A lot is changing in Italy in terms of data protection: website owners can no longer claim legitimate interest in order to place tracking cookies on their users’ devices. 


The Italian Data Protection Authority, Il Garante, published new Guidelines regarding the use of cookies and other tracking technologies on 10 July. Keep reading to find out how to collect consent in a compliant way, switching from legitimate interest as the number one legal basis for data processing to a more consent-focused model.






What are profiling cookies and what is legitimate interest?


Let's clarify a couple of key points about profiling cookies and legitimate interest.


First of all, there is a big difference between technical and profiling cookies. While technical cookies are only functional and are used to provide the service to ensure the smooth running of the website, profiling cookies track users when they surf on websites or applications. The objective of profiling cookies is to collect user data to facilitate direct marketing activities and show the user targeted ads. 


The legitimate interest of a website owner may constitute the legal basis of the processing as an alternative to consent. In a nutshell, before the new Garante Guidelines arrived, the website owner could place profiling cookies on users’ devices and process their personal data without their consent, under the claim of “legitimate interest”. Today, this is no longer possible. If personal data is being processed, the user must be informed. 


Websites & apps must be compliant with the new Garante Guidelines concerning the processing of personal data and the use of cookies and other tracking systems before 10 January 2022.

Would you like to know what are the main changes regarding the Garante's Guidelines in Italy? Read the article here.


The rise of consent 


Originally, the GDPR had been notably ambiguous on whether or not  direct marketing can constitute as a  legitimate interest, i.e. it can be done without user consent. This engendered confusion, and website owners carried on with their marketing activities, simply including legitimate interest clauses in their cookie banners.


The Italian Garante Guidelines have clarified the issue: cookies and other tracking tools with purposes that are non-technical (such as direct marketing)can only be used with valid user consent.


Also, such consent may only be considered valid if it is the consequence of a positive and conscious action that is verifiable and demonstrable. Consent must also be specific, i.e. expressed in relation to each different purpose of processing. 


The Garante’s position is clear: it will no longer be possible to claim, as it has been observed during audits carried out on several websites, that the website owner’s legitimate interest can be used to justify the use of cookies or other tracking tools.


Here is an example of a 100% compliant cookie banner. For more examples of Didomi clients who have implemented both compliant and creative banners, see our article here.



This banner is compliant because it provides the user with an option to refuse, contains a link to the privacy policy and another one to the second level of the banner where the user can manage their consent choices on a more granular level, finality by finality. And, last but not least, it blocks access to the website before the user has made a consent choice, understanding that consent by scrolling/navigating does not constitute a clear positive action. 


How Didomi can help you 


Didomi has developed a Consent Management Platform (CMP), which is in full compliance with the Garante Guidelines on the use of cookies and other tracking systems.


Discover Didomi for Compliance


A CMP helps you collect, store and synchronize consents in a compliant way, prioritizing consent, not legitimate interest, as we believe this will mark the future of data collection. It also allows your users to choose, one by one, the purposes for which their data will be used.


The Didomi CMP second level where users can make their preference choices on a purpose-by-purpose basis.


Didomi ensures compliance with local regulations, but also highly values performance. We help our customers ensure high consent rates, and provide analytics dashboards so that our clients can stay up to date on the data they collect. 


We also provide AB testing on the format, style and text of the banner, to ensure the highest consent rates possible for our clients.


Didomi's CMP on both mobile and web - This tool easily manages and optimises user consent collection on all your channels.


Kick start the implementation process today with one of our GDPR & Garante experts and benefit from an efficient, compliant and highly-performing CMP! 


  Request a demo