How many times, out of haste, out of boredom, out of not wanting (again) to deal with the privacy choices of the banners we face when we enter a site, do we rest our finger on the display of our smartphone and give that upward push that slides away that annoyance that keeps us from reading what we were looking for on the fly?
Until now, site operators had exploited the innate annoyance most of us feel at finding that banner in front of us by treating our "non-choice," that nudge of the display, as acceptance of the installation of all cookies that might be useful to the site operator itself.
It was an implicit "Yes," for them, when for the user it was just an annoying operation.
After January 9, 2022, according to the Italian Data Protection Authority, this is no longer the case: the Authority reiterates that consent must result from a specific, demonstrable and unequivocal action by the user. In fact, as per the new provisions:
"According to recital 32, actions such as scrolling down a Web page or similar user activity will in no case satisfy the requirement of a clear and affirmative action (necessary for the validity of consent): such actions may be difficult to distinguish from other activities or interactions by a user, and therefore it will also not be possible to determine unambiguous consent [reference provision: Art. 4.11) GDPR and, in conjunction with it, Art. 7]."
As already anticipated, scrolling can therefore no longer be considered a way of acquiring consent. One reason is that it could happen by mistake (inadvertently touching the device's display, accidentally moving the mouse wheel, etc.). The other is that, at least so far, we have not checked the default settings chosen by the site operator, so we do not know what we are consenting to.
Only to technical cookies?
To tracking for the operator's analysis of the site?
To allow the data that the operator is collecting to be sold to third parties who will use it to market to us about the most disparate products and services that we don't care about?
Until now, we have almost always ignored what we were saying yes to, only to find ourselves inundated with promotional emails, phone calls at the most unlikely hours, and a barrage of text messages with offers that "you can't possibly miss."
With the new cookie regulations, every choice must be made with full awareness of what we are doing, through an action that is clear (an action that cannot be mistaken for another made in error) and affirmative (made specifically to achieve that result, whether one is giving consent, withholding it, or choosing to give it only in some respects and not in others), so as to generate unambiguous consent, which is the only legal basis that can be used for the installation of non-technical cookies and/or access to those installed, as provided in Art. 122 of the Privacy Code, a special and prevailing provision on the basis of Art. 6 GDPR.
Recall also that the burden of proving that valid consent was acquired lies with the data controller, who is therefore also the only one liable to be sanctioned if processing does not comply with the new provisions.
For this reason too, cookie settings will have to default to denial: apart from technical cookies, which are necessary for the operation of the site (for example, the choice of one language over another), all others will have to be deactivated, and it will only be possible to install them on the user's terminal after the user has specifically chosen to allow their installation.
For more information on this, you can consult Guidelines no. 5/2020 of the EDPB.