Italy strengthens its policy on cookies and other tracking devices!
Published on 21/12/2021
Prior to this update, Italian publishers applied the rules of 8 May 2014, to which the following texts were added:
- The ePrivacy Directive of 2002: the reference text for cookies and other trackers (expected to be recast in 2020),
- The GDPR (RGPD), applicable since May 2018, on user consent techniques,
- The European Data Protection Board (EDPB) guidelines of 4 May 2020
These new rules, issued on 10/06/2021 by the Garante, the Italian regulator for personal data protection, specify the methods for collecting consent and using the trackers.
For all website publishers in Italy, these new guidelines and recommendations are applicable from 9 January 2022.
To help you comply before the deadline, we have created a summary infographic to give you an overview of the new Italian text.
Below you will find a more detailed explanation of the new guidelines in order to understand all the ins and outs of these guidelines.
1. Two main categories of cookies
The Italian regulator refers to two types of cookies and trackers:
- Technical cookies, also known as functional cookies, are necessary for the site to function. They enable optimal navigation on a given digital platform.
- Profiling cookies, which are used to group together profiles with similar or even identical behavioural patterns; this in turn aims to enable the controller, among other things, to provide increasingly personalised services beyond what is strictly necessary for the provision of the given service and also to send targeted advertising messages.
2. The consent exemption
Profiling cookies and tracers require the mandatory informed consent of the user or co-contractor.
Certain analytical cookies are exempted, if and only if they meet the following conditions (see details below in §4.b):
- they are used to produce aggregate statistics, i.e. statistics relating to a group of people in order to limit the risk of identification of users.
- They are used to measure the audience of a single site or application.
- The digital identity of the user is not traceable by the publisher.
- The data collected on the user is not cross-referenced with other data.
3. Obtaining online consent
a. Scroll and cookie wall
Obtaining user consent on a digital platform requires compliance with a number of rules.
The following cases are not considered to obtain consent, as consent must be given for all purposes and without ambiguity:
- Silence or inactivity on the part of the user
- Pre-ticked boxes in the notices
- Scrolling and further navigation by the user
- The cookie wall mechanism, also known as "take it or leave it", in which the user is obliged to give his consent or risk not being able to access the site, does not allow the consent obtained through its application to be considered as complying with the requirements of the Regulation, in particular its Article 4(11) on "free" consent.
In any case, an essential condition is that the proposed alternative complies with the principles of the Regulation as laid down in Article 5(1), and in particular with its letter a) according to which personal data are processed lawfully, fairly and transparently - i.e. the respect of the principle of "lawfulness, fairness and transparency" is paramount.
Otherwise, a cookie wall may not be considered compliant with the applicable legislation.
b. Repeat application for consent after initial consent has failed
The overly repetitive presentation of the consent banner after an opt-out is considered to have an impact on the user's freedom to consent.
Where a user refuses or accepts only certain processing operations, this choice shall be duly recorded and consent shall no longer be sought, unless:
- It is impossible for the site publisher to know that a cookie has already been stored on the collection device during a subsequent visit by the user concerned, for example because the user has deleted his cookies.
- At least 6 months have passed since the last presentation of the banner.
4. Privacy by design & privacy by default
a. Mechanism for obtaining consent
Consent must be obtained in such a way as to limit the amount of data collected to the strict minimum appropriate and necessary for the purposes being processed. This obligation applies to the amount of personal data collected, the extent of its processing, the retention period and its accessibility.
It is forbidden to place cookies or other tracers before consent has been obtained or information has been given.
The collection of consent must be carried out through the deployment on the site or application of an area or banner present at the beginning of the navigation, where the user can accept or refuse the purposes of processing.
Refusal can be expressed by clicking the closing "X" of the consent banner, placed in the top right-hand corner.
The mechanism for continuing to browse without consent should be as user-friendly and accessible as the one for giving consent.
Consent can only be considered to have been validly given if it is the result of an affirmative and conscious action by the user and if this action can be identified and demonstrated in an appropriate manner, so that the consent in question can ultimately be considered to comply with all the requirements set out in the Regulation.
The consent banner must contain, in addition to the "X" in the upper right-hand corner, at least the following information and options:
- a warning that if the banner is closed by clicking on the "X" at the top right of the banner, the default settings remain unchanged and browsing can continue without cookies or other non-technical tracking tools.
- a button by which consent can be given to the storage of all cookies or the use of other tracking tools
- a link to an additional dedicated area where the user can select, individually, the functionalities, the so-called third parties whose list is to be kept up to date, whether they are accessible through ad hoc links or through links to the websites of the partners representing them - and the cookies - possibly grouped into homogeneous categories - to which the user chooses to consent. If cookies are grouped into homogeneous categories and the list of third parties changes, as reflected in the links placed in this area, i.e. if additional third parties are included in the said list, it will be the responsibility of the website operator to select them precisely and to carry out the necessary supervision to ensure that the inclusion of these new entities and the resulting processing continue to be in accordance with the grouping into homogeneous categories.
Compliance with privacy by default obligations requires that all possible granular choices are predefined for refusing the storage of cookies, so that the user can also accept their storage individually.
Where only technical cookies or tracers are used, they may be mentioned on the homepage or in the general information notice without the need to display consent banners.
Regardless of the configuration adopted, the colours used for the buttons and, ultimately, the methods of application chosen - the affirmative action that the user is entitled to carry out when accessing a website for the first time must in any case be aimed at giving consent (known as "opt-in") and can never consist of refusing consent (known as "opt-out").
The user should be able to change his or her choices, i.e. to give consent after having refused it and to withdraw it, at any time, in a simple, easy and user-friendly way, through an ad hoc area accessible through a link in the footer of the site; this link should indicate its purpose with a statement such as "Change your mind about sharing your data" or a similar wording.
In order to effectively allow a user to change his/her mind and thus to enforce his/her right to freely make his/her choices, the Garante proposes a good practice: to place a graphic sign, an icon or any other technical tool on each page of the domain concerned, also close to the link to the options selection area, in order to indicate - also in a summary manner - the consent configuration applicable to the given user and thus to allow to modify or update this configuration at any time.
Each time the banner containing the information notice and the user's options is displayed again, as well as each time the user modifies his/her initial choices under the conditions described above, the options selected during subsequent accesses shall cancel and replace the previous ones, i.e. the new options shall apply in all cases, whether the consent is given after having been initially refused or withdrawn after having been initially given.
In order to ensure that users are not influenced or affected by design arrangements that would lead them to prefer one option over another, it is essential that controls and characters are of the same size, emphasis and colour, and that all controls and characters are equally easy to see and use.
The data controller shall take appropriate measures to maintain records of the choices made by the data subject. Evidence of all user choices collected must be kept by the data controller.
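The rules in §3.b and §4.a translate into a small amount of state that any banner implementation has to get right: every granular choice starts as refused, closing with the "X" keeps those defaults, the only affirmative action is opt-in, a new decision replaces the previous one, the banner is only re-presented when no record can be found or six months have passed, and an evidence record of each choice is kept. The following is an added example written for this article; it is not code from the SFBX post or from the AppConsent product. The purpose names, the six-month constant (approximated as 182 days) and the function names are this example's own assumptions, and persistence of the record (for instance in a first-party cookie) is left to the caller.

```javascript
// Added example, not code from the SFBX post or the AppConsent product.
// Consent state model for a cookie banner following the rules summarised
// above. Purpose names and the six-month constant are assumptions.

const PURPOSES = Object.freeze(["analytics", "advertising", "personalisation"]); // constructed
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000; // assumption: "6 months" approximated as 182 days

// Privacy by default: every granular choice starts as refused.
function defaultChoices() {
  const choices = {};
  for (const purpose of PURPOSES) choices[purpose] = false;
  return choices;
}

// Build the evidence record the controller must keep: what was chosen,
// through which control, and when. Unknown purposes are rejected rather
// than silently accepted, so a malformed request can never widen consent.
function recordDecision(action, selection, now) {
  const choices = defaultChoices();
  for (const [purpose, value] of Object.entries(selection)) {
    if (!PURPOSES.includes(purpose)) throw new Error("unknown purpose: " + purpose);
    choices[purpose] = value === true;
  }
  return { action, choices, recordedAt: now };
}

// Closing the banner with the "X" keeps the defaults: no non-technical cookies.
function closeBanner(now) {
  return recordDecision("close_x", {}, now);
}

// The affirmative opt-in action: accept every purpose.
function acceptAll(now) {
  const all = {};
  for (const purpose of PURPOSES) all[purpose] = true;
  return recordDecision("accept_all", all, now);
}

// Granular selection from the dedicated options area, also used when the user
// changes their mind via the footer link: the new record replaces the old one.
function customise(selection, now) {
  return recordDecision("customise", selection, now);
}

// Re-present the banner only when no record is found (for example because the
// user deleted their cookies) or at least six months have passed since the
// last decision was recorded.
function shouldShowBanner(record, now) {
  if (!record) return true;
  return now - record.recordedAt >= SIX_MONTHS_MS;
}

// Gate for the code that sets cookies: technical cookies never need consent;
// anything else requires an explicit true in the latest record, and nothing
// non-technical may be placed before a choice has been made.
function mayStore(record, category) {
  if (category === "technical") return true;
  if (!record) return false;
  return record.choices[category] === true;
}
```

Because `shouldShowBanner` is driven only by the presence and age of the record, a site that re-prompts after a refusal for any other reason has to change this function deliberately, which is the behaviour the guidelines want to discourage.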
b. First or third party analytical cookies
Cookies may also be used to assess the effectiveness of an information society service provided by a publisher, to design a website or to help measure its "traffic", i.e. the number of visitors, possibly broken down by geographical area, time slot or other characteristics.
The Garante stated in its May 2014 decision that analytical cookies belong to the category of technical cookies and can be used without the prior consent of the data subject, if certain conditions are met:
- It is essential to prevent direct identification, i.e. singling out, of the person concerned by their use, which amounts to preventing the use of analytical cookies that can function as direct and unique identifiers because of their characteristics.
- Analytical cookies should be structured in such a way as to allow the same cookie to relate to more than one device. This creates reasonable uncertainty as to the computer identity of the recipient of the cookie. This is usually achieved by hiding the relevant parts of the IP address in the cookie. Given the 32-bit IPv4 representation of IP addresses, which are generally represented and used as a sequence of four decimal numbers separated by dots and ranging from 0 to 255, one of the measures that can be implemented to benefit from the said exemption is the masking of at least the fourth component of the IP address, which creates an uncertainty of 1/256 (approximately 0.4%) in the attribution of the cookie to a specific data subject. Similar procedures should be adopted with regard to IPv6 addresses, which have a very different structure and a much larger address space since they consist of 128-bit binary numbers.
- Analytical cookies are used only for the production of aggregated statistics and in relation to an individual website or mobile application, so as not to allow tracking of a person's browsing across different applications or websites. Therefore, third parties providing web measurement services to publishers should not combine the data, even if minimised as described above, with other information (such as customer records or statistics about visits to other websites) or pass this data on to other third parties, as this would result in an unacceptable increase in the risk of user identification. However, statistical analyses concerning several domains, websites or applications that can be traced back to a single controller may be considered lawful even in the absence of the abovementioned minimisation measures - provided that such analyses are carried out using the controller's own resources and do not turn into activities that go beyond statistical counting and ultimately take on the characteristics of processing operations aimed at enabling business-related decisions.
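The masking step described above is the one concrete technical measure in the guidelines, so it is worth seeing in code. The following is an added example written for this article, not code from the Garante text or from SFBX: it hides the fourth component of an IPv4 address before the address is used as input to an analytics identifier, and applies a comparable truncation to IPv6. The guidelines only say that "similar procedures" apply to IPv6 without giving a figure, so keeping the first 48 bits (the `keepBits` default) is this example's assumption, as are all function names.

```javascript
// Added example, not from the Garante guidelines or the SFBX post: masks the
// host-identifying part of an IP address so that one analytics identifier
// covers many devices. The 48-bit IPv6 prefix kept by default is an assumption.

function maskIPv4(addr) {
  const parts = addr.split(".");
  const valid = parts.length === 4 &&
    parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error("not an IPv4 address: " + addr);
  parts[3] = "0"; // at least the fourth component is hidden (1/256 uncertainty)
  return parts.join(".");
}

// Expand an IPv6 address, including "::" compression, into eight 16-bit groups.
function parseIPv6(addr) {
  const halves = addr.split("::");
  if (halves.length > 2) throw new Error("not an IPv6 address: " + addr);
  const toGroups = s => (s === "" ? [] : s.split(":"));
  let groups = toGroups(halves[0]);
  if (halves.length === 2) {
    const tail = toGroups(halves[1]);
    const missing = 8 - groups.length - tail.length;
    if (missing < 1) throw new Error("not an IPv6 address: " + addr);
    groups = groups.concat(Array(missing).fill("0"), tail);
  }
  if (groups.length !== 8 || !groups.every(g => /^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error("not an IPv6 address: " + addr);
  }
  return groups.map(g => parseInt(g, 16));
}

// Keep only the leading keepBits bits of an IPv6 address; everything after the
// prefix is zeroed. Output is the uncompressed eight-group form.
function maskIPv6(addr, keepBits = 48) {
  const groups = parseIPv6(addr);
  return groups.map((g, i) => {
    const keep = Math.max(0, Math.min(16, keepBits - i * 16));
    const mask = keep === 0 ? 0 : (0xffff << (16 - keep)) & 0xffff;
    return (g & mask).toString(16);
  }).join(":");
}

// Entry point for the analytics pipeline: dispatch on address family. The
// unmasked address should not be retained once this value has been derived.
function anonymiseForAnalytics(addr) {
  return addr.includes(":") ? maskIPv6(addr) : maskIPv4(addr);
}
```

Masking must happen before the address is stored or hashed into an identifier; hashing a full address first and masking later does not reduce the identification risk, because the hash already singles out the device.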
5. New requirements for information notices
a. The information to be provided under the Regulation
In order for the user to be able to give informed consent, the data controller must inform the user of the possible additional recipients of his/her personal data and of the period of storage of the information obtained.
It is also necessary to provide information on how individuals can exercise all the rights provided for in the Regulation, including the right to make a request for access and to lodge a complaint with a supervisory authority.
Information can be provided not only in a multi-layered approach, but also - taking into account the specific context - through several channels and arrangements, i.e. in a multi-channel approach.
This can make the most of more dynamic and less traditional points of contact between the controller and the data subjects.
Examples include the increasing use of video channels, information pop-ups, voice interactions, virtual assistants, phone messages, chatbots, etc.
It will then be up to the controller, who is entitled to decide on the method or set of methods considered to be the most appropriate, to check that the system put in place meets the requirements laid down by the Regulation, in particular as regards its thoroughness, clarity, effectiveness and ease of use.
It shall be the responsibility of the data controller to take all appropriate measures to ensure that the information contained in the banner is accessible without discrimination to persons with disabilities who require specific assistive technologies or configurations in accordance with Law no. 4 of 9 January 2004, as last amended by Law no. 120 of 11 September 2020.
b. The need to complete the information to be provided to users
It has also been found that queries and checks on the storage of cookies by a specific website may have different results depending on the browser involved.
These criteria may also be made available to the Authority on request, as a tool to support any investigative activity that will be undertaken on the issues in question.
The Italian regulator has decided to tighten up all recommendations and guidelines on cookies and trackers to allow Internet and mobile users to give their consent in full awareness of all the processing that may be carried out on their personal data, and what is involved in depositing cookies or other trackers on their computers or mobiles.
These new measures, applicable from 9 January 2022, can be implemented in our AppConsent product via the back office.
If you have any questions or need support, our team is at your disposal to guide you through these new recommendations, and to implement them on your websites and mobile applications, if available and distributed in Italy.
If you are already a customer, contact us at email@example.com.
If you are not yet a customer, please contact us at firstname.lastname@example.org.
Written and published by the SFBX team on 21 December 2021