Italy: Garante's finalised guidelines on cookies and similar tracking technologies - key takeaways
The Italian data protection authority ('Garante') announced, on 10 July 2021, that it had published, after a period of public consultation, its finalised guidelines on cookies and other similar tracking technologies [1] ('the Guidelines'), as well as a summary sheet [2] of the same. In particular, the Guidelines aim to illustrate the legislation applicable to the storing of information, or the gaining of access to information already stored, in the terminal equipment of users, as well as to specify the lawful means to provide the cookie policy and collect the online consent of data subjects, where necessary, in light of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
In addition, the Guidelines note that the Garante's previous guidance on Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies, while remaining relevant, needed to be supplemented in light of both technological developments and regulatory and legislative reforms.
In this insight, OneTrust DataGuidance outlines the key amendments introduced by the Garante in the finalised version of the Guidelines, after having addressed the draft version in a previous Insight article.
The finalised Guidelines introduced, among others, the following key changes:
- Legitimate interest cannot be considered as a lawful ground to set cookies and other similar tracking technologies;
- Possibility to re-present cookie banner to users after six months from the initial presentation;
- Duty to assess the adequacy and appropriateness of the size of the banner in relation to the various devices used by the user;
- Duty to position an 'X' button within the banner by which users can continue navigating without consenting to the use of non-technical cookies;
- 'Authenticated' users must be allowed to consent to the possibility of being tracked by cross-analysis of their behaviour through the use of different devices;
- In case of changes to the third parties list within the 'preference centre,' the website owner is responsible for the selection of those third parties and for ensuring that the consequent processing remains in line with the category groups;
- New specifications for the accessibility of cookie information in relation to persons with disabilities;
- Information on the criteria through which cookies are categorised semantically may be included in the privacy policy, as an alternative to the dedicated cookie policy;
- Duty to include, in the footer of the website, a link for the user to re-assess his/her cookie preferences;
- Duty to include, in any domain page, a graphic sign, an icon, or a technical feature aimed to show the status of the user's expressed consents, allowing potential amendments;
- Analytics cookies used in relation to multiple domains may be deemed technical ones, even in the absence of the data minimisation measures, when the controller carries out the statistical analysis itself, provided that such analysis does not go beyond the boundaries of a mere statistical count; and
- Six-month deadline for organisations to comply with the finalised Guidelines.
The above amendments are outlined in the sections below, together with the provisions of the draft version of the Guidelines that remained unaltered.
Scope of application - beyond cookies and traditional terminal devices
The Guidelines provide that the concept of terminal device no longer merely comprises traditional tools such as tablets or smartphones, but must be extended to Internet of Things ('IoT') devices, which are designed to connect to the web and among themselves in order to offer various services, not necessarily limited to communication.
'Active' v. 'passive' identifiers
The Guidelines provide a distinction between 'active' and 'passive' identifiers.
With active identifiers, such as cookies, the user has the possibility of directly removing identifiers from his/her device, as well as the possibility of exercising the rights provided by the GDPR to data subjects.
On the other hand, with passive identifiers, such as fingerprinting, the user is not offered autonomously actionable instruments, and must therefore turn to the data controller. In fact, passive identifiers do not imply the storage of, and/or access to, information on the user's device, but merely the reading of its configuration, which makes the device identifiable and results in the creation of a 'profile' that only the controller can access, and of whose very existence the data subject may not even be aware.
More specifically, the Guidelines outline that fingerprinting is one of the most commonly used passive identifiers, and that it represents a technique through which it is possible to identify the user's device by collecting information on its configuration. For this reason, the Guidelines confirm that fingerprinting and other passive identifiers fall within their scope.
Legitimate interest as a lawful ground to set cookies
The finalised Guidelines, when addressing the legislation applicable to cookies and other tracking technologies, specify that the legitimate interest of the data controller is not a viable lawful ground for the use of cookies and other tracking instruments. The Garante highlights that the applicable law does not provide for any legal basis that could make the processing activity lawful other than the data subject's consent, or the exemption from consent that applies to technical cookies.
Scrolling as a lawful means to collect consent
The Guidelines recall that, according to the European Data Protection Board's ('EDPB') Guidelines 05/2020 on Consent under Regulation 2016/679, as updated on 4 May 2020, actions such as scrolling will not under any circumstances satisfy the requirement of a clear and affirmative action for the installation of non-technical cookies. In this regard, the Guidelines specify that, although the Garante shares the EDPB interpretation, the 'scroll down' action can nevertheless be one of the components of a more articulated process that clearly shows to the website manager, through the generation of a precise pattern, the user's unequivocal and informed choice to provide his/her positive consent to the use of cookies; that choice must also be recordable. The finalised Guidelines conclude that this is in line with the principle of accountability, as introduced by the GDPR, according to which the data controller must be recognised as having the autonomous power to determine the most suitable solution to comply with the applicable legislation. The Garante therefore invites controllers to evaluate diligently any possible solution, even of a technical nature, that is suitable to be interpreted and recorded as valid consent of the data subject.
In this regard, the Guidelines outline that, in order for such consent to be collected lawfully, the controller will have to make sure that any alternative means of collecting it makes the effect of the user's choice unequivocal even for the data subject himself/herself, with the aim of avoiding 'false positives,' i.e. the mistaken interpretation of casual actions as a positive expression of consent.
Cookie walls
The Guidelines provide that cookie walls are to be considered invalid, with the exception of the case (to be verified on a case-by-case basis) where the website manager provides the user with the possibility of accessing an equivalent content/service without the need of providing consent to the installation of cookies. In this regard, the Guidelines point out that the alternative will have to be considered equivalent when it is compliant with, among others, Article 5(1)(a) of the GDPR, which provides that personal data must be processed in a lawful, fair, and transparent manner.
Re-collection of consent
The Guidelines acknowledge the existence of the invasive practice of website managers reiterating the request for consent via cookie banner at every visit, even when the user has already freely expressed a choice.
The Guidelines provide that this practice could harm users' freedom by inducing them to consent simply in order to continue browsing without having to deal with the cookie banner.
In this regard, the Guidelines state that, both when the user does not consent to the use of cookies and when the user consents to the use of certain cookies, the choice must be recorded, and the consent request must not be re-presented, unless one of the following cases applies:
- One or more of the processing conditions have changed, so that the banner also fulfils a specific and necessary transparency goal in relation to those changes, such as when the list of third parties has changed; or
- It is impossible for the controller to be aware that a cookie has already been installed on the device in order to be re-transmitted, when the user re-accesses the website, to the website that generated the cookie itself. This is the case where, for example, the user deletes a cookie legitimately installed on his/her device, leaving the controller no way to keep a record of the user's wish to maintain the default settings and therefore continue browsing without being tracked. The Guidelines recall that this action does not amount to the exercise of the right to object, as provided by the GDPR; or
- At least six months have elapsed from the previous presentation of the cookie banner.
Privacy by Design and by Default for cookies
The Guidelines stress that the Garante's previous guidance on cookies maintains its validity in relation to the mechanism for the collection of consent. However, the Guidelines also note that this guidance must be updated in light of the principles of Privacy by Design and by Default, as provided by Article 25 of the GDPR.
In practice, the Guidelines outline that, when the user merely accesses the website:
- non-technical cookies must not be installed by default; and
- the use of any other active or passive profiling techniques is not allowed.
In addition, the Guidelines note that the Garante suggests the adoption of the model described in the Guidelines themselves, which is to be considered compliant with the applicable legal requirements.
Specifically, when the user accesses the website, he/she must be presented with an area or banner of a size such as to cause a perceptible discontinuity in his/her experience of the visited webpage. However, the banner must also be of a size such as to avoid the risk for the user to resort to commands and make unwanted or unaware choices. As a consequence, the adequacy and appropriateness of the size of the banner must also be assessed in relation to the various devices likely to be used by the user.
Moreover, the Guidelines state that the user, when presented with the cookie banner, must be able to deny his/her consent to cookies by closing the banner through a top-right 'X' button positioned within the banner itself, without accessing any other cookie-related webpage. The button must be graphically as clear as the other commands or buttons through which the user can express the other available choices. In other words, the means of continuing navigation without consenting must be as immediate, usable, and accessible as those provided for giving consent.
This mechanism would allow a user who does not want to provide consent not to be tracked or profiled by default. In addition, the mechanism would generate a computer-recorded event recognisable and recordable by the controller. This event would express the user's choice not to provide consent for the use of non-technical cookies and would therefore prevent the website from re-presenting the banner on subsequent accesses by the user, subject to the exceptions outlined above.
In any case, other ways to collect consent are also permitted, such as in the case of users who access the relevant services through authentication or access credentials. In this scenario, from the moment the account is created, there is a natural moment of discontinuity in navigation suitable for the controller to fulfil its obligations concerning the use of cookies and other tracking tools. In this regard, the Guidelines stress that these 'authenticated' users must also be allowed to make an informed choice (which must be mentioned in the cookie notice) as to whether to accept the possibility of being tracked also by cross-analysis of their behaviour through the use of different devices.
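The re-presentation rules described earlier (a recorded choice is not requested again unless the third-party list changed, the record is no longer available to the controller, or six months have elapsed) and the requirement that closing the banner with the 'X' produce a recordable event can be expressed as a small piece of consent-state logic. The JavaScript below is an added example written for this article, not code from the Garante or from any consent-management product; the record layout, the field names (`recordedAt`, `thirdParties`, `choices`), the choice of counting six months in calendar months, and the sample third-party lists are all assumptions.

```javascript
// Added example (not the Garante's code): consent record handling that follows
// the re-presentation rules in the Guidelines. Field names and layout are assumptions.

// Non-technical categories the site uses. All must be OFF by default (Privacy by Default).
const DEFAULT_CHOICES = Object.freeze({ analytics: false, profiling: false });

// Stable fingerprint of the third-party list: order and case do not matter, so a mere
// reordering of the preference centre does not count as a change that needs a new banner.
function thirdPartyFingerprint(thirdParties) {
  return thirdParties.map((p) => p.trim().toLowerCase()).sort().join('|');
}

// Build the record stored (e.g. in a first-party cookie) when the user makes a choice.
// `now` is a Unix timestamp in milliseconds. A later choice replaces the whole record:
// preferences expressed afterwards overwrite, they are not merged.
function recordChoice(choices, thirdParties, now) {
  return {
    v: 1,
    recordedAt: now,
    choices: { ...DEFAULT_CHOICES, ...choices },
    thirdParties: thirdPartyFingerprint(thirdParties),
  };
}

// Closing the banner with the 'X' keeps the defaults but still produces a record:
// that record is the event that stops the banner from reappearing on the next visit.
function recordRefusal(thirdParties, now) {
  return recordChoice({}, thirdParties, now);
}

// Serialisation for the storage cookie. A record that is missing or cannot be parsed is
// treated as absent: the controller cannot know what the user chose, so the banner returns.
function serializeRecord(record) {
  return JSON.stringify(record);
}
function parseRecord(raw) {
  if (typeof raw !== 'string' || raw === '') return null;
  try {
    const r = JSON.parse(raw);
    if (r && r.v === 1 && Number.isFinite(r.recordedAt)
        && typeof r.thirdParties === 'string' && r.choices) return r;
  } catch (e) { /* malformed JSON: fall through and treat as no record */ }
  return null;
}

// "Six months" counted in calendar months (assumption: the Guidelines do not define it).
function sixMonthsElapsed(recordedAt, now) {
  const due = new Date(recordedAt);
  due.setUTCMonth(due.getUTCMonth() + 6);
  return now >= due.getTime();
}

// Returns null when the stored choice must be honoured silently, otherwise the reason
// that allows the banner to be shown again.
function shouldRepresentBanner(stored, currentThirdParties, now) {
  if (!stored) return 'no-record';
  if (stored.thirdParties !== thirdPartyFingerprint(currentThirdParties)) return 'third-parties-changed';
  if (sixMonthsElapsed(stored.recordedAt, now)) return 'six-months-elapsed';
  return null;
}
```

The check runs on every page load before any non-technical tag is fired: a `null` result means the stored `choices` are applied as they are, anything else means the banner is shown and the outcome, including a refusal via the 'X', is written back with `recordChoice`.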
Cookie policy
First layer
The Guidelines provide that the cookie banner must include at least the following:
- the 'X' button described above and information that closing the banner through that button implies that the default settings remain in place and therefore that navigation continues in the absence of non-technical cookies;
- minimum information in relation to the website's use of technical and profiling cookies;
- a link to the extended privacy policy (2nd layer) where information in accordance with Articles 12 and 13 of the GDPR is provided. Access to the privacy policy must be possible with one single click, including via an additional link placed in the footer of any page of the web domain the user is accessing;
- information that, if the user continues browsing, he/she signifies his/her consent to the use of cookies, where the conditions outlined above are met;
- the possibility of consenting to the use of all the cookies and other tracking technologies; and
- a link to a webpage where the user will be able to select granularly the functionalities, the third parties (in relation to which an up-to-date list must be maintained, whether the third parties are reachable through specific links or through the website of an intermediary representing them), and the cookies, possibly even grouped by categories, that he/she consents to. In this scenario, when cookies are grouped by homogeneous categories and the list of third parties changes with additional third parties being added, it will be the responsibility of the first party (the website owner) to select them, as well as to check whether the addition of any such party and the consequent processing activity remain in line with the category groups defined at the outset.
In addition, all the choices must be de-selected by default. The user must also be provided in this webpage with the possibility of providing/withdrawing the consent to all the cookies.
When designing the 1st layer, the Guidelines recommend data controllers to use buttons of the same size, emphasis, and colour, which have to be equally easy to see and use, in order to ensure that users are not influenced by design choice.
Moreover, the finalised Guidelines address the accessibility of cookie information in relation to persons with disabilities. In particular, the Guidelines provide that it is the responsibility of the data controller to adopt any measure needed for the information included in the banner to be accessible, without any discrimination, to those who need assistive technologies or other specific configurations, in line with Law No. 4/2004 (as amended) on Provisions to Facilitate and Simplify the Access of Users and, in particular, of People with Disabilities to IT Tools [3].
Second layer
The Guidelines specify that the extended cookie policy must include the following:
- information on the means through which data subjects can exercise their rights under the GDPR;
- information on the potential recipients of the data subjects' personal data;
- information on the retention periods for information collected through cookies;
- information on the criteria through which cookies are categorised semantically. As an alternative, the finalised Guidelines specify that controllers will also be able to include this information in the privacy policy. These criteria could be requested by the Garante as part of an investigation.
The management of cookie preferences
The finalised Guidelines recall that users must always be able to modify their choices in relation to cookies (both negatively and positively) at any moment and through simple, immediate, and intuitive means using a dedicated area that will be accessible thanks to a link to be positioned in the footer of the website. On this, the link will have to mention the functionality it offers with a mention such as 're-assess your cookie choices' or similar.
Moreover, the Guidelines recall that, both when the banner is re-presented to the user and when the latter changes his/her cookie preferences, the preferences expressed by the user in subsequent accesses must overwrite the previous ones. Furthermore, in relation to the possibility for users to change their cookie preferences, the finalised Guidelines suggest placing on every page of the domain, possibly alongside the link to the dedicated cookie preference area, a graphic sign, an icon, or any technical feature aimed at showing, even in a minimal way, the status of the user's expressed consents, allowing potential amendments at any moment.
Alternative cookie policies
The Guidelines highlight that the cookie policy does not necessarily have to adopt a multilayer approach. In fact, the Garante points out that a 'multichannel' approach may also be followed, enabling the maximisation of more dynamic and less traditional points of contact between the controller and the data subjects, such as video channels, informative pop-ups, vocal interactions, virtual assistants, phone calls, and chat boxes.
Analytics cookies
The Guidelines note that analytics cookies may be deemed technical cookies, if certain conditions are met, in accordance with the principle of Privacy by Design.
In particular, the Guidelines outline that data minimisation measures must be adopted in order to reduce the identification power of third-party analytic cookies. In practice, the Guidelines state that it must be impossible to directly identify the data subject through analytic cookies, which means that the use of analytic cookies that, considering their features, act as direct and univocal identifiers, is not permitted.
Therefore, the Guidelines provide that the structure of analytic cookies must ensure that the same cookie can be matched not to just one device, but to several devices, in order to obtain a reasonable uncertainty as to the digital identity of the user. This result is usually obtained by building the cookie on the structure of the IP address and masking portions of that address. In practice, the Guidelines note that one of the measures that can be implemented in order to treat analytic cookies as technical ones, considering IP address version 4 ('IPv4'), is to mask at least a quarter of the IP address (i.e. the last of the four octets), which leaves an identification probability of 1/256 (approx. 0.4%), since the masked octet has 256 possible values. The Guidelines recall that similar procedures can also be implemented with IP address version 6 ('IPv6').
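The masking step itself is straightforward to implement. The JavaScript below is an added example written for this article, not the Garante's code nor any analytics vendor's implementation. It zeroes the low-order bits of an address before the address is hashed or otherwise folded into the analytics cookie: by default the last octet of an IPv4 address (the 'at least a quarter' of the Guidelines) and, as an assumed IPv6 equivalent that the Guidelines do not specify, the low 80 bits, which keeps only a /48 prefix. The sample addresses in the usage are constructed documentation addresses; `identificationProbability` reproduces the 1/256 figure.

```javascript
// Added example (not the Garante's code): IP masking for analytics cookies.
// Defaults: IPv4 -> mask low 8 bits (last octet); IPv6 -> mask low 80 bits (keep /48).
// The IPv6 default is an assumption; the Guidelines only say "similar procedures".

const IPV4_DEFAULT_MASKED_BITS = 8;
const IPV6_DEFAULT_MASKED_BITS = 80;

function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`invalid IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`invalid IPv4 octet: ${p}`);
    return acc * 256 + Number(p); // arithmetic rather than bitwise: keeps the value unsigned
  }, 0);
}

function intToIPv4(n) {
  return [24, 16, 8, 0].map((s) => Math.floor(n / 2 ** s) % 256).join('.');
}

// Zero the low `bits` bits of an IPv4 address (0 <= bits <= 32).
function maskIPv4(ip, bits = IPV4_DEFAULT_MASKED_BITS) {
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new RangeError('bits must be 0..32');
  const n = ipv4ToInt(ip);
  return intToIPv4(Math.floor(n / 2 ** bits) * 2 ** bits);
}

// Expand an IPv6 textual address (with optional '::') into a 128-bit BigInt.
// Embedded dotted-quad forms such as ::ffff:1.2.3.4 are not handled here.
function ipv6ToBigInt(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const zeros = 8 - head.length - tail.length;
  // Without '::' exactly eight groups are required; with it, '::' must stand for >= 1 group.
  if (halves.length === 1 ? zeros !== 0 : zeros < 1) throw new Error(`invalid IPv6 address: ${ip}`);
  const groups = [...head, ...new Array(zeros).fill('0'), ...tail];
  return groups.reduce((acc, g) => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error(`invalid IPv6 group: ${g}`);
    return (acc << 16n) | BigInt(parseInt(g, 16));
  }, 0n);
}

// Render uncompressed (eight groups, no '::'); unambiguous and easy to grep in logs.
function bigIntToIPv6(n) {
  const groups = [];
  for (let i = 7; i >= 0; i -= 1) groups.push(((n >> BigInt(i * 16)) & 0xffffn).toString(16));
  return groups.join(':');
}

// Zero the low `bits` bits of an IPv6 address (0 <= bits <= 128).
function maskIPv6(ip, bits = IPV6_DEFAULT_MASKED_BITS) {
  if (!Number.isInteger(bits) || bits < 0 || bits > 128) throw new RangeError('bits must be 0..128');
  const b = BigInt(bits);
  return bigIntToIPv6((ipv6ToBigInt(ip) >> b) << b);
}

// Dispatch on address family using the defaults above.
function maskIP(ip) {
  return ip.includes(':') ? maskIPv6(ip) : maskIPv4(ip);
}

// Probability that a masked address still pins down the original one: 1 in 2^bits.
// For the 8 masked IPv4 bits this is 1/256, the figure quoted in the Guidelines.
function identificationProbability(bits) {
  return 1 / 2 ** bits;
}

// Usage on constructed documentation addresses:
//   maskIP('203.0.113.77')                   -> '203.0.113.0'
//   maskIP('2001:db8:85a3::8a2e:370:7334')   -> '2001:db8:85a3:0:0:0:0:0'
```

Masking must happen before the address touches any persistent store or cookie value; the masked form is the only one that may be hashed into the cookie or written to the analytics backend, otherwise the minimisation the Guidelines require is only cosmetic.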
In addition, the Guidelines note that the use of analytic cookies must be limited to the production of aggregated statistics and must also be used in relation to a single website or mobile app, so that the tracking of the user surfing through different applications or websites is not permitted.
In any case, the finalised Guidelines outline that third parties providing web measurement services to the publisher must not combine the data, even minimised as described above, with other information (such as customer files and audience measurement data) or share them with further third parties. The only exception is the case where the production of statistics carried out by third parties with the minimised data involves several domains, websites, or apps attributable to the same publisher or business group.
However, even in the absence of the required minimisation measures, the use of statistical analyses relating to multiple domains, websites, or apps attributable to the same data controller may be deemed lawful, provided that the data controller carries out the statistical analysis itself and that such analysis does not take on the features of processing aimed at making commercial decisions, and therefore does not go beyond the boundaries of a mere statistical count.
Next steps
The Garante, taking into consideration the potential complexity of adapting the systems and processing operations already in place to the principles set out in the final version of the Guidelines, identifies as appropriate a six-month deadline, from the time of publication in the Official Gazette, within which entities are required to comply with the Guidelines. Please note that the Guidelines were published in the Official Gazette on 9 July 2021 [4].
In relation to consents that have been already collected, provided that they comply with the requirements prescribed by the GDPR, they may be deemed valid where, at the time of their acquisition, they were recorded and are therefore duly documented, including by means of computerised evidence.
Matteo Quartieri Privacy Operations
[1] Available at: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9677876
[2] Available, only in Italian, at: https://www.garanteprivacy.it/documents/10160/0/LINEE+GUIDA+COOKIE+E+ALTRI+STRUMENTI+DI+TRACCIAMENTO+-+SCHEDA+DI+SINTESI.pdf/8d97e88f-2213-5e5f-97fe-805eaeb41af3?version=3.0
[3] Available, only in Italian, at: https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:legge:2004-01-09;4!vig=
[4] Available, only in Italian, at: https://www.gazzettaufficiale.it/showNewsDetail?id=3857&provenienza=home