Italy’s new Guidance on Cookies and similar Tracking Technologies

On 10 July 2021, the Italian data protection authority (Garante) released new guidelines on cookies and other similar tracking technologies. These Guidelines apply equally to active identifiers such as cookies and passive identifiers such as fingerprinting.

The Garante reaffirms that no tracking technologies can be installed on a user’s device unless consent has been obtained.

Some of the key points of the Guidelines are set out below:

• Consent to the use of cookies and other tracking technologies should be freely given, specific, informed and unequivocal.
• Consent should apply to all processing activities carried out for the same purpose or purposes. If the processing has multiple purposes, consent should be given for all of these.
• In general, simple scrolling down a website, silence, inactivity on the part of the user, or the preselection of boxes does not constitute valid user’s consent for the use of cookies and other similar tracking technologies. The only exception in the case of scrolling is where it is part of a series of actions that unambiguously indicates the user’s willingness to consent.
• By default, cookies or any tracking technology should not be dropped on the website unless the user affirmatively accepts.
• Organizations must reaffirm a user’s consent when at least six months have passed since the excessive repetition of the cookie consent banner is likely to damage the freedom of choice of the user. However, the consent banner may be presented earlier where the conditions of the collection of consent have changed or if the website publisher is not aware that cookies have already been installed on the user’s device in order to be re-transmitted.
• Cookie walls are to be assessed on a case-by-case basis. Cookie walls may be acceptable where both services offered to the user are genuinely equivalent.
• The cookie consent banner must consist of clear and concise information. It must consist of the following:
  • Minimum information on the use of technical and profiling cookies with their relevant purposes.
  • Close Command: A command of X to close the banner on the top-right and inside the banner.
  • Accept Command: A command to accept the use of cookies.
  • Privacy Policy Link: A link to the privacy policy or extended information located in the second information layer of the banner. It must include information required under Articles 12 and 13 of the GDPR such as data recipients and data retention periods.
  • Preference Center: A link to a dedicated area where users can make granular choices as to the functionalities, the third parties, and the categories of cookies (grouped by homogenous categories). Users must be able to change their cookie preferences at any time.

Websites must use commands and fonts of equal size, emphasis, and colors so that users are not misguided by banner design choices.