On 10 July 2021, the Italian Data Protection Authority (Garante per la protezione dei dati personali) approved new Guidelines on cookies and other tracking tools. They were published to ensure compliance of all websites with the General Data Protection Regulation (GDPR) and the ePrivacy Directive.


Companies had six months to comply with the deadline on the 10th of January 2022. From that moment, businesses that fail to abide by such rules could be sanctioned severely by the Garante.


In this article, Didomi will help you find out how to conform to the new Garante directives on cookies.






Cookies and other tracking tools: Definition


Before going into the new guidelines in depth, we should recall what cookies and other tracking tools are.



Cookies can be defined as text files created by a web server, containing data and information that remain stored on users' devices when they connect to the internet through a browser. 


A distinction must also be made between first-party cookies and third-party cookies: the former are created by a website's server that the user is visiting (briefly referred to as the 'publisher'); while third-party cookies are set up by a website that is different from the one that the user is visiting at one moment (for example: a Facebook cookie could be set up on an e-commerce site).


Technical cookies are those that allow you to identify users who have visited your website before, while analytical and profiling cookies enable you to obtain more or less in-depth information about users’ online activities.


The tools described above can be managed actively by users (e.g. refusing consent, removing cookies) and therefore, they are also called 'active identifiers'.


So, what about the 'other tracking tools'? 


Similarly to cookies, they enable processing (e.g. the Garante listed fingerprinting as an example), but they cannot be managed independently by users with the exception of data controller intervention (i.e. the website). Thus, other tracking tools are defined as 'passive identifiers.'


The new Guidelines emphasize the distinction between 'technical cookies,' used to make the website fast and efficient, and 'profiling cookies,' which serve to group users into similar profiles, set up personalized messages, and employ targeted advertising campaigns.


The new guidelines on cookies in Italy: context and requirements


In light of cookies and other tracking tools diffusion, European regulations and the Garante have sought to implement stricter and more precise rules on the protection of users' personal data. 


  • What is meant by collecting consent?

  • How to develop a compliant cookie banner?

  • Is it necessary to collect users' consent for statistical cookies?

  • What is an analytics cookie?


The new Guidelines on cookies and other tracking tools’ aim is to regulate specifically the users’ information supply and online consent. 


Indeed, their legal framework reflects a constant evolution of Privacy, cookie and data protection legislation: the European GDPR, the Italian Privacy Code, but also the ePrivacy Directive, the 12 March 2019 opinion of the EDPB on the interactions between itself and the GDPR, and the CNIL's recommendations that came into force in 2021.


Meanwhile, on 10 December 2020 the Italian Data Protection Authority (Garante per la protezione dei dati personali) launched a public consultation on the draft of the new guidelines. In short, cookies and other tracking tools information are not a starting point, but the apex of a long analysis, and the new rules represent an ‘improved’ version of the European Regulation 2016/679.


Checklist: 10 steps to be comply with the new cookies Guidelines 
Discover the 10 steps to become compliant with the checklist (in Italian) created just for you. With the new Garante Guidelines, collecting user data properly is now a legal obligation, as well as a moral one. The compliance deadline was January 10th, 2022. Hurry up!


Dowload the checklist (in Italian)


The Garante checklist pdf  - Socials (Rectangle)




The new cookie Guidelines affect all companies that are based in Italy or offer their services to Italian users. Briefly, the Garante meant to clarify some core aspects of users’ consent management and personal data, including : 


  1. Cookie banners

  2. Consent collection

  3. Privacy by Design and Privacy by Default

  4. User preferences regarding consent:

  5. Statistical cookies (analytics)

  6. Proof of consent

  7. The legal bases concerning cookies other than consent


The Data Protection Authority’s requirements: what to do


It's now time to get to the heart of the matter. Find below the new guidelines for cookies and other tracking tools


Cookie Banners

When dealing with profiling cookies or other tracking tools on a website, a cookie banner is functional to collect consent. Cookie banners need only appear on the user's first visit, and they must meet the following requirements:


  • While they should allow users to consent to cookies or other tracking tools, collection of consent must be unambiguous. In other words, implied consent or pre-checked boxes are no longer allowed.

  • Cookie banners must include a link to the cookie policy showing any other personal data recipients, retention periods, and user's rights.

  • A link to reach other specific areas should be included as to select granular functionalities, providers, and cookies that users may choose to consent to.

  • They must make revocation of consent easier through an available edit link, should they wish to change their consent settings. This way, preferences can be changed at any time.

  • Lastly, cookie banners must use simple and accessible language. For the sake of uniformity, different-sized and/or colorful buttons should not be used.


Below are two examples of compliant (and performing) cookie banners created by Didomi, those of "Al Femminile" and "Subito.it" respectively. In addition to being in conformity with the cookie guidelines, customized stylistic elements fall perfectly in line with the brand.





If you are interested to know more, have a look at our article on how to implement cookie banners in compliance with Garante's cookie Guidelines.

Collecting consent

Scrolling or scrolling down does not always mean unequivocally giving consent to data processing. As an exception, the Garante found that if methods to clearly express users' intention to consent can be implemented  (e.g. patterns, virtual buttons, color, format or position changes, etc.), they may be deemed to be 'in line with the requirements of the law'.


The aim is, therefore, to avoid 'false positives', (i.e. misinterpretation of random actions such as the positive expression of consent just by scrolling). 


Except in cases where a website allows users to log in without need of consent to the installation and use of cookies (to be assessed case-by-case), cookie walls are deemed unlawful. 


Compliance with Privacy principles by Design and by Default


  • Control over users’ personal data must take place through a cookie banner meant only to process personal data that are necessary to fulfill a specific purpose by default.

  • Also, cookie banners must allow the user to close them by an 'X' in the top right-hand corner without having to consent to the use of cookies or other profiling techniques while maintaining the default settings.


Validity of users’ consent preferences

If compliant with the Regulation, consents collected prior to the publication of the new Garante guidelines on cookies are considered valid, provided that they were recorded at the time of their acquisition and can therefore be documented.


In general, cookie banners can’t be shown to users before 6 months from consent collection.


Analytics cookies (or statistical cookies)

In the new cookie guidelines, the Garante emphasizes that first-party analytics cookies (or statistical cookies) may be installed without collecting users’ consent, if they are akin to technical cookies (e.g. able to create aggregate statistics with IP anonymization and with reference to a single website).


As regards third-party analytics cookies, they can be installed without the user's consent only if they fulfill the following conditions:


  • Third-party analytics cookies are only for aggregated statistics purposes in relation to a single site or a single mobile application. 

  • They are minimized (at least by masking out the fourth component of the IP address).

  • The data collected is not shared or disclosed to third parties.

  • The data obtained is not mixed with other data.


Please note: in some countries (such as Belgium, Ireland, and the UK) analytics cookies always require consent.


Proof of consent

Users' consent to the processing of data must be 'free, specific, informed and unambiguous', as per GDPR.


Other legislation applicable to cookies

In short, the Garante has explicitly stated that cookies and other tracking tools cannot be installed without consent (except under exceptional circumstances, e.g. if the cookies are solely for the purpose of providing a service requested by the user). Consequently, the new cookie Guidelines clarify that legitimate interest is no longer allowed for profiling.


For more information, please read our article on this matter.


The time limit to comply with the new Regulation may have passed (we kindly remind you that the deadline to conform with the new guidelines on cookies and other tracking tools was 10 January 2022), but we are always available to help abide by the law now if you have not already.


  Request a demo


How to comply with the cookie guidelines: Didomi can help


At Didomi, we make sure that our customers comply with the Garante regulations showing them that we support their rights and provide them with personalised experiences; so that we can turn a legal obligation into an opportunity for the brand.


As Didomi has developed expertise on all the core elements of consent collection and management, our products can save you worrying and wasting time when it comes to conforming with your cookie banners, cookie policy and all the other aspects mentioned in the cookie Garante guidelines!


The fundamental elements of a cookie policy:


  • the information on the Data Controller is mandatory (the company name or the name and surname of the  person who owns the site, the registered office, tax code and VAT number, e-mail address); 

  • the name of the Data Protection Officer and his/her contact details; 

  • the list of cookies installed by the site, grouped into categories (technical, profiling and any distinction between first and third parties), together with a brief description of what they are and an indication of the data collection period and retention criteria. We recommend using simple and transparent language;

  • the list of non-technical identifiers;

  • the list of users’ rights as per the GDPR and how to exercise them.



Our cookie banners are 100% compliant with the new Garante guidelines without impacting performances. Indeed, in addition to being a legal obligation, such tools also represent an opportunity to optimize marketing campaigns.


Essentially, at Didomi observance of the law and data protection go hand in hand with personalization and performance optimization!


The main advantages of the Didomi Consent Management Platform are: 


  • It easily manages and optimizes user consent collection across all your channels (web, mobile, apps, smart TV...)

  • It complies with the GDPR (as well as with the new Garante Guidelines)

  • Allows you to easily collect and store user data

  • It is efficient by optimizing consent rates

  • It is customizable - you can test different formats and styles to improve your consent rate

  • Allows you to increase users’ trust while visiting your website and, consequently, improve your brand image


didomi-italian-phone-interfaceDidomi's CMP on mobile - compliant without compromising performance

Start the installation process today with one of our experts, so that you can start to benefit from an effective and compliant Consent Management Platform! 

  Request a demo