The Italian cookie guidelines:
The 10 simple steps to comply
- Inform your users of the cookies you use
- Have a 'Reject' button in your cookie banner
- Enable visitors to choose what data they give consent to (granular consent)
- Make it easy to withdraw or change consent
- Collect active consents (scrolling and swiping as consent is not allowed)
- Document valid consent (if the data protection authority wants to see them)
- Use consent as legal basis for cookies (legitimate interest never constitutes legal basis)
- No cookie walls
- 6-month period before you can ask for consent again
- Distinguish between profiling and necessary cookies
Italy updates its cookie guidelines – do they apply to you?
On July 10th, 2021, the Italian Data Protection Authority “Il Garante” approved a new set of guidelines for the use of cookies on websites and apps.
The deadline for meeting the new requirements was January 10th, 2022.
Did you meet the deadline?
Or don’t you know where to start?
I’m going to take you step by step through the Italian cookie guidelines. Show you exactly what you need to do. No legal language, no jargon. Just plain words you can act on!
Who are the Italian cookie guidelines for?
“If your website or app visitors are based in Italy, the new Italian cookie guidelines apply to you!”
So, if your business is based in Italy or you target Italian citizens, these cookie guidelines are for you.
Italian cookie guidelines – what are the rules?
The new Italian cookie guidelines require you to collect valid cookie consent from the users of your website or app.
And you must be able to document the consent.
But there are specific ways you must collect that cookie consent.
Let’s break down the guidelines.
The Cookie Banner
The Italian Data Protection Authority requires you to use a cookie banner to collect consent.
The cookie banner informs your visitors of your use of cookies.
It informs about:
- who owns the cookies (you, Google, Facebook, Amazon etc.)
- what data they collect (marketing, statistics etc.)
- and for how long they collect data.
And the banner collects your visitors’ consent.
For your cookie banner to comply with the Italian cookie guidelines and the GDPR it must include:
- A reject button - Your cookie banner must have a “reject” button or an “X” to close the cookie banner while letting your users know that they have NOT given consent.
- Granular consent - Your visitors must be able to choose what data collection they want to give consent to. This feature must also be visible in the first layer of the banner.
- Easy withdrawal of consent - Users must be able to withdraw or change their consent at any time.
This is how Cookie Information helps you get a cookie banner that complies with the Italian cookie guidelines.
- A reject button - Your cookie banner must have a “reject” button or an “X” to close the cookie banner while letting your users know that they have NOT given consent.
- Granular consent - Your visitors must be able to choose what data collection they want to give consent to. This feature must also be visible in the first layer of the banner.
- Easy withdrawal of consent - Users must be able to withdraw or change their consent at any time.
What is valid cookie consent?
The rules for consent are like those in the GDPR.
Consent is an active choice between a ‘yes’ or a ‘no’ based on information about what the user gives consent to.
- Valid consent - Consent must be freely given and made by clicking an “accept” or “ok” button. It is rejected by clicking a “reject” button or an “X” in the banner.
- No implied consent - Consent is NOT given by simply using the website, swiping or scrolling.
- Cookie walls that hide your content if the user does not give consent are not permitted.
This is how Cookie Information helps you collect consent that complies with the Italian cookie guidelines
- Obtain valid consent - We only obtain consent the legal way by using accept/reject buttons, so your user knows exactly that he or she has given consent. We have no feature for obtaining consent merely by scrolling or swiping.
- Cookie Walls - We use proven methods to get high consent rates, so you don’t need cookie walls. We also have Google Consent Mode, so you can get aggregated data from those who reject cookies.
Legal basis for using cookies
What is the legal basis for using cookies? And how do you document it?
- Consent - The legal basis for collecting user data with cookies and other tracking tools is Consent. It may never be legitimate interest.
- Documentation - Collect and store all consents for 5 years to document you have collected valid GDPR consent.
- Consent period - When users give consent, you may only ask again after a 6-month period, unless conditions for data collection have changed (e.g., new cookies).
This is how Cookie Information helps you collect and document all your users’ consent
- Legal basis - We only use Consent as a legal basis for obtaining valid consent to cookies. Never legitimate interest.
- Consent log/Documentation - All your visitors’ consents are securely stored on servers in the EU/EEA if you need to document consent to the Data Protection Authorities. We help you get the documentation, so you don’t have to worry about it.
- Consent period - You can easily set the time-period for 6 months if your visitors decline consent and for 12 months if they accept cookies.
First-party data, analytics cookies and profiling cookies
The Italian Data Protection Authority also touches upon first-party data and analytics cookies.
These rules apply under specific conditions:
- First-party cookies - You may place first-party analytics cookies without collecting your users’ consent (if they do not collect your users’ personal information).
- Third-party cookies - You may only place third-party cookies without consent under certain conditions.
- Tracking cookies - If you use tracking/profiling cookies (cookies that collect your users’ personal data) you must collect valid consent. This applies whether the cookies are first- or third-party.
This is how Cookie Information helps you control how to collect consent before cookies are set
- Cookie control SDK - You can control all your cookies with Cookie Information’s SDK. If you have technically necessary cookies or cookies that are exempt from the Italian cookie guidelines’ rules for consent, you can set or lift prior blocking.
- Knowledge base - Cookie Information’s knowledge base consists of 10.170 known cookies, so we can easily distinguish between different types of statistics and marketing cookies. You can also add your own first-party cookies to your Consent Solution.
Follow these simple guidelines and you comply with the new Italian cookie guidelines.
Here’s how you do it!
Cookie Information helps your business comply with the Italian cookie guidelines
Cookie Information’s Consent Management Platform makes sure your website or app is always cookie compliant.
And you don’t have to worry about losing all your data!
Cookie Information is a Google CMP partner.
Google Consent Mode is integrated in our platform as default!
That means you get valuable traffic and conversion data from all those users who decline cookies.
Here’s what you get:
You get a GDPR compliant cookie banner for your website or app that complies with the new Italian cookie guidelines.
The cookie banner includes:
- Information on cookies and data collection based on deep scans of your website or app (as required by the Italian guidelines).
- A “reject all” or “decline all” button (as required by the Italian guidelines).
- Toggles and checkboxes so your user can choose what data to give consent to (as required by the Italian guidelines).
- An easy way to change or withdraw consent to cookies
All your visitors’ consents are securely stored on Microsoft Azure servers within the EU/EEA.
And if the Italian Data Protection Authority asks to see them, we will assist you in every way, so you pass the audit with flying colors.
Give us 5 minutes and we’ll show you how to comply with the Italian cookie guidelines without losing all your data.
The Italian cookie guidelines - the legal stuff
Applicable Italian and international law (GDPR).
The relevant legal framework is the ePrivacy Directive 2002/58/EC, amended and transposed into national law by Section 122 of Legislative Decree No 196 of 30 June 2003, and the GDPR.
Essentially what Section 122 contains is:
Storing information, or accessing information that is already stored, in the terminal equipment of a contracting party or user shall only be permitted on condition that the contracting party or user has given his consent after being informed in accordance with simplified arrangements.
According to Italian law, cookies and other tracking tools (other than technically necessary cookies) may only be used after obtaining an informed consent. It is the responsibility of the website or app owner to collect that consent.
But in 2018 the GDPR came into force. Rules for consent are much stricter in the GDPR, which requires data controllers (owners of websites and apps) to collect consent that is:
- Freely given
- Informed
- Specific
- Unambiguous
The Italian cookie guidelines’ rules for consent are equal to those of the GDPR.
The new version of the Italian cookie guidelines comes from the revised 2014 cookie guidelines, which needed an update considering new laws and decisions like the 2018 GDPR, the European Court of Justice ruling against Planet49, Schrems II and much more.
The new Italian cookie guidelines were approved on July 10th, 2021, by the Italian Data Protection Authority “Il Garante”.
The deadline for meeting the new requirements was January 10th, 2022.
Meet the deadline already today with Cookie Information’s Consent Management Platform.
Cookie Information ensures your cookie compliance
Give us 5 minutes and we’ll show you how.
FAQ on cookies and consent in Italy
[Q] – We are not using cookies on our website!
[A] – Most websites use cookies. These are either technically necessary cookies used for making the website work (e.g., remembering language preferences, login settings, shopping cart cookies), or cookies set through your website by some of the services you use, such as Google Analytics, Facebook, Instagram, LinkedIn, Hotjar etc.
[Q] – Our website is not collecting – or processing – any personal data!
[A] – Maybe not, but third-party services like Google Analytics, Facebook, Hotjar and Amazon are! If you use any third-party service that sets cookies through your website, you are the Data Controller (according to the GDPR), so collecting valid consent for these cookies is your responsibility.
[Q] – Can we use Google Analytics without consent?
[A] – No. Google Analytics uses multiple cookies that collect your visitors’ personal information, which is used to provide you with insights into audience, acquisition and behaviour. That’s made possible with persistent cookies that track the user across your website. If you use Google Analytics, you should definitely collect valid GDPR consent to cookies.
[Q] – What are technically necessary cookies?
[A] – Technically necessary cookies are essential for your visitors to browse your website and use its features. That could be login features and shopping cart cookies (so the information is not lost when the visitor clicks away from a specific page). Technically necessary cookies are not Google Analytics. Unfortunately.
[Q] – How do I know if my website is GDPR cookie compliant?
[A] – You have it checked. By a Consent Management Platform provider – like Cookie Information – which can easily and quickly assess whether your website uses cookies for which consent has not been collected. Get a free compliance check here with Cookie Information. No strings attached.