Pass the Garante's 2021 cookie test: prove no trackers fire before consent, and back it with localized GDPR documents.
In Italy, cookie consent is governed by Article 122 of the Codice Privacy (Legislative Decree 196/2003), which transposes the ePrivacy Directive (2002/58/EC), read together with the GDPR. The benchmark for compliance is Provvedimento No. 231 of 10 June 2021 โ the Garante per la protezione dei dati personali's "Linee guida cookie e altri strumenti di tracciamento," published in the Gazzetta Ufficiale on 9 July 2021. These guidelines set strict rules: no non-technical cookie or tracking technique (including fingerprinting) may fire before the user gives an unambiguous, informed consent, scrolling alone is not valid consent, and rejecting must be as easy as accepting. A free CookieSentry scan loads your live Italian site the way a real visitor would and names every cookie or tracker firing before consent โ the exact failure the Garante and the Guardia di Finanza look for during inspections.
Article 122(1) Codice Privacy permits storing or accessing information on a user's terminal only after the user has given informed consent; the Garante's 2021 guidelines require that consent be prior, unambiguous and as easy to refuse as to give.
Applicable laws
Supervisory authority
Garante (GPDP)
Garante per la protezione dei dati personali
www.garanteprivacy.it10 June 2021
Date of Garante Provvedimento No. 231 setting Italy's binding cookie guidelines
Garante per la protezione dei dati personali, Provv. n. 231/2021 (garanteprivacy.it)
โฌ20M / 4%
Maximum GDPR fine the Garante can impose for unlawful cookie processing
Article 83(5) GDPR / Garante enforcement
6 months
Maximum a refusal banner should reappear; consent may be remembered up to this period
Garante Cookie FAQ, garanteprivacy.it/faq/cookie
4 June 2025
Garante cookie decision (Provv. n. 327) issued after a Guardia di Finanza inspection
Garante, Provvedimento del 4 giugno 2025 (garanteprivacy.it)
Under Article 122(1) Codice Privacy and the 2021 guidelines, no profiling cookie, third-party cookie or passive tracking technique (such as fingerprinting) may be placed or read on first access. Only technical cookies โ strictly necessary to provide a service the user requested โ are exempt and need only an informative notice.
The Garante expressly rejected consent-by-scroll: the simple scrolling of the page is not in itself suitable to manifest conscious, unambiguous consent. Consent requires a clear, recordable affirmative action by the user.
The banner must offer an equally prominent way to refuse โ for example an 'Accept' command alongside an explicit reject option or an 'X' that closes the banner while keeping default (no-tracking) settings. Pre-ticked boxes and dark patterns favoring acceptance are prohibited.
The banner must identify profiling and third-party cookies, link to the full cookie policy naming recipients of the data and retention periods, and let users select purposes granularly. Closing the banner without choosing must leave only technical cookies active.
Denying access to anyone who refuses consent (a 'cookie wall') is unlawful unless an equivalent alternative is offered, assessed case by case. As accountability under the GDPR requires, you must be able to demonstrate the state of your site at the moment of consent.
Italy did not write a standalone 'cookie law.' The rule lives in Article 122 of the Codice Privacy (Legislative Decree 196/2003), the national transposition of the ePrivacy Directive. Article 122(1) permits storing information on, or reading information from, a user's device only on condition that the user has given consent after being informed through simplified arrangements. Since the GDPR became applicable, that consent must meet the GDPR's standard: freely given, specific, informed and unambiguous.
The operational detail comes from the Garante per la protezione dei dati personali. Its Provvedimento No. 231 of 10 June 2021 โ the 'Linee guida cookie e altri strumenti di tracciamento' โ replaced the 2014 simplified rules and set today's expectations. Crucially, the guidelines confirm that the default state on first access must be zero non-technical cookies and no active or passive tracking, putting the legal burden on the site to keep trackers silent until the visitor chooses otherwise.
Enforcement in Italy is not theoretical. After publishing the 2021 guidelines, the Garante launched a sustained inspection program carried out with the Guardia di Finanza's specialist privacy unit, sampling websites and assessing banners and pre-consent behavior online. Decisions issued in 2025 โ such as the cookie measures of 4 June 2025 (including Provv. n. 327) โ flowed directly from inspections begun in 2023.
Outcomes range from formal warnings under Article 58(2) GDPR to financial penalties; one company in the June 2025 decisions received a sanction of โฌ45,000. Because the maximum exposure for unlawful cookie processing is โฌ20 million or 4% of worldwide turnover under Article 83(5) GDPR, the practical question for any Italian site is simple: can you prove that nothing non-essential fired before consent?
CookieSentry is an audit and GDPR-documents tool, not a consent banner and not a CMP. Keep whatever banner you already run; CookieSentry checks whether it actually holds the line the Garante drew. The scanner loads your live URL like a real visitor and flags every cookie and tracker firing before consent, naming each source, and produces an exportable report and PDF evidence you can keep on file for accountability.
On top of the scan, CookieSentry generates GDPR documents โ privacy and cookie policies and records โ that can be localized to Italian requirements, including the disclosures the Garante expects in a cookie policy: categories, third-party recipients and retention periods. Together, the pre-consent audit and the documents give you a defensible position if the Garante or the Guardia di Finanza comes knocking, without changing how your banner works.
L'archiviazione delle informazioni nell'apparecchio terminale di un contraente o di un utente o l'accesso a informazioni giร archiviate sono consentiti unicamente a condizione che il contraente o l'utente abbia espresso il proprio consenso dopo essere stato informato con modalitร semplificate.
Italy's cookie consent obligation sits in Article 122 of the Codice Privacy (D.lgs. 196/2003), transposing the ePrivacy Directive. The Garante's binding interpretation is Provvedimento No. 231 of 10 June 2021, published in the Gazzetta Ufficiale on 9 July 2021.
The Garante per la protezione dei dati personali (garanteprivacy.it) supervises cookie compliance and works with the Guardia di Finanza's specialist unit to inspect websites. It can warn, order changes, or fine under the GDPR.
The Garante's cookie decisions of 4 June 2025 (including Provv. n. 327) stemmed from 2023 inspections; one entity was sanctioned โฌ45,000 for a non-compliant banner. Inspections of cookie-guideline compliance are ongoing.
CookieSentry scans your live site and flags every cookie and tracker that fires before consent โ the failure Garante (GPDP) is most likely to act on โ and names the source so you can fix it. Run the free public scan to get exportable evidence of what fires before consent, mapped to Italy's rules. It is not a consent banner โ keep your banner and add the audit and evidence layer on top.
Article 122 of the Codice Privacy (Legislative Decree 196/2003), which transposes the ePrivacy Directive (2002/58/EC), read together with the GDPR. The Garante's Provvedimento No. 231 of 10 June 2021 sets the detailed rules every Italian website must follow.
No. The Garante's 2021 guidelines state that simple scrolling is not, by itself, a valid expression of conscious consent. You need a clear, recordable affirmative action; until then, only technical cookies may load.
Yes. The banner must let users refuse as easily as they accept โ for example via an explicit reject command or an 'X' that closes the banner while keeping only technical cookies active. Pre-ticked boxes and dark patterns are prohibited.
CookieSentry scans your live site like a real visitor and flags every cookie or tracker firing before consent, naming each source, with an exportable PDF report for your records. It also generates GDPR documents โ privacy and cookie policies and records โ localized to Italian requirements. It is not a banner or CMP; you keep your existing banner.
Operating across the EU? The rules differ by market โ check the country that applies to you.
Run a free CookieSentry scan on your live pages, catch cookies firing before consent, and export evidence mapped to Italy's rules โ no signup required.
Run a free scan โLast reviewed 2026-06-14. General information on Italy cookie rules, not legal advice; verify current requirements with Garante (GPDP) or qualified counsel.