If you own a website or work as a webmaster, you're probably familiar with the constant stream of privacy-related updates and changes.
On one side, there’s the new Cookie Law/GDPR regulation, which sets out rules for cookie handling, disclosures, and correct procedures for cookies and third-party software.
On the other, we have growing concerns after the invalidation of the “Privacy Shield” via the Schrems II judgment, which bans data transfers to the USA or US companies with European-based servers.
Recently, this has resulted in a German court banning CookieBot, and regulators in Austria and Norway blocking Google Analytics.
The Italian Privacy Guarantor also announced a new inspection plan, focusing on data processing by database providers, dating sites, and makers of smart toys.
Are you truly compliant?
Key questions to ask:
“Am I certain my website is truly compliant?”
“Does the solution I’m using just look compliant, or does it really meet all regulatory requirements?”
“What financial and reputational risks do I face if I ignore compliance?”
Let’s summarize 5 essential criteria your cookie management solution should meet:
1. 3 + 1 Buttons
Any privacy banner should feature “Accept,” “Customize,” and “Reject” buttons. In Italy, the X “close” button must also be present and should function like “Reject.” Using only custom button texts or alternative wording for “Accept/Reject/Customize” is risky—site owners should comply with both European (3 buttons) and Italian (X button) requirements.
Is clever or alternative wording worth the compliance risk?
2. Data Location
Cookie management solutions can be hosted directly on your own server or provided as an external service (SaaS). This choice has significant implications for privacy and compliance: many SaaS providers are based in the United States. If the Privacy Shield or similar agreements are invalidated again, it would be forbidden to transfer EU data to US-owned servers.
Even if the physical servers are in the EU, US laws such as the “Cloud Act” may allow US authorities access to data stored on those servers.
For the highest level of compliance and data security, it’s always best to use European solutions, or—ideally—host data on your own server.
3. Granular Consent
The user must be able to grant or refuse consent on a detailed, “granular” level—not just grouped by broad categories such as “marketing” or “functionality.”
The Garante’s June 10, 2021 guidelines require banners to provide a dedicated area where users can make detailed choices cookie-by-cookie or for each third party.
Does your banner allow for analytic, per-cookie choice as required by the regulator?
4. Cookie Preference Log (Documentation)
The Italian regulator confirms in their FAQ that a simple technical cookie is enough to track user consent choices. No central consent registry is required. Any log—if used—must only store the most recent user preference, not a history; otherwise, it might constitute unauthorized profiling.
The best practice: use a technical cookie that simply remembers the user’s last choice.
5. Preventive Blocking
All non-essential cookies and software (Google Maps, ReCaptcha, embedded video, etc.) must be blocked by default until the user consents. This requirement goes well beyond pop-up warnings or banners; it demands real technical implementation.
True compliance requires more than appearance—it requires robust technical solutions to avoid penalties or inspections.
Takeaway: In today’s climate, ignoring these issues is not an option. The end of the Privacy Shield and increased inspections make compliance more urgent than ever.
Have you and your clients made truly informed choices?
Share your experience or questions with us—your input helps everyone adapt to these changing regulations.
Click here to join the conversation.
