The new guidelines of the Italian data protection authority on cookies introduce onerous privacy-related obligations for any website.
The 5 things to remember about the new Italian privacy guidelines of the Garante on cookies
The main aspects of the Italian privacy guidelines on cookies (which also apply to other online tracking systems, e.g., fingerprinting) can be summarized as follows:
- Categorization: the distinction remains between technical cookies (which include analytics cookies with masked IP), for which consent is not required, and profiling cookies (which include all cookies that are not technical), for which consent is the only option, with no possibility of relying on legitimate interest. When a user accesses the website, only technical cookies shall be installed by default, and cookie walls are banned when they force users to grant consent;
- Consent by scrolling: the possibility of acquiring consent by scrolling remains, but only where it can be demonstrated that it is the result of an unequivocal and documentable choice, which makes this proof decidedly onerous;
- Renewal of consent request: the request for consent to the usage of cookies cannot be resubmitted unless (i) the conditions of data processing significantly change, (ii) the website can’t record the user’s previous choice due to a decision of the latter (e.g., the deletion of cookies) and (iii) at least 6 months have elapsed since the previous request;
- Multi-layer privacy information notice: the multi-layer privacy information model is maintained with (i) a banner shown on access to the website that shall comply with strict requirements in terms of positioning, size, font, and content and link to the extended privacy information notice, together with the obligation to make it usable by disabled people as well, according to Italian Law no. 4 of January 9, 2004, as recently amended, (ii) the need to make users aware of the consequences of each action, including clicking on the X, (iii) the possibility for users to choose between giving consent and modulating their preferences concerning tracking and (iv) the link to a section of the website where users can select cookies, also by homogeneous categories, with a modular approach left to users' choice;
- Review of consents: users must be given the opportunity to review cookie preferences via a dedicated area in the website’s footer where already given preferences must be clearly recognizable through a legal design approach.
How much time is there to comply?
The Garante has given a deadline of 6 months to comply, following the approach already adopted during previous months by the CNIL.
The Italian data protection authority’s stance aligns with what the EDPB has already emphasized in its guidelines on consent. However, the remarks raised by the privacy authority underscore above all the need for a new approach to cookies in terms of transparency towards users. This need may be further accelerated by the initiative launched by NOYB, the association coordinated by Schrems, which has targeted more than 10,000 websites, sending complaints about the processing of personal data via cookies and threatening to report the companies running such websites to the local data protection authority if the required corrective measures are not taken.
All this is happening at a time when the ePrivacy Regulation seems to be just around the corner, and companies could take the opportunity to take this new legislation into account when reviewing their websites. On this topic, you may find the article “ePrivacy Regulation: final text approved by the Council of the European Union” interesting.