Regulators in several countries are now starting to take a more stringent approach to GDPR consent, and Italy is no exception. On 10 July 2021, Il Garante announced new guidelines on cookies and other tracking technologies, with organisations being given six months to become compliant.

Summary

Who is affected?

Any company with headquarters in Italy, or which targets Italian data subjects, must ensure its cookie banner complies with the Italian DPA’s cookie guidelines before the deadline. That means even sites based elsewhere that happen to receive visitors from Italy must ensure they’re compliant.

So what’s changed?

The guidelines seek to clarify the existing regulations, and reiterate some key principles that website owners must follow when seeking consent from their users. These include:

  1. Scrolling should not, in itself, be considered as granting consent to the use of cookies.
  2. Cookie walls, which block the visitor from accessing a site unless they accept all cookies, are not allowed.
  3. Aside from some very specific circumstances, publishers must not repost banners to seek consent from a user who has already indicated their preferences. They can only do this at least six months after the initial choice.
  4. Only technical cookies (and anonymised analytics cookies) may be used without user consent, and the guidelines make clear that legitimate interest cannot be considered a legal basis for using cookies and other tracking mechanisms.

Of course, many reputable websites with appropriate privacy controls will already be compliant with these guidelines. What’s likely to be more significant, and a potential headache for publishers, is the new, more specific stipulations about consent banners.

Cookie banners – what must be included

Since GDPR was introduced across the EU in 2018, internet users have become all too familiar with pop-up consent banners asking them to agree to, or reject, the use of cookies. But these can take varying forms, with some more transparent than others.

To be compliant with the new Italian guidelines, however, the consent banner must include:

  • a button (such as an “X” in the top-right corner), which prevents all but technical cookies from being used if the visitor clicks on it
  • a warning that closing the banner (e.g. by clicking on the “X”) will result in the default settings, i.e. no cookies except technical ones
  • text advising the user that the site may implement profiling cookies or other tracking technologies after obtaining their consent
  • a link to the extended privacy policy that is always accessible from the footer of any page on the site
  • a button enabling the user to accept the implementation of all cookies (or other tracking technologies)
  • a link to a specific area where the user can choose which particular functionalities, third parties and cookies they want to allow

What impact will this have on consent rates?

Since more users opting out of third-party cookies could ultimately reduce a website’s advertising revenue, publishers are understandably concerned about the impact of the changes. The key question is, will implementing the new requirements lead to a significant drop in users opting in to cookies?

To help answer this question, Clickio, the tech partner for publishers, recently ran an experiment with six Italian websites testing two new consent banners against the existing version (pictured below).

The first variation included an “X” in the top-right corner, as suggested by Il Garante:

The second alternative also provided a link to close the banner and thereby reject cookies, but instead made this a text link at the bottom left of the page:

The results

Following a couple of weeks of testing, we’ve been able to see the impact of using the new-style pop-ups compared to the old version. Here are the aggregated results:

So we can see that adding an “X” button at the top right of the CMP, as suggested by the new guidelines, causes a drop in the percentage of users agreeing to all cookies. In fact, in that situation almost a fifth of users choose to reject all. 

However, by following a slightly different interpretation of the guidelines, with a text button at the bottom left providing the same functionality, we see statistics very similar to the previous “no button” version, with only 1% of users choosing to reject all.

Lessons for publishers

It would seem the specific design of the CMP can make a big difference to the overall impact – so it will be important to see how exactly the regulator interprets and enforces the new guidelines on GDPR consent. Meanwhile, publishers need to be adaptable and actively test alternative banner designs ahead of the new regulations coming into force on 10 January.

Need some help?

Clickio’s Consent Management Platform takes the hassle out of managing GDPR consent. It’s easy to set up in just a few minutes with some simple code and you can see your consent data in real time with live reporting.

Our consent tool is officially recognised by the IAB as compliant with the Transparency and Consent Framework v2.0, and we’ll continue to keep up with changes in regulations to help you stay compliant, while also optimizing the design to drive higher consent rates.

Clickio’s consent tool is available free of charge to all publishers.