
Italy strengthens its policy on cookies and other tracking devices!

Published on 21/12/2021

On 10 June 2021, the Italian regulator published new guidelines and recommendations on the use of cookies and the collection of consent, applicable from 09 January 2022[1].

Prior to this update of the texts, Italian publishers applied the rules of 8 May 2014 to which the following texts were added:

  • the ePrivacy Directive of 2002: the reference text for cookies and other trackers (a recast was expected in 2020),
  • the GDPR (in force since May 2018) on techniques for collecting user consent,
  • the European Data Protection Board (EDPB) guidelines of 4 May 2020[2].

These new rules, issued on 10/06/2021 by the Garante, the Italian regulator for personal data protection, specify the methods for collecting consent and using the trackers.

For all website publishers in Italy, these new guidelines and recommendations are applicable from 9 January 2022.

To help you comply before the deadline, we have created a summary infographic to give you an overview of the new Italian text.


Below you will find a more detailed explanation of the new guidelines, so that you can understand all their ins and outs.

1. Two main categories of cookies

The Italian regulator refers to two types of cookies and trackers:

  • Technical cookies: also known as functional cookies, these are necessary for the site to function. They enable optimal navigation on a given digital platform.
  • Profiling cookies: these are used to group together profiles with similar or even identical behavioural patterns. This in turn aims to enable the controller, among other things, to provide increasingly personalised services beyond what is strictly necessary for the provision of the given service, and to send targeted advertising messages.

2. The consent exemption

Cookies and so-called technical tracers are exempt from consent. The display of a banner is not even systematically compulsory if the site only uses this type of tracker. The user must still be informed via the site's homepage or via a minimum information notice or a link to the privacy policy.

Profiling cookies and tracers require the mandatory informed consent of the user or co-contractor.

Certain analytical cookies are exempted, if and only if they meet the following conditions (see details below in §4.b):

  • They are used to produce aggregate statistics, i.e. statistics relating to a group of people, in order to limit the risk of identification of users.
  • They are used to measure the audience of a single site or application.
  • The digital identity of the user is not traceable by the publisher.
  • The data collected on the user is not cross-referenced with other data.

The 2002 ePrivacy Directive lays down the obligation to obtain consent for the use of cookies. It is therefore not possible to invoke the legitimate interest of the controller to justify the use of cookies or other tracking tools.

3. Obtaining online consent

a. Scroll and cookie wall

Obtaining user consent on a digital platform requires compliance with a number of rules.

The following cases are not considered as obtaining consent, since consent must be given for all purposes and without ambiguity:

  • The silence or the inactivity of users
  • The pre-ticked boxes in the notices
  • The scroll and the further navigation by the user
  • The cookie wall mechanism, also known as "take it or leave it", in which the user is obliged to give his consent or risk not being able to access the site. Consent obtained through this mechanism cannot be considered as complying with the requirements of the Regulation, in particular its Article 4(11) on "free" consent.

The cookie wall should therefore be considered illegal, unless the website operator offers the data subject the possibility to access equivalent content or services without giving consent to the storage and use of cookies or other tracking tools, which will have to be verified on a case-by-case basis.

In any case, an essential condition is that the proposed alternative complies with the principles of the Regulation as laid down in Article 5(1), and in particular with its letter a) according to which personal data are processed lawfully, fairly and transparently - i.e. the respect of the principle of "lawfulness, fairness and transparency" is paramount.

Otherwise, a cookie wall may not be considered compliant with the applicable legislation.

b. Repeated requests for consent after an initial refusal

The overly repetitive presentation of the consent banner after an opt-out is considered to have an impact on the user's freedom to consent.

Where a user refuses or accepts only certain processing operations, this choice shall be duly recorded and consent shall no longer be sought, unless:

  • It is impossible for the site publisher to know, during a subsequent visit by the user concerned, that a cookie has already been stored on the collection device. For example: when the user has deleted his cookies.
  • At least 6 months have passed since the last presentation of the banner.

4. Privacy by design & privacy by default

a. Mechanism for obtaining consent

Consent must be obtained in such a way as to limit the amount of data collected to the strict minimum appropriate and necessary for the purposes of the processing. This obligation applies to the amount of personal data collected, the extent of its processing, the retention period and its accessibility.

It is forbidden to place cookies or other tracers before consent has been obtained or information has been given.

The collection of consent must be carried out through the deployment on the site or application of an area or banner present at the beginning of the navigation, where the user can accept or refuse the purposes of processing.

Refusal can be expressed by clicking on the closing "X" of the consent banner, placed in the top right-hand corner.

The mechanism for continuing to browse without consent should be as user-friendly and accessible as the one for giving consent.

Consent can only be considered to have been validly given if it is the result of an affirmative and conscious action by the user and if this action can be identified and demonstrated in an appropriate manner, so that the consent in question can ultimately be considered to comply with all the requirements set out in the Regulation.

The consent banner must contain, in addition to the "X" in the upper right-hand corner, at least the following information and options:

  • a warning that if the banner is closed by clicking on the "X" at the top right of the banner, the default settings remain unchanged and browsing can continue without cookies or other non-technical tracking tools.
  • a minimum information notice stating that the website uses cookies or technical tracers and may, after obtaining the user's consent, also use profiling cookies or other tracking tools in order to send advertisements and/or personalise its services beyond what is strictly necessary for the provision of these services, i.e. according to the preferences expressed by the user in the context of his or her use of the website's functionalities and browsing, and/or with the aim of analysing and monitoring the behaviour of the website's visitors.
  • a link to the privacy policy, or to an extended second-level notice, accessible through a link to be placed in the footer of any page of the domain accessed by the user - where at least all the information referred to in Articles 12 and 13 of the Regulation is provided in a clear and complete manner, including with regard to cookies or technical tools.
  • a button by which consent can be given to the storage of all cookies or the use of other tracking tools.
  • a link to an additional dedicated area where the user can select, individually, the functionalities, the so-called third parties whose list is to be kept up to date, whether they are accessible through ad hoc links or through links to the websites of the partners representing them - and the cookies - possibly grouped into homogeneous categories - to which the user chooses to consent. If cookies are grouped into homogeneous categories and the list of third parties changes, as reflected in the links placed in this area, i.e. if additional third parties are included in the said list, it will be the responsibility of the website operator to select them precisely and to carry out the necessary supervision to ensure that the inclusion of these new entities and the resulting processing continue to be in accordance with the grouping into homogeneous categories.

Compliance with privacy by default obligations requires that all possible granular choices are predefined for refusing the storage of cookies, so that the user can also accept their storage individually.

Where only technical cookies or tracers are used, they may be mentioned on the homepage or in the general information notice without the need to display consent banners.

Regardless of the configuration adopted, the colours used for the buttons and, ultimately, the methods of application chosen - the affirmative action that the user is entitled to carry out when accessing a website for the first time must in any case be aimed at giving consent (known as "opt-in") and can never consist of refusing consent (known as "opt-out").

The user should be able to change his or her choices, i.e. to give consent after having refused it and to withdraw it, at any time, in a simple, easy and user-friendly way, through an ad hoc area accessible through a link in the footer of the site; this link should indicate the underlying purpose by a statement such as "Change your mind about sharing your data" or similar wording.

In order to effectively allow a user to change his/her mind and thus to enforce his/her right to freely make his/her choices, the Garante proposes a good practice: to place a graphic sign, an icon or any other technical tool on each page of the domain concerned, also close to the link to the options selection area, in order to indicate - also in a summary manner - the consent configuration applicable to the given user and thus to allow to modify or update this configuration at any time.

Each time the banner containing the information notice and the user's options is displayed again, as well as each time the user modifies his/her initial choices under the conditions described above, the options selected during subsequent accesses shall cancel and replace the previous ones, i.e. the new options shall apply in all cases, whether the consent is given after having been initially refused or withdrawn after having been initially given.

In order to ensure that users are not influenced or affected by design arrangements that would lead them to prefer one option over another, it is essential that controls and characters are of the same size, emphasis and colour, and that all controls and characters are equally easy to see and use.

The data controller shall take appropriate measures to maintain records of the choices made by the data subject. Evidence of all user choices collected must be kept by the data controller.
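The re-prompt rule of §3.b (a recorded refusal is not asked about again unless the consent cookie is gone or at least 6 months have passed), together with the "new options cancel and replace the previous ones" rule and the record-keeping obligation just above, as an added Python example that is not part of the Garante text or of SFBX's product. The purpose names, the 183-day reading of "6 months" and the sample timestamp are this example's assumptions.

```python
"""Added example: a minimal server-side consent record modelling three rules
from the Italian guidelines. Purpose names, the 183-day reading of "at least
6 months" and the sample timestamp T0 are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

REPROMPT_AFTER = timedelta(days=183)                  # assumption: "at least 6 months"
PURPOSES = ("analytics", "profiling", "advertising")  # constructed purpose names
T0 = datetime(2022, 1, 10, tzinfo=timezone.utc)       # constructed sample timestamp


@dataclass
class ConsentRecord:
    """Controller-side state for one consent cookie id."""
    choices: Dict[str, bool]                      # purpose -> accepted?
    banner_shown_at: datetime                     # last presentation of the banner
    evidence: List[dict] = field(default_factory=list)  # audit trail of every choice


class ConsentStore:
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def should_show_banner(self, cookie_id: Optional[str], now: datetime) -> bool:
        """Re-request consent only in the two cases the guidelines allow:
        no consent cookie can be found (new user, or the user deleted it), or
        the banner was last shown at least REPROMPT_AFTER ago."""
        rec = self._records.get(cookie_id) if cookie_id else None
        if rec is None:
            return True
        return now - rec.banner_shown_at >= REPROMPT_AFTER

    def record_choice(self, cookie_id: str, choices: Dict[str, bool],
                      now: datetime, source: str) -> ConsentRecord:
        """Store a choice made on the banner or via the footer link.
        Privacy by default: any purpose not explicitly accepted is refused.
        The new options replace the previous ones entirely; the evidence list
        keeps the full history so the controller can demonstrate each choice."""
        full = {p: bool(choices.get(p, False)) for p in PURPOSES}
        rec = self._records.get(cookie_id)
        if rec is None:
            rec = ConsentRecord(choices=full, banner_shown_at=now)
            self._records[cookie_id] = rec
        else:
            rec.choices = full
            rec.banner_shown_at = now
        rec.evidence.append({"at": now.isoformat(), "source": source, "choices": dict(full)})
        return rec

    def is_allowed(self, cookie_id: Optional[str], purpose: str) -> bool:
        """Gate for setting a non-technical cookie: only with a recorded acceptance."""
        rec = self._records.get(cookie_id) if cookie_id else None
        return bool(rec and rec.choices.get(purpose, False))
```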

b. First or third party analytical cookies

Cookies may also be used to assess the effectiveness of an information society service provided by a publisher, to design a website or to help measure its "traffic", i.e. the number of visitors, possibly broken down by geographical area, time slot or other characteristics.

The Garante stated in its May 2014 decision that analytical cookies belong to the category of technical cookies and can be used without the prior consent of the data subject, if certain conditions are met:

  • It is essential to prevent direct identification - i.e. singling out - of the person concerned through their use, which amounts to preventing the use of analytical cookies that can function as direct and unique identifiers because of their characteristics.
  • Analytical cookies should be structured in such a way as to allow the same cookie to relate to more than one device. This creates reasonable uncertainty as to the computer identity of the recipient of the cookie, and is usually achieved by hiding the relevant parts of the IP address in the cookie. Given the 32-bit IPv4 representation of IP addresses, which are generally represented and used as a sequence of four decimal numbers separated by dots and ranging from 0 to 255, one of the measures that can be implemented to benefit from the said exemption is the masking of at least the fourth component of the IP address, which creates an uncertainty of 1/256 (approximately 0.4%) in the attribution of the cookie to a specific data subject. Similar procedures should be adopted with regard to IPv6 addresses, which have a very different structure and a much larger address space since they consist of 128-bit binary numbers.
  • Analytical cookies are used only for the production of aggregated statistics and in relation to an individual website or mobile application, so as not to allow tracking of a person's browsing across different applications or websites. Therefore, third parties providing web measurement services to publishers should not combine the data, even if minimised as described above, with other information (such as customer records or statistics about visits to other websites) or pass this data on to other third parties, as this would result in an unacceptable increase in the risk of user identification. However, statistical analyses concerning several domains, websites or applications that can be traced back to a single controller may be considered lawful even in the absence of the abovementioned minimisation measures - provided that such analyses are carried out using the controller's own resources and do not turn into activities that go beyond statistical counting and ultimately take on the characteristics of processing operations aimed at enabling business-related decisions.
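The IP-masking measure described in the second point above, as an added Python example that is not the Garante's or SFBX's code: it zeroes the fourth IPv4 octet as the guidelines require, applies an analogous truncation to IPv6, and derives the 1/256 attribution uncertainty the text quotes. The /48 IPv6 prefix and the sample addresses are this example's assumptions; the guidelines give no IPv6 figure.

```python
"""Added example: IP masking for audience-measurement cookies (§4.b).
The IPv4 rule (mask at least the fourth component) is the Garante minimum;
the IPv6 prefix length (/48, 80 bits masked) is this example's assumption."""
import ipaddress
from fractions import Fraction

IPV4_KEEP_BITS = 24   # keep three octets, zero the fourth (Garante minimum)
IPV6_KEEP_BITS = 48   # assumption: keep the routing prefix, zero the rest


def _keep_bits(ip) -> int:
    return IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS


def mask_ip(addr: str) -> str:
    """Return the address with its host part zeroed before it is stored
    in the cookie or log: 192.0.2.77 -> 192.0.2.0."""
    ip = ipaddress.ip_address(addr)
    # strict=False makes ip_network zero the host bits instead of raising
    net = ipaddress.ip_network(f"{ip}/{_keep_bits(ip)}", strict=False)
    return str(net.network_address)


def attribution_uncertainty(addr: str) -> Fraction:
    """Probability of correctly attributing the masked value to one address,
    i.e. 1 / (number of addresses sharing the masked form). With the fourth
    IPv4 octet masked this is 1/256, the figure quoted in the guidelines."""
    ip = ipaddress.ip_address(addr)
    return Fraction(1, 2 ** (ip.max_prefixlen - _keep_bits(ip)))


def is_sufficiently_masked(addr: str) -> bool:
    """Audit check for values already stored: the host bits must all be zero,
    otherwise the stored address still works as a direct, unique identifier."""
    ip = ipaddress.ip_address(addr)
    host_mask = (1 << (ip.max_prefixlen - _keep_bits(ip))) - 1
    return int(ip) & host_mask == 0


if __name__ == "__main__":
    # Constructed sample addresses from the RFC 5737 / RFC 3849 documentation ranges
    for sample in ("192.0.2.77", "2001:db8:85a3::8a2e:370:7334"):
        masked = mask_ip(sample)
        print(f"{sample:>30} -> {masked:<18} "
              f"uncertainty 1/{attribution_uncertainty(sample).denominator} "
              f"masked_ok={is_sufficiently_masked(masked)}")
```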

5. New requirements for information notices

a. The information to be provided under the Regulation

In order for the user to be able to give informed consent, the data controller must inform the user of the possible additional recipients of his/her personal data and of the period of storage of the information obtained.

It is also necessary to provide information on how individuals can exercise all the rights provided for in the Regulation, including the right to make a request for access and to lodge a complaint with a supervisory authority.

Information can be provided not only in a multi-layered approach, but also - taking into account the specific context - through several channels and arrangements, i.e. in a multi-channel approach.

This can make the most of more dynamic and less traditional points of contact between the controller and the data subjects.

Examples include the increasing use of video channels, information pop-ups, voice interactions, virtual assistants, phone messages, chatbots, etc.

It will then be up to the controller, who is entitled to decide on the method or set of methods considered to be the most appropriate, to check that the system put in place meets the requirements laid down by the Regulation, in particular as regards its thoroughness, clarity, effectiveness and ease of use.

It shall be the responsibility of the data controller to take all appropriate measures to ensure that the information contained in the banner is accessible without discrimination to persons with disabilities who require specific assistive technologies or configurations in accordance with Law no. 4 of 9 January 2004, as last amended by Law no. 120 of 11 September 2020.

b. The need to complete the information to be provided to users

To date, there is no universally accepted system of semantic coding of cookies and other tracking tools that objectively distinguishes, for example, technical cookies from analytical or profiling cookies - except on the basis of information provided by the controller in its privacy policy.

It has also been found that queries and checks on the storage of cookies by a specific website may have different results depending on the browser involved.

In light of the above, and pending the rapid implementation of global coding standards - which is particularly important in today's connected online world, where geographical distances are becoming less important due to the growing potential of the network - the Garante wishes to remind controllers using these tools of the need to disclose, by supplementing the information provided, at least the criteria for coding the identifiers they implement. Alternatively, controllers could consider also setting out these coding criteria in their privacy policy.

These criteria may also be made available to the Authority on request, as a tool to support any investigative activity that will be undertaken on the issues in question.

In conclusion

The Italian regulator has decided to tighten up all recommendations and guidelines on cookies and trackers to allow Internet and mobile users to give their consent in full awareness of all the processing that may be carried out on their personal data, and what is involved in depositing cookies or other trackers on their computers or mobiles.

These new measures, applicable from 9 January 2022, can be implemented in our AppConsent product via the back office.

Contact us

If you have any questions or need support, our team is at your disposal to guide you through these new recommendations, and to implement them on your websites and mobile applications, if available and distributed in Italy.

If you are already a customer, contact us at support-cmp@sfbx.io.

If you are not yet a customer, please contact us at sales@sfbx.io.

Written and published by the SFBX team on 21 December 2021
