Italy: New Guidelines on the use of cookies and other tracking tools
Whilst waiting for the expected Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) ('the Draft ePrivacy Regulation'), on 10 June 2021, the Italian data protection authority ('Garante') issued a new set of Guidelines on the use of cookies and other tracking tools ('the Guidelines'). Massimiliano Pappalardo, Partner at Ughi e Nunziante – Studio Legale, discusses the provisions of the Guidelines.
The Guidelines have been adopted by the Garante with the purpose of providing an up-to-date overview of the rules applicable in Italy to the use of cookies and other tracking technologies and, in particular, of clarifying the suitable arrangements for properly informing users and obtaining the relevant consent, in accordance with the provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The new set of guidelines does not replace, but completes, the guidelines already issued by the Garante in 2014 on cookies and in 2015 on online profiling.
The Garante clarified that cookies and tracking technologies are currently regulated by the provisions of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') ('the Code'), implementing the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive'). These provisions have to be qualified as lex specialis with regard to the protection of personal data in the context of electronic communications, and they prevail over the (more general) provisions of the GDPR.
In this regard, the Guidelines point out that the applicable legal bases for the use of cookies shall be defined according to the ePrivacy Directive, which does not 'envisage legal bases for such processing other than the data subject's consent', with only the following exceptions, namely the use of cookies: (i) for technical storage or access to stored information aimed exclusively at carrying out the transmission of a communication on an electronic communications network; or (ii) insofar as they are strictly necessary for the provision of an information society service explicitly requested by the user. As a consequence, the Garante explicitly clarified that under no circumstances should legitimate interest be considered a valid legal basis to justify the use of non-technical cookies or other online tracking tools.
While the necessity to obtain the user's consent as a legal basis for the use of non-technical cookies is prescribed by the ePrivacy Directive, the requirements for collecting a valid consent are outlined in the GDPR, which sets out that consent should be given by a clear and affirmative act establishing a freely given, specific, informed and unambiguous indication. In this regard, the Guidelines highlight that many mechanisms commonly used online for collecting consent to the use of cookies and other tracking tools do not meet these requirements.
More specifically, the Garante reaffirms that: (i) pre-ticked boxes; and (ii) mere scrolling down, do not constitute valid ways to collect the user's consent to the use of non-technical cookies. It adds, with specific regard to so-called 'cookie walls', that the 'take it or leave it' mechanism, whereby users who do not consent to receiving cookies are not allowed to access the website, is in principle not permitted.
Indeed, according to the Garante, such a mechanism does not allow the user to express a free consent, as he or she is basically forced to accept the use of cookies in order to continue with the navigation, 'except where the website controller provides the data subject with the option of accessing equivalent content or services without giving his or her consent to the storage and use of cookies or other tracking tools, which will have to be verified on a case-by-case basis'.
That being stated, with regard to the specific modalities whereby website operators have to collect a valid consent, the Guidelines stress the key role of the cookie banner. They explain that such a banner has to be shown to the user immediately, as soon as he or she first visits the website, and that its size should be sufficient, also depending on the device in use, to perceptibly interrupt the browsing experience, while preventing the risk that a user activates commands and therefore makes uninformed and/or unwanted choices.
Moreover, the user should be presented with a user-friendly option to express or deny their consent: to this end, the Garante suggests the implementation of an X button positioned at the top right end of the banner, which would enable the user to 'simply close the banner by clicking on the command that is usually meant to enable this action without having to access other ad hoc areas or pages'. Accordingly, the banner should include a warning that if the banner is closed by clicking on the X, the browsing by default can go on without non-technical cookies or other tracking tools.
The Guidelines also point out that, after the user has denied his or her consent, the website is not allowed to present the cookie banner again on a subsequent access to the same website in an attempt to obtain the consent already denied, as such a practice could also impact the user's freedom. Therefore, the Garante states that said user cannot be solicited with further requests for consent, unless:
- one or more of the circumstances of the processing changes significantly;
- it is impossible for the website operator to be aware that a cookie has already been stored on the device (e.g. when the user removed all cookies from the browser history); or
- at least six months have elapsed since the banner was last presented.
Whereas users shall not be solicited further to express consent to the use of cookies unless one of the above exceptions occurs, the Garante adds that they should always be granted the option to modify their choices at any time, easily, and in a user-friendly manner. To this end, the Guidelines suggest the implementation of an ad hoc area, accessible through a link in the website footer, with wording such as 'Change your mind on cookies', to enable the users to manage their cookie preferences in an easy and effective way.
The Guidelines provide important clarifications on analytics cookies too, with specific regard to their qualification and to the different requirements applicable to first-party and third-party analytics cookies. In this respect, the Garante recalls that analytics cookies may fall into the category of technical cookies, and accordingly, may be used without the data subject's prior consent, solely upon certain conditions.
The Guidelines stress the importance of deploying solutions fit to comply with the Privacy by Design principle in an effective manner, as well as implementing data minimisation measures able to prevent a user from being directly identified (singled out) when analytics cookies are used by third parties. According to the Garante, in order to treat third-party analytics cookies as technical cookies, the following requirements need to be met:
- analytics cookies shall only be used to produce aggregate statistics relating to a single website or a single mobile application;
- the fourth part of the IP address shall be masked; and
- third parties shall refrain from combining the minimised analytics cookies with other processed data and from sharing them with other parties.
As a result, in the event that third-party analytics cookies do not meet such requirements, they can only be used upon the user's express consent. Conversely, the first-party analytics cookies used by publishers to gather aggregate statistical data on the number of users visiting their websites, in principle, do not need to comply with the above-mentioned prescriptions in order to be considered technical data.
Finally, regarding 'data enrichment' (the matching of personal information of users, including cookies, related to the use of different functionalities and services, and collected through several terminal devices in order to create enriched profiles of the authenticated users), the Guidelines stress the need for an enhanced framework of safeguards, aimed at fostering and enforcing control over personal information undergoing processing and, ultimately, individual self-determination.
To sum up, the new Guidelines do not introduce new obligations, but, considering the unpredictable time still needed to adopt the ePrivacy Regulation, they do clarify how the already existing rules on cookies and online tracking technologies have to be applied in Italy in order to comply with the GDPR, as well as with the national provisions of the Code.
Massimiliano Pappalardo Partner
Ughi e Nunziante – Studio Legale, Milan