notice on the user’s second visit to the site, without prejudice to the possibility for the user to refuse consent and/or modify their options at any time in a simple way, for example by accessing the extended notice, which must therefore be linkable from every page of the site.

11. Can online consent for the use of cookies be requested only through the use of the banner?

No. Website owners may always resort to methods other than the one identified by the Data Protection Authority in the above-mentioned measure, provided that the chosen methods meet all the legal requirements for valid consent.

12. Is the use of the banner also required for site owners who use only technical cookies?

No. In this case, the website owner may provide information to users in the way they consider most appropriate, for example, also through the inclusion of the relevant information in the privacy policy on the site.

13. What must the “extended” notice contain?

It must contain all the elements required by law, describe analytically the characteristics and purposes of the cookies installed by the site, and allow the user to select/deselect individual cookies.

It must include the updated link to the third parties’ privacy notices and consent forms with whom the website owner has entered into agreements for the installation of cookies through their site.

It must also recall the possibility for the user to express their cookie preferences through the settings of the browser used.

14. Who is required to provide the information and request consent for the use of cookies?

The website owner who installs profiling cookies.

For third-party cookies installed through the site, the obligations of information and consent lie with the third parties, but the website owner, as a technical intermediary between these and the users, must include updated links to the third parties’ privacy notices and consent forms in the “extended” notice.

15. Must the use of cookies be notified to the Data Protection Authority?

Profiling cookies, which usually remain over time, are subject to the notification obligation, while cookies with different purposes that fall within the category of technical cookies do not need to be notified to the Authority.

16. When do the measures prescribed by the Data Protection Authority in the provision of May 8, 2014, come into effect?

The Authority provided for a transitional period of one year starting from the publication of the measure in the Official Gazette to allow the parties concerned to comply. This period ended on June 2, 2015.