Italy: FAQs - Are you compliant with the Garante's guidelines on cookies?
The guidelines on cookies and other similar tracking tools¹ ('the Guidelines') of the Italian data protection authority ('Garante') established a period of six months from their publication in the Official Gazette, on 9 July 2021, for entities to align their operations with its instructions. This means that, as of 9 January 2022, the deadline for compliance has expired.
Having analysed the Guidelines in detail in two previous Insight articles, Italy: Garante's finalised guidelines on cookies and similar tracking technologies - key takeaways² and Italy: Key points from Garante's updated cookie guidance³, in this Insight OneTrust DataGuidance provides an overview of some frequently asked questions ('FAQs') and answers.
1. Do website operators need to comply with the Guidelines if they seek to use tracking tools other than cookies?
2. Which legal basis can I rely on to install cookies and similar technologies on the user's device?
3. Which types of cookies are considered 'technical cookies' which do not require user consent?
The Guidelines clarify that 'technical cookies' are those used solely to carry out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service to provide such a service, when the same is explicitly requested by the user.
Notably, the Guidelines provide that analytics cookies may be considered technical cookies and may accordingly be used without the user's consent, provided that certain conditions are met. Specifically, analytics cookies may be deemed as technical cookies if:
- direct identification of the data subject through the use of analytics cookies is impossible;
- third-party analytics cookies are structured in such a way as to enable the same cookie to relate to several devices, which will create reasonable uncertainty as to the IT identity of the cookie recipient, which is usually achieved by masking out appropriate portions of the IP address in the cookie (e.g. the last four digits of a 32-bit IPv4 IP address and similar procedures for IPv6);
- analytics cookies are used solely for the production of aggregated statistics and in relation to a single website or mobile app; and
- the third party does not combine the minimised analytics cookies with other data (e.g. customer files or statistics of visits to other websites) or share the same with third parties.
In addition, the Guidelines note, in relation to third-party analytics cookies, that third parties are allowed to produce statistics with data from several domains, websites, or apps that can be traced back to the same website operator or business group.
Moreover, if a data controller merely carries out statistical analyses relating to multiple domains, websites, or apps that can be traced back to the same data controller, unencrypted data may be used, subject to the principle of purpose limitation.
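The IP masking condition in the list above, as an added example (not code from the Guidelines or from any analytics provider): the address is truncated before it is stored, so that several devices on the same network map to one value. The prefix widths kept (24 bits for IPv4, 48 bits for IPv6) and all function names are assumptions of this example.

```javascript
// Added example: truncate an IP address before it is stored for analytics.
// Prefix widths are assumptions of this example, not values from the Guidelines.
const KEEP_BITS = { v4: 24, v6: 48 };

function parseIPv4(text) {
  const parts = text.split(".");
  if (parts.length !== 4) return null;
  const bytes = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  return bytes.every((b) => b >= 0 && b <= 255) ? bytes : null;
}

function parseIPv6(text) {
  // Expand a single "::" into the zero groups it stands for.
  // IPv4-mapped forms such as ::ffff:1.2.3.4 are rejected (returns null).
  const halves = text.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 1 ? missing !== 0 : missing < 1) return null;
  const zeros = Array(halves.length === 2 ? missing : 0).fill("0");
  const groups = [...head, ...zeros, ...tail];
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

function maskUnits(units, unitBits, keepBits) {
  // Keep the first keepBits bits across the units and zero the rest.
  return units.map((u, i) => {
    const kept = Math.min(Math.max(keepBits - i * unitBits, 0), unitBits);
    const mask = ((1 << unitBits) - 1) ^ ((1 << (unitBits - kept)) - 1);
    return u & mask;
  });
}

function minimiseIp(text) {
  const v4 = parseIPv4(text);
  if (v4) return maskUnits(v4, 8, KEEP_BITS.v4).join(".");
  const v6 = parseIPv6(text);
  if (v6) return maskUnits(v6, 16, KEEP_BITS.v6).map((g) => g.toString(16)).join(":");
  return null; // unparseable input is dropped rather than stored as-is
}
```

Masking has to happen before the value is written to a cookie, log or analytics store; truncating it only at report time leaves the full address in storage.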
4. How do I make a cookie banner that is in line with the Guidelines?
According to the Guidelines, when users access the website for the first time, a cookie banner should appear immediately and should be of adequate size. Whether the size is adequate should also be assessed in light of the various devices the user is likely to use to access the website. In addition, the Guidelines recommend that a cookie banner contains the following:
- a warning that by clicking on the 'X' button, the default settings are left unchanged, i.e. the user may continue browsing the website without cookies;
- a minimal information notice that the website uses technical cookies and, if appropriate, profiling cookies and other tracking tools, subject to the user's consent;
- a command to easily accept all cookies or similar tracking technologies; and
- a link to a dedicated area of the website where the user will be able to select analytically the functionalities, the third parties, and the cookies, including the possibility of changing, by means of two further commands, the choices previously made.
In addition, the choices presented to the user must be de-selected by default, and the banner should be designed so as to avoid influencing the decisions of the user. Consequently, the banner should include buttons of the same size, emphasis, and colour, which should be equally easy to see and use.
Moreover, it should be noted that the Guidelines do not require the use of a cookie banner in all cases. In particular, if only technical cookies are used, the relevant information can be placed on the home page or in the general information of the website, without the need for a cookie banner. Conversely, when website operators use non-technical cookies, the Guidelines recommend the use of a cookie banner that follows the model described above; however, they also highlight that website operators are free to implement different mechanisms to obtain consent, for instance, through the use of authentication or access credentials.
7. The user did not actively express their consent but continued browsing the website. Can I consider their scrolling of the webpage as a suitable declaration of consent to the use of non-technical cookies?
The Guidelines provide that the mere 'scrolling' of a website is never sufficient for the purpose of obtaining the user's consent to the use of non-technical cookies. However, while scrolling may never be the only way to obtain the user's consent, the Guidelines note that it may constitute one part of a more articulated procedure that allows the user to flag their informed choice unambiguously, through a recordable IT event.
8. If a user does not consent to the use of non-technical cookies, can I block the content of my website for them?
9. How often can I reiterate the request for the user's consent?
The Guidelines establish that, contrary to widespread practice, if a user has not consented to the use of non-technical cookies or has only consented to the use of certain cookies, the website operator has a duty to record the user's choice and should not continuously seek the user's consent every time they visit the website. Nevertheless, the website manager may solicit the user's consent previously withheld if one of the following exceptions applies:
- the conditions of the processing have changed significantly;
- it is impossible for the website operator to know that a cookie has already been stored on the device for re-transmission to the website that generated it, on the occasion of a subsequent visit by that user; or
- at least six months have passed since the last time the user was presented with the cookie banner.
Users must always be able to modify their choices, either by providing consent previously withheld or, conversely, by withdrawing consent previously provided. Accordingly, the Guidelines require website managers to include a link in the website footer through which users may access an ad-hoc area that allows them to easily modify their choices, at any time and in a user-friendly fashion. The link in the website footer must be easily identifiable, e.g. it should use wording such as 'change your mind on cookies' or a similar expression.
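The re-prompt rule in this answer, as an added example (not code from the Guidelines): the banner is shown again only when no stored choice can be read back, when the processing has changed, or when six months have passed. The cookie name, the record fields and the use of a policy-version string to signal changed processing are assumptions of this example.

```javascript
// Added example: decide whether the cookie banner may be shown again.
// The cookie name, record fields and policy-version string are hypothetical.
const CONSENT_COOKIE = "consent_record";
const REPROMPT_MONTHS = 6; // period stated in the Guidelines

function readConsentRecord(cookieHeader) {
  // Returns the stored record, or null when none can be read back.
  for (const pair of cookieHeader.split(";")) {
    const [name, ...rest] = pair.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const rec = JSON.parse(decodeURIComponent(rest.join("=")));
      const shown = new Date(rec.lastShown);
      const valid = typeof rec.policyVersion === "string" &&
        !Number.isNaN(shown.getTime()) &&
        rec.choices && typeof rec.choices === "object";
      if (valid) {
        return { policyVersion: rec.policyVersion, lastShown: shown, choices: rec.choices };
      }
    } catch (_) { /* malformed value: treat as no record */ }
    return null;
  }
  return null;
}

function addMonths(date, months) {
  // Clamp to the last day of the target month (31 Aug + 6 months -> 28/29 Feb).
  const d = new Date(date.getTime());
  const day = d.getUTCDate();
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() + months);
  const lastDay = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(day, lastDay));
  return d;
}

function bannerDecision(cookieHeader, currentPolicyVersion, now) {
  const rec = readConsentRecord(cookieHeader);
  if (!rec) return { show: true, reason: "no-readable-record" };
  if (rec.policyVersion !== currentPolicyVersion) return { show: true, reason: "processing-changed" };
  if (now >= addMonths(rec.lastShown, REPROMPT_MONTHS)) return { show: true, reason: "six-months-elapsed" };
  return { show: false, reason: "choice-on-record" };
}
```

This check governs only the unsolicited banner; the footer link to the preferences area stays available regardless of its result.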
Anna Baldin Privacy Analyst
1. See: https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9677876#english
2. See: https://www.dataguidance.com/opinion/italy-garantes-finalised-guidelines-cookies-and
3. See: https://www.dataguidance.com/opinion/italy-key-points-garantes-updated-cookie-guidance