Italian DPA guidelines on the use of cookies and other tracking tools

Within January 10th, 2022, the webmasters will have to comply to the new guidelines on the use of cookies published by the Italian Data Protection Authority (DPA).

Generally, cookies are strings of text which enable websites to store information on the device in use by the user. Because of cookies, for instance, it is possible to save online purchases in the virtual shopping cart, and it is even possible to fulfill behavioural advertising techniques: websites select specific ads which are calculated on the user’s preferences by storing information concerning the browsing sessions.

Cookies are divided in two macro-categories traditionally: technical cookies (which are essential for the smooth performance of the website), and profiling cookies (used in order to comprehend the user’s behavioural pattern). Furthermore, there are also analytics cookies used to design a website or to monitor its traffic data.

By the way, as the Italian DPA stated, it is not always easy to discern between technical, profiling or analytics cookies since there is not a universally accepted coding of cookies. Moreover, not all the tracking devices involve personal data, and not on every occasion they involve the storage of strings of text on the user’s device (that the user can see and delete).

Indeed, cookies can collect personal data (such as e-mail address or IP), however they can also code non-personal data, like information concerning the configuration of the device in use by the user (for instance, the language). This second data category enables the so-called passive tracking techniques, that is, based on the mere reading of the settings that characterize the device, making it identifiable. In these cases, the user cannot have any access to the information about him, and he is not aware of their collection, as the Italian DPA noticed.

Through the new guidelines on the use of cookies, the Italian DPA intended to increase the users’ decision-making power in a context characterized by the use of increasingly intrusive tracking devices.

First of all, the Italian DPA formalized the ban to arrange different cookies from the technical ones in the user’s device when he visit a website for the first time, and the ban to use other tracking techniques, included the passive ones. Furthermore, the cookie policy must state the encoding criteria applied by the different trackers of the website.

Besides, the cookie wall, that is the system which obliges users to give their consent, was declared illegal. Said system would be legal only if the users can log into the similar content or services regardless, without requesting the consent to the use of cookies or other trackers. Even a simple scrolling (the movement of the pointer in order to follow-up the browsing) was declared an illegal form of consent acquisition, since it lacks the user’s registrable and unambiguous active action.

The Italian DPA reiterated the need of requesting the consent through an well distinguishable banner on the website for profiling cookies. In any case, the users must have the possibility to follow-up the navigation without being tracked by any means. With regards to analytics cookies, their use has been suggested only for statistical purposes.

Lastly, the Italian DPA censored the mechanism of resubmitted banner requesting a consent anytime the user log into the website. Therefore, if the user denies the consent, the choice must be stored by the website and it can be solicited only if the processing conditions change significantly.