Italian Data Protection Authority Publishes Cookie Guidelines

The Italian Data Protection Authority’s (DPA) guidelines on the use of cookie have entered into force. All operators of Italian websites must now provide certain cookie information to all users as soon as they access the site, or face substantial fines.

Under the guidelines, if targeting cookies are used to send marketing messages or , as recently clarified by the Italian DPA, if third parties’ analytics cookies that are not anonymized and that are set to be combined with other personal data are used, the user must be shown a suitable banner containing information on cookies immediately upon accessing the home page (or any other landing page) of a website.

Mandatory Information

The banner must include the following information:

1. That the website uses profiling cookies to send advertising messages in line with the user’s online navigation preferences; and/or
2. That the website allows sending third-party cookies as well (if applicable);
3. A clickable link to the extended information notice, where information on technical and analytics cookies must be provided along with tools to enable or disable such cookies;
4. That on the extended information notice page, the user may refuse to consent to the installation of whatever cookies;
5. That if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), they signifies their consent to the use of cookies.

The banner must be of a sufficient size and must be an integral part of the action through which the user signifies consent. In other words, the banner will only cease being displayed on screen if the user takes action – by selecting any item on the page underneath the banner.

The Italian DPA has also published the example banner below.

In line with the general principles of data protection, the publisher must in any case keep track of the user’s consent. Ad-hoc technical cookies can be used for this purpose.

Inadequate Information Results in Heavy Fines

The failure to provide information or the provision of inadequate information, i.e. information that does not include the items specified in the guidelines as well as in Section 13 of the Italian Data Protection Code (DPC), carry administrative fines ranging from six thousand to thirty-six thousand Euros.

Installing cookies on users’ equipment without the users’ prior consent carries an administrative fine ranging from ten thousand to one hundred and twenty thousand Euro.

The failure to notify processing operations to the DPA or the provision of an incomplete notification to the DPA under the terms of Section 37(1), letter d) of the DPC carry an administrative fine ranging from twenty thousand to one hundred and twenty thousand Euro.