On June 13, 2015 the Italian Data Protection Authority (DPA) published a chart detailing types of cookies and necessary actions that the owner of a website must take.
Particularly interesting is the part in which the chart lists the third-party (TP) analytical cookies (like Google Analytics). It is clear from the chart that the website owner only needs to disclose those cookies in the privacy policy but does not need either to obtain consent or notify those cookies in a banner provided that (i) the website owner implements tools that reduce the identification capability of those cookies and (ii) the TP does non cross the information that are collected with other information that the TP already has. However, if the website owner does not implement at least a partial anonymization (and the TP does not cross the data collected), then these cookies are to be considered like first-party profiling cookies. On converse, if the third-party cookies are profiling cookies, then the notification must be done by the profiling TP.
Google Analytics itself grants using websites the possibility to conceal a portion of the url — this is the “partial anonymization” referred to by the DPA. Also consider that Google Analytics discloses that the collected data can (or cannot depending on the settings that the using website chooses) be shared with Google personnel and staff and to advertise other products and services of Google. Remember to choose the right settings when suing Google Analytics for your website.
See chart here
We thank Giampietro Malusa’, of counsel privacy professional to Studio Legale SIB, in Florence, Italy, for the explanations and illustrations of the chart that he published in LinkedIn.