The previous resolution on cookies was issued by the Garante on May 8, 2014 in light of the provisions on cookies set forth by Legislative Decree No. 196/2003 (“Data Protection Code”), which implemented European Directive No. 2002/58/CE (“ePrivacy Directive”). Although cookies and other tracking tools remain regulated by the Data Protection Code, Regulation No. 2016/679 (“GDPR”) contains several rules impacting cookies. Indeed, the GDPR inter alia introduced new provisions on (i) the data subject’s consent, which must be unequivocal; (ii) the accountability principle; (iii) principles of privacy by design and privacy by default; and (iv) new elements to be underlined within the privacy (and cookies) policy, e.g., the retention period for each category of collected data.
The Garante decided to draft these new guidelines on cookies aimed at replacing the previous ones for the purpose of providing data controllers with a clear and up-to-date legal instrument. In addition to the GDPR, enforcement regarding cookies carried out in recent years, the significant number of years that have elapsed since the previous guidelines were issued, and the increasing spread of the use of new technologies were all taken into consideration when making this decision.
Among other things, in the new guidelines the Garante analyzes methods for obtaining consent, such as scrolling and the cookie wall, taking into account the EDPB guidelines on consent of May 4, 2020. In this regard, in applying the principles of privacy by design and privacy by default, when a user accesses a website for the first time, by default no cookies other than technical ones should be placed on his/her device, nor shall any other active or passive profiling technique be used. The same principles require that initially all checkboxes and similar tools are preset to deny the installation of cookies, and that therefore the user can accept cookies in a granular way. Moreover, the Garante clarifies the correct way to inform online users about the processing of their personal data, the cookies used, etc.
The public consultation is addressed to entrepreneurs, consumers, and operators (preferably through a representative trade association) and is aimed at collecting thoughts and opinions. It is possible to participate by sending an email to firstname.lastname@example.org within 30 days of publication in the Official Gazette (Gazzetta Ufficiale) of the Italian Republic, meaning by January 10, 2021.
The full text of the new guidelines on cookies is available here.