What are the Italian DPA Cookie Guidelines

Italian Garante published updated cookie guidelines. What is Garante? How to deal with the Italian DPA Cookie Guidelines? Learn about it here!

What is Garante?

The Italian Data Protection Authority (Garante per la protezione dei dati personali, or simply Garante) is an independent authority set up to protect fundamental rights and freedoms in connection with the processing of personal data, and to ensure respect for individuals' dignity. 

What are the Garante Cookie Guidelines?

The Italian DPA adopted a resolution, on 8 May 2014, about the simplified arrangements for information notices and obtaining consent for the use of cookies. Since then, there have been several amendments to the applicable legal framework in Italy, including the entry into effect of the EU General Data Protection Regulation (GDPR). 

On 10 June 2021, the Garante published its updated guidelines concerning cookies and other tracking tools (Cookie Guidelines). The Cookie Guidelines aim to ensure that website owners comply with both the GDPR and the ePrivacy Directive. 

The Guidelines make it clear that they apply not only to cookies but also to other tracking tools such as fingerprinting (collectively “Cookies”). The Italian DPA divides cookies into “technical” cookies and “non-technical” cookies. Technical cookies (also referred to as “strictly necessary cookies”) are those used solely for the purpose of “carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the contracting party or user to provide that service”. On the other hand, non-technical cookies can be used for several purposes including tracking users and sending targeted advertising messages. 

Requirements of the Garante Cookie Guidelines?

According to the Italian DPA Cookie Guidelines, you must:

1. Obtain consent before setting non-technical cookies. 

Cookies and other tracking tools serving purposes other than the technical ones may only be used after obtaining informed consent from the user. 

2. Users visiting your site for the first time must be shown a cookie banner. 

This cookie banner should be clearly distinguishable from other components of the website. The banner should contain 

1) an “X” button at its top-right which when clicked should close it without placing any cookies other than the technical cookies; 

2) a minimal information notice which contains information about the cookies and purposes; 

3) a link to the privacy policy which should be one-click away containing information about all the elements of Article 13-14 of the GDPR; 

4) a command (button) through which consent can be given by accepting the storage of all cookies; and

5) a link to a dedicated area where users can make informed choices about which cookies, third parties, and functionalities to allow. 

3. Scrolling cannot be relied on as a means of valid consent. 

In line with the view of most EU data protection authorities, the Italian DPA also considers that mere scrolling down of the page bar cannot equate to obtaining valid consent. However, Garante states that in some instances scrolling may be used as a means of obtaining valid consent. This is the case when scrolling is one (and not the only) component of a more complex process that allows users to flag his/her informed and unambiguous choice, which can be recorded and documented. 

4. Cookie walls are illegal. 

Cookie walls are not permitted under the guidelines of the Italian DPA, except for the cases where the website controller provides the data subject with the option of accessing equivalent content or services without giving his or her consent to the storage and use of cookies or other tracking tools.

5. Analytics cookies can be used without consent only when it is not possible to single out a data subject. 

Analytics cookies can be considered technical cookies under strict conditions. In order for analytics cookies to be treated as technical cookies, it is essential to prevent direct identification of the data subject, or, in other words, keep your users anonymous.

6. At least 6 months must elapse before you can show your cookie banner again. 

When a user has made his/her choice regarding the cookies you cannot repost cookie banners repetitively. You must ensure that at least a 6-month period has elapsed before you can re-present the banner to the same user. However, there are exceptional situations which are 1) if one or more of the circumstances of the processing changes significantly, and you need to inform users exactly about the changes, and 2) the user has deleted the cookies lawfully stored in his/her device and the controller is no longer able to keep track of the user’s intention concerning the placement of cookies. Take a look at some GDPR cookie banner examples.

Read our blog to get a simplified breakdown of the latest EDPB Cookie Consent Guidelines.

How to Comply with the Italian DPA’s Consent Guidelines with Secure Privacy

Secure Privacy’s GDPR compliance solution is packed with enterprise-level features such as; 

• Advanced  ongoing website scanning with our unique GDPR cookie scanner that helps you detect all cookies and trackers on your website, and blocks the deployment of third-party cookies until consent is given 
• Cross-domain consent to help you manage your data subject’s cookie consent preferences in a single step across multiple domains
• Highly customizable and stylish GDPR cookie consent banners that allow your users to opt-in, or withdraw their cookie consent easily, as well as manage their preferences
• A privacy policy generator that allows you to develop a customized cookie notice for your company automatically.
• Logs and consents tracking in real-time to ensure you keep retrievable records of your data subjects’ consent status if requested by Data Protection Authorities (DPAs) 
• Multiple language support with 70+ languages, which allows you to customize your cookie consent banner in the language of your target users
• Future-proof cookie consent compliance solution that supports California’s CCPA, Brazil’s  LGPD alongside other upcoming data privacy regulations globally.

Book a 30-min call today and get a quick ‘check-up’ of your website, cookie consent banner, or your cookie policy from a data privacy expert.

Relevant Links

Italian DPA official website

Italian DPA Cookie Guidelines

Check out the other Cookie Consent Guidelines from other European Data Protection Authorities that you may need to comply with as well; 

• Belgian Data Protection Authority (DPA) Cookie Consent Guidance 
• Irish Data Protection Commission (DPC) Cookie Consent Guidance 
• French CNIL Consent Guidelines 
• Spanish AEPD Cookie Guidelines
• DSK Germany Cookie Guidelines
• Swedish Datainspektionenen Consent Guidelines 
• Luxembourg DPA Cookie Guidelines
• Danish DPA Cookie Guidelines
• Greek DPA Cookie Consent Guidelines 
• Dutch DPA Cookie Consent Guidelines
• Czech Cookie Law