Italian Privacy Code

Codice in materia di protezione dei dati personali (Legislative Decree No. 196/2003), Article 122

Flag of IT
ItalyOpt-inNational
ePrivacy Directive
Back to Regulations Guide

Key Facts

Effective Date
June 30, 2003
Enacted
June 30, 2003
Enforcing Authority
Garante per la protezione dei dati personali (Garante Privacy)
Consent Model
Opt-in
Applies To
Any entity storing or accessing information on terminal equipment of users in Italy

Overview

Italy implements the ePrivacy Directive through Article 122 of the Privacy Code, with comprehensive Garante cookie guidelines effective since January 10, 2022. Italy has several unique interpretations, including that closing a cookie banner with the "X" button does not grant consent and that scrolling cannot constitute consent.

What This Means for Your Website

  • Only technically necessary cookies may be placed by default — all others require consent
  • Scrolling is NOT valid consent under Italian law
  • Clicking the "X" close button closes the banner without granting consent — no cookies may be placed
  • Cookie walls are prohibited
  • You must provide both a first-layer summary and a detailed extended cookie information page
  • Italy uses a hybrid penalty system with both administrative and criminal sanctions

Key Requirements

The Garante enforces cookie requirements with fines of EUR 6,000 to EUR 36,000 for cookie policy violations, plus GDPR penalties. Italy's hybrid system uniquely includes criminal sanctions alongside administrative penalties. The Garante's 2022 guidelines establish detailed requirements for cookie banner design, information layers, and consent mechanics.

How ConsentStack Handles This

ConsentStack implements Italy's unique consent mechanics for Italian visitors: the "X" button dismisses the banner without placing cookies, scrolling does not trigger consent, and detailed cookie information is provided in the required two-layer format.

Penalties

EUR 6,000 to EUR 36,000 for cookie policy violations. GDPR penalties also apply. Hybrid system with both administrative and criminal penalties.

Maximum Fine
€36,000 per violation

Key Requirements

  • Only technically necessary cookies by default
  • Scrolling is NOT valid consent
  • X close button closes banner without granting consent
  • Cookie walls are prohibited
  • Detailed first-layer and extended cookie information pages required
  • Consent must be easily revocable

Notable Provisions

  • Hybrid penalties — both administrative and criminal
  • Garante cookie guidelines effective January 10, 2022
  • X close button means no consent — unique interpretation
  • Scrolling explicitly invalid as consent

Other ePrivacy Directive Related Regulations

FDPAFrance
France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A Refuse all button or Continue without accepting must appear on the first layer.
SI 336/2011Ireland
Ireland implements the ePrivacy Directive through SI 336/2011. The DPC is the lead supervisory authority for major tech companies headquartered in Ireland including Meta, Google, Apple, and Microsoft. Uniquely, cookie consent is limited to 6 months and must then be refreshed.
TDDDGGermany
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.
Dutch Telecom ActNetherlands
The Netherlands implements the ePrivacy Directive through Article 11.7a of the Telecommunications Act. The AP launched a major enforcement sweep in April 2025, warning 50 organizations for misleading cookie banners or placing tracking cookies without consent. Cookie walls are not permitted.
LSSISpain
Spain implements the ePrivacy Directive through Article 22 of the LSSI. Cookie violations are classified as slight offenses with EUR 30,000 fines per URL, but multiple URLs multiply penalties. AEPD allows consent-exempt analytics under privacy-friendly configurations, similar to CNIL.
Danish Cookie OrderDenmark
Denmark implements the ePrivacy Directive through the Cookie Order (Cookiebekendtgørelsen), administered by the Danish Business Authority. Cookie consent is a declared 2026 enforcement priority for Datatilsynet, which will examine whether Danish websites give users a genuine choice.
Portuguese ePrivacy LawPortugal
Portugal implements the ePrivacy Directive through Law 41/2004, with a distinctive tiered penalty structure distinguishing between large companies, SMEs, and natural persons. The CNPD issued 90 fines totaling EUR 559,950 in 2023, demonstrating active enforcement.
LEKSweden
Sweden implements the ePrivacy Directive through Chapter 9 Section 28 of LEK. In April 2025, IMY issued a landmark reprimand against Aller Media for dark patterns in cookie banners. Less than 25% of Swedish users accept cookies, reflecting strong privacy awareness.
Polish Telecommunications LawPoland
Poland implements the ePrivacy Directive through Articles 173-174 of the Telecommunications Law. While Article 173(2) technically permits consent via browser settings, PUODO recommends active consent. Since 2019, Article 174 requires cookie consent to meet full GDPR standards.
Norwegian E-Com ActNorway
Norway's January 2025 amendment to Ekomloven marked a major shift from tolerating passive consent to strict opt-in. Pre-ticked boxes and browser settings are now explicitly invalid. Accept and reject options must have equal prominence. Datatilsynet sanctioned 6 websites for tracking pixel violations.
Belgian E-Communications ActBelgium
Belgium enforces strict cookie consent with one of the EU's most active DPAs. Cookie walls are prohibited, and a Reject all button must appear on the first layer with equal prominence to Accept all. Dark patterns in cookie banners are actively enforced against.
Hungarian E-Communications ActHungary
Hungary implements the ePrivacy Directive through Section 155 of Act C of 2003. NAIH actively enforces cookie requirements with a focus on dark patterns and equal accessibility of consent options. Reject All must be equally accessible as Accept All in cookie banners.

Other Europe Regulations

GDPREuropean Union + EEA
The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.
PECRUnited Kingdom
PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.
ePrivacy DirectiveEuropean Union + EEA
Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.
FDPAFrance
France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A Refuse all button or Continue without accepting must appear on the first layer.
UK GDPRUnited Kingdom
The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.
TDDDGGermany
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.

Frequently Asked Questions

Does closing the cookie banner X button grant consent in Italy?

No. Under Italian law, clicking the X close button dismisses the banner without granting consent. No non-essential cookies may be placed. ConsentStack implements this behavior automatically.

Is scrolling valid cookie consent in Italy?

No. The Garante explicitly rules that scrolling does not constitute valid consent. Only active opt-in through clear affirmative action is accepted.

What are the cookie penalties in Italy?

Fines range from EUR 6,000 to EUR 36,000 for cookie policy violations. Italy uniquely has both administrative and criminal penalties for data protection breaches. GDPR fines also apply.

What cookie information must Italian websites provide?

Italian law requires both a concise first-layer summary and a detailed extended cookie information page covering all cookies, their purposes, and third-party access.

Stay compliant with Italian Privacy Code

ConsentStack helps you implement Opt-in consent for Italy automatically.

Get started free