On June 10, 2021, the Italian Data Protection Authority (hereinafter the “Garante”) adopted a new version of its guidelines for cookies and other tracking mechanisms (hereinafter the “Guidelines”).
The Guidelines replace the resolution dated May 8, 2014, that set out simplified methods for providing information and obtaining consent regarding cookies. That resolution had already been superseded by changes to the applicable legal framework, including the entry into force of the General Data Protection Regulation EU 2016/679 (the “GDPR”).
The Guidelines make some major changes to the indications previously provided by the Garante. They transpose some market practices, at least in part, and introduce several new and interesting elements.
Below is an overview of what we consider the key points:
- Types of online markers and the legal grounds for them
The Garante points out that the Guidelines apply to a variety of different technologies, including not just cookies, but other types of identifiers (such as fingerprinting and radio-frequency identification tags). It also distinguishes between “technical” cookies, used solely to allow a website to function, and “non-technical” cookies, used for a variety of purposes, such as associating certain actions or behavior patterns with identified or identifiable subjects, potentially for the purpose of customizing a service or displaying targeted advertising to them. Only technical cookies (and anonymized analytics cookies) may be used without user consent, while consent must be obtained in all other cases. More specifically, the Garante expressly prohibits using legitimate interest as a basis for using cookies and other tracking mechanisms.
- Obtaining consent: Scrolling and cookie walls
The Guidelines reiterate—in line with the general stance of European data protection authorities—that scrolling alone is not sufficient for obtaining valid consent. However, the Garante does allow the use of scrolling for the purposes of obtaining consent, as long as it is part of a wider process that can be documented and recorded on the site’s server and can be classified as a positive action the user has taken in unequivocally indicating a choice to the site.
What are not permitted are cookie walls, which force users to express consent to receive cookies and other tracking mechanisms or be blocked from accessing a site.
- Reiteration of consent
Reposting banners to seek consent when a user has already expressed preferences for the website in question is prohibited. At least 6 months must elapse before a user can be asked to make a choice again. An exception is made for reposting banners in limited circumstances, meaning cases in which one or more elements of the data processing terms change or the user has voluntarily deleted cookies installed on a device.
- Multilayer policy: Banners and unabridged policy
Companies will have 6 months to comply with the new Guidelines.