Iubenda logo
Start generating

Documentation

Table of Contents

Italy’s new cookie guidelines (and how to comply)

On July 10th, 2021, the Italian Data Protection Authority (“Garante Privacy”) approved new guidelines for cookie usage. We’ve created this guide to help you understand these changes and meet them with minimum effort (the deadline for compliance is January 10th, 2022).

In short
  • If you or your users are based in Italy, the Italian requirements apply to you.
  • Cookie banner
    • “Accept” and “Reject” buttons are required.
    • Users need to be able to make any granular choice as to the functionalities, the third parties and the categories of cookies to be installed (the implementation details are left to the service provider on purpose, while the guidelines suggest that allowing user choices by grouping is considered a way to achieve the goal).
    • Users must be able to access and edit their tracking preferences at any time after setting their initial preferences.
  • Collection of consent
    • Consent by simple scrolling is no longer valid.
    • Cookie walls are not admitted.
  • Validity period of users’ consent preferences: after requesting consent the first time, at least 6 months must have passed before users can be asked again to give consent.
  • Analytics cookies
    • First-party analytics cookies may be placed without collecting users’ consent (and prior blocking).
    • Third-party analytics cookies may be placed without collecting users’ consent (and prior blocking) only under certain conditions.
  • Proof of consent: you need to prove that you have obtained valid consent according to the standards of the GDPR.
  • Legal grounds other than users’ consent: legitimate interest never constitutes a valid legal basis.
  • The deadline for compliance is January 10th, 2022.

Do these requirements apply to you?

Are you or your users based in Italy? Then Italian requirements apply to you.

Key requirements and what you need to do

The banner constitutes a valid mechanism to obtain users’ consent if a website uses profiling cookies or other tracking tools.

The Garante requires that the banner or, alternatively, an area or window displayed at the users’ first access to a website include the following elements:

  • a short notice on the website’s use of technical cookies and any profiling cookies or other tracking tools, with the relevant purposes;
  • a link to the cookie policy which indicates any other recipients of personal data, the data retention period and the rights of users;
  • if you choose to use continued browsing through a positive, unequivocal action as a form of consent, this must be clearly stated on the banner. Please note, however, that “simple scrolling” is not considered a valid method to collect users’ consent;
  • a link to a dedicated area where users can make any granular choice as to the functionalities, the third parties and the categories of cookies to be installed;
  • a “command” to accept all cookies or other tracking tools;
  • a “command” to reject all cookies or other tracking tools.

After users have already set their consent preferences, on subsequent visits to the same website there is no need to present them with the initial banner, but instead, users should have access to the privacy/cookie policy and a dedicated area where they can express their preferences at a more granular level.

* If a website only installs technical cookies, the banner is not necessary. Information on the use of these technical cookies can be placed on the homepage of the website or in the privacy notice etc.

💡 How to solve this with iubenda

Our Cookie Solution allows you to activate “Accept”, “Customize” and “Reject” buttons, per-category consent, and your users to access and edit tracking preferences at any time:

  • Tick the “Explicit Accept and Customize buttons” and “Explicit Reject button” checkboxes in the Cookie Solution configurator.
  • Enable the “Per-category consent” option to give users more granular control on which categories of trackers to give consent to. Read the documentation and see our demo for proper set up.
  • Customize the privacy widget to allow users to edit their consent preferences on subsequent visits.

Take a look at our Cookie Solution introduction guide to learn more.

Scrolling or scroll down is now to be considered unsuitable for the collection of valid consent. The only exception is if scrolling is part of a series of actions that unambiguously indicate the users’ willingness to provide consent.

The Garante also considers so-called “cookie walls” to be unlawful unless users are offered an alternative way to access the website, content or service without having to provide their consent (to be assessed on a case-by-case basis).

💡 How to solve this with iubenda

You can easily deactivate consent on scroll and consent on page interaction (also not allowed) in the Cookie Solution configurator. Just deselect “Consent on continued browsing” under “Consent”.

Users may be prompted to provide consent again only if:

  • consent conditions have changed (e.g. new third-party services have been added or old ones have been taken out); or
  • the website owner has no technical means to keep track of previous consent (e.g. the user has deleted the consent cookie placed on his device); or
  • at least 6 months have passed since the last time you requested their consent.
💡 How to solve this with iubenda

The default validity for our Cookie Solution is 12 months, which already complies with the Garante’s indications. If you had customized it, scroll our configurator’s “Advanced view” to “Validity period of user’s consent preferences (days)”, and make sure you set it to at least 180 days.

Analytics cookies

Cookies are to be identified on the basis of two main categories: technical cookies and profiling cookies.

The Garante also clarifies that first-party analytics cookies may in principle be placed without collecting users’ consent.

As for third-party analytics cookies, they may be placed without collecting users’ consent only if the following conditions are met:

  • they do not allow for a specific user’s identification (e.g. they only use abridged IPs or they are not assigned to one single device, but to several);
  • their use is limited to a single website or mobile application;
  • the output is not shared or disclosed to third parties;
  • data collected is not enriched with other data.
💡 How to solve this with iubenda

If you’re using Google Analytics, take a look at our guides to IP anonymization or Google Consent Mode as valid alternatives to prior blocking for Google Analytics. Anyway, please note that in certain countries (e.g. Belgium, Ireland and the UK) analytics cookies always require consent. As a result, prior blocking remains the safest option.

The Garante states that the owner of a website is required to prove that he has obtained valid consent according to the standards of the GDPR (see proof vs records of consent).

💡 How to solve this with iubenda

Cookie Preference Logs are now available in our Cookie Solution. Click here for more info on how to activate Cookie Preference Logs within your Cookie Solution.

The Garante explicitly states that cookies (and other trackers) can’t be placed on any legal grounds other than users’ consent or, if the conditions of the “strictly necessary” exception apply (i.e. cookies strictly necessary and solely used to carry out or facilitate the communication or to provide the service explicitly requested by the user) without the users’ consent.

The website owner’s “legitimate interestdoes not constitute a valid legal basis.

💡 What you need to do

If you’ve activated the TCF and restricted the purposes, you need to make sure they’re based on only consent (and not legitimate interest).

To do this, in the Cookie Solution configurator, go into the “Advanced Options”, scroll to “IAB Transparency and Consent Framework”. If you’ve previously restricted purposes, the “Restrict Purposes” section will be extended. Under this section, make sure that “Consent only” is selected.

Meet Italy’s requirements now in the easiest way!

Using iubenda already for both your Privacy and Cookie Policy and Cookie Consent?

Then you only need to go to your dashboard and make sure your configuration is tweaked according to our instructions above.

Have users in Italy but not using our solutions yet?

Start using our Privacy and Cookie Policy Generator and Cookie Solution to create your Cookie Policy & Cookie Banner and easily meet these cookie consent requirements.

Cookie Consent Cheatsheet

Make sure to also check out our Cookie Consent Cheatsheet for a clear overview of the Italian cookie consent regulations. Curious if the Italian regulations are stricter than those of other countries? You can find that out, too.

Site owners will have until January 10th, 2022 to comply (i.e. 6 months since publication of the guidelines in the official journal on July 9th, 2021).

Manage cookie consent with the Cookie Solution

Generate a Cookie banner

See also