On January 9, 2022, the cookie guidelines (“guidelines”) published by the Italian Supervisory Authority (“Garante”) on July 9, 2021 entered into force. This means that all companies that have not yet conformed to the guidelines’ provisions should do so promptly, to avoid incurring future sanctions. The guidelines include precise indications on, e.g., the categorization of cookies and other tracking technologies (“cookies”), the recommended design of cookie banners, the collection, review and renewal of consent, and information notices.
More in detail:
- Cookie categorization: the Garante maintains the distinction between technical cookies (including analytics cookies with masked IPs), for which consent is not required, and profiling cookies, for which consent is instead the only possible legal basis. The Garante explains that the category of profiling cookies is necessarily large and contains all the cookies that are not explicitly considered technical by law. This means, according to the Garante, that until there is a harmonized system to determine the nature of cookies, controllers must clarify the technical or non-technical nature that they attribute to each cookie in the privacy notice or elsewhere. In any case, controllers must ensure that, when a user accesses the website, only technical cookies are dropped by default on the user’s device; profiling cookies may be set only after consent has actually been given.
- Cookie banner design: the design of cookie banners should conform to the recommendations that the Garante makes; the authority provides that banners should:
- appear at the first website visit, be quickly distinguishable from the rest of the website content, and bear commands that all have the same font, color and size (so that no option is visually favored);
- have an ‘X’ at their top right that users can click to close the banner without giving their consent;
- contain sufficient information for users to be aware of the consequences of any of their actions; this means, in practice, that banners should include: (i) a warning that by clicking the ‘X’ users will agree to the default settings (i.e., only technical cookies will be used); (ii) a brief explanation that profiling cookies are used exclusively with users’ consent and to show advertising or personalize the services; (iii) a link to the extended privacy policy;
- contain a command through which all cookies can be accepted at the same time (e.g., an “Accept all” button);
- contain a link to another area where users can select/deselect cookies one by one or per category.
- Review of preferences: users must be given the opportunity to review their cookie preferences; for this, the Garante suggests having a dedicated area in the footer of the website with a recognizable design (e.g., a “Review your cookie preferences” button) to allow users to easily withdraw or modify the consents already given.
- Renewal of consent: controllers must avoid asking users to renew their cookie consent too often, because that may unlawfully pressure users into accepting all cookies just to make the banner go away; the Garante clarifies that controllers can only resurface the cookie banner: (i) where the processing conditions change significantly; (ii) if it is not possible for the controller to know the users’ previous choices because, for example, they erased all the cookies from the device; or (iii) after 6 months.
- Information notice: multi-layer information notices may be used; however, the extended privacy notice must be accessible in just one click from the banner, also for users with disabilities who rely on assistive technology, pursuant to Law 4/2004. The Garante adds that the notice may also be multichannel (e.g., by video, pop-up, voice interaction, virtual assistant, call, chat bot, etc.). The controller should choose the design that works best to ensure completeness, clarity, efficacy, and accessibility.
- Scrolling: under certain circumstances, scrolling can be considered as consent; however, according to the Garante, this can only happen if the controller is able to demonstrate that the scrolling is a user’s choice that is unequivocal (what the Garante calls a “clear behavioral pattern”), documentable, and informed; this means, in practice, that the burden of proof on controllers is very heavy, and a plain “scroll to accept” banner will not meet it.
- Registered accounts: controllers who offer their online services only to users with a registered account may adopt mechanisms different from those described above. The Garante clarifies that, whatever the mechanism chosen, controllers must always inform their registered users of the use of cookies, and give them the option to choose whether they can be tracked across devices.
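The categorization, banner and renewal rules above reduce, on the implementation side, to a small consent state machine: nothing but technical cookies runs until a recorded choice says otherwise, the ‘X’ records the default (technical only), and the banner is shown again only in the three cases the Garante lists. The following is an added example, written for this page and not taken from the article or from the Garante, of such a record and of the checks a site would run on each request. It assumes a first-party cookie named `cookie_consent` (a hypothetical name), approximates “6 months” as 182 days, and uses a hypothetical `POLICY_VERSION` constant that the operator bumps when processing conditions change significantly.

```javascript
// Added example (not part of the article or the Garante guidelines): a minimal
// consent record following the categorization, banner and renewal rules above.
// Assumptions: the record lives in a first-party cookie named "cookie_consent"
// (hypothetical name), "6 months" is approximated as 182 days, and
// POLICY_VERSION is bumped whenever processing conditions change significantly.

const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000;
const POLICY_VERSION = 3;                // hypothetical current version
const CONSENT_COOKIE = "cookie_consent"; // hypothetical cookie name

// Build a consent record from the user's banner action.
//   "close"            -> the 'X': default settings, technical cookies only
//   "accept_all"       -> every category
//   {profiling: bool}  -> granular choice from the preferences area
function makeRecord(action, now, version) {
  let profiling;
  if (action === "close") profiling = false;
  else if (action === "accept_all") profiling = true;
  else profiling = Boolean(action && action.profiling);
  return { version, ts: now, technical: true, profiling };
}

// The banner may be resurfaced only in the three cases the Garante lists.
function shouldShowBanner(record, now, version) {
  if (!record) return true;                          // (ii) previous choice unknown (e.g. cookies erased)
  if (record.version !== version) return true;       // (i) processing conditions changed
  if (now - record.ts >= SIX_MONTHS_MS) return true; // (iii) six months elapsed
  return false;
}

// Categories whose scripts may run: technical always, profiling only with consent.
function categoriesToLoad(record) {
  const cats = ["technical"];
  if (record && record.profiling === true) cats.push("profiling");
  return cats;
}

// Set-Cookie value for the record. Max-Age matches the six-month renewal so a
// stale record expires on its own; Secure and SameSite keep the consent cookie
// itself from travelling over plaintext or in cross-site requests.
function serializeConsentCookie(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  const maxAge = Math.floor(SIX_MONTHS_MS / 1000);
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Parse the record back out of a Cookie request header. Malformed or foreign
// values are treated as "no record", which is case (ii): show the banner and
// load nothing but technical cookies.
function parseConsentCookie(cookieHeader) {
  for (const part of String(cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    if (part.slice(0, idx).trim() !== CONSENT_COOKIE) continue;
    try {
      const rec = JSON.parse(decodeURIComponent(part.slice(idx + 1).trim()));
      if (typeof rec.version === "number" && typeof rec.ts === "number") return rec;
    } catch (e) { /* fall through to "no record" */ }
    return null;
  }
  return null;
}

// Walk through a first visit, a close with the 'X', a later visit, the
// six-month expiry and a policy change; returns the banner decision at each step.
function demo() {
  const t0 = Date.UTC(2022, 0, 9);
  const steps = [];
  steps.push(shouldShowBanner(parseConsentCookie(""), t0, POLICY_VERSION));  // first visit
  const rec = makeRecord("close", t0, POLICY_VERSION);
  const header = serializeConsentCookie(rec).split(";")[0];
  const back = parseConsentCookie("sid=abc; " + header);                     // constructed request header
  steps.push(shouldShowBanner(back, t0 + 1000, POLICY_VERSION));             // choice known
  steps.push(shouldShowBanner(back, t0 + SIX_MONTHS_MS, POLICY_VERSION));    // six months passed
  steps.push(shouldShowBanner(back, t0 + 1000, POLICY_VERSION + 1));         // conditions changed
  return steps;
}
```

The point of keeping `version` inside the record rather than in a separate cookie is that case (i) and case (ii) then fall out of the same check: a user who erased cookies and a user whose record predates a policy change both see the banner, and both are served only technical cookies until they choose again. The consent cookie is first-party and contains no identifier, so it is itself a technical cookie under the categorization above.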