Italy

Can you place cookies without consent?

No.

The Italian DPA distinguishes cookies into three major groups:

a) Technical cookies: which are those used exclusively for “carrying out the transmission on an electronic communications network, or insofar as this is strictly necessary to the provider of an information society service that has been explicitly requested by the contracting party or user to provide the said service” (Article 122(1) of the Privacy Code).

These cookies could be further grouped into:

  1. Browsing or session cookies – which allow users to navigate and use a website;
  2. Analytics cookies – which can be equated to technical cookies insofar as they are used directly by the website’ owner (the “Publisher”) to collect aggregate information on the number of visitors and the pattern of visits to the website; and
  3. Functional cookies – which allow users to navigate as a function of certain pre-determined criteria such as language so as to improve the quality of service;

b) Profiling cookies: these cookies are aimed at creating user profiles and are used to send ads messages in line with the preferences shown by the user during the web browsing; and
c) Third-party cookies: which are installed on the user’s devices by the owner of another websites through the Publisher’ website – e.g., cookies installed by social networks.

These cookies could be further grouped into:

  1. Third-party analytics cookies – which can be equated to technical cookies as long as technical means to reduce the identifying power of cookies (such as the IP masking allowed by Google Analytics) are adopted and the third-party does not cross- reference the collected information to other information already available to it; and
  2. Third-party profiling cookies – which are aimed at creating user profiles and are used to send ads messages in line with the preferences shown by the user during the web browsing.

Consent is necessary for profiling cookies and for third-party analytics cookies. As long as technical means to reduce the identifying power of cookies (such as IP masking allowed by Google Analytics) are not adopted and as such the third-party cross references the collected information to other information already available to it.

Are cookie rules (whether specific or within general data protection laws) followed in practice?

Yes, mostly followed. However please note that to the date the Italian Data Protection Authority has never adopted sanctioning measures in relation to cookie and similar technologies on a device, rather only a few decisions warning and preventing controllers from using Google Analytics due to the connected transfer of personal data to the USA.

Are there any exemptions if consent is required?

Yes.

It is not necessary for the above cookie categories a) and c1.

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

Please see Q1 above.

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

No.

The consent can only be legitimately collected through the implementation by design of an unequivocal and informed choice of the user, which is at the same time recordable and documentable.

Can you set cookies without a cookie notice? 

No.

Required for every cookie category.

Can you set cookies without a cookie banner/ management tool?

No.

It is necessary for:

  1. Third-party analytics cookies, if there are no adopted technical means to reduce the identifying power of cookies and the third-party does not cross-reference the collected information to other information already available to it; and
  2. Profiling cookies.

Are you able to use cookie walls? 

No.

However, the Garante has been looking into a very recent practice implemented by some Italian online editors which have purportedly implemented a barrier that could be considered similar to a cookie wall. A formal decision of the Garante on this is expected in the near future.

Is the local regulator currently enforcing decisions against breaches of cookie rules?

No.

However, please see Q2 above: a change in the enforcement by the Garante is expected in the next future.

Are there any current consultations relating to ad tech/cookies?

None that we are aware of.

Are there any anticipated changes to the rules and/ or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

The Italian Data Protection Authority has approved new Guidelines on cookies dated June 10, 2021, with the aim of strengthening the decision-making power of users over the use of their personal data when they surf online. The measure was adopted taking into account the results of the public consultation publicised at the end of last year.

Guidelines for cookies and other tracking tools - Italy