Cookies and other tracking tools.


Article 122 of the Code and Articles 4, point 11), 7, 12, 13 and 25 of the Regulation.

Cookies are usually strings of text that the websites visited by the user (so-called publishers or "first parties") or other websites or web servers (so-called "third parties") place and store on a terminal device available to the user (so-called "active" identifiers). Similar functions can be performed by other tools that use a different technology (so-called "passive" identifiers) but allow processing similar to that carried out through cookies.

Cookies and other technical identifiers

They are used for the sole purpose of "carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the contractor or user to provide this service" (see Art. 122, paragraph 1 of the Code).

They do not require the acquisition of consent, but must be indicated in the information.

First and third party analytics cookies

They are treated as equivalent to cookies and other technical identifiers only if:

– they are used solely to produce aggregate statistics and in relation to a single site or a single mobile application;

– for third-party ones, at least the fourth component of the IP address is masked;

– third parties refrain from combining the analytics cookies, thus minimized, with other processing (customer files or statistics of visits to other sites, for example) and from transmitting them to further third parties. However, third parties are permitted to produce statistics with data relating to multiple domains, websites or apps that are attributable to the same publisher or business group.

The owner who carries out on its own merely statistical processing of data relating to multiple domains, websites or apps attributable to it may also use the unencrypted data, in compliance with the purpose constraint.

Cookies and other tracking identifiers with non-technical function

They are used to trace specific actions or recurring behavioral patterns in the use of the features offered back to specific, identified or identifiable subjects, for the purpose of grouping the different profiles into homogeneous clusters of different sizes. This makes it possible to modulate the provision of the service in an increasingly personalized way and to send targeted advertising messages, i.e. messages in line with the preferences expressed by the user when browsing the internet.

Main innovations introduced by the GDPR having effects on the use of cookies and other tracking tools

– accountability;

– supplementing the information (data retention times must also be specified);

– strengthening of consent (it must be "unequivocal");

– respect for the principles of privacy by design and by default.

Information and consent

How to provide the information:

– simple and accessible language;

In the case of users with accounts (so-called authenticated users), the cross-referencing of data relating to navigation carried out using multiple devices is prohibited without prior consent.

Additional information to be provided to users

The coding criteria adopted for cookies and other tracking tools, to be communicated to the Authority upon request; the possibility, for authenticated users, to consent to tracking that is also carried out through the cross-analysis of behavior across different devices.

Analysis of some methods of collecting consent

Scrolling: in itself unsuitable for collecting adequate consent, unless it is part of a more complex process in which the user is able to generate an event that can be recorded and documented on the site's server and that qualifies as a positive action capable of unequivocally demonstrating the wish to consent to the processing.

Cookie wall: unlawful, except where (to be verified case by case) the site offers the interested party the possibility of accessing content or an equivalent service without giving consent to the installation and use of cookies, to be evaluated in light of the principles of the Regulation.

Validity of consents already collected

If they comply with the characteristics required by the Regulation, consents collected previously remain valid, provided that they were recorded at the time of their acquisition and can therefore be documented.

Time to adapt the systems and processing already in place to the principles expressed by the Guidelines

6 months from the publication of the Guidelines in the Official Journal.