Data ProtectionPrivacy

The Italian privacy authority launches a consultation on cookies

The Italian privacy authority published the draft guidelines on using cookies and other tracking tools, opening a public consultation on the subject.

On December 10, 2020, the Italian data protection authority announced, through an official notice, to have adopted the new “Guidelines on the use of cookies and other tracking tools” – open to public consultation for 30 days following the publication in the Official Gazette of the above-mentioned notice, i.e., until January 10, 2020 – as well as a summary of the rules for the use of cookies by the operators of the sites contained therein.

The new privacy guidelines on cookies of the Garante are intended to supplement the provision on the “identification of simplified procedures for the information and acquisition of consent for the use of cookies” adopted on May 8, 2014, and to specify the relevant provisions in the light of what has subsequently been provided under the GDPR – which has strongly strengthened the power of control of individuals, focusing both on the “unambiguous” nature of consent to the processing of personal data, and on the implementation of the principles of privacy by design and by default -, as well as based on the guidance on the subject provided by the European Data Protection Board (the EDPB) in its recent Guidelines 5/2020 on consent.

The Italian draft guidelines on cookies of the Italian privacy authority

In particular, among the others, expressly referring to the above mentioned Guidelines 5/2020 on consent, the Italian privacy authority confirms the position taken by the EDPB on the possibility to gran consent through scrolling, thus stating that the mere scrolling on the page of a website by the user is not sufficient to presume the consent of the latter, as not manifested unequivocally.  However, the Garante also specifies that it is not a prohibition tout court and the scrolling, therefore, can be considered a legitimate mode of expression of consent in the case in which it constitutes “a component of a more articulated process that allows the user to signal to the owner of the site, with the generation of a precise pattern, an unequivocal choice in the sense of giving his consent to the use of cookies.” On the other hand, a cookie wall is always illicit since it is a mechanism of “take it or leave it” that in fact obliges the user to give his consent to the installation and use of cookies to access the site.

Through the document adopted by the Italian data protection authority, it is provided further guidance on the proper use of cookies and other tracking technologies by the owners of the websites, including, for example, further clarification concerning analytical cookies, tracking systems “passive” (e.g., fingerprinting) and the reiteration of requests for consent to users, as well as for ways of providing information (e.g., multilayer and multichannel) such as to allow to take full advantage of “more dynamic and less traditional additional points of contact between the owner and the interested parties.”

In particular, the requirement to allow the activation and deactivation of cookies in a granular manner and with equal ease has a significant technical and operational impact on companies.  In fact, many websites allow all cookies to be enabled in straightforward ways, while deactivating them is much more complex.

My view on the guidelines and on what could be improved

Giulio CoraggioThe draft guidelines on cookies adopted by the Garante are therefore a further important piece that is added to the framework of the provisions on the protection of personal data aimed at “encouraging and making effective control over personal information being processed and, ultimately, the ability of the individual to self-determine.”

In our opinion, there are aspects of the guidelines that should be clarified to prevent the use of cookies from becoming overly burdensome, for example, regarding the possibility of enabling or disabling by categories of cookies.  This could be useful for both businesses and users as the latter are unlikely to go through all installed cookies one by one.

On a similar topic, you may be interested in the article “The inconsistency of privacy rules on cookies requires a new approach to compliance“.

Image courtesy of Rawpixel Ltd

Don't miss our weekly insights

Show More

Giulio Coraggio

I am the head of the Italian Technology sector and the global head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what's next for our clients' success.

Related Articles

Back to top button