What’s in the Latest Cookie Guidance from Italy’s Garante?

This week’s guest editors are Filip Sedefov, Legal Director for Privacy at IAB Europe & Giulia Sala, Senior Associate at DGRS and legal counsel for IAB Italy. In this post, they share their views on the Italian data protection authority’s (Garante’s) newly published set of guidelines on cookies and other tracking tools. They discuss the new challenges for ID solutions and look at what is strictly necessary to ensure compliance. 

On July 10th, Italy’s data protection authority (the Garante per la protezione dei dati personali – “the Garante”) published a fresh set of Guidelines on cookies and other tracking tools. These new Guidelines complement and specify the Garante’s previous guidelines on the topic, which date back to 2014. The new Guidelines represent the expectations of the regulator when it comes to compliance with Italy’s implementation of article 5(3) of the ePrivacy directive, which establishes a consent requirement for storage and access operations on a user’s device. The final version of the Guidelines comes at the end of a one-month consultation period and six months of analysis of contributions (including from IAB Italy). It follows the publication of guidance on the topic by a number of other prominent European DPAs such as France’s CNIL, Ireland’s DPC, Spain’s AEPD, Denmark’s Datatilsynet as well as – on the topic of GDPR consent specifically – the European Data Protection Board (EDPB). All guidance by DPAs so far is aligned and compatible with IAB Europe’s TCF. Below, we take a brief look at the content of this latest cookie consent guidance by a European regulator, which companies have six months to comply with.

Scope of the Garante’s Guidelines

As mentioned above, the Guidelines refer to the implementation of the consent requirements of the ePrivacy Directive in Italian law (art. 122 of the Personal Data Protection Code). In the digital advertising context, this means they provide indication of the criteria the Italian regulator will use to assess whether or not valid consent was collected by a digital publisher – or their third-party ad tech partners – for storage and access operations on the user’s device, that are related to the delivery and measurement of advertising and content.

Although the Garante’s prior 2014 Guidelines on “Simplified arrangements to provide information and obtain consent regarding cookies” still apply, these were in clear need of an update following the reforms brought about by the GDPR. The regulator explicitly calls out new privacy notice requirements (e.g., data retention periods), more elaborate consent requirements as well as reinforced transparency and accountability principles, and promotion of privacy by design and by default as elements underpinning its updated guidance.

The Garante also clarifies that the Guidelines apply to all tracking tools. It draws a rather detailed and interesting distinction between “active identifiers” (i.e., cookies) and “passive identifiers”, such as fingerprinting or other tracking tools, that do not necessarily presuppose storage of information on the user’s device but are assimilated to such operations for the purpose of its recommendation.

Collecting valid consent

The Garante offers relative flexibility in the implementation of different methodologies for gathering consent. It sets out some best practices in terms of presenting the information to the user while allowing for approaches that deviate from these as long as valid consent can be adequately demonstrated in line with the accountability principle.

The inevitables: scrolling and cookie walls

Although controversial, continued scrolling by the user was treated as a valid consent mechanism in Italy for several years, following the entry into force of the GDPR and at least until the EDPB’s Guidelines 05/2020 on consent “officially” invalidated it last year. In the new Guidelines, the Garante addresses “scrolling” consent directly. Unsurprisingly, the DPA follows the EDPB’s established position, indicating that scrolling cannot, in and of itself, constitute valid consent. However, the Garante still, and somewhat more prominently than other regulators, defends its 2014 stance (established notably following efforts by IAB Italy): scrolling may form a significant component of a pattern of user interactions from which a clear and unambiguous intent to consent can be concluded.

Similarly, when it comes to cookie walls the Garante also follows the conclusions of the EDPB’s consent guidance (para. 39), which states that “in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so-called cookie walls)”. The regulator leaves the door open, however, for a case-by-case assessment of the legality of cookie walls, in cases where the service provider offers the possibility to access equivalent content or services without consent. Still, the inevitable question of whether a paid alternative would satisfy the “equivalent offer” requirement, or under what conditions it would satisfy it, remains unanswered.

What’s in a UI? Consent notice UI requirements

With regard to transparency and user interface (UI) functionality, the Garante – as in its 2014 guidance – maintains an endorsement of consent request by way of a prominent banner or notice (e.g., a CMP UI), presented to users upon their first visit to a digital property. It nevertheless recognises that other methods of obtaining consent are also possible when particular processing requires it, such as through a log-in or authentication process. These pose their own challenges, which we discuss briefly in a separate section further below.

The new Guidelines contain relatively detailed views from the regulator about acceptable UI design, content, and functionality. The DPA recognises, for example, that a UI may be surfaced on different devices and expects UIs to be designed in a way that takes adequate account of the context and environment in which a user is viewing them so that the transparency objective is fulfilled. In addition, the Guidelines specify that user-facing interfaces should, at the very least, respect the following best practices:

  • Contain an initial layer with (i) essential information about the cookies and other trackers used and their purpose(s), (ii) an option to close the notice without consenting (e.g. located in the top right-hand corner), including information about the fact that closing the notice is equivalent to a refusal to consent, (iii) an option to consent, and (iv) an option to access a secondary layer with additional information and configuration options concerning purposes and third parties;
  • Be easy to resurface, for example through a link at the bottom of each page or dedicated icon that allows users to easily view, access, and modify their preferences;
  • Make use of design and colours that are not deceiving, including by using equal text treatment for UI calls to action so that the user is offered clear options and can exercise a free choice.

Where a user takes no action or actively rejects consent, that decision should, according to the Garante, be respected for at least six months. However, the UI can be resurfaced earlier in cases where one or more processing operations or third parties are significantly modified, or where it is impossible to identify what choices the user has made, for instance, because they have deleted the cookies on their device. There is no specified period for storing consent or an indication of when the user should be reminded they can withdraw their consent.

The key: standardisation

On several occasions in the Guidelines, the Garante encourages standardisation. In particular, the regulator considers that users would greatly benefit from standardisation of UI commands, colours, functions, and content. The DPA also notes that dedicated technical cookies can be used to record and maintain the status of a user’s preferences and to document their prior actions with regard to such preferences for compliance and accountability purposes.
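As an added illustration (not code from the Guidelines, the TCF or the authors of this post), the following sketches the technical cookie the Garante describes: a consent record that documents the user's last action, plus the decision logic for when the banner may be resurfaced under the rules summarised above. The six-month floor for refusals, the use of a configuration version to stand in for "significant modification" of purposes or third parties, the field names, and the HMAC key are assumptions; the Guidelines specify no storage period for a positive consent, so an accepted record here persists until the user changes it.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# A refusal (or closing the notice, which counts as refusal) is respected for
# at least six months before the notice may be shown again unprompted.
MIN_REFUSAL_PERIOD = timedelta(days=182)
REFUSALS = {"refused", "closed"}

# Assumed signing key for the technical cookie; load it from a secret store in practice.
COOKIE_KEY = b"example-key-not-for-production"


@dataclass(frozen=True)
class ConsentRecord:
    decision: str               # "accepted", "refused" or "closed"
    decided_at: str             # ISO-8601 timestamp with UTC offset of the user's action
    config_version: str         # hypothetical id of the purposes/third-party list the user saw
    purposes: Tuple[str, ...]   # purposes switched on; every toggle starts "off"


def make_record(decision: str, decided_at: str, config_version: str,
                purposes: Tuple[str, ...] = ()) -> ConsentRecord:
    return ConsentRecord(decision, decided_at, config_version, tuple(purposes))


def encode_cookie(record: ConsentRecord, key: bytes = COOKIE_KEY) -> str:
    """Serialise the record and append an HMAC so the stored choice is tamper-evident."""
    payload = base64.urlsafe_b64encode(
        json.dumps(asdict(record), sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def decode_cookie(value: Optional[str], key: bytes = COOKIE_KEY) -> Optional[ConsentRecord]:
    """Return the record, or None when the cookie is missing, malformed or fails the MAC."""
    if not value or "." not in value:
        return None
    payload, tag = value.rsplit(".", 1)
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or foreign cookie: treat as if no choice were recorded
    try:
        data = json.loads(base64.urlsafe_b64decode(payload))
        return make_record(data["decision"], data["decided_at"],
                           data["config_version"], data["purposes"])
    except (ValueError, KeyError, TypeError):
        return None


def should_resurface(record: Optional[ConsentRecord], now: datetime,
                     current_config_version: str) -> bool:
    """Decide whether the consent UI may be shown again on this page view."""
    if record is None:
        # First visit, cookie deleted, or unreadable: the user's choice cannot be identified.
        return True
    if record.config_version != current_config_version:
        # Purposes or third parties changed significantly since the choice was made.
        return True
    if record.decision in REFUSALS:
        decided = datetime.fromisoformat(record.decided_at)
        return now - decided >= MIN_REFUSAL_PERIOD
    # Accepted: no re-prompt period is specified; keep until the user modifies it.
    return False


def resurface_needed(cookie_value: Optional[str], now_iso: str,
                     current_config_version: str) -> bool:
    """Convenience wrapper taking the raw cookie value and an ISO-8601 timestamp."""
    return should_resurface(decode_cookie(cookie_value),
                            datetime.fromisoformat(now_iso), current_config_version)


if __name__ == "__main__":
    cookie = encode_cookie(make_record("closed", "2021-07-10T00:00:00+00:00", "v1"))
    print(cookie)
    print(resurface_needed(cookie, "2021-09-01T00:00:00+00:00", "v1"))  # False
    print(resurface_needed(cookie, "2022-02-01T00:00:00+00:00", "v1"))  # True
```

The MAC is there because the cookie doubles as the accountability record: a value that anyone can rewrite client-side documents nothing. Bumping `config_version` whenever the purpose or vendor list changes is the simplest way to force a re-prompt for the "significant modification" case without tracking the user further.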

IAB Europe’s Transparency & Consent Framework (TCF) is the most prominent instrument in the digital advertising context that promotes and operates standardisation precisely around these topics. The table at the end of this blog article attempts to provide a high-level overview and comparison of Garante’s requirements next to those of the TCF. It serves to demonstrate that TCF policies are aligned with the Garante’s latest Guidelines and that the Framework can be implemented in a way that is fully compatible with the regulator’s expectations.

New challenge for ID solutions and enrichment activities?

Interestingly, since the first draft of the Guidelines, a new paragraph has been introduced, which specifically refers to processing activities that accompany the creation of an account or authentication with an existing account. This is raised in the context of alternative methods to collecting consent that do not involve surfacing a banner or notice.

The Garante provides the example of a user accessing a service through authentication or login credentials. It then states that, in such cases, when the account is created there is an opportunity for the digital service provider (i.e., the publisher) to inform the user and request consent for the use of cookies and other trackers. The regulator appears to suggest that, in addition to storage and access consent, users authenticated through login must be asked to consent specifically to any activity that links different data sets, irrespective of whether these come from the same or different devices. In other words, the Guidelines could be read as effectively prohibiting the crossing of data relating to navigation carried out through multiple devices where prior and specific consent has not been obtained. This could be a challenge for ID solutions or any data controllers involved in linking offline and online data.

An elaborate view on what can be considered as “strictly necessary”

Like the ePrivacy Directive and Italian implementing legislation, Garante’s guidelines make a distinction between strictly necessary technical trackers and so-called “profiling” trackers, used for purposes that are not absolutely required for the operation of a digital property. The question, as always, is what exactly qualifies as a strictly necessary technical storage operation for which transparency must be provided, but which does not require the user’s consent. Interestingly, the Italian regulator goes further in its reflection than others on this point and adopts a slightly more nuanced position, specifically when it comes to first-party analytics.

In short, the regulator is of the opinion that cookies or trackers that serve first-party analytics purposes can qualify as strictly necessary and hence not be subject to a consent requirement. This is only possible, however, where the following minimisation techniques have been cumulatively applied to these cookies and other trackers:

(i) The possibility of identifying the user is precluded, and they cannot serve to identify a device. The regulator suggests this can be achieved by masking a sufficient portion of the IP address (e.g., at least the fourth component, i.e. the last octet of an IPv4 address) so as to introduce enough uncertainty in attribution;

(ii) They are used in relation to a single website/app; and

(iii) Third parties intervening in these activities (i.e., who provide the publishers with a measurement service) do not combine such data with other data or statistics of visits to other websites, nor transmit such data to other third parties except in the case where the production of statistics refers to multiple domains attributable to the same publisher (i.e., group’s websites).

Moreover, where a publisher carries out statistical analysis on their own, without the intervention of third parties, they may do so also in relation to multiple domains, websites, or apps, without the above-mentioned minimisation techniques, provided that such operations do not serve the purpose of making commercial decisions. In essence, this means that a publisher is allowed to carry out statistical analysis on multiple web properties for technical reasons (e.g., deciding on storage and backup requirements) but not for commercial ones (e.g., deciding on the digital ad space offered).
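To make condition (i) concrete, here is an added example (not code from the Guidelines, the TCF or the authors of this post) of masking the client IP address before it is written to a first-party analytics store. Zeroing the fourth IPv4 component follows the Garante's own example; the IPv6 prefix length and the whitelist of fields kept in `anonymise_hit` are assumptions about how a publisher might implement this, not requirements stated in the Guidelines.

```python
import ipaddress
from typing import Dict

# IPv4: keep 24 bits, i.e. zero the 4th component (octet), the example the Garante gives.
# IPv6: keep the first 48 bits. This is an assumption modelled on common analytics
# practice; the Guidelines do not specify an IPv6 prefix length.
V4_KEEP_BITS = 24
V6_KEEP_BITS = 48


def _keep_bits(ip: ipaddress._BaseAddress) -> int:
    return V4_KEEP_BITS if ip.version == 4 else V6_KEEP_BITS


def mask_ip(addr: str) -> str:
    """Return the address with the host-identifying low bits zeroed."""
    ip = ipaddress.ip_address(addr.strip())
    total = ip.max_prefixlen                       # 32 for IPv4, 128 for IPv6
    keep = _keep_bits(ip)
    mask = ((1 << keep) - 1) << (total - keep)     # high `keep` bits set, the rest clear
    # type(ip)(...) preserves the family: ip_address(0) alone would turn "::" into "0.0.0.0".
    return str(type(ip)(int(ip) & mask))


def group_size(addr: str) -> int:
    """How many addresses collapse onto the same masked value, i.e. the uncertainty introduced."""
    ip = ipaddress.ip_address(addr.strip())
    return 1 << (ip.max_prefixlen - _keep_bits(ip))


# Hypothetical whitelist of fields a first-party analytics record may keep. Anything
# not listed (client ids, full user-agent strings, fingerprint components) is dropped,
# since the record must not identify the user or the device.
ALLOWED_FIELDS = ("path", "referrer", "ts")


def anonymise_hit(hit: Dict[str, str]) -> Dict[str, str]:
    """Build the analytics record from a raw request: masked IP plus whitelisted fields only."""
    record = {k: hit[k] for k in ALLOWED_FIELDS if k in hit}
    record["ip"] = mask_ip(hit["ip"])
    return record


if __name__ == "__main__":
    # Constructed sample request, not real traffic.
    raw = {"ip": "198.51.100.42", "path": "/article", "client_id": "abc123",
           "ua": "Mozilla/5.0", "ts": "2021-07-10T09:00:00Z"}
    print(anonymise_hit(raw))          # ip becomes 198.51.100.0, client_id and ua dropped
    print(group_size("198.51.100.42"))  # 256
```

Masking the last octet puts 256 addresses in the same bucket, which is the "uncertainty in attribution" the regulator asks for; it does little on its own if a precise user-agent string or a persistent client identifier is stored next to it, which is why the example drops those fields rather than just the IP bits.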

Garante’s Guidelines and the TCF

As promised earlier, below is a table that offers a high-level view of how some of the requirements in Garante’s new Guidelines compare to those set out in IAB Europe’s TCF. As always, it’s useful to keep in mind that TCF Policies set a minimum standard and that organisations should, in addition to TCF, implement more stringent requirements where these exist locally.

Columns: Topic | Garante updated Guidelines on cookies and other trackers | Transparency & Consent Framework (TCF)

Topic: Scrolling consent
Garante Guidelines: Scrolling cannot in itself be considered as an affirmative action by the user that signifies their consent.
TCF: TCF does not define “affirmative action”, therefore allowing for flexibility depending on local regulatory requirements and guidance. However, Appendix B, Policy C(b) TCF requires “Accept” and “Settings” calls to action in the initial layer of the Framework UI at the very least.

Topic: Cookie walls
Garante Guidelines: Cookie walls are not allowed in principle, as they do not constitute “freely given” consent, except where it can be verified, on a case-by-case basis, that the service provider offers the possibility to access equivalent content or services without consenting to cookies / other trackers.
TCF: TCF does not define “freely given” consent, therefore allowing for flexibility depending on local regulatory requirements and guidance. Appendix B, Policy C(h) TCF, however, accounts for cookie walls (if and where these are allowed) and their impact on other TCF UI requirements.

Topic: Prior information
Garante Guidelines: Cookies / trackers that are not strictly necessary cannot be placed prior to informing the user and collecting their consent.
TCF: Cookies / trackers that are not strictly necessary cannot be placed prior to informing the user and collecting their consent. See e.g. Policies 13(3) and 14(4) TCF.

Topic: Use of cookie banners / notices
Garante Guidelines: Encouraged. The banner / notice must be prominent and separate from other information.
TCF: Required. The banner / notice must be prominent and separate from other information. See Appendix B, Policy C(a) TCF.

Topic: Content of cookie banners / notices
Garante Guidelines: The banner / notice must allow the user to
  – view essential information about the use of cookies / trackers
  – view essential information about collection and processing related to digital advertising
  – accept (call to action)
  – access settings (call to action)
  – refuse, or close the banner by another means that entails refusal (call to action)
  – access a secondary layer or privacy policy that contains extended information
  – access a secondary layer where purpose- / third-party-specific choices can be made.
TCF: The banner / notice must allow the user to
  – view essential information about the use of cookies / trackers
  – view essential information about collection and processing related to digital advertising
  – accept (call to action)
  – access settings (call to action)
  – access a secondary layer or privacy policy that contains extended information
  – access a secondary layer where purpose- / third-party-specific choices can be made.
  See full information requirements in relation to consent in Appendix B, Policy C TCF.

Topic: Consent toggles
Garante Guidelines: Consent choices must be set to “off” by default.
TCF: Consent choices must be set to “off” by default. See Appendix B, Policy C(d) TCF.

Topic: Resurfacing UI
Garante Guidelines: Users must be able to modify their choices by resurfacing the banner through an easily accessible link.
TCF: Users must be able to modify their choices by resurfacing the banner through an easily accessible link. See Appendix B, Policy C(f) TCF.

Topic: Purpose limitation & data minimisation
Garante Guidelines: Only data necessary to fulfil a specific, strictly defined purpose are collected.
TCF: Only data necessary to fulfil a specific, strictly defined purpose are collected. See Purposes, definitions and guidance in Appendix A TCF.

Topic: Design / colours and dark patterns
Garante Guidelines: Design and colours cannot be deceptive. Text treatment of commands should be identical.
TCF: Design and colours cannot be deceptive. Text treatment of commands should be identical. See Appendix B, Policy C(g) TCF.
