New Italian cookie Guidelines: this is how the regulation of users' browsing data changes.

21.09.2021

On 9 July 2021, the Italian DPA released the new guidelines on the use of cookies. The purpose of these new guidelines is to achieve an higher level of transparency and to obtain an unambiguous consent for profiling data processing.

The acquisition of unambiguous consent from users

The main change introduced by the new Guidelines of the Italian DPA is the need to obtain an unambiguous consent from users in order to implement profiling cookies, analytical cookies that do not fall under the exemption cases and other tracking tools. In particular, if users do not give their prior consent, unlike in the current regulation, the owner of a website may only use technical cookies.

The continued use of a website, the so-called scrooling and cookie wall, is no longer considered a valid form of obtaining consent.

 

More specific conditions for excluding analytical cookies from consent

While the rules applicable to the use of technical cookies remain unchanged, regarding analytical cookies, the Italian DPA has subjected the possibility of excluding this category of cookies from the request for consent to more detailed conditions than those currently applicable. In particular, the implementation of analytical cookies may not require consent if such tracking technologies:

  • are used only to produce aggregate statistics and in relation to a single site or a single mobile application;
  • at least the fourth component of the IP address is masked in the case of third-party cookies;
  • third parties do not combine analytics cookies, so minimized, with other processing or transmit them to other third parties, in order to avoid the increase of the risk of users' identification; this is without prejudice to the hypothesis that the production of statistics concerns third parties with data relating to multiple domains, websites or apps attributable to the same publisher or business group.

 

Information

In order for the user to be able to decide whether or not to accept the implementation of cookies, the new Guidelines require that the user be adequately informed by means of an information, in an intelligible and easily accessible form, also in multilayer mode, i.e. by means of a banner containing a short information that refers to an extended information.

In particular, the site that intends to use cookies other than technical ones must present, at the first visit by the user, a banner of adequate and appropriate size that does not prevent the consultation of the site.

The banner must also contain the following elements/information:

  • a button (usually an “X” in the top right-hand corner) that allows the banner to be closed while maintaining the default settings and thus denying the installation of cookies other than technical ones;
  • a warning that closing the banner (e.g. by selecting the appropriate command marked by an X in the top right-hand corner) will result in the default settings remaining in place and, therefore, the continuation of browsing in the absence of cookies other than technical ones;
  • a minimum information advising the user that the site may implement profiling cookies or other tracking technologies after obtaining his/her consent;
  • a link to the extended privacy policy that is always accessible from the footer of any page on the site;
  • a button allowing the user to accept the implementation of all cookies (or other tracking technologies);
  • a link to a specific area where it is possible to analytically select only the functionalities, third parties and cookies to whose use the user chooses to consent and where it is also possible to modify the choices made.

 

Right to withdraw consent

The new Guidelines require the implementation of tools to ensure that users can change their cookie choices at any time.

In relation to this last point, the Italian DPA suggests the use of a graphic sign/icon or other technical solution, for example in the footer, to indicate the state of the consents previously given by the user, allowing the modification or updating of such consents.

The new Guidelines of the Italian DPA analyzed above represent a good instrument of harmonization of the national discipline with the GDPR and the decisions adopted by other Member States about cookies. In any case, the Italian DPA hopes that there will be soon a universally accepted codification of cookies, which is currently lacking, enabling technical cookies to be objectively distinguished from analytics or profiling ones.

 

Article provided by: Chiara Agostini (RP Legal & Tax, Italy)

 

 

Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.