What is a “cookie”?
Cookies are small text files that are sent to the user’s terminal equipment (usually to the user’s browser) by visited websites; they are stored in the user’s terminal equipment to be then re-transmitted to the websites on the user’s subsequent visits to those websites. When navigating a website, a user may happen to receive cookies from other websites or web servers, which are the so-called “third party” cookies. This happens because the visited website may contain items such as images, maps, sound files, links to individual web pages on different domains that are located on servers other than the one where the page being visited is stored. In other words, these third-party cookies are set by a website other than the one the user is visiting at that specific time.
Cookies are used for IT authentication, to monitor browsing sessions and store specific information on users that access a given server; as a rule, they are present in substantial numbers in each user’s browser.
Certain operations could not be performed without cookies, which in some cases are therefore necessary for technical reasons. For instance, it would be much more complex and less secure to access home banking services and check one’s bank statement, transfer money, pay bills, etc. without using cookies that allow identifying the specific user and keeping such identification throughout the web session.
In some cases, cookies may stay in an IT system for quite long and contain a unique ID. This enables a website using such cookies to track a user’s navigation within the website for statistical or advertising purposes – that is, the website can create a customized user profile starting from the pages the user visited, to then serve targeted ads to that user (this is the so-called “behavioural advertising”).
The e-privacy directive (Directive 2002/58/EC) was amended in 2009 by another directive (Directive 2009/136/EC) which introduced the “opt-in” principle for all those cases in which one plans to access or store “information” (including cookies) in the user’s/subscriber’s terminal equipment. This means that cookies may be stored in the terminal equipment of a user navigating the Internet only if that user has given his prior consent, after being informed clearly and in full on the mechanisms and purposes of the processing – as provided for in Article 5(3) of the e-privacy directive.
However, the directive still allows using cookies (or similar devices) without the user’s prior consent if they are used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.” Holder of the treatment under the current legislation is TaeSpeed Company based in Italy.