Italy’s Data Protection Authority (the Garante) began enforcing new cookie guidelines on July 9, 2021. The updated guidelines address cookie categorization, consent through scrolling, cookie walls, privacy by design and by default, and recommendations for cookie banners and cookie policies. Websites had six months to comply with the new guidelines, which took effect on January 10, 2022.
In this post, we discuss the highlights of the guidelines and how you can comply with them.
Italy’s new cookie guidelines: key takeaways
Here are the highlights from the updated cookie guidelines.
Cookie consent through scrolling
The DPA highlights the need for improved consent methods based on the ‘dynamic web’ rather than the traditional agree or reject buttons. It believes that such methods, based on user behavioral patterns, could make it clearer that the user has taken an unambiguous and affirmative action.
The use of cookie walls
Re-collection of consent
The guidelines stress the need to keep proof of consent. The DPA states that there is no need to ask for consent to use cookies and other tracking technologies every time the same user visits the website. There must be a mechanism that logs the consent and remembers the user’s preference on every visit after the first.
A website only has to re-collect consent if:
- the conditions for obtaining consent have changed, or
- the website operator cannot determine whether the cookies are still stored on the user’s device when the user returns (for example, because the user deleted the cookies stored on the device).
Privacy by design for cookies
The guidelines encourage websites to follow a privacy-by-design approach to cookies.
By default, a website must not store any cookies other than technical ones. The guidelines also do not allow the use of any active or passive profiling techniques by default.
The structure of analytics cookies
In line with the privacy-by-design approach to cookies, the Garante states that analytics cookies can be treated as technical cookies only if:
- it is impossible to identify users from the data collected by the cookies;
- the analytics tool masks a quarter of the user’s IP address, for both IPv4 and IPv6 (that is, the last octet of an IPv4 address or the last 32 bits of an IPv6 address);
- the minimized data is not combined with other user information or shared with third parties; and
- the cookies are used only to obtain aggregate statistics about a single website or mobile app.
The Garante makes the following recommendations for the design of cookie banners:
- The banner should appear on the first visit and be clearly distinguishable from other content on the website. All commands on the banner must have the same format.
- An “X” in the upper right corner closes the banner without consent: only technical cookies are loaded, and all others stay blocked until consent is given.
- An easy option for users to accept all cookies at once (an “Accept All” button).
- A link to a page or window where users can selectively consent to cookies by category (advertising, functional, analytical, etc.), with every option except technical cookies de-selected by default.
The guidelines encourage website owners to implement a “multichannel” approach for their cookie policies. This includes multiple contact points, such as video channels, pop-ups, virtual assistants, phone calls, and chat boxes.
How to comply with Italy’s new cookie guidelines
To comply with the updated cookie guidelines:
- Block all non-technical cookies until the user consents to them.
- Give the cookie banner “Accept All” and “Reject All” buttons with the same color, font and size.
- Add a third option that lets users allow or deny cookies by category. No cookie category except technical may be selected by default.
- Give the banner a brief explanation of the cookies in use, their purpose, and what closing the banner means.
- Let users close the banner without giving consent through an “X” button in the top-right corner.
- Treat scrolling the website without a specific consent action as a lack of consent.
- Let users withdraw consent through an easily accessible option.
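The consent logic these steps describe, as an added example in JavaScript that is not part of the original post: a first-party consent record with everything but technical cookies off by default, an explicit-action model in which closing the banner or scrolling grants nothing, re-collection when the record is missing or was given under an older policy version, and a category gate for script loading. The cookie name `cookie_consent`, the policy version number and the script list are assumptions.

```javascript
const CATEGORIES = ["technical", "functional", "analytical", "advertising"]; // categories named in the guidelines
const CONSENT_COOKIE = "cookie_consent"; // assumed name of the first-party consent record
const POLICY_VERSION = 2; // bump whenever the conditions for obtaining consent change

// Default state: everything except technical cookies is off.
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, c === "technical"]));
}

// Map a banner interaction to a consent state. Closing with the "X" and scrolling
// are not affirmative actions, so they leave every non-technical category off and
// should not be persisted; the banner is shown again until the user decides.
function applyAction(action, choices = {}) {
  const consent = defaultConsent();
  switch (action) {
    case "accept_all": for (const c of CATEGORIES) consent[c] = true; break;
    case "custom": // granular choice from the preferences page; technical stays on
      for (const c of CATEGORIES) if (c !== "technical") consent[c] = choices[c] === true;
      break;
    case "reject_all": case "withdraw": case "close": case "scroll": break;
    default: throw new Error(`unknown banner action: ${action}`);
  }
  return consent;
}

// Set-Cookie value for the consent record (which is itself a technical cookie).
function serializeConsent(consent) {
  const value = encodeURIComponent(JSON.stringify({ v: POLICY_VERSION, c: consent }));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=15552000; Secure; SameSite=Lax`;
}

// Read the record back from a Cookie header. null means re-collect consent: the
// cookie is missing (first visit or deleted) or was given under an older policy.
function readConsent(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const rec = JSON.parse(decodeURIComponent(rest.join("=")));
      if (rec.v !== POLICY_VERSION) return null;
      return { ...defaultConsent(), ...rec.c, technical: true };
    } catch { return null; }
  }
  return null;
}
// Gate script loading on consent: only scripts in an allowed category get loaded.
function allowedScripts(consent, scripts) {
  return scripts.filter((s) => consent[s.category] === true);
}
```

On the server, `readConsent(req.headers.cookie)` returning null is the signal to render the banner; in the browser the same functions work against `document.cookie`.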