The Legal Framework Behind Italian Cookie Rules
Italy regulates cookies through a layered legal structure. The Codice in materia di protezione dei dati personali (Legislative Decree 196/2003, as amended by Legislative Decree 101/2018) is the primary national data protection law. Article 122 of the Codice Privacy transposes Article 5(3) of the ePrivacy Directive into Italian law, establishing the requirement for prior consent before storing or accessing information on a user's device.
The GDPR applies directly in Italy and sets the standard for what counts as valid consent. The Garante's 2021 cookie guidelines (published 10 July 2021, enforceable from 10 January 2022) sit on top of these two laws, providing detailed practical rules for how websites must handle cookies and similar tracking technologies.
This means Italian websites face three overlapping sets of obligations: the ePrivacy Directive (as transposed by Article 122), the GDPR's consent standards, and the Garante's specific guidance.
What the Garante's 2021 Cookie Guidelines Require
The Garante's updated guidelines replaced its earlier 2014 cookie guidance and introduced several strict requirements that go beyond what many other EU data protection authorities mandate.
Your cookie banner must present both an "Accept" and a "Reject" option (or an "X" button that functions as rejection) on the first layer. The Garante explicitly requires that users be able to refuse non-essential cookies as easily as they can accept them. Closing the banner with the "X" button must preserve default settings, meaning only strictly necessary cookies remain active.
Granular controls are mandatory. Visitors must be able to select or deselect individual cookie categories, specific functionalities, and named third parties. A simple accept/reject binary is not enough on its own - a second layer must offer category-level choices.
The guidelines also demand uniform visual presentation. Buttons for acceptance and rejection must be the same size, colour, and prominence. Using a large, colourful "Accept" button alongside a small, greyed-out "Reject" link would violate the guidelines and could constitute a dark pattern.
Scroll-Based Consent Is Banned
Before 2022, many Italian websites treated page scrolling as a form of implied consent. The Garante's updated guidelines explicitly prohibit this practice.
Scrolling alone is not a valid mechanism for collecting cookie consent. The only narrow exception applies where scrolling forms one component of a broader, multi-step process that unambiguously records the user's informed choice. In practice, this exception is almost impossible to implement correctly, and relying on it is risky.
The same logic applies to other passive actions. Simply continuing to browse the site, clicking a generic link, or interacting with page content does not constitute valid opt-in consent.
Cookie Wall Restrictions Under Italian Law
A cookie wall blocks access to a website unless the visitor consents to non-essential cookies. The Garante considers cookie walls unlawful by default.
There is one exception: a cookie wall may be permissible if the website offers an equivalent alternative means of accessing the same content or service without requiring consent. This could mean providing a paid, cookie-free version of the site alongside the ad-funded version that uses tracking cookies.
The bar for "equivalent alternative" is high. A stripped-down or degraded version of the site would likely not qualify. If your website uses a cookie wall without a genuine alternative, the Garante can treat any consent obtained through it as invalid under GDPR Article 7.
How Italy Compares to Other EU Countries
Each EU member state interprets the ePrivacy Directive and GDPR consent rules with slight variations. The table below compares Italy's approach to three other major EU jurisdictions.
| Requirement | Italy (Garante) | France (CNIL) | Germany (TTDSG) | Spain (AEPD) |
|---|---|---|---|---|
| Reject button on first layer | Required | Required | Required (per case law) | Recommended |
| Scroll as consent | Banned | Banned | Banned | Banned |
| Cookie walls | Banned (unless equivalent alternative) | Conditional (pay-or-consent model) | Generally banned | Generally banned |
| Equal button prominence | Explicitly required | Explicitly required | Required (court rulings) | Recommended |
| Granular category choices | Required | Required | Required | Required |
| Re-consent period | 6 months recommended | 6 months | Not specified | Not specified |
Consent Re-prompting and Cookie Duration
The Garante recommends that consent preferences be stored for no longer than six months. After that period, the cookie banner should reappear and prompt the visitor to confirm or update their choices.
This applies to the technical cookie that records the user's consent decision (often named something like cookieconsent_status or CookieConsent). Setting this cookie's expiry beyond six months may be considered non-compliant, though the Garante treats this as a recommendation rather than an absolute rule.
For the cookies themselves, the Garante expects cookie durations to be proportionate. A cookie duration of two years for an analytics tracker like _ga is common but should be disclosed clearly in your cookie policy.
Garante Enforcement Actions and Inspection Trends
The Garante has actively enforced its cookie guidelines since January 2022, working with Italy's Guardia di Finanza (Financial Police) to conduct remote inspections of websites. These inspections check banner configuration, consent mechanisms, and cookie policy completeness.
In 2025, the Garante identified violations including incomplete cookie information, missing disclosure of data recipients, and failure to explain that closing the banner with the "X" button maintains default (reject) settings. Some of these decisions resulted in formal warnings rather than monetary fines, particularly where the website operator took prompt corrective action.
The Garante's inspection plan for the first half of 2025 explicitly listed cookies and tracking tools as a priority enforcement area. Fines for cookie violations in Italy follow the GDPR's penalty framework under Article 83, with a maximum of 20 million euros or 4% of annual global turnover.
A 2023 enforcement action against a digital marketing company resulted in a 300,000 euro fine for GDPR violations that included dark pattern techniques in its consent interface.
Cookie Policy Requirements
Your cookie policy must be accessible from the first layer of the banner via a clear link. The Garante requires that it include the identity of the data controller, every category of cookie used, each third party that receives data through cookies, retention periods for each cookie, and instructions for withdrawing consent.
The policy must use plain, accessible language. Technical jargon without explanation does not satisfy the transparency requirement under GDPR Articles 12 and 13.
Compliance Checklist for Italian Cookie Rules
Use this checklist to verify your website meets the Garante's requirements:
Cookie banner displays on first visit with Accept and Reject buttons of equal size and colour
No non-essential cookies fire before consent is given
Scroll-through does not trigger consent
Granular category selection is available (analytics, marketing, functional, third parties)
Cookie wall is absent, or a genuine equivalent alternative is provided
Cookie policy is linked from the banner's first layer
Consent preference cookie expires within six months
A visible mechanism exists for users to change or withdraw consent at any time
All third-party recipients are named in the cookie policy
Consent records are stored as proof of compliance
Running a cookie scan is a practical first step. Automated scanning detects every cookie and tracker on your site, including those set by third-party scripts you may not be aware of.
Frequently Asked Questions
Is scroll-based cookie consent legal in Italy?
No. The Garante's 2021 guidelines explicitly ban scrolling as a method of obtaining cookie consent. Consent must be collected through a clear affirmative action such as clicking an Accept button.
Can I use a cookie wall on my Italian website?
Cookie walls are generally prohibited under the Garante's guidelines. The only exception is when you offer an equivalent alternative way to access the same content without requiring consent, such as a paid subscription option.
How often should I re-ask for cookie consent in Italy?
The Garante recommends re-prompting users for consent every six months. Set the expiry of your consent preference cookie accordingly.
Do I need both Accept and Reject buttons on my Italian cookie banner?
Yes. The Garante requires an Accept option and a Reject option (or an X button that functions as rejection) on the first layer of the banner. Both must have equal visual prominence.
What fines can the Garante impose for cookie violations?
Cookie violations fall under the GDPR penalty framework. The Garante can impose fines of up to 20 million euros or 4% of annual global turnover, whichever is higher. In practice, fines for cookie-specific violations have ranged from formal warnings to several hundred thousand euros.
Does the Garante require naming individual third parties in the cookie policy?
Yes. Your cookie policy must identify each third party that receives data through cookies set on your site, not just generic categories.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of Italian and EU law.
