Privacy & Cybersecurity Law Blog

Laura Liguori of Portolano Cavallo reports that on June 10, 2021, the Italian Data Protection Authority (Garante or “DPA”) adopted a new version of its guidelines for cookies and other tracking mechanisms (the “Guidelines”).

The Guidelines replace the resolution dated May 8, 2014, which set out simplified arrangements to provide information and obtain consent regarding cookies. The 2014 resolution previously had been superseded by changes to the applicable legal framework, including the entry into force of the EU General Data Protection Regulation (“GDPR”).

The Guidelines make major changes to guidance previously provided by the Garante. Below is an overview of the key points:

Types of Online Markers and Legal Grounds

The Garante indicates that the Guidelines apply to a variety of different technologies, including not just cookies, but also other types of identifiers (such as fingerprinting and radio-frequency identification tags). The Guidelines also distinguishes between “technical” cookies, used solely to allow a website to function, and “non-technical” cookies, used for a variety of purposes, such as associating certain actions or behavior patterns with identified or identifiable subjects, potentially for the purpose of customizing a service or displaying targeted advertising to data subjects. Only technical cookies (and anonymized analytics cookies) may be used without user consent, as consent must be obtained in all other cases. More specifically, the Garante expressly prohibits using legitimate interest as a basis for using cookies and other tracking mechanisms.

Obtaining Consent: Scrolling and Cookie Walls

The Guidelines reiterate—in line with the general stance of European data protection authorities—that scrolling alone is not sufficient for obtaining valid consent. However, the Garante does allow the use of scrolling for the purposes of obtaining consent provided it is part of a wider process that can be documented and recorded on the site’s server and can be classified as a positive action the user has taken unequivocally indicating a choice to the site.

Cookie walls, which force users to express consent to receive cookies and other tracking mechanisms or else be blocked from accessing a site, are not permitted.

Reiteration of Consent

Reposting banners to seek consent when a user already has expressed preferences for the relevant website is prohibited. At least six months must elapse before a user can be asked to make a choice again. An exception is made for reposting banners in limited circumstances, e.g., cases in which one or more elements of the data processing terms change or in which the user has voluntarily deleted cookies installed on a device.

Multilayer Policy: Banners and Unabridged Policy

A user visiting a website for the first time should be shown a banner that is sized so as to be clearly distinguished from the rest of the page and that is designed so that people with disabilities can use it (pursuant to Law No. 4 of January 9, 2004). The banner must include (1) an “X” in the upper right corner that can be used to close it (in which case only technical cookies may be installed); (2) a simplified policy explaining the consequences of closing the banner, the use of cookies, and the relevant purposes; (3) a link to the “unabridged” privacy policy containing all the elements required under Articles 13-14 of the GDPR, as well as the classification criteria for categorizing the cookies/tracking mechanisms used by the controller; (4) a command for the user to accept placement of all cookies; and (5) a link to an area where the user can make an informed decision about which specific functions, third parties, and cookies to allow.

Companies will have six months to comply with the new Guidelines.