On 10 July 2021, the Privacy Guarantor published the new Guidelines relating to the use of cookies. How are e-commerce and websites required to comply with the rules imposed by the so-called cookie law? And what are the most useful tips for those who manage a site? Last November (2020), the same Privacy Guarantor had drawn up a preliminary draft of the Guidelines, to which most of the internet platforms had adapted quickly. The document had also been the subject of public consultation, desired by operators who wished to report their considerations. The Privacy Guarantor, therefore, has examined the assessments expressed by the operators regarding the draft of the Guidelines and has updated the document, proposing a definitive one, which we are about to describe.

The importance of the Guidelines on the use of Cookies

The importance of the decisions of the Privacy Guarantor lies in the need to regulate a field that is, to say the least, crucial for those who usually surf the internet and for operators in the sector. The Guidelines establish the way in which each website must manage the cookies released on users' devices. First of all, the Privacy Guarantor begins with a necessary premise, which can be summarized as follows. The reference regulatory framework, says the Guarantor, is currently made up of the provisions belonging to directive 2002/58 / EC (the so-called "ePrivacy directive") and subsequent amendments, as clearly highlighted in the national law and in particular in article 122 of the legislative decree of 30 June 2003 (the Privacy Code), as well as in the GDPR itself. The same indications are also present in the official document issued by the European Committee in relation to the protection, storage and management of personal data, published on 25 May 2018, then subsequently updated with the Guidelines adopted in May 2020.

The main changes reported by the Guidelines

The subjects most involved in the updating of the Guidelines on the use of cookies are the companies that manage legal documents. It will in fact be necessary to adapt the well-known banner cookies to the new provisions. But let's start from the beginning and explain what cookies are. This term indicates the text strings that websites store, directly or indirectly, within the devices used by users who land on a particular site. Therefore, these are files installed automatically on the terminals of those who surf the Net every time they visit a site, in order to memorize their choices, manage behavioral advertising, measure the effectiveness of advertising messages. In this regard, the new Guidelines issued by the Privacy Guarantor confirm what is indicated in the update dated 2014, namely that cookies can be differentiated into profiling cookies (those that monitor the user's habits and choices) and technical cookies ( those that allow the site to function properly and to load pages more quickly on each subsequent visit). The Guidelines also state that cookies are used to: "modulate the provision of the service in a personalized manner and to send targeted advertising messages, in line with the preferences expressed by the user while surfing the net". The same updated Guidelines also confirm that the release and installation of technical cookies can take place without any consent from the user, as these are necessary for the correct functioning of the site and not to keep track of user habits. As for the profiling ones, however, consent is always required.

The prohibitions confirmed by the Guarantor

The Privacy Guarantor also confirms some prohibitions already indicated above, relating to the ways in which websites offer consent to the user who lands on a site. It is absolutely forbidden to use page scrolling, as well as to use the so-called cookie wall . What is it about? It is soon said. Consent must always be expressed, this being the only legal basis on which the release and use of cookies is based. This cannot be the case if the site releases profiling cookies as soon as the user scrolls (perhaps unwittingly) the page. Even the cookie wall is considered unsuitable, since this is a binding system, which literally obliges the user to offer his consent, under penalty of inability to access the site. But then how should a site ask for the user's consent for the use of cookies?

How to request the user's consent

Having clarified the prohibitions, let's move on to illustrate the correct method to request consent for the release of cookies to users who visit a page. What must a website operator do to obtain valid and perfectly legal consent? The updated Guidelines roughly confirm the original plant dating back to 2014, with some important clarifications. First, you need to show a banner during the first login. The banner itself must have these characteristics: an "X" located at the top right, useful for closing the section or banner, and some clarifications relating to the cookie policy and user information, as long as both tables do not have too many items, as an excess of information could ruin the user's user experience. It should be noted that closing the banner is equivalent to a refusal regarding the release of profiling cookies. In this regard, it is mandatory that the banner inform the user that closing it implies acceptance of the default settings. As mentioned above, the banner must contain a short information section that refers to the importance and nature of cookies, also adding a link to the cookie policy. It is also necessary to indicate the retention period of the information and the general retention criteria. Finally, the banner must also include a second link, which leads the user within the area in which to select or deselect the profiling cookies issued by third-party suppliers (eg Facebook or Google) . This function is difficult to implement technically as cookies are issued by third parties, the control is limited.

The banner is only needed if the website releases profiling cookies

Also in this case the Privacy Guarantor confirms the orientation already expressed in 2014. The purpose is to allow the user to allow / deny the release of profiling cookies. No banner is mandatory if the site intends to release only technical cookies. The banner will not be repeated too often to the user, who may be annoyed by it. The Privacy Guarantor has therefore foreseen that at least six months must elapse from the last presentation, or a further update of the Guidelines is necessary. Finally, it is worth remembering that each site has six months from the publication of the document in the Official Gazette to comply.

These Guidelines were published in July 2021.
The deadline, therefore, falls on January 2022.

Useful forms for the GDPR and the Cookies Law

Author: Loris Modena


For Ind Loris Modena , owner of Arte e Informatica , he began working in the IT sector in 1989 as a system engineer in charge of the maintenance and installation of IT systems. He started programming for the web in 1997 dealing with CGI programming in PERL and then moving on to programming in PHP and JavaScript. In this period he approaches the Open source world and the management of Linux servers.

Product added to wishlist