New Italian Data Protection Authority’s Guidelines on the use of cookies

On 10 June 2021, the Italian Data Protection Authority issued the new Guidelines on the use of cookies, already regulated by Directive 2002/58/EC (so-called ePrivacy Directive), thus updating – following the entry into force of EU regulation 679/2016 (GDPR) – the guiding principles previously issued in 2014. The most important provisions of the Guidelines are summarised below.

Cookies and their classification

Cookies are small text files that a website places on user devices (PC, smartphone, etc.), which encode non-personal information about the user (e.g. language settings or type of device used), or personal information (such as IP address, username, unique identifier, e-mail, etc.). They perform a large number of functions, including monitoring sessions, storing information relating to a user, improving the use of online content or profiling the user.

The so called “technical cookies” are used for the sole purpose of providing the requested services, while “profiling cookies” are used to record specific actions or user behaviour to create homogeneous groups of people to enable content – e.g. advertising content – targeting consistent with their interests.

In the Guidelines commented upon here, the Italian DPA specified that the use of technical cookies is expressly exempted, by Article 122 of the Italian Privacy Code, from the obligation to acquire user consent and the data controller need only inform users pursuant to Article 13 of the GDPR. On the contrary, profiling cookies and other tracking tools used for non-technical purposes can only be used after obtaining user consent.

Consent validity requirements and banner

As regards cookies that require user consent, the Authority reiterated that the mere scroll of a webpage does not imply consent, which can only be deemed legitimately acquired when the data controller can prove that the user’s will is unequivocal, verifiable and above all corresponds to a conscious action.

Moreover, the DPA censored the so-called “cookie wall” mechanism that forces users to mandatorily accept tracking cookies prior to accessing a website, since such consent does not comply with the requirement of “freedom” under Article 4(11) of the GDPR.

Data controllers are instead required to insert a banner on the website, by means of which users who access the website for the first time can alternatively maintain the default settings relating to cookies or express – by means of a positive action – their consent to different settings. Obviously, users must be able to modify such choices at any time and in a simple, immediate and intuitive manner through a link placed in the website footer, bearing the words “review your cookie choices” or similar.

Where mandatory, the banner must be sufficiently large to disrupt the navigation on the webpage and to avoid the risk of unwanted or unconscious clicks (e.g. accept cookies/close the banner). The same banner must also contain the following essential information:
i) a caveat communicating that closing the banner implies the application of default settings;
ii) if applicable, a brief information note relating to the fact that the website uses technical cookies and can also use – only upon consent – profiling cookies or similar tracking tools;
iii) the link to the privacy policy;
iv) a button through which users can express their consent by accepting all cookies or the use of any other tracking tools;
v) a link to a dedicated area where it is possible to selectively choose only certain cookies’ functionalities, the list of third parties owner of the cookies used by the website (that must be kept constantly updated) and the list of cookies (possibly grouped by homogeneous categories) for which users give their consent.

As an alternative to the above indicated methods, however, the data controllers shall have the possibility to implement different ways of collecting consent with respect to those users who access the services through authentication or access credentials.

Lastly, the Guidelines contested the lawfulness of a common trend of data controllers, i.e. to repeatedly reintroduce the banner to users who have previously denied their consent, because it forces users to give their consent just to continue browsing. Therefore, where already denied, consent can no longer be requested unless: (i) there is a significant change in the conditions of the processing; (ii) it is impossible for the website manager to know that a cookie had already been previously stored on the user’s device; (iii) at least 6 months have passed since the previous banner was displayed.

Analytics cookies

The DPA also reiterates the comparability of analytics cookies – which are used to measure the effectiveness of an IT service – to technical cookies (and the consequent applicability of the related exemptions for consent and banner), on condition that they prevent the direct identification of a subject and their use is strictly limited to the development of aggregated statistics.

Privacy policy

Finally, the Authority concluded by admitting that the privacy policy under Article 13 of the GDPR may also be provided through different and multiple channels and methods, more dynamic and less traditional, such as information pop-ups, voice interactions, virtual assistants, use of the phone, chatbot.