Cookies and other tracking systems – The Italian Data Protection Supervisory Authority confirms the Guidelines

Prepared by Chiara Giannella and Dafne Chillemi

The Italian Data Protection Supervisory Authority with a press release dated July 10, 2021, confirmed the content of the Guidelines on the use of cookies and other tracking systems of November 26, 2020 (respectively, the “Authority” and the “Guidelines”).

The Guidelines arise from the need to update, downstream of the entry into force of the EU Regulation 2016/679 (“GDPR”)[1], the indications previously crystallized in the provision of the Authority of May 8, 2014[2], taking into account the technological evolution that today – and presumably even more in the near future – allows the tracking of personal data belonging to users by means increasingly invasive of their privacy, as well as the changed behavior of the latter who, by accessing in a habitual (and very often “light”) way multiple services and functions of the network, enter daily an increasing volume of information with the effect of allowing the creation of more and more specific and detailed profiles.

In other words, the intervention of the Authority was necessary, in the last analysis, to strengthen the protection of the interested parties, allowing (as much as possible) to the same an effective control of their own personal information object of treatment, in order to favor the ability of “self-determination of the single[3].

What changes?

1. Information notice

The main change, in addition to the need (in accordance with the new provisions introduced by the GDPR) to indicate in a transparent manner any recipients of personal data and the retention period of information collected through tracking systems, is certainly the invitation to make the same through the use of a multi-level approach that takes into account innovative and user-friendly ways such as pop-up, video, voice interaction, etc.

It remains then confirmed the obligation of the sole information notice for technical cookies that can also be made within a more general one.

2. Consent

By default, the system must allow the first time the user logs on, no cookies other than purely technical ones will be recorded. The user, therefore, must be guaranteed the possibility of refusing – through a special command such as a clearly visible “X” – the use of any tracking technique.

The consent must be considered validly given only if it is the result of an active and conscious intervention of the interested party – which can be always demonstrable by the owner, as well as having the characteristic of granularity (it will no longer be possible, therefore, to use systems of request or revocation of consent “in bulk” to all tracking systems indifferently)[4].

The collection of the same will be able to continue to happen using a banner containing at least the following indications and options:

  • the warning that closing the banner by selecting the appropriate command marked by the X placed inside it, in the upper right corner, involves the permanence of the default settings and therefore the continuation of navigation in the absence of cookies or other tracking systems other than technical ones;
  • a minimum information notice relating to the fact that the site uses cookies or other technical tools and may, only after obtaining the user’s consent to be given in the manner indicated in the same brief information notice, also use profiling cookies or other tracking systems in order to send advertisements or to modulate the provision of the service in a customized way beyond what is strictly necessary for its provision, that is, in line with the preferences expressed by the user in the use of features and navigation on the network and/ or in order to perform analysis and monitoring of the behavior of visitors to websites;
  • a link to the privacy policy, i.e. to an extended information notice placed in a second layer – which is accessible with a single click also through a further link placed in the footer of any page of the domain accessed by the user – where at least all the indications referred to in Articles. 12 and 13 of the Regulation are provided in a clear and complete manner, also with regard to the aforementioned cookies or other technical tools;
  • a command through which it is possible to express consent by accepting the placement of all cookies or the use of any other tracking tools;
  • a link to a further dedicated area in which it is possible to select, in an analytical way, only the functions, the so-called third parties – whose list must be kept constantly updated, whether they can be reached through specific links or also through the link to the website of an intermediary subject representing them – and the cookies, also possibly grouped by homogeneous categories, to the use of which the user chooses to consent[5].
2.1 Scrolling and cookie walls? No thanks

The Authority expresses the prohibition to resort to the so-called “scrolling”, a modality through which the user, moving down the cursor, manifests his implicit consent to profiling through cookies or other similar systems. However, it is still possible to resort to it when scrolling is included in a dynamic process and on more than one level of information to the data subjects.

Even the use of the “cookie wall” can no longer be considered lawful, since the use of a banner that literally blocks the user’s ability to navigate unless he/she gives his/her consent, certainly cannot constitute free consent under the new data protection legislation.

2.2 Is it appropriate to repeat the request for consent?

The user’s choice will have to be duly recorded unless the conditions of the processing change significantly, it is impossible to know whether a cookie is already stored in the device, or at least six months have passed since the first collection. Apart from these hypotheses, therefore, it is not necessary to renew the request for consent to the data subject at each access.

2.3 Can analytics and third-party cookies be used?

The Authority emphasizes the importance of adopting, as much as possible, systems that reduce the power of identification of analytics cookies, especially if third party, limiting, moreover, the use, for the sole purpose of processing aggregate statistics.

* * *

The Authority hopes, finally, the possibility that, in the near future, it will be realized a system of universal semantic coding of the cookies and of the other tools of tracing, that will allow in an unequivocal way to the users to distinguish such tools.

In the meantime, the Authority urges the owners to make known at least the main methods adopted, also by inserting the details within the informative report.

The owners of websites offering online services will have six months to comply with the principles contained in the Guidelines.

[1] “(…) On the other hand, it cannot be underestimated how the Regulation has intended to expand and strengthen the power of disposition and control of the individual with regard to the processing of his personal information (…)“, Garante per la Protezione dei Dati Personali, Linee guida cookie e altri strumenti di tracciamento – 10 giugno 2021, cit.

[2] Garante per la Protezione dei Dati Personali, Identification of the simplified methods for information and acquisition of consent for the use of cookies, May 8, 2014 [web doc. no. 3118884].

[3] Garante per la Protezione dei Dati Personali, Guidelines for Cookies and Other Tracking Systems – June 10, 2021 [9677876].

[4] This is in order to correctly transpose the notion of consent as outlined in Article 7 and Recital 32, GDPR, as well as the recent Guidelines 5/2020 on consent under Regulation 2016/679, adopted in May 2020 by the Article 29 Working Party.

[5] Garante per la Protezione dei dati Personali, Guidelines for Cookies and Other Tracking Systems – June 10, 2021, cit.

Let’s Talk

For a deeper discussion, please contact:

Andrea Lensi Orlandi

PwC TLS Avvocati e Commercialisti


Chiara Giannella

PwC TLS Avvocati e Commercialisti