The Privacy Garante, following the public consultation completed in 2020, has released new guidelines on cookies that update those of 2014 in light of the changes made by the GDPR.
Although they come out in the middle of the trilogue negotiations between the legislative institutions of the Union on the proposed ePrivacy Regulation, and their entry into force (i.e. 9 January 2022) could coincide with the final approval of the latter by the Parliament and the EU Council, the new guidelines interpret the current rules of Directives 2002/58/EC and 2009/136/EC on confidentiality in electronic communications in light of the innovations introduced by the GDPR, without anticipating the topics of the future ePrivacy Regulation.
Previous model
The model indicated by the Garante in 2014 for managing notice and online consent in relation to cookies and other trackers was essentially based (if the cookies were not only “technical”) on a banner published on the web page of first access. The banner contained a short notice that linked to an extended one, together with the warning that any operation constituting a perceptible discontinuity (i.e. in essence, the continuation of online navigation) would represent the user’s acceptance of all cookies. In the full notice, the user could then make more granular choices or revoke any consent already given. In the 2021 guidelines, also in light of the contributions received during the public consultation, the Garante takes the view that this system remains substantially valid, albeit with the adjustments made necessary by the GDPR.
Main issues
These are the main aspects addressed in the 2021 guidelines.
Cookies and other trackers – The guidelines and the relevant rules apply without distinction to cookies and to any other “active” (such as pixel, clickcommand) or “passive” (e.g. fingerprinting) tracking technique.
Privacy notice – The full notice – pursuant to articles 13 and 14 GDPR – must also indicate the recipients of personal data and the data retention times; different channels and methods may be used (e.g. pop-up, video, chat).
Consent – The user must be free to: (a) not make any decision, (b) accept cookies and trackers, or (c) refuse them. For case (a), it must be possible to close the banner, which means keeping the initial default setting (i.e. no cookie or tracker can be placed on the user’s device); for case (b), the banner will contain an “Accept all” button; for case (c), the banner will show a link to a second-level area in which the user can consent only to some cookies or trackers (also grouped by category), refuse them all or revoke consent previously granted. The user’s choice must be recorded, both to document it as proof and to avoid showing the banner again to a returning user. The banner can be shown again under certain conditions or after 6 months.
Scrolling – It is not an appropriate manifestation of consent unless it is part of a mechanism that can be perceived as a positive and unambiguous action expressing the user’s willingness to consent.
Cookie wall – It must be considered illegitimate unless the owner of the site makes it possible to access equivalent content or services that do not require the use of trackers.
Technical cookies – These are the cookies essential for the functioning of the website or for the provision of the service requested by the user. If they are the only ones used, the banner is not required, but they must be mentioned in the full notice.
Analytics – They are comparable to technical cookies provided that they are used only for statistical purposes and, in addition: for first-party analytics, they can also be used in clear text; for third-party analytics, the fourth component of the IP address must be masked and the third parties must refrain from combining them with other processing operations.
Status of consents – The Garante deems it good practice to provide an area showing the status of the consents given by the user, where they can be modified or revoked, accessible via a link located in the footer of every web page of the domain.