The Privacy Garante – following the public consultation completed in 2020 – has released the new guidelines on cookies that update those of 2014 following the changes made by the GDPR.
Although they come out in the middle of the negotiation of the trilogue between the legislative institutions of the Union on the proposed ePrivacy Regulation, and their entry into force (ie 9 January 2022) could coincide with the final approval of the latter by Parliament and EU Council, the new guidelines interpret the current regulations of directives 2002/58/EC and 2009/136/EC on confidentiality in electronic communications, in light of the innovations introduced by the GDPR, without making anticipations with respect to the topics of the future ePrivacy regulation.
These are the main aspects addressed in the 2021 guidelines.
Cookies and other trackers – The guidelines and the relevant discipline are addressed indiscriminately to cookies and to any other “active” (such as pixel, clickcommand) or “passive” (e.g. fingerprinting) tracking technique.
Privacy notice – The full notice – pursuant to articles 13 and 14 GDPR – must also indicate the recipients of personal data and the data retention times; different channels and methods may be used (e.g. pop-up, video, chat).
Consent – The user must have the freedom to: (a) not making any decision (b) accept cookies and trackers (c) refuse them. For case (a) the banner must be able to close, meaning the maintenance of the initial default setting (i.e. the impossibility to place any cookie or tracker on the user’s device); for hypothesis (b) the banner will contain an “Accept all” button; for option (c) the banner will show a link to an underlying level area in which the user will have the possibility to consent only to some cookies or trackers (also aggregated by categories), to refuse them all or to revoke the consent previously granted. The user’s choice must be recorded both to document it as proof and to avoid re-showing the banner to the returning user. The banner can be re-proposed under certain conditions or after 6 months.
Scrolling – It is not an appropriate manifestation of consent except that it is part of a mechanism capable of being perceived as a positive and unambiguous action of the user’s willingness to consent.
Cookie wall – It must be considered illegitimate except that the owner of the site makes it possible to access equivalent content or services that do not require the use of trackers.
Technical cookies – That is, those essential for the functioning of the website or for the provision of the service requested by the user, if they are the only ones used, the banner is not required but they must be mentioned in the full notice.
Analytics – They are comparable to technical cookies provided that they are used only for statistical purposes and, moreover: if first-party analytics, they can also be used in clear text; if third party analytics, the fourth component of the IP address must be masked and third parties must refrain from combining them with other processing operations.
Status of consents – The Garante deemed it is good practice to provide an area containing the status of the consents given by the user, where they can be modified or revoked, accessible via a link located in the footer of any web page of the domain.