Categories: Insights, Practice

Tag: Cookies, data protection, Garante Privacy


27 Jul 2021

Cookies and other tracking tools: the new Data Protection Authority Guidelines

On 10 June, the Italian Data Protection Authority approved the new ” Cookie Guidelines.”The term cookie refers to a small text file that a website (publisher or “first party”) can autonomously send to the user’s device (e.g. Smartphone, PC or Tablet) when viewing a web page or different sites or web servers (“third parties”). Usually, cookies make it possible to store the preferences expressed by the user so that they do not have to be re-entered later. The browser saves the information and transmits it to the site’s server when the user visits that website again.

The Guidelines, adopted by the Data Protection Authority, considered what emerged during the public consultation promoted at the end of last year. The guidelines aimed to strengthen users’ decision-making power over the use of their data when surfing online.

Here are the main changes.

Privacy Policy

Under Regulation (EU) 2016/679 on the protection of personal data (better known as the “GDPR“), the policy to be issued to users/data subjects shall specify (i) possible recipients, (ii) the retention periods of personal data processed and (iii) a description of all the consequences of any action taken by the user/data subject.

The Data Protection Authority recommends that Analytics cookies, which the Data Controller uses to assess the effectiveness of a service, be used only for statistical purposes.

The multi-layer privacy policy is confirmed, with a banner (short policy) when accessing the site containing specific information on positioning, size, font and content, and a link to the extended policy.

The user/data subject must choose between consent or modulating their preferences on tracking and be provided with a link to another area to select the functions, third parties and cookies, possibly grouped by similar categories, to the use of which the user consents.

Consent by scrolling

The mere “scrolling down” of the page cursor is unsuitable for the collection of an appropriate consent to the installation and use of profiling cookies or other tracking tools by the data controller.

Given the controller’s autonomy in identifying the most appropriate solutions to achieve compliance with data processing regulations, the Data Protection Authority invites the controller to assess every possible solution rigorously. According to the Data Protection Authority, if the user action does not correspond to any unmistakable, documentable computer event with the mentioned features, including user awareness, it will be impossible to attribute the consent validity under applicable regulations.

Renewal of the consent request

Obtaining consent for cookies may not be repeated unless (i) the processing conditions change significantly, (ii) the site operator can’t record the user’s previous choice due to a user decision and (iii) at least six months have elapsed since the previous request.

Review of consents

Users/data subjects shall be provided with the ability to review choices made at any time and in a simple, immediate and intuitive manner. This can be done using a dedicated area made accessible through a link placed in the footer of the site that makes the function explicit and says “review your choices on cookies” or similar.

Website owners have six months to comply with the principles contained in the Guidelines.

Other related insights:

Subscribe to our newsletter

Contact

Need information? Write to us and our team of experts will respond as soon as possible.

Fill in the form

More news and insights

8 Jul 2026

Pay transparency: one month after its entry into force, two approaches are emerging in the market (The Platform, 8 July 2026 – Vittorio De Luca, Claudia Cerbone e Martina De Angeli)

Since 7 June, EU rules aimed at strengthening the principle of equal pay between men and women for the same work or for work of equal value have…

2 Jul 2026

Did you know…? As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force

As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force. It also introduces into the Italian legal system a structured framework on pay transparency, with…

2 Jul 2026

Failure to serve disciplinary charges does not render the dismissal null and void: italian supreme court confirms no reinstatement remedy for employers below the statutory workforce threshold

Principle of Law In its recent judgment No. 17283 of 1 June 2026, the Italian Supreme Court (Corte di Cassazione) examined the legal consequences arising from the employer's…

2 Jul 2026

AI and the employment relationship: initial guidance from the implementing decrees and data protection implications

Following the preliminary approval by the Council of Ministers, on 10 June 2026, of the first draft legislative decrees implementing the enabling law on artificial intelligence (Law No.…

1 Jul 2026

Sustainability, Responsibility, and the Future: A Commitment That Grows with Time

As we celebrate our 50th anniversary, we have chosen to look to the future with the same care and dedication with which we preserve our roots. Those roots…

25 Jun 2026

Pay Equity and Pay Transparency: What Will Change in Italy (People are People, 25 June 2026 – Claudia Cerbone e Martina De Angeli)

With Legislative Decree No. 96 of 7 May 2026, which entered into force on 7 June 2026, Italy transposed Directive (EU) 2023/970 on pay transparency, becoming one of…