On January 9, 2022, the cookie guidelines (“guidelines”) published by the Italian Supervisory Authority (“Garante”) on July 9, 2021 entered into force. This means that all those companies that have not yet conformed to the guidelines’ provisions should do so promptly, to avoid incurring in future sanctions. The guidelines include precise indications on, e.g., the categorization of cookies and other tracking technologies (“cookies”), the recommended design of the cookie banners, the collection, review and renewal of consent, and on the information notices.
More in detail:
- Cookie categorization: the Garante maintain the distinction between technical cookies (including, also, analytics cookies with masked IPs) for which consent is not required, and profiling cookies for which consent, instead, is the only possible legal basis. The Garante explain that the category of profiling cookies is necessarily large and contains all the cookies that are not explicitly considered technical by law. This means, according to the Garante, that until there is an harmonized system to determine the nature of cookies, controllers must clarify the technical or non-technical nature that they attribute to each cookie in the privacy notice or elsewhere. In any case, controllers must ensure that, in accessing the website, only technical cookies are dropped by default on users’ devices.
- Cookie banner design: the design of cookie banners should conform to the recommendations that the Garante make; this authority provide that banners should:
- appear at first website visit, be quickly distinguishable from the rest of the website content, and bear commands that have all the same font, color and size;
- have an ‘X’ at its top right that users can click to close the banner without giving their consent;
- a command through which all cookies can be accepted at the same time (g., an “Accept all” button);
- a link to another area where users can select/deselect cookies one by one or per categories.
- Review of preferences: users must be given the opportunity to review their cookie preferences; for this, the Garante suggest to have a dedicated area in the footer of the website with a recognizable design (g., a “Review your cookie preferences” button) to allow users to easily withdraw or modify the consents already given.
- Renewal of consent: controllers must avoid asking users to renew their cookie consent too often, because that may unlawfully pressure users into accepting all cookies just to avoid the banner; the Garante clarifies that controllers can only resurface the cookie banner: (i) where the processing conditions change significantly; (ii) if it is not possible for the controller to know the users’ previous choices because – for example – they erased all the cookies from the device; or (iii) after 6 months.
- Information notice: multi-layer information notices may be used; however, the extended privacy notice must be accessible in just one click from the banner, and also to users with disabilities who necessitate technological assistance, pursuant to Law 4/2004. The Garante add that the notice may also be multichannel (g., by video, pop-up, vocal interactions, virtual assistants, call, chat bots, etc.). The controller should decide the design that works best to ensure completeness, clarity, efficacy, and accessibility.
- Scrolling: under certain circumstances, scrolling can be considered as consent; however, according to the Garante, this can only happen if the controller is able to demonstrate that this is a user’s choice that is unequivocal (what the Garante calls a “clear behavioral pattern”), documentable, and informed; this means, in practice, that the proof required from controllers is very burdensome.