Cookie banners and the Italian DPA: what to fix before 2024

14 December 2023 · 2 min read

The Italian DPA is again going after non-compliant cookie banners. Between dark patterns, scroll-as-consent and Google Analytics, here are the rules we apply to every client site.

In 2023 the Italian Data Protection Authority kept the pressure on cookie banners high: rulings, sweeps of high-traffic sites and a series of fines that hit smaller companies too. The rules are not new — the guidelines date back to 2021 — but many sites are still out of bounds. Worth a refresher before 2024.

What the DPA does not want to see

  • "Accept" only: the reject button must be in the same layer with the same visual prominence as "Accept".
  • Scroll as consent: scrolling the page or clicking outside the banner is not valid consent.
  • Pre-ticked preferences: non-essential cookie checkboxes must be off by default.
  • Cookie walls: blocking access if the user refuses is allowed only in very narrow cases with an equivalent paid alternative.
  • Periodic re-prompt: re-asking after N months is acceptable only if the user previously refused. You cannot keep nagging users who already accepted.

The three technical points we see most often broken

1. Scripts loaded before consent

Google Analytics, Meta Pixel, Hotjar must not fire before the click. Obvious — yet routinely violated by hastily configured tag managers. The fix is to load scripts in consent mode and activate them via a consent_granted event after approval.

2. Google Analytics and US transfers

After the 2022–2023 rulings the DPA is clear: GA4 must be configured with IP anonymisation and an updated Data Processing Addendum. For sensitive sectors (healthcare, finance, public sector) we recommend server-side setups or alternatives such as Plausible, Matomo or Umami: self-hosted, no extra-EU transfer, and no cookies in their basic configuration.

3. Retention policies

The banner says "12 months" but the cookie lives "10 years". The DPA checks the match between the policy text and what the browser actually receives.
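As an added example (not code from the article), a small Node.js check for point 3: it parses the Set-Cookie headers recorded in DevTools and compares the lifetime the browser actually receives with the duration the cookie policy declares. The policy shape ({ cookieName: declaredDays }), the sample headers and the capture time are constructed assumptions.

```javascript
// Added example: audit observed cookie lifetimes against the declared policy.
// A cookie with neither Max-Age nor Expires is a session cookie (0 days).
const DAY_MS = 24 * 60 * 60 * 1000;

// Parse one Set-Cookie header into { name, lifetimeDays }.
// `now` (ms since epoch) is the capture time, needed to turn Expires into a lifetime.
function parseSetCookie(header, now) {
  const parts = header.split(';').map((p) => p.trim());
  const name = parts[0].split('=')[0].trim();
  let expires = null;
  for (const attr of parts.slice(1)) {
    const [key, ...rest] = attr.split('=');
    const value = rest.join('=').trim();
    const attrName = key.trim().toLowerCase();
    // RFC 6265: Max-Age wins over Expires when both are present
    if (attrName === 'max-age') return { name, lifetimeDays: Math.max(0, Number(value)) / 86400 };
    if (attrName === 'expires') expires = Date.parse(value);
  }
  const lifetimeDays = expires !== null && !Number.isNaN(expires) ? Math.max(0, expires - now) / DAY_MS : 0;
  return { name, lifetimeDays };
}

// Compare every observed cookie with the policy; returns a list of findings.
// `policy` is an assumed shape: { cookieName: declaredLifetimeDays }.
function auditCookieRetention(headers, policy, now, toleranceDays = 1) {
  const findings = [];
  for (const header of headers) {
    const { name, lifetimeDays } = parseSetCookie(header, now);
    if (!(name in policy)) {
      findings.push({ name, issue: 'undeclared', observedDays: lifetimeDays });
    } else if (Math.abs(lifetimeDays - policy[name]) > toleranceDays) {
      findings.push({ name, issue: 'mismatch', observedDays: lifetimeDays, declaredDays: policy[name] });
    }
  }
  return findings;
}

// Constructed sample: the policy promises 12 months for _ga, but the header
// sets it for ten years; _prefs matches; _sid is not in the policy at all.
const CAPTURE_TIME = Date.parse('2023-12-14T00:00:00Z');
const SAMPLE_HEADERS = [
  '_ga=GA1.2.123; Path=/; Max-Age=315360000; SameSite=Lax',
  '_prefs=dark; Path=/; Expires=Fri, 13 Dec 2024 00:00:00 GMT; Secure',
  '_sid=abc; Path=/; HttpOnly',
];
const SAMPLE_POLICY = { _ga: 365, _prefs: 365 };

console.log(auditCookieRetention(SAMPLE_HEADERS, SAMPLE_POLICY, CAPTURE_TIME));
```

Feed it the Set-Cookie values copied from the Network tab after a fresh load and each "mismatch" or "undeclared" finding is a line of the policy that needs fixing before the cookie does.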

Our pre-launch checklist

  1. DevTools open, network recorded from first load. No tracking script may appear before the user clicks the banner.
  2. "Accept" and "Reject" buttons with the same size, colour and position.
  3. "Customize" button opening a second layer with per-category switches (analytics, marketing, profiling).
  4. Cookie policy on a dedicated page, linked from footer and banner, with up-to-date cookie list and durations.
  5. Mobile test: the banner must not cover more than 30% of the screen nor block the home page from being read.

The perfect banner does not exist, but the compliant one does. If you are unsure about your site, half an hour of expert review fixes 90% of the issues before an inspection does.