Support Centre

You have out of 10 free articles left for the week

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Italy: Garante's new guidelines on cookies and similar tracking technologies - key takeaways

The Italian data protection authority ('Garante') launched, on 10 December 2020, a public consultation on its draft guidelines on cookies and other similar tracking technologies1 ('the Guidelines'). In particular, the Guidelines aim to illustrate the legislation applicable to the storing of information, or the gaining of access to information already stored, in the terminal equipment of users, as well as to specify the lawful means to provide the cookie policy and collect online consent of data subjects, where necessary, in light of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

JakeOlimb / Signature collection / istockphoto.com

In addition, the Guidelines note that the Garante's previous guidance on Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies2, while maintaining its relevance, need to be integrated with specific reference to certain aspects such as scrolling as a lawful means to collect consent for profiling cookies and the use of cookie walls.

Scope of application - beyond cookies and traditional terminal devices

The Guidelines provide that the concept of terminal device no longer merely comprises traditional tools such as tablets or smartphones, but must be extended to Internet of Things ('IoT') devices, which are designed to connect to the web and among themselves in order to offer various services, not necessarily limited to communication.

'Active' v. 'passive' identifiers

The Guidelines provide a distinction between 'active' and 'passive' identifiers.

With active identifiers, such as cookies, the user has the possibility of directly removing identifiers from his/her device, as well as the possibility of exercising the rights provided by the GDPR to data subjects.

On the other hand, with passive identifiers, such as fingerprinting, the user is not offered autonomously actionable instruments, and has therefore to revert to the data controller. In fact, passive identifiers do not imply the storage and/or access of information on the user's device, but merely the reading of its configuration, which makes it identifiable and results in the creation of a 'profile' that only the controller is allowed to access.

More specifically, the Guidelines outline that fingerprinting is one of the most commonly used passive identifiers, and that it represents a technique through which it is possible to identify the user's device by collecting information on its configuration. For this reason, the Guidelines confirm that fingerprinting is to be included in their own scope.

Scrolling as a lawful means to collect consent

The Guidelines recall that, according to the European Data Protection Board's ('EDPB') Guidelines 05/2020 on Consent under Regulation 2016/679, as updated on 4 May 2020, actions such as scrolling will not under any circumstances satisfy the requirement of a clear and affirmative action for the installation of non-technical cookies. In this regard, the Guidelines specify that, although the Garante shares the EDPB interpretation, the 'scroll down' action, however, can be one of the components of a more articulated process that will clearly show to the website manager, through the generation of a precise pattern, the user's unequivocal choice to provide his/her positive consent to the use of cookies.

In this regard, the Guidelines note that publishers may in theory make use of more developed means based on the idea of the 'dynamic web,' such as the transmission from the browser of events like the movement of the mouse on the website (so-called 'pattern'). Such means could make it easier than traditional virtual buttons to indicate positive and unequivocal actions of the user. These actions could in fact bring to configuration changes of specific website areas (such as colour, format, or position) and/or of the information provided in those same areas that could be codified by the website and interpreted as an expression of consent. However, the Guidelines recall that these alternative means must always make clear to the user the consequences of his/her actions, with the aim of avoiding 'false positives,' i.e. mistaken interpretation of casual actions as positive expression of consent.

Cookie walls

The Guidelines provide that cookie walls are to be considered invalid, with the exception of the case (to be verified on a case by case basis) where the website manager provides the user with the possibility of accessing an equivalent content/service without the need of providing consent to the installation of cookies. In this regard, the Guidelines point out that the alternative will have to be considered equivalent when it is compliant with, among others, Article 5(1)(a) of the GDPR, which provides that personal data must be processed in a lawful, fair, and transparent manner.

Re-collection of consent

The Guidelines acknowledge the existence of the invasive practice of website managers reiterating the request of consent via cookie banner at every user's visit.

In this regard, the Guidelines provide that, according to Article 7 of the GDPR, data controllers using cookies and other tracking technologies must implement a mechanism to be able to record and prove the collection of consent. Therefore, the Guidelines highlight that once they collect consent, controllers will not have to re-collect the same at every user's visit of the website, unless:

  • the conditions of collection have changed; or
  • it is impossible for the controller to be aware of the fact that a cookie has been already installed on the device in order to be re-transmitted, when the user re-access the website, to the website that generated the cookie itself. This is the case where, for example, the user deletes the cookie installed on his/her device. The Guidelines recall that this action does not amount to the exercise to the right of object, as provided by the GDPR.

Privacy by Design and by Default for cookies

The Guidelines stress the fact that the Garante's previous guidance on cookies maintain its validity in relation to the mechanism for the collection of consent. However, the Guidelines also note that the Garante's guidance must be updated in light of the principles of Privacy by Design and by Default, as provided by Article 25 of the GDPR.

In practice, the Guidelines outline that, when the user merely accesses the website:

  • non-technical cookies must not be installed by default; and
  • the use of any other active or passive profiling techniques is not allowed.

Moreover, the Guidelines state that the user, when presented with the cookie banner, must be able to deny his/her consent to cookies by closing banner through the use of a top right 'X' button, without accessing any other cookie related webpage.

Cookie policy 

First layer

The Guidelines provide that the cookie banner must include at least the following:

  • minimum information in relation to the website's use of technical and profiling cookies;
  • a link to the extended privacy policy (2nd layer) where information in accordance with Articles 12 and 13 of the GDPR is provided;
  • information in relation to the fact that if the user continues browsing, he/she signifies his/her consent to the use of cookies, where the conditions outlined above are met;
  • the possibility of consenting to the use of all the cookies and other tracking technologies; and
  • a link to a webpage where the user will be able to select granularly the functionalities, the third parties (in relation to which an up to date list must be maintained), and the cookies, eventually even grouped by categories, that he/she consents to. In this case all the choices must be de-selected by default. The user must also be provided in this webpage with the possibility of providing/withdrawing the consent to all the cookies.

When designing the 1st layer, the Guidelines recommend data controllers to use buttons of the same size, emphasis, and colour, which have to be equally easy to see and use, in order to ensure that users are not influenced by design choice.

Second layer

The Guidelines specify that the extended cookie policy must include the following:

  • information on the means through which data subjects can exercise their rights under the GDPR;
  • information on the potential recipients of the data subjects' personal data;
  • information on the retention periods for information collected through cookies;
  • information on the criteria through which cookies are categorised semantically. These criteria could be requested by the Garante as part of an investigation.

Alternative cookie policies

The Guidelines highlight that the cookie policy does not necessarily have to adopt a multilayer approach. In fact, the Garante points out that a 'multichannel' approach may also be followed, enabling the maximisation of more dynamic and less traditional points of contact between the controller and the data subjects, such as video channels, informative pop-ups, vocal interactions, virtual assistants, phone calls, and chat boxes.

Analytics cookies

The Guidelines note that analytics cookies may be deemed technical cookies, if certain conditions are met, in accordance with the principle of Privacy by Design.

In particular, the Guidelines outline that data minimisation measures must be adopted in order to reduce the identification power of third-party analytic cookies. In practice, the Guidelines state that it must be impossible to directly identify the data subject through analytic cookies, which means that the use of analytic cookies that, considering their features, act as direct and univocal identifiers, is not permitted.

Therefore, the Guidelines provide that the structure of analytic cookies must ensure that the same cookie can be matched not to just one device, but instead to more devices, in order to obtain a reasonable uncertainty as to the informatic identity of the user. This result is usually obtained by integrating the structure of the IP address within the cookie and masking portions of that same address. In practice, the Guidelines note that one of the measures that can be implemented to consider analytic cookies as technical ones, considering the IP address version 4 ('IPv4'), is to mask at least ¼ of the IP address, which enable an identification uncertainty of 1/256 (approx. 4%). The Guidelines recall that similar procedures can also be implemented with IP address version 6 ('IPv6').

In any case, the Guidelines stress the fact that the data minimised in this way will not have to be combined with other information (such as customer's file and audience measurement) or shared with third parties. Lastly, the Guidelines note that the use of analytic cookies must be limited to the production of aggregated statistics and must also be used in relation to a single website or mobile app, so that the tracking of the user surfing through different applications or websites is not permitted.

Next steps

The Guidelines have been under public consultation for 30 days from 10 December 2020. The publication of the finalised version is now expected from the Garante.

Matteo Quartieri Privacy Analyst
[email protected]


1. Available, only in Italian, at: https://www.garanteprivacy.it/documents/10160/0/Consultazione+sulle+%E2%80%9CLinee+guida+sull%E2%80%99utilizzo+di+cookie+e+di+altri+strumenti+di+tracciamento%E2%80%9D+-+Allegato+1+-+Linee+guida.pdf/72eab081-e4c4-4500-77c3-8b6957f8cd12?version=2.0
2. Available at: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3167654