Italian Data Protection Authority issued guidelines on the use of cookies

On June 5, 2015, the Italian Data Protection Authority (“DPA”) issued Doc 4006878 clarifying specific issues concerning the implementation of the law on cookies (Individuazione delle modalità semplificate per l’informativa e l’acquisizione del consenso per l’uso dei cookie – Means to inform and obtain consent for the use of cookies, dated May 8, 2014 [3118884]).

In light of the duty to inform about the use of cookies implemented according to Directive 2009/136/EC, the DPA specified that:

  • websites that do not use cookies do not have to inform users;
  • websites that use cookies for their proper functioning only have the duty to inform users, without having to use banners;
  • websites that use analytical cookies can consider them as necessary for their functioning only if created by the first-party;
  • if the cookies are third-party’s cookies, the website owners are not subject to duties (e.g. notification to the DPA) if: (i) the cookie tracking capabilities are reduced (for example by blocking part of the IP); (ii) the third party agrees not to cross the information recorded through the cookie with others already in its possession;
  • if the website contains links to other sites (e.g. commercial banner, social networks) that do not require cookies, there is no need to inform the data subject;
  • in an “extended” privacy policy the consent to the use of cookies can be requested for categories (e.g. travel, sport);
  • it is allowed to provide only one privacy policy for multiple websites managed within one domain;
  • the provisions apply to all websites that feed cookies to users, without regard to whether they have a place of business in Italy.

For more information, Francesca Giannoni-Crystal


Follow us on& Like us on