TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | ITALY—Cookie Clarifications from the Garante Related reading: A view from DC: Is your privacy notice stuck in the ’90s?




Cookies rules have just come into force in Italy.

Due to interpretative uncertainty, on June 5, the Italian Data Protection Authority (DPA), or the Garante, issued a set of clarifications concerning the correct interpretation and the relevant implementation of the provisions provided for by the general resolution No. 229/2014, "Simplified arrangements to provide information and obtain consent regarding cookies."

In detail, the main clarifications provided by the Garante include:

  • The obligations established by the general resolution on cookies do not apply to those websites that do not make use of cookies;
  • The use of technical cookies requires neither the implementation of the information via simplified mechanisms, i.e., the informative banner, nor the previous acquisition of the users' consent online. It is only necessary to provide the users with an information notice that may be inserted within the general privacy policy of the website;
  • Analytics cookies can be equated to technical cookies insofar as they are used directly by the website manager to improve the usability of the website, e.g., to collect aggregate information on the number of visitors and the pattern of visits to the website;
  • If analytics cookies are made available by third parties, the websites' managers making use of such cookies are not subject to the obligations provided for by the applicable law, such as, for instance, notification to the DPA if proper mechanisms to reduce the identification of the users are adopted--for instance, by masking a significant part of the IP--and the third party undertakes to not make a cross-check of the information provided by the cookies with those already in his availability;
  • If the website contains links to third parties' websites such as, for instance, advertising banners or links to social networks, which do not require the installation of profiling cookies, then it will not be necessary to implement the information via simplified mechanisms, i.e., the informative banner nor to acquire the previous users' consent online;
  • It is also possible to acquire the users' consent online through the "scroll" of the web page, provided that such an option is expressly provided for by the information;
  • Within the extended information notice, it is not necessary to require and acquire the consent for each cookie, but it is possible to request a consent based on the cookies' category, such as travel or sports;
  • It is possible to do only one notification with regard to all websites managed within the same domain, and,
  • The provisions provided for by the general resolution on cookies shall apply to websites that install cookies on users' terminals, regardless of the presence of an office in Italy.

Although the Garante has followed a very prudent, transparent and open approach in adopting cookies rules, at the same time, a number of issues are still a struggle as the consent mechanism is always functioning in theory but hard to be implemented in concrete.

1 Comment

If you want to comment on this post, you need to login.

  • comment Richard • Jun 12, 2015
    As someone who has helped lots of websites comply with the cookie rules in lots of EU jurisdictions, I find the Garante guidelines difficult to decipher.
    It seems to me that having decided that the only solution is a 'cookie banner' (misguided in my view), they have tried to find ways of allowing sites to provide minimal choice over the setting of cookies. Yet in doing this, they have over-complicated it, and potentially done more damage to the user experience, without allowing users to choose greater privacy.
    It seems they really missed an opportunity to learn from mistakes of earlier guidelines elsewhere, leaving website owners confused over their obligations, and users unclear of their actual rights. I would also suggest they have failed to consider what is technically possible for site owners when it comes to controlling the setting of cookies at a code level.  Their guidelines could have been simpler to both understand and implement, plus given consumers better control if they had done this. However, few DPAs have really got this right either.