The user experience and navigation in the online world have gradually become more straightforward, more intuitive and faster thanks to the introduction of additional functionalities and settings and the creation and delivery of targeted advertising. Profiling, in particular, has largely favoured the development and evolution of online advertising and has enabled advertisers to reach their ‘desired’ audience in a much more selective and efficient manner.
But how do these activities take place in practice, with a particular focus on profiling?
The leading tracking technology used to profile users in online services is the ‘cookie’.
In general, cookies are lines of text or small files that are sent by the website being browsed (so-called “publisher” or “first party”) or by a website other than the one visited (so-called “third party”) and stored on the user’s terminal device. The purpose is to access and collect data concerning these individuals and to build profiles and behavioural patterns (clusters), which the same websites can later use to convey advertising messages to those who match or (better) fit these profiles. The data collected may include, among many others, the time and place of connection of devices, IP addresses, Wi-Fi access points, browsing and purchasing history, likes and shares and, more generally, the behaviour and browsing habits of consumer users.
Cookies can thus be classified into different categories
Tracking technologies allow ad network providers to monitor and track users’ behaviour across a vast number of websites, thus posing some data protection problems.
On this point, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (‘ePrivacy Directive’), which states that ‘the storage of personal data in the electronic communications sector shall be subject to the provisions of this Directive’, is of primary importance. Article 5(3) states that “the storage of information or access to information already stored in the terminal equipment of a subscriber or user shall only be allowed on condition that the subscriber or user concerned has given his or her consent in advance, after having been provided with clear and comprehensive information under Directive 95/46/EC, among other things, about the purposes of the processing. This does not prohibit any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network or as strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide such a service.”
Therefore, for technical cookies (which allow browsing and the provision of the service requested by the user) there is only an obligation to provide information, whereas for profiling cookies (first or third party) the user’s consent is required, obtained after informing the user of the installation and purposes of such cookies.
In a subsequent measure, the Garante approved new guidelines on cookies and other tracking tools, through which, among the most relevant interventions
Moreover, the new Guidelines extend their scope beyond cookies to other tracking tools, such as fingerprinting, i.e. the recognition of the fingerprint formed by a set of unique and specific technical parameters of a device. The technique consists in combining pieces of information that, taken together, can identify, correlate or infer a user or a particular device over time.