Understanding the Italian DPA's Guidance on Cookie Consent Compliance

Italy's data protection authority (DPA), the Garante, has announced its finalized guidelines on cookies and tracking technologies. The Garante’s guidelines, first released as a draft in December 2020, stipulate the means by which organizations may obtain customer consent, and what they can do with it.

The Garante based their update of existing 2014 guidelines on both EU privacy regulations and the growing use of what they consider “particularly invasive trackers.”

Site owners will have 6 months to comply with the principles contained in the Guidelines. Read on for a breakdown of the Garante’s new guidelines.

Serious About Default Opt-Out

The Garante has mandated that any mechanism for acquiring consent must ensure that—by default—no cookies or tracking tools other than technical ones are enabled at the time of a user’s first access to a website. That means no tracking cookies may be fired before the user explicitly expresses their consent to do so.

The Garante’s Banner Guidelines

The Garante also clarified its guidelines on consent banners, tracing the familiar guidelines of the GDPR, under which a banner must be clearly distinguishable on the web page and offer users the possibility of continuing without being tracked (opt-out).

The Garante specifically stipulates that if a user clicks an [x] button to close a consent banner, an opt-out should be assumed, and the user should not be tracked in any way.

On a similar note, the Garante specified that a user quickly scrolling or swiping away from a consent banner does not represent “a suitable manifestation of consent,” and should be treated as an opt-out.

Cookie Walls and Persistent Consent Requests

The Garante explicitly forbids cookie walls, i.e., Consent banners that deny users access to a webpage if they don’t consent to cookies and trackers. However, exceptions to this rule can be made, on a case-by-case basis, for cases in which the owner of the site allows access to equivalent content or services without requesting consent for the use of cookies or other trackers.

Site owners are also forbidden from resubmitting a consent banner to users who denied it at each new access to the website. The user’s choice to opt-out must be duly recorded, and no longer solicited. Exceptions are made for situations in which the “conditions of processing significantly change,” or when 6 months have passed.

The Garante also mandates that the user’s “right to reconsider” and withdraw their consent must be respected and must be possible at any time. Therefore, the website must provide a permanent link to the privacy policy and consent choices.

How Ensighten Can Help

As guidelines and regulations continue to evolve, marketers and site owners must remain vigilant in updating and maintaining compliance. Ensighten offers organizations a solution to help build a fully compliant website and simplify compliance with the GDPR, CCPA, LGPD, and many more laws and frameworks.

With Ensighten Consent Management Plus (CMP+), you can set up customizable consent banners for and give your customers a clear-cut choice on how their data is used, or whether it is collected at all.

Ensighten CMP+ offers real-time enforcement, so user preferences are applied instantaneously, and no cookies or tracking measures are fired before consent is given.

And it’s easy to use. Our low-code, zero-integration deployment means Ensighten CMP+ can be added to every iteration of your website with a simple line of code.

You can also use Ensighten to perform a full audit of your website—up to 5000 pages—so you can understand which cookies and tracking technologies are in use, and identify potential security or compliance issues.

Request a demo today to see how Ensighten can help your organization stay compliant with evolving regulations worldwide.