On prior consent for embeds and third-party cookies

In Italy the term used is "technical intermediary". The ICO explains the problem in practical terms. UPDATE: Naturally, at the European level the approach is identical, without asserting a liability of the technical intermediary in respect of reasonable active conduct on its part where the third party's collection of prior consent is not evident, with a de facto presumption that the processing takes place even without informing the user. These are echoes of the well-known tracking of part of the world's Wi-Fi by the Google Cars.




What if we use third-party cookies?

Your online service may allow third parties to set cookies on a user’s device. For example, if you include content from a third party (eg from an advertising network or a streaming video service) this third party may read and write their own cookies onto users’ devices.

Where your website sets third-party cookies, both you and the third party have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. In practice, it is obviously considerably more difficult for a third party who has less direct control on the interface with the user to achieve this. It is also important to remember that users are likely to address any concerns or complaints they have to the person they can identify or have the relationship with – in this case you, as the company running the website. It is therefore in both parties’ interests to work together.

If you are a third party wanting to set cookies, or you want to provide a product that requires the setting of cookies, you should include a contractual obligation into your agreements with web publishers. This can provide assurance that appropriate steps will be taken to provide information about the third party cookies and to obtain consent. However, you may need to take further steps, such as ensuring that the consents were validly obtained.

If you design and develop websites or similar technologies for other people you must also carefully consider the requirements of PECR and make sure the systems you design allow your clients to comply with the law. You must also ensure that when you design and develop new online services, or upgrade software, that you take into account both the requirements in PECR and broader data protection requirements, particularly in respect of Article 25 of the GDPR on data protection by design.

This is an approach whereby privacy and data protection compliance is designed into systems and services right from the start, rather than being bolted on afterwards or ignored.

In short:

  • the third party offering embeds should provide for consent to be collected in compliance with the law
  • whoever develops a site can more easily collect prior consent to the use of third parties (and their cookies)
  • the third party and the developer should cooperate
  • this applies to profiling cookies, not to technical ones

19.07.2019 Spataro


