Italy: FAQs - Are you compliant with the Garante's guidelines on cookies?
The guidelines on cookies and other similar tracking tools1 ('the Guidelines') of the Italian data protection authority ('Garante') established a period of six months from their publication in the Official Gazette, on 9 July 2021, for entities to align their operations with their instructions. This means that, as of 9 January 2022, the deadline for compliance has expired.
Having analysed the Guidelines in detail in two previous Insight articles, Italy: Garante's finalised guidelines on cookies and similar tracking technologies - key takeaways2 and Italy: Key points from Garante's updated cookie guidance3, in this Insight OneTrust DataGuidance provides an overview of some frequently asked questions ('FAQs') and answers.
1. Do website operators need to comply with the Guidelines if they seek to use tracking tools other than cookies?
The Guidelines include in their scope of application not only the storing and use of cookies, i.e. text strings that website operators may install within the user's terminal device when the user visits a website, but also other tracking technologies. Notably, the Guidelines clarify that 'passive identifiers', such as fingerprinting, are included within their scope of application because they can be used to achieve the same profiling purposes as cookies.
2. Which legal basis can I rely on to install cookies and similar technologies on the user's device?
The Guidelines highlight that the law applicable to cookies requires the user's consent as the legal basis for installing non-technical cookies or similar technologies on their terminal device, while the use of technical cookies or similar tracking tools does not require the user's consent. However, the Guidelines clearly state that under no circumstances is it lawful to rely on the legitimate interest of the data controller to justify the use of cookies or other tracking tools.
3. Which types of cookies are considered 'technical cookies' which do not require user consent?
The Guidelines clarify that 'technical cookies' are those used solely to carry out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service to provide such a service, when the same is explicitly requested by the user.
Notably, the Guidelines provide that analytics cookies may be considered technical cookies and may accordingly be used without the user's consent, provided that certain conditions are met. Specifically, analytics cookies may be deemed as technical cookies if:
- direct identification of the data subject through the use of analytics cookies is impossible;
- third-party analytics cookies are structured so that the same cookie can relate to several devices, creating reasonable uncertainty as to the IT identity of the cookie recipient; this is usually achieved by masking appropriate portions of the IP address in the cookie (e.g. the last four digits of a 32 bit IPv4 address, and similar procedures for IPv6);
- analytics cookies are used solely for the production of aggregated statistics and in relation to a single website or mobile app; and
- the third party does not combine the minimised analytics cookies with other data (e.g. customer files or statistics of visits to other websites) or share the same with third parties.
In addition, the Guidelines note, in relation to third-party analytics cookies, that third parties are allowed to produce statistics with data from several domains, websites, or apps that can be traced back to the same website operator or business group.
Moreover, if a data controller merely carries out statistical analyses relating to multiple domains, websites, or apps that can be traced back to the same data controller, unencrypted data may be used, subject to the principle of purpose limitation.
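The masking condition in FAQ 3 is the one that most often has to be implemented in code rather than in policy. The following is an added example, not code from the article or from the Garante, of masking client IP addresses before they reach an analytics collector. It assumes the operator drops the last octet of an IPv4 address and keeps only the first 48 bits of an IPv6 address; the Guidelines speak of 'the last four digits' of an IPv4 address and leave the exact amount to the operator, so the masking widths below are an assumption and are parameters of the functions. The sample hits at the end are constructed.

```javascript
// Added example (not code from the article or the Garante): masking client
// IP addresses before they enter analytics, in the sense of FAQ 3.
// Assumed masking widths; the Guidelines only require enough masking to
// create reasonable uncertainty about the recipient's identity.
const IPV4_MASKED_OCTETS = 1;   // assumed: 203.0.113.77 -> 203.0.113.0
const IPV6_KEPT_BITS = 48;      // assumed: keep the /48 prefix, zero the rest

function maskIPv4(ip, maskedOctets = IPV4_MASKED_OCTETS) {
  const parts = ip.split('.');
  const valid = parts.length === 4 &&
    parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error(`not an IPv4 address: ${ip}`);
  return parts
    .map((p, i) => (i >= 4 - maskedOctets ? '0' : String(Number(p))))
    .join('.');
}

// Expands an IPv6 address (with or without the '::' abbreviation) into
// eight 16-bit groups, rejecting anything that does not parse.
function expandIPv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`not an IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error(`not an IPv6 address: ${ip}`);
  }
  const groups = [...head, ...new Array(missing).fill('0'), ...tail];
  return groups.map(g => {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) throw new Error(`not an IPv6 address: ${ip}`);
    return parseInt(g, 16);
  });
}

function maskIPv6(ip, keptBits = IPV6_KEPT_BITS) {
  return expandIPv6(ip)
    .map((group, i) => {
      const offset = i * 16;                       // bit position of this group
      if (offset + 16 <= keptBits) return group;   // wholly inside the kept prefix
      if (offset >= keptBits) return 0;            // wholly masked
      const keep = keptBits - offset;              // group straddles the boundary
      return group & ((0xffff << (16 - keep)) & 0xffff);
    })
    .map(g => g.toString(16))
    .join(':');
}

// Single entry point for a collector: pick the family from the syntax.
function maskClientIp(ip) {
  return ip.includes(':') ? maskIPv6(ip) : maskIPv4(ip);
}

// Masks the address in each hit before anything is stored or aggregated.
function anonymiseHits(hits) {
  return hits.map(h => ({ ...h, ip: maskClientIp(h.ip) }));
}

// Constructed sample hits, as an analytics collector might receive them.
const SAMPLE_HITS = [
  { ip: '203.0.113.77', path: '/pricing' },
  { ip: '2001:db8:85a3::8a2e:370:7334', path: '/docs' },
];
console.log(anonymiseHits(SAMPLE_HITS));
```

Masking has to happen before the address is written anywhere the third party can read it; a masked copy next to an unmasked log does not create the uncertainty the Guidelines ask for. Keeping the widths as parameters lets the operator document the choice they made and change it without touching the parsing code.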
4. How do I make a cookie banner that is in line with the Guidelines?
According to the Guidelines, when users access the website for the first time, a cookie banner should appear immediately and should be of adequate size. The latter should be assessed also considering the various devices likely to be used by the user to access the website. In addition, the Guidelines recommend that a cookie banner contains the following:
- a command, such as an 'X' button at the top right-hand corner of the banner area, to allow the user to close the banner without giving consent to the use of cookies or other profiling techniques;
- a warning that by clicking on the 'X' button, the default settings are left unchanged, i.e. the user may continue browsing the website without cookies;
- a minimal information notice that the website uses technical cookies and, if appropriate, profiling cookies and other tracking tools, subject to the user's consent;
- a link to the extended privacy policy (see FAQ No. 5);
- a command to easily accept all cookies or similar tracking technologies; and
- a link to a dedicated area of the website where the user will be able to select analytically the functionalities, the third parties, and the cookies, including the possibility of changing, by means of two further commands, the choices previously made.
In addition, the choices presented to the user must be de-selected by default, and the banner should be designed so as to avoid influencing the user's decisions. Consequently, the banner should include buttons of the same size, emphasis, and colour, which should be equally easy to see and use.
Moreover, it should be noted that the Guidelines do not require the use of a cookie banner in all cases. In particular, if only technical cookies are used, the relevant information can be placed on the home page or in the general information of the website, without the need for a cookie banner. Conversely, when website operators use non-technical cookies, the Guidelines recommend the use of a cookie banner that follows the model described above; however, they also highlight that website operators are free to implement different mechanisms to obtain consent, for instance through the use of authentication or access credentials.
5. How do I make a cookie policy that is in line with the Guidelines?
The Guidelines recommend that website operators adopt a multi-layer cookie policy, where the cookie banner (as described in FAQ No. 4) is the first layer and the extended cookie policy is the second. Moreover, the Guidelines note that the cookie policy does not necessarily have to be multi-layer, pointing out that a multi-channel approach may also be adopted. A multi-channel cookie policy would use, for instance, video channels, informative pop-ups, vocal interactions, virtual assistants, phone calls, and chat boxes.
6. Do the Guidelines cover solely the storage and use of cookies on computers and smartphones?
The Guidelines clarify that the terminal device within which website managers may place and store cookies or similar technologies not only encompasses traditional tools, such as computers, tablets, and smartphones, but also Internet of Things ('IoT') devices. Accordingly, smart kitchen appliances, smart TVs, or smart alarms may fall within the scope of application of the Guidelines as far as the use of cookies is concerned.
7. The user did not actively express their consent but continued browsing the website. Can I consider their scrolling of the webpage as a suitable declaration of consent to the use of non-technical cookies?
The Guidelines provide that the mere 'scrolling' of a website is never sufficient for the purpose of obtaining the user's consent to the use of non-technical cookies. However, while scrolling may never be the only way to obtain the user's consent, the Guidelines note that it may constitute one part of a more articulated procedure that allows the user to flag their informed choice unambiguously, through a recordable IT event.
8. If a user does not consent to the use of non-technical cookies, can I block the content of my website for them?
The use of mechanisms (so-called cookie walls) that oblige, with no alternative, the user to give their consent to the use of non-technical cookies in order to access the content of a website is generally deemed unlawful by the Guidelines. This general rule has one exception, that is where the website manager provides the user with the alternative (to be verified on a case-by-case basis, in light of the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')) to access equivalent content or services without the need to give their consent to the storage and use of cookies or other tracking tools.
9. How often can I reiterate the request for the user's consent?
The Guidelines establish that, contrary to widespread practice, if a user has not consented to the use of non-technical cookies or has only consented to the use of certain cookies, the website operator has a duty to record the user's choice and should not continuously seek the user's consent every time they visit the website. Nevertheless, the website manager may solicit the user's consent previously withheld if one of the following exceptions applies:
- the conditions of the processing have changed significantly;
- it is impossible for the website operator to know that a cookie has already been stored on the device for re-transmission to the website that generated it, on the occasion of a subsequent visit by that user; or
- at least six months have passed since the last time the user was presented with the cookie banner.
In addition, the entry into force of the Guidelines does not imply that the declarations of consent to the use of cookies already collected are no longer valid. In fact, the Guidelines note that consent already collected, where in line with the requirements of the GDPR, may be considered valid, provided that the collection of such declarations of consent was recorded and duly documented.
10. Once the user has made their choice regarding the use of cookies, am I required to give them a way to modify such choice?
Users must always be able to modify their choices, either by providing consent previously withheld or, conversely, by withdrawing consent previously provided. Accordingly, the Guidelines require website managers to include a link in the website footer through which users may access an ad hoc area that allows them to modify their choices easily, at any time and in a user-friendly fashion. The link in the website footer must be easily identifiable, e.g. it should use wording such as 'change your mind on cookies' or a similar expression.
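FAQ 9 and FAQ 10 together describe a small piece of state a website has to keep: the user's recorded choice, when the banner was last shown, and a way to grant or withdraw consent later. The following is an added example, not code from the article or from the Garante, of that consent record and of the decision whether the banner may be shown again. It assumes the record is persisted by the site as JSON (for instance in a first-party cookie or localStorage), that the site keeps a processing-version string which it changes when the conditions of processing change significantly, and that 'six months' is counted as 182 days; the category names and the walkthrough dates at the end are constructed.

```javascript
// Added example (not code from the article or the Garante): recording cookie
// choices and deciding when the banner may be shown again (FAQ 9), with the
// user able to change their mind at any time (FAQ 10).
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000;        // assumed reading of "six months"
const NON_TECHNICAL_CATEGORIES = ['analytics', 'profiling']; // assumed names; technical cookies need no consent

// Builds a record from the banner interaction. Every category is off unless
// the user explicitly switched it on (choices are de-selected by default),
// so closing the banner with the 'X' yields a record with everything false.
function createConsentRecord(selected, processingVersion, now = Date.now()) {
  const choices = {};
  for (const c of NON_TECHNICAL_CATEGORIES) choices[c] = selected[c] === true;
  return {
    processingVersion,
    bannerShownAt: now,
    choices,
    // Audit trail, so that the collection of consent is recorded and documented.
    history: [{ at: now, event: 'banner', choices: { ...choices } }],
  };
}

// FAQ 9: the banner is shown again only when no choice is recorded, when the
// conditions of processing changed, or when six months have passed.
function bannerDecision(record, processingVersion, now = Date.now()) {
  if (!record) return { show: true, reason: 'no recorded choice' };
  if (record.processingVersion !== processingVersion) {
    return { show: true, reason: 'conditions of processing changed' };
  }
  if (now - record.bannerShownAt >= SIX_MONTHS_MS) {
    return { show: true, reason: 'six months since last banner' };
  }
  return { show: false, reason: 'choice already recorded' };
}

// FAQ 10: grant or withdraw consent for one category from the footer-link
// area. Returns a new record and appends to the audit trail.
function updateConsent(record, category, granted, now = Date.now()) {
  if (!NON_TECHNICAL_CATEGORIES.includes(category)) {
    throw new Error(`unknown category: ${category}`);
  }
  const choices = { ...record.choices, [category]: granted === true };
  return {
    ...record,
    choices,
    history: [...record.history, { at: now, event: granted ? 'grant' : 'withdraw', category }],
  };
}

// Gate to check before a non-technical cookie or tag is loaded.
function mayUse(record, category) {
  return Boolean(record && record.choices[category] === true);
}

// Constructed walkthrough starting from the compliance deadline.
const DAY_MS = 24 * 60 * 60 * 1000;
const t0 = Date.UTC(2022, 0, 9);                          // 9 January 2022
let record = createConsentRecord({ analytics: true }, 'v1', t0);
console.log(bannerDecision(record, 'v1', t0 + 30 * DAY_MS));   // not shown again
record = updateConsent(record, 'analytics', false, t0 + 40 * DAY_MS);
console.log(mayUse(record, 'analytics'));                      // false after withdrawal
console.log(bannerDecision(record, 'v1', t0 + 200 * DAY_MS));  // shown again: six months
```

The processing-version string is what turns 'the conditions of the processing have changed significantly' into something a page can check; it should only be bumped for changes that genuinely warrant asking again, otherwise the site is back to re-prompting on every visit. The second exception in FAQ 9 (the operator cannot tell that a cookie was already stored) is the `!record` branch: if the record is gone, there is nothing to honour and the banner is shown.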
Anna Baldin Privacy Analyst
1. See: https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9677876#english
2. See: https://www.dataguidance.com/opinion/italy-garantes-finalised-guidelines-cookies-and
3. See: https://www.dataguidance.com/opinion/italy-key-points-garantes-updated-cookie-guidance