How many times, out of haste or annoyance, do we simply swipe away the privacy banner on our smartphone—just to finally access the content we wanted?
Until recently, website operators routinely took advantage of this almost reflex action: they configured their cookie banners so that simply scrolling or dismissing the window (often unintentionally) was interpreted as consent to all cookies—whether technical, for analytics, or for third-party marketing. For users, this "consent" was rarely intentional.
However, starting January 9, 2022, the Italian Data Protection Authority (DPA) made it clear: scrolling or similar actions can no longer be considered valid consent. Consent must result from a deliberate, specific, and demonstrable action by the user.
As the new guidance states:
"According to recital 32, actions such as scrolling down a Web page or similar user activity will in no case satisfy the requirement of a clear and affirmative action (necessary for the validity of consent): such actions may be difficult to distinguish from other activities or interactions by a user, and therefore it will also not be possible to determine unambiguous consent [Reference: Art. 4.11 GDPR and in conjunction with it, Art. 7]."
This means scrolling is no longer a valid means of collecting user consent. This is partly because such an action could result from an error (an accidental swipe, a mistaken mouse wheel movement), and partly because users haven’t checked or don’t even know what the site’s default cookie settings are.
Are we consenting only to technical cookies?
To analytics?
To the sale of our data for marketing of products and services we never requested?
Previously, users often gave implicit "yes" to all this, only to be overwhelmed by unwanted emails, intrusive calls, and endless promotional messages.
With the new cookie regulations, every choice must be made consciously. Consent must be:
- Clear: the action must be unmistakable (not confused for another, or accidental).
- Affirmative: intentionally made to provide or withhold consent, or to express preferences in detail.
Only unambiguous consent is considered a legal basis for installing non-technical cookies or accessing those already installed, as required by Art. 122 of the Italian Privacy Code and Art. 6 of the GDPR.
Also remember: The data controller must be able to prove valid consent was obtained and is solely liable for any non-compliance.
This is why cookie settings must, by default, be set to “deny” (except for essential technical cookies). All other cookies must be pre-blocked and activated only after the user’s explicit choice.
For more detailed guidance, see EDPB Guidelines no. 5/2020 (European Data Protection Board).
