The Italian Data Protection Authority (“IDPA”) recently adopted a new version of its guidelines for cookies and other tracking mechanisms (the “Guidelines”), which aim to clarify requirements for company websites to obtain consent regarding cookies. The Guidelines are consistent with GDPR requirements such as explicit or “opt-in” consent, as well as the requirement for such consent to be granular. Companies collecting personal data from Italian citizens should familiarize themselves with the Guidelines to ensure they’re in compliance.
The Guidelines apply to a variety of different technologies, including not just cookies, but also other types of identifiers (such as fingerprinting and radio-frequency identification tags). The Guidelines also distinguish between “technical” cookies, used solely to allow a website to function, and “non-technical” cookies, such as functional, performance or advertising cookies. Only technical cookies (and anonymized analytics cookies) may be used without user consent, as consent must be obtained in all other cases. Specifically, the IDPA prohibits using legitimate interest as a basis for using cookies and other tracking mechanisms; explicit consent must be obtained.
No. While various data protection authorities have made this clear, companies still believe that cookie walls (meaning those banners which state that by using the website the user agrees to cookies and tracking scripts) or other implied consent mechanisms are compliant. They’re not.
Not immediately. According to the IDPA, reposting banners to seek consent when a user already has expressed preferences for the relevant website cannot be done until six months have passed since the user configured their consent.
First, the banner must be clearly visible and distinguishable from the rest of the website. Additionally, the banner must include:
According to the IDPA, companies will have six months to comply with the new Guidelines. However, given the increased focus on cookies from various European DPAs and private advocacy groups, the time to update your cookie consent management approach is now.
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws, including those in the UK, as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.