With the publication in the Italian Official Journal on 9 July 2021, the Italian Data Protection Authority (Garante Privacy) released the new guidelines on the use of cookies and other tracking technologies.

The purpose of these new guidelines is to update the previous discipline, drafted by the Italian DPA itself in 2014, to the principles of the GDPR, which impose a higher level of transparency in the relationship with users and, above all, the expression of an unambiguous consent for data processing of a discretionary nature.

The website owners have until early January 2022 to comply with the new rules.

 

THE MAIN CHANGES

1. The acquisition of unambiguous consent from users

The main change introduced by the new Guidelines of the Italian DPA is the need to obtain an unambiguous consent from users in order to implement profiling cookies, analytical cookies that do not fall under the exemption cases and other tracking tools. In particular, if users do not give their prior consent, unlike in the current regulation, the owner of a website may only use technical cookies.

The continued use of a website, the so-called scrooling and cookie wall, is no longer considered a valid form of obtaining consent.

2. More specific conditions for excluding analytical cookies from consent

While the rules applicable to the use of technical cookies remain unchanged, regarding analytical cookies, the Italian DPA has subjected the possibility of excluding this category of cookies from the request for consent to more detailed conditions than those currently applicable. In particular, the implementation of analytical cookies may not require consent if such tracking technologies:

  • are used only to produce aggregate statistics and in relation to a single site or a single mobile application;
  • at least the fourth component of the IP address is masked in the case of third-party cookies;
  • third parties do not combine analytics cookies, so minimized, with other processing or transmit them to other third parties, in order to avoid the increase of the risk of users’ identification; this is without prejudice to the hypothesis that the production of statistics concerns third parties with data relating to multiple domains, websites or apps attributable to the same publisher or business group.

An exception is also provided for the data controller for its own mere statistical processing of data relating to multiple domains, websites or apps that can be attributed to it, which can also be used in an unencrypted way, on the assumption that such processing is expressly indicated to users in the privacy policy.

3. Information

In order for the user to be able to decide whether or not to accept the implementation of cookies, the new Guidelines require that the user be adequately informed by means of an information, in an intelligible and easily accessible form, also in multilayer mode, i.e. by means of a banner containing a short information that refers to an extended information.

In particular, the site that intends to use cookies other than technical ones must present, at the first visit by the user, a banner of adequate and appropriate size that does not prevent the consultation of the site.

The banner must also contain the following elements/information:

  • a button (usually an x in the top right-hand corner) that allows the banner to be closed while maintaining the default settings and thus denying the installation of cookies other than technical ones;
  • a warning that closing the banner (e.g. by selecting the appropriate command marked by an X in the top right-hand corner) will result in the default settings remaining in place and, therefore, the continuation of browsing in the absence of cookies other than technical ones;
  • a minimum information advising the user that the site may implement profiling cookies or other tracking technologies after obtaining his/her consent;
  • a link to the extended privacy policy that is always accessible from the footer of any page on the site;
  • a button allowing the user to accept the implementation of all cookies (or other tracking technologies);
  • a link to a specific area where it is possible to analytically select only the functionalities, third parties and cookies to whose use the user chooses to consent and where it is also possible to modify the choices made.

4. Right to withdraw consent

The new Guidelines require the implementation of tools to ensure that users can change their cookie choices at any time.

In relation to this last point, the Italian DPA suggests the use of a graphic sign/icon or other technical solution, for example in the footer, to indicate the state of the consents previously given by the user, allowing the modification or updating of such consents.

5. Prohibition of repeated requests for consent

The Guidelines prohibit insistently and repeatedly requesting consent to tracking if the user has already made his/her own choices on the matter, except in cases where:

  • the conditions of processing change significantly;
  • it is impossible for the site to know whether a cookie has already been stored on the device;
  • at least 6 months have passed since the previous presentation of the banner.

6. Transparency in the cross-analysis of navigation data with unencrypted data

Lastly, in the event of registration to the site, the new Guidelines require the site owner to enable the user to make an informed choice – by explicitly indicating this possibility in the privacy policy provided at the time of registration – whether to accept the possibility that the tracking of his/her data may be carried out also by cross-analysing his/her behaviour through the use of different devices, or to refuse it.

*** ***

The new Guidelines of the Italian DPA analyzed above represent a good instrument of harmonization of the national discipline with the GDPR and the decisions adopted by other Member States about cookies.  In any case, the writer trusts that the Italian DPA will soon publish new FAQs on the matter in order to provide clarifications on the concrete operational procedures to be adopted to implement this new discipline.

https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9677876