How to bring your site into compliance with the new rules of the Guarantor on cookies


privacy policy in order

From January 10, 2022, the Privacy Guarantor began checking that sites and apps comply with the new cookie rules (applicable to you if you or your users are based in Italy).

Key points of the law update:

Is the presence of "Accept" and "Reject" buttons required on the cookie banner?
According to the Italian Guarantor, the banner must contain: an "accept all" command; an “X” or any other equally unambiguous command on which users can click to close the banner and continue browsing without accepting any cookies (“reject all”)

Should the “Accept” and “Reject” buttons have equal relevance?

Is it mandatory to previously block cookies that require consent?

Is scrolling consent considered valid?

Is consent through continued navigation considered valid?
Probably not, but it's not specified

Are cookie walls allowed?
Unless the site owner provides an alternative to access the service without accepting cookies that require consent (possibly even for a fee, it is not specified).

Should cookies be listed individually?
It's unclear (seems unlikely).

Must the purposes of the processing be listed in the banner?
Best practice.

Must cookie consent be granular (i.e. expressed by categories)?
Consent must be granular, but the implementation of the granularity criteria is left to the service provider. The Guarantor speaks of "functionality", "third parties" and "cookie categories" when referring to the grouping criteria.

Is proof of consent required similar to the GDPR?

Should withdrawing consent be as simple as giving it?
YES. Ideally via a link in the footer. The Guarantor also suggests providing an always visible icon that summarizes the user's choices.

Is the use of a cookie banner recommended?

Are “strictly necessary” cookies exempt from the requirement of consent?
YES. Strictly necessary cookies and trackers:
to effect or facilitate the transmission of a communication over an electronic communications network
to provide a service explicitly requested by the user they do not require the user's consent.

Are there other legal bases applicable to the use of cookies (and other trackers) besides consent?
Unlike other authorities, the Italian Guarantor explicitly declares that no other legal bases are applicable.

Should third parties be listed and identified?

Is it specified how long consent to a cookie must last?
It is possible to ask users for consent again only if:
the conditions of consent have changed (for example, new third-party services have been added or old ones have been eliminated);
or the site owner does not have the technical means to keep track of previous consent (for example, the user has deleted the consent cookie stored on his device);
or at least 6 months have passed since the last consent.

Are pre-selected checkboxes allowed?

BigFive is a certified Iubenda Partner and can help you get your site up to speed.

iubenda bronze partner

Furthermore, it must be remembered that:

1. They must be present privacy policies for each language on your site.

2. You must obtain verifiable consent. According to the GDPR, consent is one of the legal bases for data processing. Since consent under the GDPR is a matter of primary importance, it is mandatory to promptly record the consents obtained. To do it it is necessary to activate a consent register.

3. Consent must also be recorded for all forms. The Consent Solution helps you track every aspect of consent (including documents or legal notices and consent forms presented to the user at the time of collecting consent), as well as the preferences expressed by the user.

4. If you show advertising on your sites and use the IAB Transparency and Consent Framework (TCF), disable legitimate interest If you have changed the duration of the cookie preference (“Validity of user preferences relating to consent”), ensure that it is set to at least 6 months

What do you risk by not respecting user privacy?

Failure to comply with the rules carries the risk of huge fines. Depending on the severity of the privacy violation, you risk sanctions ranging from 2% up to 4% of the turnover.
That's why we have chose to rely on Iubenda, a company made up of both legal and technical figures, specialized in this sector.
Together with iubenda, of which we are Certified Partners, we are able to offer all our customers a simple and safe solution to the need for legal compliance.

How can we help you get your site up to speed?

Thanks to our partnership with Iubenda, we can configure everything necessary to bring your site into compliance. Iubenda is in fact the simplest, most complete and professional solution to comply with regulations and one of the few already compliant with Google Consent Mode.