Italy’s Data Protection Authority began enforcing new cookie guidelines on July 9, 2021. The updated guidelines addressed cookie categorization, consent through scrolling, cookie walls, privacy by design and policy, and cookie banner and policy recommendations. Websites had six months to comply with the new guidelines, which took effect January 10, 2022.

Read more about internet cookies.

In this post, we will discuss the highlights of the guidelines and how you can comply with them.

Italy’s new cookie guidance for cookies — key takeaways

Here are the highlights from the updated cookie guidelines.

Cookie Consent through scrolling

The Italian DPA recognizes the decision by the  European Data Protection Board (EDPB) guidelines for cookies about the validity of consent via scrolling. The EDPB has stated that the users scrolling through a web page does not constitute valid consent. However, Garante specifies that when the scroll down can be part of a series of actions that indicate a pattern, it is considered as the users’ unequivocal consent to use cookies. 

The DPA highlights the need for improved methods based on the ‘dynamic web’ to express consent rather than the traditional agree or reject buttons. It believes that such methods based on user behavioral patterns could give more clarity in indicating unambiguous and affirmative action.

The use of cookie walls

Following the footsteps of the EDPB, Garante also ruled that using cookie walls is not valid. Just like Spanish DPA, they allow the use of cookie walls where the website manager provides the users an equivalent alternative to the website content without the need to consent to the use of cookies. The alternative must be GDPR compliant.

Re-collection of consent 

The guideline stresses the need for maintaining proof of consent. The DPA directs that there is no need of asking for consent for using cookies and other tracking technologies every time the same user visits the website. There must be a mechanism to keep a log of the consent and remember the user preference for every visit after the first time.

A website only has to re-collect consent if:

  • there is a change in the condition for obtaining consent
  • The website manager cannot find out if the users have the cookies stored on their devices when they revisit the site. For example, when they delete cookies stored on their device. 

Privacy by design for cookies

The guidelines encourage the websites to follow the privacy by design approach for using cookies.

The website must not store cookies, other than technical, by default. The guidelines also do not allow the use of any active or passive profiling techniques.

It also highlights that the user can deny consent to use cookies by closing the cookie banner on the website without the need to access any web pages or settings.

The structure of analytics cookies

Following the guidelines for privacy by design approach for cookies, Garante states that analytics can be deemed as technical cookies only if:

  • It is impossible to identify the users from the data collected by the cookies
  • The analytics tool masks ¼ of the user IP address (versions, IPv4 and IPv6)
  • The minimized data is not combined with other user information or shared with third parties
  • The use of the cookies is limited to obtaining aggregate statistics concerning a single website or mobile app

Cookie consent banners and cookie policy

The Garante makes the following recommendations for the design of cookie banners:

  • Appear on the first visit and should be distinguishable from other content on the website. All the commands on the banner must be of the same format.
  • An “X” in the upper right corner to close the banner without consent (only loads technical cookies and blocks others until consent).
  • A brief policy to explain the consequences of opting out of cookies, the use of cookies, and the relevant purposes.
  • A link to the complete privacy policy containing all the information required under Articles 13 and 14 of the GDPR, and the classification of cookies used with their purposes.
  • An easy option for users to accept all cookies at once (Accept All button) 
  • A  link to a page or window where users can selectively give consent to cookies based on their properties (advertisements, functional, analytical, etc.) — where all the options (except technical cookies) must be de-selected by default.

The guidelines encourage website owners to implement a “multichannel” approach for their cookie policies. This includes multiple contact points, such as video channels, pop-ups, virtual assistants, phone calls, and chat boxes. 

How to comply with the new Italy cookie guidelines?

To comply with the updated cookie guidelines:

  • Block all non-technical cookies until the user consents to them.
  • Update privacy policy or cookie policy and add all relevant details about cookies and their type and purpose and how to manage them.
  • The cookie banner should have “Accept All” and “Reject All” buttons with the same color, font and size.
  • Add a third option or function for users to allow or deny cookies based on their properties. No cookie except technical should be selected by default.
  • The banners have a brief explanation of the cookies being used, what closing the banner would mean, and the purpose of cookies.
  • The banner should have a link to the detailed privacy or cookie policy.
  • Allow users to close the banner without giving consent by adding an “X” button on the top-right corner.
  • Scrolling the website without taking specific action to consent indicates a lack of consent.
  • The users must be able to withdraw consent using an easily accessible option.
  • You can follow this step-by-step guide to implement the Italian cookie guidelines on your website.

Not sure how to get started?

Use CookieYes cookie consent solution to comply with the new Italy guidelines.
Trusted by 1 million+ websites worldwide.


*No credit card required.