The New Cookie Law: Scrolling Is Not Consent

How many times, out of haste or annoyance, do we simply swipe away the privacy banner on our smartphone—just to finally access the content we wanted?

Until recently, website operators routinely took advantage of this almost reflex action: they configured their cookie banners so that simply scrolling or dismissing the window (often unintentionally) was interpreted as consent to all cookies—whether technical, for analytics, or for third-party marketing. For users, this "consent" was rarely intentional.

However, starting January 9, 2022, the Italian Data Protection Authority (DPA) made it clear: scrolling or similar actions can no longer be considered valid consent. Consent must result from a deliberate, specific, and demonstrable action by the user.

As the new guidance states:


"According to recital 32, actions such as scrolling down a Web page or similar user activity will in no case satisfy the requirement of a clear and affirmative action (necessary for the validity of consent): such actions may be difficult to distinguish from other activities or interactions by a user, and therefore it will also not be possible to determine unambiguous consent [Reference: Art. 4.11 GDPR and in conjunction with it, Art. 7]."

This means scrolling is no longer a valid means of collecting user consent. This is partly because such an action could result from an error (an accidental swipe, a mistaken mouse wheel movement), and partly because users haven’t checked or don’t even know what the site’s default cookie settings are.

Are we consenting only to technical cookies?
To analytics?
To the sale of our data for marketing of products and services we never requested?

Previously, users often gave an implicit "yes" to all of this, only to be overwhelmed by unwanted emails, intrusive calls, and endless promotional messages.

With the new cookie regulations, every choice must be made consciously. Consent must be:

  • Clear: the action must be unmistakable (it cannot be mistaken for another action, and it cannot be accidental).
  • Affirmative: intentionally made to provide or withhold consent, or to express preferences in detail.

Only unambiguous consent is considered a legal basis for installing non-technical cookies or accessing those already installed, as required by Art. 122 of the Italian Privacy Code and Art. 6 of the GDPR.

Also remember: the data controller must be able to prove that valid consent was obtained and is solely liable for any non-compliance.

This is why cookie settings must, by default, be set to “deny” (except for essential technical cookies). All other cookies must be pre-blocked and activated only after the user’s explicit choice.
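The default-deny behaviour described above, as an added example (not code from the original page or from any product it mentions): non-technical scripts stay blocked, scroll and dismiss events are ignored, and only explicit choices are applied and recorded as evidence. The category names, event types and function names are assumptions made for the illustration.

```javascript
// Added example: default-deny consent gate. All names here are hypothetical.
const CATEGORIES = ["analytics", "marketing"]; // assumed non-technical categories
const EXPLICIT_ACTIONS = new Set(["accept_all", "reject_all", "save_preferences"]);

function createConsentGate(now = () => new Date().toISOString()) {
  const state = { analytics: false, marketing: false }; // pre-blocked by default
  const log = []; // consent records the controller can produce as proof

  function handle(event) {
    // Scrolling, swiping or dismissing the banner is not an affirmative
    // action, so it never changes state and is never logged as consent.
    if (!EXPLICIT_ACTIONS.has(event.type)) return false;
    const choices = {};
    for (const c of CATEGORIES) {
      if (event.type === "accept_all") choices[c] = true;
      else if (event.type === "reject_all") choices[c] = false;
      else choices[c] = event.choices?.[c] === true; // unticked stays denied
    }
    Object.assign(state, choices);
    log.push({ at: now(), action: event.type, choices });
    return true;
  }

  // Technical cookies always load; anything else needs a recorded "yes".
  function mayLoad(script) {
    return script.category === "technical" || state[script.category] === true;
  }
  return { handle, mayLoad, log };
}

// Constructed sample data: tagged scripts and a sequence of user events.
const SCRIPTS = [
  { name: "session", category: "technical" },
  { name: "stats", category: "analytics" },
  { name: "ads", category: "marketing" },
];

function replay(events) {
  const gate = createConsentGate(() => "2022-01-10T00:00:00Z"); // fixed clock
  const timeline = events.map((e) => {
    gate.handle(e);
    return SCRIPTS.filter(gate.mayLoad).map((s) => s.name);
  });
  return { timeline, log: gate.log };
}

console.log(replay([{ type: "scroll" }, { type: "accept_all" }]).timeline);
```

In a browser, `mayLoad` would be consulted before injecting each tagged script, and the log entries would be stored where the controller can retrieve them.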

For more detailed guidance, see EDPB Guidelines no. 5/2020 (European Data Protection Board).
