The purpose of these new guidelines is to update the previous discipline, drafted by the Italian DPA itself in 2014, to the principles of the GDPR, which impose a higher level of transparency in the relationship with users and, above all, the expression of an unambiguous consent for data processing of a discretionary nature.
The website owners have until early January 2022 to comply with the new rules.
THE MAIN CHANGES
1. The acquisition of unambiguous consent from users
The main change introduced by the new Guidelines of the Italian DPA is the need to obtain an unambiguous consent from users in order to implement profiling cookies, analytical cookies that do not fall under the exemption cases and other tracking tools. In particular, if users do not give their prior consent, unlike in the current regulation, the owner of a website may only use technical cookies.
The continued use of a website, the so-called scrooling and cookie wall, is no longer considered a valid form of obtaining consent.
2. More specific conditions for excluding analytical cookies from consent
While the rules applicable to the use of technical cookies remain unchanged, regarding analytical cookies, the Italian DPA has subjected the possibility of excluding this category of cookies from the request for consent to more detailed conditions than those currently applicable. In particular, the implementation of analytical cookies may not require consent if such tracking technologies:
- are used only to produce aggregate statistics and in relation to a single site or a single mobile application;
- at least the fourth component of the IP address is masked in the case of third-party cookies;
- third parties do not combine analytics cookies, so minimized, with other processing or transmit them to other third parties, in order to avoid the increase of the risk of users’ identification; this is without prejudice to the hypothesis that the production of statistics concerns third parties with data relating to multiple domains, websites or apps attributable to the same publisher or business group.
In order for the user to be able to decide whether or not to accept the implementation of cookies, the new Guidelines require that the user be adequately informed by means of an information, in an intelligible and easily accessible form, also in multilayer mode, i.e. by means of a banner containing a short information that refers to an extended information.
The banner must also contain the following elements/information:
- a button (usually an x in the top right-hand corner) that allows the banner to be closed while maintaining the default settings and thus denying the installation of cookies other than technical ones;
- a warning that closing the banner (e.g. by selecting the appropriate command marked by an X in the top right-hand corner) will result in the default settings remaining in place and, therefore, the continuation of browsing in the absence of cookies other than technical ones;
- a minimum information advising the user that the site may implement profiling cookies or other tracking technologies after obtaining his/her consent;
- a button allowing the user to accept the implementation of all cookies (or other tracking technologies);
- a link to a specific area where it is possible to analytically select only the functionalities, third parties and cookies to whose use the user chooses to consent and where it is also possible to modify the choices made.
4. Right to withdraw consent
The new Guidelines require the implementation of tools to ensure that users can change their cookie choices at any time.
In relation to this last point, the Italian DPA suggests the use of a graphic sign/icon or other technical solution, for example in the footer, to indicate the state of the consents previously given by the user, allowing the modification or updating of such consents.
5. Prohibition of repeated requests for consent
The Guidelines prohibit insistently and repeatedly requesting consent to tracking if the user has already made his/her own choices on the matter, except in cases where:
- the conditions of processing change significantly;
- it is impossible for the site to know whether a cookie has already been stored on the device;
- at least 6 months have passed since the previous presentation of the banner.
6. Transparency in the cross-analysis of navigation data with unencrypted data
The new Guidelines of the Italian DPA analyzed above represent a good instrument of harmonization of the national discipline with the GDPR and the decisions adopted by other Member States about cookies. In any case, the writer trusts that the Italian DPA will soon publish new FAQs on the matter in order to provide clarifications on the concrete operational procedures to be adopted to implement this new discipline.