New Italian cookie Guidelines: this is how the regulation of users' browsing data changes.
The acquisition of unambiguous consent from users
The main change introduced by the new Guidelines of the Italian DPA is the need to obtain an unambiguous consent from users in order to implement profiling cookies, analytical cookies that do not fall under the exemption cases and other tracking tools. In particular, if users do not give their prior consent, unlike in the current regulation, the owner of a website may only use technical cookies.
The continued use of a website, the so-called scrooling and cookie wall, is no longer considered a valid form of obtaining consent.
More specific conditions for excluding analytical cookies from consent
While the rules applicable to the use of technical cookies remain unchanged, regarding analytical cookies, the Italian DPA has subjected the possibility of excluding this category of cookies from the request for consent to more detailed conditions than those currently applicable. In particular, the implementation of analytical cookies may not require consent if such tracking technologies:
- are used only to produce aggregate statistics and in relation to a single site or a single mobile application;
- at least the fourth component of the IP address is masked in the case of third-party cookies;
- third parties do not combine analytics cookies, so minimized, with other processing or transmit them to other third parties, in order to avoid the increase of the risk of users' identification; this is without prejudice to the hypothesis that the production of statistics concerns third parties with data relating to multiple domains, websites or apps attributable to the same publisher or business group.
In order for the user to be able to decide whether or not to accept the implementation of cookies, the new Guidelines require that the user be adequately informed by means of an information, in an intelligible and easily accessible form, also in multilayer mode, i.e. by means of a banner containing a short information that refers to an extended information.
The banner must also contain the following elements/information:
- a button (usually an “X” in the top right-hand corner) that allows the banner to be closed while maintaining the default settings and thus denying the installation of cookies other than technical ones;
- a warning that closing the banner (e.g. by selecting the appropriate command marked by an X in the top right-hand corner) will result in the default settings remaining in place and, therefore, the continuation of browsing in the absence of cookies other than technical ones;
- a minimum information advising the user that the site may implement profiling cookies or other tracking technologies after obtaining his/her consent;
- a button allowing the user to accept the implementation of all cookies (or other tracking technologies);
- a link to a specific area where it is possible to analytically select only the functionalities, third parties and cookies to whose use the user chooses to consent and where it is also possible to modify the choices made.
Right to withdraw consent
The new Guidelines require the implementation of tools to ensure that users can change their cookie choices at any time.
In relation to this last point, the Italian DPA suggests the use of a graphic sign/icon or other technical solution, for example in the footer, to indicate the state of the consents previously given by the user, allowing the modification or updating of such consents.
The new Guidelines of the Italian DPA analyzed above represent a good instrument of harmonization of the national discipline with the GDPR and the decisions adopted by other Member States about cookies. In any case, the Italian DPA hopes that there will be soon a universally accepted codification of cookies, which is currently lacking, enabling technical cookies to be objectively distinguished from analytics or profiling ones.
Article provided by: Chiara Agostini (RP Legal & Tax, Italy)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)