Italy’s DPA Garante Updates Cookie Guidance
On December 10th, 2020 the Italian Data Protection Authority (‘Garante’) released new guidelines on cookies and other tracking...
On December 10th, 2020 the Italian Data Protection Authority (‘Garante’) released new guidelines on cookies and other tracking technologies. Including, but not limited to, rules relating to ‘passive’ identifiers, such as fingerprinting, scrolling, and the ban on cookie walls, privacy by design, and third-party cookies. Additionally, the guidelines push towards the necessary standardization for requests for consent and new methods of communicating privacy information.
Read the summary of the new guidance update here to learn more.
Overview of Italy’s New Cookie Guidance
There were no changes in terms of technical cookies, other than the simple obligation of disclosure. This also applies to the analytical cookies that fall under the technical category. Additionally, sites that only use technical cookies can give information about them on the homepage without the need for specific banners to be removed by the user.
Analytical cookies can be considered technical only if:
- used to evaluate statistics relating to a single site or mobile app, or
- third parties mask the fourth component of the IP address, or
- even minimized, is not combined with processing data, or
- transmitted to third parties
Other Tracking Systems
The guidelines point out behavioral advertising doesn’t just happen with cookies, but also through other tracking tools known as passive identifiers. In particular, fingerprinting is a passive identifier that is increasingly used to identify a user’s device and subsequently, profile them and display personalized advertisements. They determined, unlike cookies where there exists the possibility of direct removal, the user cannot independently stop the profiling but instead must resort to the actions of the owner.
Compliance with the privacy by design and by default principles are enforced. Specifically, when a user first visits a website, no cookies other than technical ones can be dropped on their device. They also prohibit any other active or passive profiling techniques from being used.
It’s reiterated that consent is only compliant with the opt-in approach and that the cookies are not enabled by default. This allows the user to take an affirmative action to consent to the processing of their data by checking a box or similar action.
Standardization and Disclosure
The regulation also requires website owners to provide information on how users can exercise rights, including the right to make an access request and to propose a complaint to a supervisory authority. Ultimately, it is up to the website owner to verify and be able to provide their compliance with the regulation.
CookiePro Supports Your Compliance
With CookiePro’s pre-built templates you can easily manage user’s privacy choices and ensure your compliance under key regulations and frameworks. Get started for free, no credit card required.