The user experience and navigation in the online world have gradually become more straightforward, more intuitive and faster thanks to the introduction of additional functionalities and settings and the creation and delivery of targeted advertising. Profiling, in particular, has largely favoured the development and evolution of online advertising and has enabled advertisers to reach their ‘desired’ audience in a much more selective and efficient manner.
But how do these activities take place in practice, with a particular focus on profiling?

The leading tracking technology used to profile users in online services is represented by ‘cookies’.

In general, cookies are lines of text or small files that are sent by the website being browsed (so-called “publisher” or “first party”) or by a website other than the one visited (so-called “third-party”) and stored on the user’s terminal device. The purpose is to have access to and collect data concerning these individuals, to create profiles and behavioural patterns (clusters) to allow the same websites to use them, at a later stage, to convey advertising messages to those who match or (better) fit these profiles. The data collected may include, among many others, the time and place of connection of devices, IP addresses, WIFI access points, browsing and purchasing history, likes and shares and, more generally, the behaviour and browsing habits of consumer users.

Cookies can thus be classified into different categories

  • from a subjective point of view – i.e. depending on the subject placing the cookie in the user’s terminal equipment and, therefore, on the subject acting as the controller of the personal data collected through such cookie – it is possible to distinguish between
    1. first-party cookies: these are cookies installed on the device by the same operators of the website on which the user is browsing;
    2. third-party cookies: these are cookies installed on the device by a third-party website other than the one the user is visiting through the latter;
  • depending on the purpose, it is possible to distinguish between:
    1. technical cookies: these are those cookies that are used to optimise website navigation and to enable the operator to provide the requested services, which can be further distinguished into
      • strictly necessary cookies, i.e. essential to enable navigation on the site and for it to function correctly; they do not store personal information and are set in response to user actions (such as, for example, setting privacy preferences, logging in or filling in forms)
      • functionality cookies, which allow additional functionality and personalised settings to be offered to the user (they are usually used to store specific preferences and information – such as language, country of origin, and products selected for purchase – without the user having to re-enter them on subsequent visits); and
      • performance or analytical cookies, which allow the operator to access, track and collect statistical information in an anonymous and aggregate form (such as, for example, the number of visitors to the site, their usage and interaction patterns) to improve products and services.
    1. profiling cookies: these cookies track users’ browsing movements to profile them according to their interests, habits, preferences and purchasing choices and group them into homogeneous clusters. These are the ones used in online behavioural advertising, i.e. targeted advertising, personalised according to the interests and preferences of profiled users.
  • based on the duration, it is possible to distinguish between:
    1. session cookies, i.e. cookies that are automatically removed when the browser is closed; and
    2. persistent cookies, i.e. cookies that are stored in the user’s terminal device until they expire or the user decides to delete them.

Tracking technologies allow ad network providers to monitor and track users’ behaviour across a vast number of websites, thus posing some data protection problems.

On this point, the Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (‘ePrivacy Directive’), Article 5(3) which states that ‘the storage of personal data in the electronic communications sector shall be subject to the provisions of this Directive, is of primary importance. Three of which state that “the storage of information or access to information already stored in the terminal equipment of a subscriber or user shall only be allowed on condition that the subscriber or user concerned has given his or her consent in advance, after having been provided with clear and comprehensive information under Directive 96/46/EC, among other things, about the purposes of the processing. This does not prohibit any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network or as strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide such a service.”

Therefore, while concerning technical cookies (which allow browsing and providing the service requested by the user), there is only an obligation to provide information, in the case of the use of profiling cookies (first or a third party), the user’s consent is required, obtained after informing him of the installation and purposes of such cookie.

On this point, the Garante per la Protezione dei Dati Personali (the Italian Data Protection Authority) has stipulated the obligation to provide on the home page or other page of a website that uses cookies a visible banner, clearly indicating

  • that the site uses profiling cookies to send targeted advertising messages;
  • That the site also allows third-party cookies to be sent;
  • A link to a more extensive information notice, where information is also provided on the use of technical and analytical cookies, and the possibility is given to choose which specific cookies to allow; and
  • An indication that on the extended information page, it is possible to refuse consent to installing any cookie.

In a subsequent measure, the Garante approved new guidelines on cookies and other tracking tools, through which, among the most relevant interventions

  • analytical cookies (first or third-party) are equated with cookies or other technical identifiers under certain stringent conditions (e.g. when they are only used to produce aggregate statistics and with a single site or a single mobile application, when at least the fourth component of the IP address is masked for third-party ones, etc.)
  • it is specified that the use of the banner that appears immediately and of adequate size in the case of cookies and other non-technical identifiers must contain a command (e.g. an X in the top right-hand corner) to close the banner without giving consent to the use of cookies or other profiling techniques
  • the reiteration of the request for approval in the presence of a previous failure to provide it is prohibited, except in exceptional circumstances;
  • the inappropriateness of specific methods of collecting support is sanctioned and in particular
    • – scrolling, i.e. scrolling the home page of the site, is in itself deemed unsuitable for the collection of a suitable consent, except in the sole hypothesis that it is included in a more articulated process in which the user can generate an event, which can be recorded and documented at the site’s server, which can be qualified as a positive action suitable to manifest the will to give consent to the processing unequivocally; and
    • – the cookie wall, which would de facto prevent access to the website (or service) by users who do not consent to all cookies and similar tracking technologies present on the domain, is considered unlawful, except in the hypothesis – to be verified on a case-by-case basis – in which the website offers the interested party the possibility of accessing, without consenting to the installation and use of cookies, an equivalent content or service, to be assessed in light of the principles of the GDPR.

Moreover, the new Guidelines extend their scope beyond cookies to other tracking tools, such as fingerprinting, i.e. the recognition of the fingerprint provided by a set of unique and specific technical parameters of a device that consists in combining a bunch of information that can identify, correlate or infer a user or a particular device over time.