Cookies and tracking technologies: The key points of the new guidelines issued by the Garante

This article has been also published on the EACCNY website on August 3, 2021.

On June 10, 2021, the Italian Data Protection Authority (hereinafter the “Garante”) adopted a new version of its guidelines for cookies and other tracking mechanisms (hereinafter the “Guidelines”).

The Guidelines replace the resolution dated May 8, 2014, that set out simplified methods for providing information and obtaining consent regarding cookies. That resolution had already been superseded by changes to the applicable legal framework, including the entry into force of the General Data Protection Regulation EU 2016/679 (the “GDPR”).

The Guidelines make some major changes to the indications previously provided by the Garante. They transpose some market practices, at least in part, and introduce several new and interesting elements.

Below is an overview of what we consider the key points:

  • Types of online markers and the legal grounds for them

The Garante points out that the Guidelines apply to a variety of different technologies, including not just cookies, but other types of identifiers (such as fingerprinting and radio-frequency identification tags). It also distinguishes between “technical” cookies, used solely to allow a website to function, and “non-technical” cookies, used for a variety of purposes, such as associating certain actions or behavior patterns with identified or identifiable subjects, potentially for the purpose of customizing a service or displaying targeted advertising to them. Only technical cookies (and anonymized analytics cookies) may be used without user consent, while consent must be obtained in all other cases. More specifically, the Garante expressly prohibits using legitimate interest as a basis for using cookies and other tracking mechanisms.

  • Obtaining consent: Scrolling and cookie walls

The Guidelines reiterate—in line with the general stance of European data protection authorities—that scrolling alone is not sufficient for obtaining valid consent. However, the Garante does allow the use of scrolling for the purposes of obtaining consent, as long as it is part of a wider process that can be documented and recorded on the site’s server and can be classified as a positive action the user has taken in unequivocally indicating a choice to the site.

What are not permitted are cookie walls, which force users to express consent to receive cookies and other tracking mechanisms or be blocked from accessing a site.

  • Reiteration of consent

Reposting banners to seek consent when a user has already expressed preferences for the website in question is prohibited. At least 6 months must elapse before a user can be asked to make a choice again. An exception is made for reposting banners in limited circumstances, meaning cases in which one or more elements of the data processing terms change or the user has voluntarily deleted cookies installed on a device.

  • Multilayer policy: Banners and unabridged policy

A user visiting a website for the first time should be shown a banner sized so as to be distinguished clearly from the rest of the page and designed so that people with disabilities can use it (pursuant to Law No. 4 of January 9, 2004). The banner must include (i) an “X” in the upper right corner that can be used to close it (in which case only technical cookies may be installed); (ii) a simplified policy explaining the consequences of closing the banner, the use of cookies, and the relative purposes; (iii) a link to the “unabridged” privacy policy containing all the elements required under Art. 13–14 GDPR, as well as the classification criteria for categorizing the cookies/tracking mechanisms used by the controller; (iv) a command for the user to accept placement of all cookies; and (v) a link to an area where the user can make an informed decision about which specific functions, third parties, and cookies to allow.

Companies will have 6 months to comply with the new Guidelines.

Seguici su