Italy’s DPA Garante Updates Cookie Guidance

On December 10th, 2020 the Italian Data Protection Authority (‘Garante’) released new guidelines on cookies and other tracking technologies. Including, but not limited to, rules relating to ‘passive’ identifiers, such as fingerprinting, scrolling, and the ban on cookie walls, privacy by design, and third-party cookies. Additionally, the guidelines push towards the necessary standardization for requests for consent and new methods of communicating privacy information. 

Read the summary of the new guidance update here to learn more. 

Overview of Italy’s New Cookie Guidance 

Italy’s new cookie guidance comes long overdue, as the last provision on the identification and use of cookies was enacted on May 8th, 2014, before GDPR and the EDPB. Since the primary provision was throughout, there’s only a need for updates and clarifications of Italian rules on cookies, rather than a substantial change in the law. 

Cookies 

There were no changes in terms of technical cookies, other than the simple obligation of disclosure. This also applies to the analytical cookies that fall under the technical category. Additionally, sites that only use technical cookies can give information about them on the homepage without the need for specific banners to be removed by the user. 

Analytical cookies can be considered technical only if: 

• used to evaluate statistics relating to a single site or mobile app, or 
• third parties mask the fourth component of the IP address, or 
• even minimized, is not combined with processing data, or 
• transmitted to third parties 

Other Tracking Systems 

The guidelines point out behavioral advertising doesn’t just happen with cookies, but also through other tracking tools known as passive identifiers. In particular, fingerprinting is a passive identifier that is increasingly used to identify a user’s device and subsequently, profile them and display personalized advertisements. They determined, unlike cookies where there exists the possibility of direct removal, the user cannot independently stop the profiling but instead must resort to the actions of the owner.  

Acquiring Consent 

With respect to profiling and acquiring consent, scrolling is generally no longer allowed. However, when scrolling down a website is part of a more complex set of actions generating a specific pattern, it is considered an unequivocal consent to the use of cookies. Still, the guidelines are very clear about the legality of cookie walls. In the “take it or leave it” approach, a cookie wall, which obliges the user to consent to be able to access the website, does not amount to valid consent.

There were no changes for acquiring consent through the presentation of a cookie banner, but there are talks of potential updates or improvements. It is stated that there should be a command to close the banner without giving consent to the use of cookies or other profiling techniques. 

Compliance with the privacy by design and by default principles are enforced. Specifically, when a user first visits a website, no cookies other than technical ones can be dropped on their device. They also prohibit any other active or passive profiling techniques from being used. 

It’s reiterated that consent is only compliant with the opt-in approach and that the cookies are not enabled by default. This allows the user to take an affirmative action to consent to the processing of their data by checking a box or similar action. 

Standardization and Disclosure 

The need to adopt a standardized coding relating to the type of commands, colors, and functions will provide better transparency, clarity, and compliance. The “right to reconsider” and withdraw consent must be possible at all times. This means a website’s homepage must make available a link to the privacy policy and an area dedicated to more detailed choices. 

The regulation also requires website owners to provide information on how users can exercise rights, including the right to make an access request and to propose a complaint to a supervisory authority. Ultimately, it is up to the website owner to verify and be able to provide their compliance with the regulation. 

CookiePro Supports Your Compliance 

With CookiePro’s pre-built templates you can easily manage user’s privacy choices and ensure your compliance under key regulations and frameworks. Get started today by requesting a demo.