As of January 2022, the new guidelines of the Italian Data Protection Authority on the use of cookies and other tracking tools have come into force, binding anyone with a website, regardless of their activity.

Changes include the methods for signing consent, the installation of cookies by interested parties, and the communication of information.

Therefore, it is advisable to write a checklist to verify the compatibility of the website with the adjustments required by the Guarantor, and avoid the application of penalties, which are quantifiable in an amount equal to 4% of the annual turnover of the company.

Cookies are text files that websites place and store inside a terminal device, in the availability of their visitors. They are temporary files containing various information about the user: their IP address, their unique identifier, their email address and the preferences expressed, such as the categories of products most frequently purchased. It is therefore a tracking of computers and devices to collect information about the person who on the Internet downloads pages, fills in forms, buys goods, watches movies, etc...

By tracking user behaviour on websites, a profile can be built that can be used by advertisers and digital advertising platforms such as Google Analytics and Facebook Ads.

The one envisaged by the Italian Data Protection Authority is an adjustment that should protect users' privacy and facilitate their browsing experience on the web, making it possible to refuse all cookies by simply closing the banner with a click on the X, and no longer suffer their repetitive reappearance after refusal. In the past, accepting all cookies was the most convenient choice, while rejecting some or all of them required several clicks on various boxes, sometimes difficult to apply on the small screen of smartphones. Now, however, it is possible to choose at a glance whether to accept third-party profiling cookies or reject them all.

The most important change for companies concerns the tracking of user behaviour: in fact, banners on profiling cookies can no longer contain a reference to the legal basis of 'legitimate interest' (i.e. without consent).

The only exception applies to cookies that do not track or profile behaviour, technical and analytical cookies (analytics), as long as they only provide aggregate statistics, without tracking in any way the individual user, computer, or mobile phone (no IP address).​

​When we connect to a website, we almost always see a small window (banner) appear, informing us that the website publisher will download cookies on the computer or device used to connect. With the new guidelines, the Guarantor has clarified that cookies, and other tracking tools for purposes other than technical ones, can only be used after obtaining the consent, however informed, of the contractor or user.

The use of cookies must now be clearly communicated on the home page or in the general information of the site, in simple and clear language. The user must be able to close the banner-information with a click on a clearly visible X and this click is equivalent to rejecting all cookies and other profiling techniques. There must be a command to accept cookies and a link to choose analytically what to accept and what to reject. The company must store this information and not ask for consent again for at least six months.

Other practices such as scrolling (where sites consider cookies accepted if the user scrolls down the page) and cookie walls (where sites force the user to accept cookies in order to provide information or services) are also prohibited.​