Cookie Consent Requirements in Italy [Includes Checklist]

The Italy Data Protection Authority’s (Garante per la protezione dei dati personali) guidelines on the use of cookies and other tracking tools aim to provide clarity on cookie consent requirements under:

• General Data Protection Regulation (GDPR) (mainly Articles 4(11), 7, 12, 13 and 25)
• Italian data protection law (section 122)

Let’s break down the details of all the requirements and how you can comply with the law.

The guidelines apply to providers of information society services that use cookies or other tracking tools when offering online services through electronic communication networks. This includes websites that rely on cookies and other identifiers.

In terms of their purpose and impact, Garante groups cookies into two categories:

• Technical cookies: These are essential for things like sending information over the internet or providing a service visitors or users have directly requested. For instance, they might help keep users logged into an account or remember items in their shopping cart.

• Profiling cookies: These are used to create profiles of users based on their behaviors and actions online. This helps websites provide highly tailored services and show users ads that match their interests and preferences.

Similarly, other tracking tools can also be categorized based on their purpose, whether they’re “technical” or “non-technical.

Cookie consent exemption 

The following cookies do not require consent:

• Technical cookies used solely to enable transmission of communication or provide requested service are exempt, including session cookies.
• Analytics cookies may be treated as technical and exempt if configured to prevent direct identification of users, such as by masking portions of IP addresses.
• Analytics cookies that only produce aggregated statistics for individual sites/apps.
• First-party analytics cookies that only produce counts/statistics without enabling business decisions.

Validity of consent

Italy Garante follows GDPR conditions given in GDPR Article 25 for valid consent:

• Freely given: Do not coerce users into giving consent. Give them a real and free choice to do so. When checking if consent is freely given, it’s crucial to consider if agreeing is tied to a contract or service that doesn’t require that specific data processing.
• Informed: Transparently communicate the purpose and scope of data collection associated with cookies, ensuring users are fully aware of what they agree to. 
• Specific: Consent should be specific to the purpose. If there are multiple purposes, the consent request must be clear, separate, easy to understand, and not mixed with unrelated matters. Any conflicting parts are not valid.
• Unambiguous: Users should be able to actively consent to the use of their data with their full knowledge. 

Additionally

• When processing relies on consent, the controller must prove that the users agreed to the personal data being processed.
• The users can withdraw consent anytime. This doesn’t affect the legality of prior processing based on their consent. Withdrawing should be just as simple as giving consent.

Let’s look at the specific requirements in detail:

Methods of obtaining consent

Consent by scrolling/navigation

The Regulation stipulates that obtaining consent should be a clear, specific, and unambiguous indication of a person’s agreement to their data being processed. The mere act of scrolling down a webpage, by itself, doesn’t fulfill this criteria. This standpoint aligns with the perspective of the EDPB, a regulatory authority. However, scrolling can form a part of a broader process, aiding users in explicitly expressing their choice to permit specific cookies or tracking tools.

Additionally, silence, pre-ticked boxes, and inactivity are not considered valid forms of consent. These passive actions do not meet the criteria for a clear and affirmative indication of agreement. 

Use of cookie walls

The use of cookie walls is not considered compliant with the Regulation’s requirement for “freely given” consent. Exceptions can be made if the website provides equivalent content or services without needing consent for cookies. This alternative must adhere to the principles of legality, fairness, and transparency as stipulated in the Regulation.

Duration between cookie consent

A further issue arises when websites repeatedly display consent requests to users who have previously made a choice. This practice is not user-friendly and falls short of meeting legal standards. This repetitive approach might result in users agreeing to something without a complete grasp of their options. However, there are certain scenarios where re-presenting the consent request is justified. For instance, if there are substantial changes in the way data is utilized or if a user clears their cookies, causing the website to lose track of their initial choice, then it could be appropriate to re-prompt the consent request after a span of approximately six months.

Default settings

• Article 25 of GDPR mandates data minimization and privacy by default. The Garante states that when a user first accesses a website, only technically necessary cookies should be used by default without any user action.
• Optional profiling or analytic cookies require explicit opt-in consent from the user. They cannot be enabled by default per Garante’s guidance.

Freedom to modify consent choice

Users must be able to easily modify their cookie consent choices at any time. An accessible area in the website footer should allow users to change their cookie consent. It should be clearly labeled.

When the consent banner appears again or when users update their choices, the new selections override any previous choices.

The consent options should be equally easy to view, access, and select – no design or visual emphasis should encourage one choice over another.

To enable users to easily change their minds, the best practice is to place an icon on each page signaling the user’s current consent configuration. This allows updating the consent at any time.

Cookie notice information

Websites using cookies need to provide clear information to users in order to obtain their consent. This information should cover:

• What cookies does the website use and why. The different types of cookies should be listed (e.g. technical, analytics, profiling).
• All third parties that receive user data from the cookies.
• How long cookie data is stored for.
• Instructions on how users can exercise their data rights under regulations. This includes:
  • Requesting access to their data
  • Deleting their data
  • Filing complaints regarding data practices
• The information should be presented in an accessible way across different channels like videos, popups, phone messages, etc. Accessibility for assistive technology users must also be ensured.
• Details should be provided on how the website categorizes different cookies (e.g. technical vs analytics) to help users understand them better. This provides transparency.
• Websites are recommended to use universal cookie classification standards when available. This enables easier identification of cookie types.

Consent exemption for analytics cookies

Cookies can be used to assess the effectiveness of a website, measure traffic, etc. These “analytics cookies” are considered technical cookies under EU law. With the GDPR, the rules around using them without consent need reassessment.

Data minimization is key to using analytics cookies without consent. To avoid directly identifying users, analytics cookies should relate to multiple devices, not just one user. Masking parts of the IP address in the cookie creates uncertainty about which user it relates to. Masking at least the fourth component of IPv4 addresses creates approximately 0.4% uncertainty. Similar minimization should be done for IPv6 addresses.

Some other requirements for using analytics cookies without consent include:

• Analytics cookies should only relate to one website or app, not track users across multiple sites. This prevents cross-site tracking of users.
• Third parties providing analytics services should not match minimized cookie data with other user info like customer records. This increases identification risks.
• Aggregated cross-site analytics are permitted for sites/apps of the same publisher using their own resources. However cross-site tracking of users still requires consent.

Cookie banner design and content

Here are some best practices for cookie banners recommended by the guideline:

• Banner placement: The Garante recommends that when a user first lands on a website’s homepage or any other page, a cookie consent banner should immediately appear and be prominently positioned without interrupting browsing.
• Optimal visibility: The banner should be adequately sized for optimal visibility across devices as per the Garante. 

• Closing ‘X button’: Closing the banner via the ‘X’ button leaves settings unchanged by default. The banner should clearly explain that closing the banner via the ‘X’ button at the top right corner will leave cookie settings at the default, which is no consent given for optional cookies. This allows the user to continue browsing without accepting cookies.
• Notice on cookie types: The banner should contain a short notice summarizing the website’s use of technically necessary cookies that enable basic site functions and profiling/analytical cookies that track user behavior for personalized ads or analytics.
• Privacy policy link: There should be a link to the website’s full privacy policy that provides detailed information on each specific type of cookie used, including strictly necessary, performance/analytics, and advertising/tracking cookies from specific third parties.
• Opt-in consent button: An affirmative consent button should be included for the user to actively enable all cookie categories. This cannot be pre-checked.
• Granular consent link: A link should lead to a separate page where users can specifically consent to individual cookie types, analytics providers, or third-party companies setting cookies, rather than blanket consent. Each option should be in an unchecked state.

The banner design, wording, and consent controls should be standardized across websites to provide clarity and transparency around cookie practices. The text, options, and commands should have equal prominence and visibility.

• Display a clear and prominently positioned cookie consent banner on the homepage or relevant pages.
• Obtain explicit opt-in consent before placing such cookies on the user’s device
• Ensure the consent notice uses clear language to describe the type and purpose of cookies, how long cookie data is stored, and how to exercise user rights
• Provide a close button “X” on the cookie banner which when used maintains default settings of no consent for optional cookies
• Avoid using scrolling/navigation as sole consent.
•  Do not use pre-ticked boxes, silence, or inactivity for consent.
•  Allow users to withdraw cookie consent preferably using a widget in the footer
• Clearly distinguish between the cookie categories and provide separate consent choices for each
• Re-prompt consent only after 6 months
• Link to the website’s full privacy policy that provides detailed information