Italy’s new cookie guidelines (and how to comply)

On July 10th, 2021, the Italian Data Protection Authority (“Garante Privacy”) approved new guidelines for cookie usage. We’ve created this guide to help you understand these changes and meet them with minimum effort (the deadline for compliance was January 10th, 2022).

In short
  • If you or your users are based in Italy, the Italian requirements apply to you.
  • Cookie banner
    • “Accept” and “Reject” buttons (or an “x” command with the reject function) are required.
    • Users need to be able to make any granular choice as to the functionalities, the third parties and the categories of cookies to be installed (the implementation details are left to the service provider on purpose, while the guidelines suggest that allowing user choices by grouping is considered a way to achieve the goal).
    • Users must be able to access and edit their tracking preferences at any time after setting their initial preferences.
  • Collection of consent
    • Consent by simple scrolling is no longer valid.
    • Cookie walls are not admitted unless the website offers the data subject an alternative way to access the content or services without providing their consent.
  • Validity period of users’ consent preferences: after requesting consent the first time, at least 6 months must have passed before users can be asked again to give consent.
  • Analytics cookies
    • First-party analytics cookies may be placed without collecting users’ consent (and prior blocking).
    • Third-party analytics cookies may be placed without collecting users’ consent (and prior blocking) only under certain conditions.
  • Proof of consent: you need to prove that you have obtained valid consent according to the standards of the GDPR.
  • Legal grounds other than users’ consent: legitimate interest never constitutes a valid legal basis.
  • See our demo for proper setup.
  • These rules are now in force (the deadline for compliance was January 10th, 2022).

📌 Do these requirements apply to you?

Are you or your users based in Italy? Then Italian requirements apply to you.

📌 Key requirements and what you need to do

The banner constitutes a valid mechanism to obtain users’ consent, if a website uses profiling cookies or other tracking tools.

The Italian Data Protection Authority requires that the banner or, alternatively, an area or window displayed at the users’ first access to a website include the following elements:

  • a short notice on the website’s use of technical cookies and any profiling cookies or other tracking tools, with the relevant purposes;
  • a link to the cookie policy which indicates any other recipients of personal data, the data retention period and the rights of users;
  • if you choose to use continued browsing through a positive, unequivocal action as a form of consent, this must be clearly stated on the banner. Please note, however, that “simple scrolling” is not considered a valid method to collect users’ consent;
  • a link to a dedicated area where users can make any granular choice as to the functionalities, the third parties and the categories of cookies to be installed;
  • a “command” to accept all cookies or other tracking tools; and
  • a “command” to reject all cookies or other tracking tools.

After users have already set their consent preferences, on subsequent visits to the same website there is no need to present them with the initial banner, but instead, users should have access to the privacy/cookie policy and a dedicated area where they can express their preferences at a more granular level.

* If a website only installs technical cookies, the banner is not necessary. Information on the use of these technical cookies can be placed on the homepage of the website or in the privacy notice etc.

💡 How to solve this with iubenda

Our Privacy Controls and Cookie Solution allows you to activate “Accept”, “Customize”, “Reject” and “Continue without accepting” buttons (the last one can be used as an alternative to the close “x” to continue without accepting and close the banner), enable per-category consent, list tracking purposes in the notice, explicitly mention the right to withdraw consent, and let your users access and edit their tracking preferences at any time:

  • Tick the “Explicit Accept and Customize buttons”, “Explicit Reject button” (or “Display a “Continue without accepting” button to allow users to continue without accepting and close the banner”), “List tracking purposes in the notice” and “Explicitly mention the right to withdraw consent” checkboxes in the Privacy Controls and Cookie Solution configurator.
  • Enable the “Per-category consent” option to give users more granular control over which categories of trackers to give consent to. Read the documentation and see our demo for proper setup.
  • Customize the privacy widget to allow users to edit their consent preferences on subsequent visits.

Take a look at our Privacy Controls and Cookie Solution introduction guide to learn more.

Scrolling (or scrolling down) is now considered unsuitable for the collection of valid consent. The only exception is if scrolling is part of a series of actions that unambiguously indicate the users’ willingness to provide consent.

The Garante also considers so-called “cookie walls” to be unlawful unless users are offered an alternative way to access the website, content or service without having to provide their consent (to be assessed on a case-by-case basis).

💡 How to solve this with iubenda

You can easily deactivate consent on scroll and consent on page interaction (also not allowed) in the Privacy Controls and Cookie Solution configurator. Just deselect “Consent on continued browsing” under “Consent”.

Users may be prompted to provide consent again only if:

  • consent conditions have changed (e.g. new third-party services have been added or old ones have been taken out); or
  • the website owner has no technical means to keep track of previous consent (e.g. the user has deleted the consent cookie placed on his device); or
  • at least 6 months have passed since the last time you requested their consent.

💡 How to solve this with iubenda

The default validity for our Privacy Controls and Cookie Solution is 12 months, which already complies with the Garante’s indications. If you have customized it, scroll to “Validity period of user’s consent preferences (days)” in our configurator’s “Advanced view” and make sure it is set to at least 180 days.

Analytics cookies

Cookies are to be identified on the basis of two main categories: technical cookies and profiling cookies.

The Italian Data Protection Authority also clarifies that first-party analytics cookies may in principle be placed without collecting users’ consent.

As for third-party analytics cookies, they may be placed without collecting users’ consent only if the following conditions are met:

  • they do not allow for a specific user’s identification (e.g. they only use abridged IPs or they are not assigned to one single device, but to several);
  • their use is limited to a single website or mobile application;
  • the output is not shared or disclosed to third parties;
  • data collected is not enriched with other data.

💡 How to solve this with iubenda

If you’re using Google Analytics, take a look at our guides to IP anonymization or Google Consent Mode as valid alternatives to prior blocking for Google Analytics. Please note, however, that in certain countries (e.g. Belgium, Ireland and the UK) analytics cookies always require consent. As a result, prior blocking remains the safest option.

The Garante states that the owner of a website is required to prove that they have obtained valid consent according to the standards of the GDPR (see proof vs records of consent).

💡 How to solve this with iubenda

The Cookie and Consent Preference Log is now available in our Privacy Controls and Cookie Solution. Click here for more info on how to activate the Cookie and Consent Preference Log within your Privacy Controls and Cookie Solution.

If you have activated the Cookie and Consent Preference Log, you are already collecting consents in accordance with the new guidelines of the Italian Data Protection Authority.

You can now request a new consent when preferences are not stored in the log, for example because they were collected before the activation of the Cookie and Consent Preference Log. To do so, just integrate the Privacy Controls and Cookie Solution using the new code available (you will notice the presence of the invalidateConsentWithoutLog parameter).

In the configurator’s advanced view you will find the option “Request new consent when preference record is not found”.

You can choose to request new consents immediately (default option, in the code you will have "invalidateConsentWithoutLog": true) or choose a specific date.

Remember that as of January 10th, only consents registered according to GDPR standards are considered valid. Therefore, if you haven’t made these changes yet, you should do so right away.

The Italian Data Protection Authority explicitly states that cookies (and other trackers) can only be placed on the basis of users’ consent or, if the conditions of the “strictly necessary” exception apply (i.e. cookies strictly necessary and solely used to carry out or facilitate the communication or to provide the service explicitly requested by the user), without the users’ consent. No other legal ground is admitted.

The website owner’s “legitimate interest” does not constitute a valid legal basis.

💡 What you need to do

If you’ve activated the TCF, you need to make sure the purposes are based only on consent (and not legitimate interest).

To do this, in the Privacy Controls and Cookie Solution configurator, go into the “Advanced Options” and scroll to “IAB Transparency and Consent Framework”. Under “Restrict Purposes” choose “Consent Only” for active purposes.

Meet Italy’s requirements in the easiest way!

👉 Using iubenda already for both your Privacy and Cookie Policy and Cookie Consent?

Then you only need to go to your dashboard and make sure your configuration is tweaked according to our instructions above.

👉 Have users in Italy but not using our solutions yet?

Start using our Privacy and Cookie Policy Generator and Privacy Controls and Cookie Solution to create your Cookie Policy & Cookie Banner and easily meet these cookie consent requirements.

👉 Cookie Consent Cheatsheet

Make sure to also check out our Cookie Consent Cheatsheet for a clear overview of the Italian cookie consent regulations. Curious if the Italian regulations are stricter than those of other countries? You can find that out, too.
