On July 10th, 2021, the Italian Data Protection Authority (“Garante Privacy”) approved new guidelines for cookie usage. We’ve created this guide to help you understand these changes and meet them with minimum effort (the deadline for compliance was January 10th, 2022).
Are you or your users based in Italy? Then Italian requirements apply to you.
The banner constitutes a valid mechanism to obtain users’ consent, if a website uses profiling cookies or other tracking tools.
The Italian Data Protection Authority requires that the banner or, alternatively, an area or window displayed at the users’ first access to a website include the following elements:
* If a website only installs technical cookies, the banner is not necessary. Information on the use of these technical cookies can be placed on the homepage of the website or in the privacy notice etc.
Our Privacy Controls and Cookie Solution allows you to activate “Accept”, “Customize”, “Reject” and “Continue without accepting” buttons (the last one can be used as an alternative to the close “x” to continue without accepting and close the banner), per-category consent, list tracking purposes in the notice, explicitly mention the right to withdraw consent and your users to access and edit tracking preferences at any time:
Take a look at our Privacy Controls and Cookie Solution introduction guide to learn more.
Scrolling or scroll down is now to be considered unsuitable for the collection of valid consent. The only exception is if scrolling is part of a series of actions that unambiguously indicate the users’ willingness to provide consent.
The Garante also considers so-called “cookie walls” to be unlawful unless users are offered an alternative way to access the website, content or service without having to provide their consent (to be assessed on a case-by-case basis).
You can easily deactivate consent on scroll and consent on page interaction (also not allowed) in the Privacy Controls and Cookie Solution configurator. Just deselect “Consent on continued browsing” under “Consent”.
Users may be prompted to provide consent again only if:
The default validity for our Privacy Controls and Cookie Solution is 12 months, which already complies with the Garante’s indications. If you had customized it, scroll our configurator’s “Advanced view” to “Validity period of user’s consent preferences (days)”, and make sure you set it to at least 180 days.
Cookies are to be identified on the basis of two main categories: technical cookies and profiling cookies.
The Italian Data Protection Authority also clarifies that first-party analytics cookies may in principle be placed without collecting users’ consent.
As for third-party analytics cookies, they may be placed without collecting users’ consent only if the following conditions are met:
If you’re using Google Analytics, take a look at our guides to IP anonymization or Google Consent Mode as valid alternatives to prior blocking for Google Analytics. Anyway, please note that in certain countries (e.g. Belgium, Ireland and the UK) analytics cookies always require consent. As a result, prior blocking remains the safest option.
The Garante states that the owner of a website is required to prove that they have obtained valid consent according to the standards of the GDPR (see proof vs records of consent).
The Cookie and Consent Preference Log is now available in our Privacy Controls and Cookie Solution. Click here for more info on how to activate the Cookie and Consent Preference Log within your Privacy Controls and Cookie Solution.
If you have activated the Cookie and Consent Preference Log, you are already collecting consents in accordance with the new guidelines of the Italian Data Protection Authority.
You can now request a new consent when preferences are not stored in the log, for example because they were collected before the activation of the Cookie and Consent Preference Log. To do so, just integrate the Privacy Controls and Cookie Solution using the new code available (you will notice the presence of the
In the configurator’s advanced view you will find the option “Request new consent when preference record is not found”.
You can choose to request new consents immediately (default option, in the code you will have
"invalidateConsentWithoutLog": true) or choose a specific date.
Remember that as of January 10th, only consents registered according to GDPR standards are considered valid, therefore, if you haven’t made these changes yet, you should do so right away.
The Italian Data Protection Authority explicitly states that cookies (and other trackers) can’t be placed on any legal grounds other than users’ consent or, if the conditions of the “strictly necessary” exception apply (i.e. cookies strictly necessary and solely used to carry out or facilitate the communication or to provide the service explicitly requested by the user) without the users’ consent.
The website owner’s “legitimate interest” does not constitute a valid legal basis.
If you’ve activated the TCF, you need to make sure the purposes are based on only consent (and not legitimate interest).
To do this, in the Privacy Controls and Cookie Solution configurator, go into the “Advanced Options” and scroll to “IAB Transparency and Consent Framework”. Under “Restrict Purposes” choose “Consent Only” for active purposes.
Then you only need to go to your dashboard and make sure your configuration is tweaked according to our instructions above.
Make sure to also check out our Cookie Consent Cheatsheet for a clear overview of the Italian cookie consent regulations. Curious if the Italian regulations are stricter than those of other countries? You can find that out, too.