


Cookie focus: new guidelines published by the Italian Data Protection Authority


Published on 26 July 2021 | reading time approx. 6 minutes


Following the public consultation promoted in early 2021, the Italian Data Protection Authority ("Authority") approved the new "Guidelines on Cookies and Other Tracking Tools" ("Guidelines"), which were published in the Official Gazette on 9 July 2021. Website owners will have six months from the date of publication in the Official Gazette to comply with the principles contained in the document.

The main changes introduced by the new regulation are set out below.

1. Technical and analytical cookies: the Authority reiterates that an analytical cookie can be treated as a technical one only if:
  • the identifying power of the analytical cookie is significantly reduced when it is used by “third parties”;
  • it precludes the possibility of identifying the data subject directly and unambiguously (so-called single out practice);
  • from a structural point of view, the analytical cookie refers to more than one device, thus creating reasonable uncertainty about the user’s digital identity;
  • the analytical cookie is used only for the production of aggregate statistics;
  • the third parties will not combine the data – even if a minimization process is completely carried out – with other processing operations, nor will they in turn transmit the data to other third parties.

2. Legal basis: although it was already clear beforehand, the Authority nevertheless wishes to point out that consent is the only condition for the lawfulness of profiling cookies.

Cookies and other tracking tools implemented for purposes other than technical ones can be installed only after obtaining the informed consent of the user.

Moreover, as underlined by the same Authority, it is clear that the positive action required of the user at the time of his first access to the website will still be exclusively aimed at the expression of consent (so-called opt-in) and can never refer instead to the expression of a refusal (so-called opt-out). 

In the light of the above, therefore, in no case is it possible to rely on the owner’s legitimate interest to justify the use of cookies or other tracking tools.

3. Cookie policy: when implementing only technical cookies or other technical identifiers of the same nature, the Authority specifies that the website owner may provide information to the user on the homepage or in the traditional notice required by the GDPR; while if cookies and other tracking tools are also implemented for purposes other than technical ones, it is necessary to provide the user with a specific notice. 

This kind of information may also be provided through several channels and methods, such as, for example, the use of video channels, pop-up information, voice interactions, virtual assistants, the use of the telephone and the use of chatbots.

4. Scroll and Cookie Wall practices: the Authority reiterates the unlawfulness of the practice of “scrolling down” in order to collect the user’s consent to the installation and use of profiling cookies or other tracking tools. Where it is used, scrolling must – in order to be compliant with the Guidelines – be included in a more structured process capable of generating an event (so-called pattern) by the user that is documentable and recordable in order to prove the existence of a positive and unequivocal action.

Similarly, the practice of the so-called “cookie wall” is considered an illegitimate mechanism for acquiring consent, unless the owner is able to allow the user to access content or services of the website without requesting consent to the use of cookies or other trackers.

5. Banner structure: according to the Guidelines, the banner must not be re-presented at every single access by the user, even where the user has freely made a choice.

The Authority, however, identifies three cases in which the re-presentation is considered legitimate, namely: when a significant change of one or more conditions of the processing occurs (for example, when one or more third parties change); when it is impossible for the website owner to know if a cookie is already stored in the device (because, for example, the user chooses to delete the cookies installed in his device); when six months have passed since the previous presentation of the banner.

Moreover, in compliance with the principle of privacy by design and by default, the website owner is obliged to install on the user's device – as a default setting when the user accesses the homepage of the website – only technical cookies, without any possibility of active or passive tracking of the user.

Looking at the content characteristics of the banner, it is expected to contain:
  • an "X" button (usually to be positioned in the top right-hand corner of the banner) which allows the user to close the banner without being forced to access other areas or pages specifically dedicated to this purpose. This command shall have the same graphic prominence as the other commands or buttons through which the user can express the other available choices;
  • an indication informing the user that when he closes the banner by clicking on the “X” button, the default settings will be applied and navigation will continue with only technical cookies installed;
  • a short notice stating that the website may use cookies or other technical tools after obtaining the user's consent;
  • the link to the privacy notice – i.e. to an extended notice placed in a second layer where all the indications pursuant to Articles 12 and 13 of the GDPR are provided – also with regard to the cookies or other technical tools;
  • a command through which you can express your consent by accepting the placement of all cookies or the use of any other tracking tools;
  • the link to a further dedicated area in which it is possible to select, in an analytical manner, only: the functionalities of cookies, the third parties – the list of which must be kept constantly updated, whether they can be reached through specific links or also through the link to the website of an intermediary subject representing them – and the cookies themselves, also possibly grouped in homogeneous categories, to the use of which the user chooses to consent. In the event of subsequent changes to the list of third parties included in the homogeneous category, the Authority underlines that the selection and the activity of vigilance are activities referred to the first party (i.e. the website owner);
  • it is expected that the user will not be influenced or penalised by the design choices of the banner, so the banner shall be implemented using fonts of equal size, emphasis and colour, which are equally easy to view and use.

6. Withdrawal of consent: users, also considering the rules laid down by the GDPR, must be able to change the choices they have made – whether by giving consent previously denied or by withdrawing consent previously given – at any time and in a simple, immediate and intuitive way. In this regard, the Authority invites the website owner to place a link (with a statement such as "review your choices on cookies" or similar) in the footer of the page in order to allow users to access the area of choice.

Once the new consent choice has been made – and generally whenever the user changes the choices originally made – the banner thus re-proposed shall be able to show the user the last choice made, providing in this way a mechanism for storing choices.

7. Accountability: in order to allow the storage of user actions and choices, the website owner may implement specific technical cookies or other mechanisms offered by technological progress (the identification of which falls under the entrepreneurial autonomy and accountability of the website owner).
