Italian Data Protection Authority Updates Cookie and Tracker Compliance Guidelines
The Italian Data Protection Authority (“IDPA”) recently adopted a new version of its guidelines for cookies and other tracking mechanisms (the “Guidelines”), which aim to clarify requirements for company websites to obtain consent regarding cookies. The Guidelines are consistent with GDPR requirements such as explicit or “opt-in” consent, as well as the requirement for such consent to be granular. Companies collecting personal data from Italian citizens should familiarize themselves with the Guidelines to ensure they’re in compliance.
What types of technologies are in scope?
The Guidelines apply to a variety of technologies, including not just cookies but also other types of identifiers (such as fingerprinting and radio-frequency identification tags). The Guidelines also distinguish between “technical” cookies, used solely to allow a website to function, and “non-technical” cookies, such as functional, performance or advertising cookies. Only technical cookies (and anonymized analytics cookies) may be used without user consent; consent must be obtained in all other cases. Specifically, the IDPA prohibits using legitimate interest as a basis for using cookies and other tracking mechanisms; explicit consent must be obtained.
Is scrolling or a cookie wall enough to obtain consent?
No. While various data protection authorities have made this clear, companies still believe that cookie walls (meaning those banners which state that by using the website the user agrees to cookies and tracking scripts) or other implied consent mechanisms are compliant. They’re not.
If a user declines to allow cookies, can I ask them again for their consent?
Not immediately. According to the IDPA, a banner may not be shown again to seek consent from a user who has already expressed preferences for the relevant website until six months have passed since the user configured their consent.
What is considered to be a compliant cookie banner?
First, the banner must be clearly visible and distinguishable from the rest of the website. Additionally, the banner must include:
- an “X” in the upper right corner that can be used to close it (in which case only technical cookies may be installed);
- a simplified policy explaining the consequences of closing the banner, the use of cookies, and the relevant purposes;
- a link to the “unabridged” privacy policy containing all the elements required under Articles 13-14 of the GDPR, as well as the classification criteria for categorizing the cookies/tracking mechanisms used by the controller;
- a command for the user to accept placement of all cookies; and
- a link to an area where the user can make an informed decision about which specific functions, third parties, and cookies to allow.
Are the Guidelines being enforced immediately?
According to the IDPA, companies will have six months to comply with the new Guidelines. However, given the increased focus on cookies from various European DPAs and private advocacy groups, the time to update your cookie consent management approach is now.
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws, including those in the UK, as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.