In early May the Italian data protection authority (“Garante”) issued “Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies” (“Guidelines”).  These are intended to provide clarity on the application of Legislative Decree No. 69/2012 (the “2012 Act”), which implemented the EU Cookie Directive in Italy.

The Guidelines synthesize the findings of a public consultation and set out simple methods for informing website users about the use of cookies and procuring their consent.

Key topics include:

  1. Distinguishing technical cookies from profiling cookies: technical cookies only require users to be clearly informed and include browsing/session cookies, first-party analytics cookies and functional cookies; while profiling cookies require users’ consent to create a user profile and for the website operator and any third parties to carry out marketing and promotional activities.
  2. A ‘double decker’ approach to inform users and obtain consent by providing summary cookie by means of a ‘banner’ on a website landing page with more detailed information included in a full privacy notice that is linked to the banner.
  3. Links to third parties that also place cookies on a user’s device to each respective third party’s own consent and privacy notices so users remain fully informed and retain their ability to consent.   
  4. Implementation and sanctions: Garante has given data controllers one year from the date of publication of the Guidelines to meet these requirements. Failure to do so carries a range of sanctions, including a maximum fine of €300,000 and ‘naming and shaming’.