On July 10th, 2021, the Italian Data Protection Authority (“Garante Privacy”) approved new guidelines for cookie usage. We’ve created this guide to help you understand these changes and meet them with minimum effort (you have until January 10th, 2022 to comply).
Are you or your users based in Italy? Then Italian requirements apply to you.
The banner constitutes a valid mechanism to obtain users’ consent if a website uses profiling cookies or other tracking tools.
The Garante requires that the banner or, alternatively, an area or window displayed at the users’ first access to a website include the following elements:
* If a website only installs technical cookies, the banner is not necessary. Information on the use of these technical cookies can be placed on the homepage of the website or in the privacy notice etc.
Take a look at our Cookie Solution introduction guide to learn more.
Note: we’re currently preparing and rolling out wording for the first layer of the banner that will explicitly refer to “technical and other cookies” (as required by the Garante).
Scrolling (or scrolling down) is now considered unsuitable for the collection of valid consent. The only exception is if scrolling is part of a series of actions that unambiguously indicate the users’ willingness to provide consent.
The Garante also considers so-called “cookie walls” to be unlawful unless users are offered an alternative way to access the website, content or service without having to provide their consent (to be assessed on a case-by-case basis).
You can easily deactivate consent on scroll and consent on page interaction (also not allowed) in the Cookie Solution configurator. Just deselect “Consent on continued browsing” under “Consent”.
Users may be prompted to provide consent again only if:
The default validity for our Cookie Solution is 12 months, which already complies with the Garante’s indications. If you have customized it, scroll down in our configurator’s “Advanced view” to “Validity period of user’s consent preferences (days)”, and make sure you set it to at least 180 days.
Cookies are to be identified on the basis of two main categories: technical cookies and profiling cookies.
The Garante also clarifies that first-party analytics cookies may in principle be placed without collecting users’ consent.
As for third-party analytics cookies, they may be placed without collecting users’ consent only if the following conditions are met:
If you’re using Google Analytics, take a look at our guides to IP anonymization or Google Consent Mode as valid alternatives to prior blocking for Google Analytics. Please note, however, that in certain countries (e.g. Belgium, Ireland and the UK) analytics cookies always require consent. As a result, prior blocking remains the safest option.
The Garante states that the owner of a website is required to prove that they have obtained valid consent according to the standards of the GDPR (see proof vs records of consent).
The Garante explicitly states that cookies (and other trackers) can only be placed on the basis of users’ consent or, where the conditions of the “strictly necessary” exception apply (i.e. cookies strictly necessary and solely used to carry out or facilitate the communication or to provide the service explicitly requested by the user), without users’ consent. No other legal ground is available.
The website owner’s “legitimate interest” may notably never constitute a valid legal basis.
Site owners have until January 10th, 2022 to comply (i.e. 6 months from publication of the guidelines in the official journal on July 9th, 2021).
Then you only need to go to your dashboard and make sure your configuration is tweaked according to our instructions above.
Make sure to also check out our Cookie Consent Cheatsheet for a clear overview of the Italian cookie consent regulations. Curious if the Italian regulations are stricter than those of other countries? You can find that out, too.