Cookie Consent and Analytics in Italy: What Italian Website Owners Need to Know in 2026

Italy's Garante declared Google Analytics illegal in June 2022, the third EU country to do so. The Data Privacy Framework has since restored legal cover for US data transfers. But Italy also has a consent exemption for analytics that most Italian website owners have never configured. Here is the full picture.

The Garante: who enforces your privacy rules

The Garante per la Protezione dei Dati Personali is a four-member collegiate body elected by the Italian Parliament for non-renewable seven-year terms. It has roughly 125 staff and an annual budget of EUR 48 million. And it has a financial incentive other DPAs do not: 50% of all fines collected go directly back to the Garante's budget for inspections, enforcement, and public awareness.

President Pasquale Stanzione, a private law professor at the University of Salerno, has publicly defended the Garante's independence against political pressure.

The Garante's track record speaks for itself. It was the first Western country to ban ChatGPT (March 2023), then fined OpenAI EUR 15 million in December 2024, the first GenAI GDPR fine in Europe. It fined Clearview AI EUR 20 million for scraping 10 billion facial images. It fined Enel Energia EUR 79.1 million in February 2024 for telemarketing abuses, the largest fine in Italian GDPR history. While Ireland's DPC takes years to investigate Meta, the Garante went from first ChatGPT complaint to emergency ban in 10 days.

The legal framework

Cookie consent in Italy is governed by Article 122 of the Codice Privacy (Legislative Decree 196/2003), Italy's transposition of the EU's ePrivacy Directive. The Codice Privacy was substantially amended by Legislative Decree 101/2018 to align with the GDPR, but Article 122 survived intact because it implements ePrivacy, not GDPR.

The penalty is not gentle. Cookie violations under Article 122 fall into the higher GDPR penalty tier: up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher. Italy also retains criminal penalties for the worst cases: up to six years imprisonment for intentional large-scale processing violations.

Italy has several cookie-specific quirks not found in other EU countries. The cookie banner must include an X button in the upper right corner that closes the banner without activating any non-technical cookies. If a visitor declines cookies, the site cannot re-present the consent banner for at least six months. And Accept and Reject buttons must have identical formatting: same size, same color weight, same prominence. The Garante was one of the first DPAs to fine a company for dark patterns in cookie banners, issuing EUR 300,000 against Ediscom SpA in February 2023.

Cookie consent: what's actually required

The Garante's current cookie guidelines were adopted June 10, 2021, with a compliance deadline of January 10, 2022. They replaced the 2014 guidelines and remain the binding framework in 2026.

The rules apply to all trackers, not just cookies. Local storage, fingerprinting, pixel tags, device identifiers. If it reads from or writes to the visitor's device, consent is required under Article 122.

An Aarhus University study of 8,666 Italian websites found that 76% had consent interfaces, but only 23% were compliant with the Garante's requirements. 90% had an Accept button, but only 55% had an equally prominent Reject button. Most Italian cookie banners look compliant at a glance. They are not.

The analytics exemption

Italy allows analytics cookies to be treated as technical cookies (exempt from consent) if they meet four conditions:

1. IP masking. At least the fourth octet of IPv4 addresses must be masked before any processing. The Garante notes this creates only 0.4% uncertainty, the minimum acceptable threshold.
2. Single-site scope. Analytics must produce aggregate statistics for a single website or app. No cross-site tracking.
3. No third-party data sharing. Your analytics data stays between you and your tool. It cannot be combined with other data the provider holds.
4. Aggregated output only. It must be impossible to identify individual users from the collected data.

Unlike France, which maintained a formal list of approved tools (now transitioning to self-assessment), Italy takes a principles-based approach. There is no official list. Any tool that meets the four conditions qualifies. This is actually simpler. You do not need to wait for DPA approval. You configure your tool correctly, document compliance, and operate without consent for analytics.

Google Analytics fails all four conditions. Google can cross-reference truncated IP addresses with other data it holds. It processes data across millions of properties. It feeds into Google's advertising ecosystem. The Garante said this explicitly in its 2022 ruling.

Cookieless analytics tools that do not set cookies, do not track users across sites, and do not share data with third parties meet Italy's exemption by design. Clickport falls into this category: first-party data collection, no cookies, no cross-site tracking, no third-party data sharing.

Google Analytics: the status in Italy

On June 9, 2022, the Garante declared Google Analytics unlawful. The case, originating from one of noyb's 101 coordinated complaints filed in August 2020, found that Caffeina Media S.r.l.'s use of Google Analytics transferred personal data to the US without adequate safeguards. The Garante gave 90 days to comply. No monetary fine was issued.

82% of Italian websites still had Google Analytics installed nine months later. The highest non-compliance rate of the three countries studied (France: 74%, Austria: 66%).

Then the EU-US Data Privacy Framework was adopted in July 2023. Google is DPF-certified. The specific transfer objection from the 2022 ruling is, for now, addressed. GA data transfers to the US are currently legal.

But "currently" is doing a lot of work.

The DPF is under simultaneous pressure from three directions. The CJEU has struck down both prior frameworks (Safe Harbor in 2015, Privacy Shield in 2020). Norway's Datatilsynet has warned that if the DPF is revoked, "there will most likely not be a transition period." Max Schrems has said the European Commission may need to "pause or stop the deal on its own."

If the DPF falls, the Garante has already banned Google Analytics once. It would not need to start a new investigation. The precedent is set.

Notable enforcement actions

The Garante's cookie enforcement has been lighter than France's CNIL in monetary terms, but the Ediscom dark patterns case (EUR 300,000, February 2023) set an EU precedent: it was the first time any DPA formally sanctioned dark patterns as a standalone GDPR violation. Cookie compliance was named a priority inspection area for the second half of 2024.

What's coming

The EU Digital Omnibus. Proposed November 2025, the Omnibus would create an EU-wide exemption for cookies used for "aggregated audience measurement for the controller's own use." Italy already allows this under its national guidelines. The Omnibus would codify it across all 27 member states. If your analytics tool qualifies under Italy's exemption today, it will qualify EU-wide once the Omnibus is adopted (expected mid-to-late 2026).

The DPF's fragile future. The CJEU will review the Latombe appeal in late 2026 or early 2027. FISA Section 702 sunsets in April 2026. If reauthorized without codifying DPF privacy safeguards into statute (they currently exist only as executive order commitments), the framework's vulnerability remains. The European Commission has not committed to suspending the DPF even as its foundations erode.

Garante's 2026 inspection plan. At least 40 targeted inspections are planned for the first half of 2026, supported by the Guardia di Finanza. Priority areas include telemarketing in the energy sector, AI tools in education, anonymization techniques, and whistleblowing systems. Cookie compliance is not explicitly named as a 2026 priority, but the Garante's pattern of continuous enforcement suggests it remains on the radar.

What this means for your website

If you're using Google Analytics with a cookie banner: Make sure your banner meets the Garante's 2021 requirements. Equal-prominence Accept and Reject buttons. X button that defaults to no cookies. No re-prompting for six months after refusal. And have a contingency plan for the day the Data Privacy Framework falls. The Garante has already ruled GA illegal once.

If you're using Google Analytics without a cookie banner: You are violating Article 122 of the Codice Privacy. GA does not qualify for Italy's analytics exemption. The penalty is up to EUR 20 million or 4% of global turnover.

If you want analytics without the consent dependency: A cookieless tool that meets Italy's four exemption conditions can track every visitor from the moment they arrive. No banner. No data loss. No DPF risk. Clickport is built this way: no cookies, no cross-site tracking, no third-party data sharing, aggregate-first architecture. It qualifies for Italy's analytics exemption by design.

You can try it free for 30 days, no credit card required. For the full EU-wide picture of Google Analytics' legal status, see our detailed overview.