Italian DPA announces new guidelines and tighter deadlines

The clock is ticking for businesses in Italy when it comes to GDPR compliance. On July 10, 2021, the Italian Data Protection Authority (‘Il Garante’) announced its final guidelines on cookies and other tracking technologies. Organizations must achieve compliance within the stipulated six-month timeframe, where now two months have gone by. These guidelines refer to the implementation of the consent requirements of the ePrivacy Directive in Italian law (art. 122 of the Personal Data Protection Code). They are a welcome update to the 2014 Garante’s guidelines.

Any company with headquarters in Italy, or which targets Italian data subjects, must ensure their cookie banner complies with the Italian DPA’s cookie guidelines before the deadline.

This updated guidance follows updates to guidelines from other major DPAs across the EU. For example: France’s CNIL, Ireland’s DPC, Spain’s AEPD and Denmark’s Datatilsynet. Although there are some common features amongst these guidelines, the most important issue to note is that these changes do not only affect the country where they have been set, but also organizations that process personal data of subjects in these countries. These guidelines set the tone for how compliant consent must be obtained.

Usercentrics supports the Italian DPA’s new guidelines and has updated our Consent Management Platform (CMP) accordingly. When the CMP is closed by clicking on the “X” on the first layer, only necessary cookies are loaded for the user. The corresponding configuration option will be available with the next Admin Interface released.

In order to help you understand what has changed with the finalized guidelines, we have compiled the following list of key takeaways. Now you can begin to make sure that your website is compliant with the latest rules regarding cookies and the setting of tracking technologies in Italy as well as abroad.

These are the 7 points to watch out for.

The act of scrolling as consent has gotten a fresh review. The DPA follows the previously established position of the EDPB, stating that scrolling does not constitute valid consent.

A clear distinction between first- and third-party cookies has now been made. Like the ePrivacy Directive and as a result of Italian legislation, Garante’s guidelines make a distinction between strictly necessary technical trackers and so-called “profiling” trackers, used for purposes that are not absolutely required for the operation of a digital property. This means that legitimate interest cannot be considered a lawful ground to set cookies and other similar tracking technologies.

As stated by the INPLP, “if users do not give their prior consent, unlike in the current regulation, the owner of a website may only use technical cookies”. This isn’t the case entirely for analytical cookies, where consent must only be requested if combined with other processing, or the data is transmitted to other third parties.

The Italian DPA stresses the “Duty to include” certain information and icons in the footer of websites, where website providers must provide a link for users to re-assess their cookie preferences or to showcase the status of the user’s consent choice. This allows for the option to change any user choice.

Clear and simple communication is key.
A privacy policy must state which cookies are being used and for which purposes, in a manner that is coherent and easy to understand.

Use of a cookie banner is encouraged.

According to the INPLP the banner must also contain the following elements/information:

• a button (usually an “X” in the top right corner) that enables the user to close the banner while maintaining the default settings, thus denying the installation of cookies other than technical ones
• a warning that closing the banner (e.g. by clicking on the X in the top right corner) will result in the default settings remaining in place and, therefore, the continuation of browsing in the absence of cookies other than technical ones
• minimum information advising the user that the site may implement profiling cookies or other tracking technologies after obtaining their consent
• a link to the extended privacy policy that is always accessible from the footer of any page on the site
• a button enabling the user to accept the implementation of all cookies (or other tracking technologies)
• a link to a specific area where it is possible to analytically select only the functionalities, third parties and cookies for which the user chooses to consent, and where it is also possible to modify previously made choices

Users must be able to revoke their consent at any time.

If you would like to learn more about the GDPR or other global privacy laws, don’t forget to check out our extensive knowledge hub where our expert team of researchers compiles the latest in data privacy.

We want to make sure you understand which types of data your company is collecting and why. Our free web page audit can show you which technologies your site sets and enable you to understand whether you use Analytical, Tracking, or Marketing cookies. Once you know, a Consent Management Platform (CMP) can help you collect, manage and store consent in order to be able to use the cookies and tracking technologies in a compliant manner.

After the compliance period ends, the Italian DPA can enforce the new cookie guidance with warnings or fines of up to € 20 million or 4 percent of annual global revenue.

DISCLAIMER:

A data protection-compliant implementation of a Consent Management Platform is ultimately at the discretion of the respective data protection officer or legal department.

These explanations therefore do not constitute legal advice. They merely serve to support you with information about the current legal situation when implementing a Consent Management Platform solution. If you have any legal questions, you should consult a qualified attorney.