Intro - Digital era and protection from spam
Evolving technology and the growing use of the web call for updated privacy regulation, able to protect internet users from the proliferation of spam (that is, advertising sent without the consent of the recipient).
In Italy, individuals may report spam to the Data Protection Authority (Italian DPA) by filing reports, complaints and appeals, both against traditional forms of spam (such as unsolicited emails) and against newer forms (viral marketing, targeted marketing, social spam, etc.).
Please note that only individuals can contact the Italian DPA; legal entities, however, have access to the ordinary remedies (injunction and/or action for damages and, if they qualify, a criminal complaint). Whenever there are significant grounds to suspect unlawful data processing, the Authority may also act on its own initiative and issue injunctions, with prescriptions or sanctions.
The Italian DPA is competent to receive complaints whenever the recipient's email address is personal, even if it is on a corporate domain (e.g. nome.cognome@società.com).
The Italian DPA itself dictates the Guidelines on marketing activity and the fight against spam, in line with EU directives and with the existing regulatory framework.
The following Guidelines can be derived from the Italian DPA's measures:
1) no to spam, yes to "consumer friendly" commercial offers (see Complaints and Sanctions against spam)
2) no to personal data processing for marketing purposes without prior acquisition of consent (opt-in)
3) Providers must install spam filters to prevent phishing
4) mandatory to publish Privacy Policy on websites
5) no to marketing communications without prior release of privacy policy to the recipients
6) mandatory to provide in the Privacy Policy an email address to exercise the rights under Art. 7 of the Code (request of data cancellation, modification etc.).
7) mandatory separate checkbox, in order to acquire consent to data treatment for marketing purposes
8) yes to acquisition of just one consent for the various marketing purposes (sending advertising, market research, email, SMS, snail mail, phone calls)
9) consent to marketing communications must be free, informed, specific and documented in writing
10) Privacy Policy should specify that the consent to data processing is provided for both traditional advertising (eg. mail on paper, operator call) and advertising by automated means (eg. email) and that the right of opposition extends to both forms, or even to only one of them
11) transfer to third parties of the data collected is forbidden without acquisition of prior consent for this specific purpose
12) forbidden to send bulk email leaving the recipients' addresses visible
13) yes to "soft spam" or sending promotional emails to customers who have already purchased similar products
14) no to contracting out marketing campaigns without making sure that Agents and Subagents don't do any spamming
15) yes to commercial offers to Fans or Followers on Social Media
16) yes to "word of mouth" to friends
17) no to acquisition of contact details published on the web to spread advertising messages.
1) No to spam, yes to "consumer friendly" commercial offers - Complaints and Sanctions against spam
The general principle is that Consumers shouldn't receive advertising without their prior explicit consent.
Spam is unwanted advertising. Individuals can report spam to the Data Protection Authority.
The Italian DPA may apply injunctions, prescriptions and administrative penalties in relation to the various forms of spamming.
If possible unlawful processing of personal data emerges, the facts are reported to the judicial Authority, which may prosecute the party of its own motion.
The penalties are up to 500.000 euros!
2) No to personal data processing for marketing purposes without prior acquisition of consent (opt-in)
Data processing for marketing purposes is allowed only on an opt-in basis, that is, with the recipient's prior consent to the processing of data for marketing purposes.
Sending commercial communications without opt-in is considered spam. It is unlawful to send promotional communications without the recipient's prior consent, even if they mention the possibility of objecting to future mailings; only prior acquisition of consent ensures that these communications are lawfully made.
3) Providers must install spam filters to prevent phishing
Among spam threats, one of the most dangerous is phishing: fake emails, often carrying the logos or names of banks, institutions, the Post Office, etc., designed to steal the recipient's bank account or credit card passwords.
The recipient is deceived into clicking a link, through which the phishing takes place.
When you receive emails of this kind, do not click any link in the email and do not provide any personal information or the access keys to your bank account for any reason; it is also recommended to report the message as phishing through your Provider.
Providers such as Google offer, within the email account, the option to report a message as phishing or as spam, to make this easier for users.
The Privacy Authority establishes that Providers must take care to install special filters that make it possible to recognize spam ("mutual authentication of the respective servers, while respecting technological neutrality").
4) Mandatory to publish Privacy Policy on websites
Websites - whether they include the option to register, contain a simple contact form, or use cookies - collect information about users.
This is why websites must contain a Privacy Policy that specifies what use is made of the data collected and provides the additional information required by art. 13 of the Privacy Law 196/2003 (data controller, methods for cancellation requests or modification of data, etc.).
5) No to marketing communications without prior release of privacy policy to the recipients
Recipients of marketing emails must be informed beforehand, clearly and completely (in accordance with art. 13 of the Privacy Code), about the processing of their data.
Communications that merely mention the possibility of objecting to further emails are unlawful, since consent to receive email for marketing purposes must be acquired before any is sent.
6) Mandatory to provide in the Privacy Policy an email address to exercise the rights under Art. 7 of the Code (request of data cancellation, modification etc.).
The means of asking about the origin of the data and how they were acquired, or of requesting their modification or cancellation, must be "informal" (see Art. 8 of the Code); a registered letter therefore cannot be required, and a valid email address must be provided.
7) Mandatory separate checkbox, in order to acquire consent to data treatment for marketing purposes
On websites, when you collect personal data that you also want to use for marketing purposes, you must provide a dedicated checkbox that the user can optionally tick to consent to receiving marketing communications.
Generic consent to data processing does not permit sending marketing emails; consent to data processing for marketing purposes must be acquired.
8) Yes to acquisition of just one consent for the various marketing purposes (sending advertising, market research, email, SMS, mail on paper, phone calls)
Marketing consists of different activities, such as direct selling, sending advertisements, polls, etc., and for all of them it is acceptable to acquire just one consent, because the aim pursued (marketing) is one and the same.
Otherwise, the procedure would be too chaotic, for users as well.
9) Consent to marketing communications must be free, informed, specific and documented in writing
Consent to the sending of marketing communications, to be validly given, must be free, informed and specific; moreover, it must be documented in writing.
"Free": consent is not free, for example, when the checkbox is pre-ticked, or when signing up or using the services of the site is conditional on giving consent to data processing for promotional purposes.
In these cases the consent, as the Privacy Authority has repeatedly made clear, would not be "free" but "needed", since it is required for using a service, and therefore not validly acquired.
"Informed": it is so if the user has been given a clear and complete data processing policy (according to the provisions of art. 13 of the Code).
"Specific": for each purpose (marketing, profiling, transfer to third parties) an autonomous consent must be acquired.
You must keep the documentation relating to the acquisition of consent, so that you can produce it if a claim is brought against you; in that case documentary evidence is in fact required.
10) Privacy Policy should specify that the consent to data processing is provided for both traditional advertising (eg. mail on paper, operator call) and advertising by automated means (eg. email) and that the right of opposition extends to both forms, or even to only one of them
Processing of data for promotional purposes by automated tools has to be distinguished from processing by traditional, non-automated methods.
Therefore, while a single consent may be acquired for advertising by traditional means and by automated tools, the Policy must specify that: (i) the consent is given for advertising both by traditional means and by automated means; and (ii) the right of opposition extends to both forms, or even only to promotions sent by automated tools.
11) Transfer to third parties of the data collected is forbidden without acquisition of prior consent for this specific purpose
Please note that if the data controller intends to transfer to third parties the data collected through the contact form, site registration, etc., that purpose must be specified in the policy, together with the names of the acquiring third parties or at least their industry.
The consent collected for transfer to third parties must be separate from that obtained for marketing purposes by the data controller.
Third parties, once they have acquired the data, may send advertising communications only after giving the recipients their own privacy policy, unless the original acquisition of consent had already specifically identified the third-party transferee.
12) Forbidden to send bulk email leaving the recipients' addresses visible
Advertising through email lists or bulk email (email marketing) is widespread. It is forbidden to send bulk emails that leave the recipients' addresses visible, since each recipient would then learn all the other recipients' addresses. This practice constitutes disclosure of personal data to third parties.
Addresses must be kept hidden, for example by sending in blind carbon copy (Bcc) or by using dedicated bulk email programs (which forward the same email separately to each recipient with a single command).
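The two ways of keeping addresses hidden described above, together with a check that flags a message disclosing its recipient list, shown as an added example that is not part of the original page. The sender and recipient addresses are constructed and the function names are hypothetical.

```python
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "newsletter@shop.example"            # constructed sender address
RECIPIENTS = ["anna@example.com",              # constructed recipient list
              "bruno@example.org",
              "carla@example.net"]


def _new_message(subject, body, to_header):
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to_header
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses that every reader of msg can see in its To/Cc headers."""
    headers = [str(h) for name in ("To", "Cc") for h in msg.get_all(name, [])]
    return sorted({addr.lower() for _, addr in getaddresses(headers) if addr})


def exposes_other_recipients(msg, sender=SENDER):
    """True when To/Cc disclose more than one address besides the sender's."""
    others = [a for a in visible_recipients(msg) if a != sender.lower()]
    return len(others) > 1


def build_visible(subject, body, recipients):
    """The forbidden practice: the whole list is placed in the To header."""
    return _new_message(subject, body, ", ".join(recipients))


def build_bcc(subject, body, recipients):
    """One message; recipients exist only in the SMTP envelope.

    Returns (message, envelope_recipients). The envelope list is what would
    be passed as to_addrs to smtplib.SMTP.send_message(); it is never
    written into a header, so it never reaches the other recipients.
    """
    return _new_message(subject, body, SENDER), list(recipients)


def build_individual(subject, body, recipients):
    """One separate message per recipient, as bulk email programs do."""
    return [(_new_message(subject, body, rcpt), [rcpt]) for rcpt in recipients]


if __name__ == "__main__":
    subject, body = "Spring offers", "Our new catalogue is online."
    print("visible list exposes addresses:",
          exposes_other_recipients(build_visible(subject, body, RECIPIENTS)))
    bcc_msg, envelope = build_bcc(subject, body, RECIPIENTS)
    print("bcc message exposes addresses:", exposes_other_recipients(bcc_msg),
          "| envelope size:", len(envelope))
    for msg, env in build_individual(subject, body, RECIPIENTS):
        print(env[0], "sees only:", visible_recipients(msg))
```

Running `exposes_other_recipients` over outgoing messages before they are handed to the mail server catches a campaign that was assembled with the full list in To or Cc.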
13) Yes to "soft spam" or sending promotional emails to customers who have already purchased similar products
Soft spam is allowed. It consists in sending promotional emails, without specific consent, to customers who have already purchased similar products from the Company itself.
It presumes an interest in receiving promotions and offers from the supplier. To preserve the recipient's freedom, the email must always offer the chance to opt out.
14) No to contracting out marketing campaigns without making sure that Agents and Subagents don't do any spamming
In email marketing campaigns the sender is often not the data controller: one might then wonder whether or not the data controller is liable for spam sent by third parties (Agents).
On this point the Privacy Authority has clearly answered in the affirmative, provided that the Agent is subject to the decisions and data processing procedures established by the Promoter.
The Privacy Authority pointed out that the Promoter is the owner and manager of the data processing.
The Promoter is required to make sure that Agents and Sub-agents do not spam, and must always know to whom marketing campaigns are subcontracted, in order always to be able to reply to requests about data processing.
The Promoter must mention the Agent in the Privacy Policy unless the Agent is merely an executor under the Promoter's direct control.
15) Yes to commercial offers to Fans or Followers on Social Media
"Social spam" is increasingly widespread; it consists in sending promotional messages and links through Social networks. Using data found on Social media to send unwanted advertising or make unwanted phone calls is an illegal practice.
Sending is allowed in the case of personal posts, and also in the case of promotional messages sent to the Fans and Followers of a page.
If the recipient unsubscribes or unfollows, however, consent to receive promotional messages related to that brand can no longer be inferred. Commercial offers to Fans and Followers on Social media can therefore be sent as long as the recipients are following the Company page.
Regarding privacy and the use of Social media, it is recommended to read the terms and conditions of use carefully, because Social platforms may require acceptance of data processing for marketing and profiling purposes as a necessary condition of use; they might even require, as a condition of use, the acquisition of the data contained in your devices, such as email addresses and contact lists.
The policies of the Social platforms are increasingly simplified, tending to acquire consent for user profiling and for the acquisition of users' networks of contacts, unifying profiles across different services.
This practice facilitates "targeted spam", the sending of commercial communications to targeted users, which lowers the costs of marketing but restricts users' freedom, since their acceptance is required if they want to use a given platform.
16) Yes to "word of mouth" to friends
A marketing technique that is spreading more and more is "viral marketing", which consists in the viral spread of a promotional message via the web. In return for various incentives, the recipients forward the message to their contact lists. With this mechanism, the promotional message becomes the subject of word of mouth, which spreads "like wildfire".
It is legitimate to recommend a product to friends, while it is not legitimate to acquire data published on the web in order to spread advertisements.
17) No to acquisition of contact details published in the web to spread advertising messages.
Sending commercial communications without opt-in is spam, even if the recipients' data have been extracted from websites where they were published.
The publication of data does not in itself imply acceptance of receiving advertisements.
1) What cookies are
Cookies are small text files sent to your browser from visited sites; they are stored to be transmitted back to the sender when the site is visited by the user. They can be deleted from your browser settings.
2) Third party cookies
Third-party cookies are cookies sent to your browser not directly from the site you visited, but by third parties who use that site (eg. Facebook cookies sent to your browser as you visit a site linked to Facebook through a Social plugin).
3) Cookies purposes
Cookies can be used for different purposes: for user authentication, to monitor browsing sessions, to collect specific information on users who access a given server.
4) Technical cookies
Technical cookies make it possible to identify the user and are necessary for the provision of online services such as purchases, home banking, bill payments, authentication, personalization of the language, and multimedia content (if they expire at the end of the session), provided that they are not used for additional purposes.
They are used in response to a user's query and only for the intended purpose.
5) Analytic cookies
Analytic cookies collect aggregate data for statistical purposes. In this case the user must be provided with a clear policy, explaining which mechanism is used to ensure that the data remain anonymous.
6) Cookies for marketing purposes
Cookies for marketing purposes require prior opt-in before being placed in the user's browser. "Behavioural adv" (targeted advertising based on user behaviour, also known as "remarketing") is now widespread.
In this case, cookies are stored in the system with a unique id, which makes it possible to track the user's navigation on the site for statistical or advertising purposes. Depending on the user's behaviour, targeted ads can be displayed.
For example, a user interested in fitness can be shown AdWords display ads related to that industry while visiting sites with AdSense banners or YouTube.
7) Cookies for profiling users
Cookies for profiling purposes require prior opt-in to be released into the user's browser. For this purpose, it's not enough to inform about the use of cookies for advertising. Instead, you must specify that "cookies will enable the site to profile visitors for the purpose of direct marketing activities."
8) Opt-in principle (prior informed consent) for cookies
Except for technical cookies, where consent is evident from the request for the service, the use of all other cookies requires the prior consent of the user.
9) Requirements of consent
The consent required for using cookies must be specific (the purpose of the cookies must be specified), free (not needed) and explicit (it cannot be inferred). The website must show an appropriate cookie bar, as well as a Policy that indicates which cookies are used by the site and specifies the aims pursued by them.
10) How to disable cookies
Cookies can be enabled and disabled through your browser settings.
Some browsers allow you to selectively block third party cookies or cookies from specific domains.
There are also plug-ins that let the browser select cookies based on the domain from which they come.
Finally, the "do not track" feature, which is not yet considered a standard for browsers, lets you decide, for each site you visit, whether or not you want to be tracked by that site.
11) Who must acquire the consent: can third parties acquire the consent through first party websites?
The managers of each website have to make sure that consent is acquired for the use of cookies, including those of third parties.
However, the first party cannot be bound to specify the manner in which third party cookies operate, nor can third parties delegate to the first party website the acquisition of consent on their behalf.
Any request for consent must be specific, so that the user is able to make an informed choice.
1) Download of add-on conditional on the acceptance of data processing for marketing purposes: illegitimacy
The Italian Data Protection Authority has ruled on the legality of requesting consent to data processing for marketing purposes as a condition for downloading a software add-on.
First, the situation alleged by the complainant was verified through a simulation, which confirmed the presence of a mandatory checkbox for "consent to data processing and to communications also for promotional purposes."
Without ticking the checkbox it was not possible to download the add-on. There was a link to the Privacy Policy, which described the procedures for refusing further promotional messages. The defendant argued in its defense that the communications sent were in fact exclusively related to the contract and that it had already taken steps to eliminate the procedure with the consent solicitation.
The Italian Data Protection Authority noted that: (i) for the provision of the service, data processing can be performed without obtaining consent (it is implicit in the conclusion of the contract); (ii) for other purposes (e.g. commercial) the prior acquisition of consent is required; (iii) to be valid, consent must be free and not needed: giving consent cannot be made a condition for receiving the service; (iv) consent must be given specifically for individual purposes, whereas here no autonomous opt-in checkbox for marketing communications was offered and a single consent was captured for both data processing and marketing purposes, with only the chance to opt out later; (v) the defendant could have acquired only the consent for data processing and done "soft spam"; it instead decided to request a consent that is not freely given.
The decision (of 11/21/2013): the described procedure for obtaining consent constitutes unlawful data processing; it is therefore necessary to adopt a measure prohibiting the processing of data acquired in this manner for sending promotional messages. Any breach of this prohibition is punishable with imprisonment from 3 months to 2 years and a penalty of 30 thousand to 180 thousand Euros.
Interested parties can take civil action to claim damages.
The defendant may object to the measure within 30 days of notification, by appealing to the Court of the place where the data controller has its registered office.
2) Opposition to data collection and complained inadequacy of the response: request rejected
The Italian Data Protection Authority ruled on the response to an objection to data collection: the complainant had submitted a web form. He complained about the delay and inadequacy of the response received after he had written to the data controller asking for confirmation of the data held about him, their origin, and their cancellation.
He did so because he had received promotional emails but maintained that he had not given any consent. He asked the DPA for reimbursement of litigation costs and for an assessment of whether any abuse had occurred.
The Company argued that it had replied and deleted the data, which had been acquired when the applicant registered through the site, ticking the box to agree to data processing in accordance with the site rules.
The decision (10/10/2002): The Data Protection Authority rejected the request but nevertheless ordered the defendant to pay half the litigation costs because of "reasons related to the content of the reply sent before and after the claim was submitted".
3) Sending promotional emails having acquired consent in a generic form: illegitimacy
The Italian Data Protection Authority ruled on a case of promotional email sent by Agents on the basis of a consent that the applicant claims to be invalid.
The complaint concerns a promotional message that appears to have been sent by a Company entrusted with carrying out a promotional campaign, which used its own contact lists, acquired through subscriptions to a website newsletter.
The Privacy Authority carried out an investigation of its own motion: to subscribe to the newsletter, one must tick a checkbox agreeing to "personal data processing", an expression that is not detailed enough. The opt-out option, which allows unsubscribing from the newsletter, is not sufficient. Consent was in fact acquired without specifying that it was meant for promotional purposes and, moreover, it was unduly required in order to obtain a service (the newsletter).
The decision (of 25/09/2014): The Authority considered that there had been unlawful processing of data and prohibited the entrusted Company from sending further promotional messages to the newsletter subscribers, requiring the site to adopt the correct feature: an option to express specific consent to data processing for promotional purposes.
4) Using an electronic communication network to access information stored in the user's terminal: unlawfulness (informed judicial Authority)
The Italian Data Protection Authority ruled on the acquisition of email addresses by a "random procedure", using special software, and on their use to send out promotional messages.
Introduction: In the past, the Authority had already blocked the processing of data acquired in this way, to prevent further violations. Following new complaints, it emerged that the site, with its database, had been transferred to another Company, and that a further Company had been founded which assumed the obligation to transfer to third parties the database of users registered to the site services.
It is established that: 1) in order to request the site services a general consent is acquired; 2) the policy is inappropriate, as its content leads the average user to underestimate the consequences of his consent, which therefore is not given freely (it is explained that cookies are designed to "store and sometimes track users data"; a third party is authorized to carry out "data processing for commercial purposes" and other purposes listed in the conditions of use, which are not reachable by a link, and consulting them shows that the data are transferred to third parties for marketing purposes; it is possible to unsubscribe only by registered letter with return receipt); 3) for registration to "newsletter and offers", the checkbox accepting the Privacy Policy is ticked by default; 4) no opportunity is provided to express consent separately for the different purposes (analysis, marketing, sale of data to third parties); 5) the use of cookies described in the policy violates the rules on using an electronic communications network to access information stored in the user's terminal (art. 122 Code); 6) requiring a registered letter to unsubscribe is against art. 8 of the Code (which requires cancellation without formalities).
That said, the Authority found that various data protection provisions had been violated; data acquired in breach of the rules cannot be used.
The decision (of 10/05/2006): The Italian Data Protection Authority prohibits the use of the data both by the Company sued and by the Company which acquired them (identified in the measure).
Any violation is punishable by imprisonment from 3 months to 2 years. The Privacy Authority informed the judicial Authorities so that they could ascertain the offense of unlawful processing of data (art. 167 Code).
© Copyright 2014 - 2018. All rights reserved. Any use of Material not expressly authorized by the Author Giacinto Elia "Agapeuno" Roma, Italia, constitutes copyright infringement, entitling the Author Giacinto Elia to exercise all rights and remedies available to it under copyright laws around the world. For authorization requests and orders, please email Giacinto Elia at info@agapeunoteam.com