March 17, 2025 · 4 min read

Privacy and cookie policy for Italian websites: what you need in 2025

You have a website, you collect contacts through a form, you use some analytics tool, and somewhere at the bottom of the page there's a privacy policy copied years ago from another site. Privacy compliance for an Italian website in 2025 requires something more, and GDPR fines don't only concern multinationals: the authorities also act against small businesses, often following a complaint. Let's look at what must be on your site, without turning this article into legal advice: complex cases require a professional, but you can check the basics right away.

The privacy policy: what it must say (about your site, not someone else's)

The privacy policy is the notice that explains to users what data you collect and what you do with it. To be GDPR-compliant it must describe the reality of your site, not a generic one. The essential contents:

  • Data controller: who you are, with identifying details and a working contact.
  • What data and why: each category of data (form data, newsletter emails, browsing data, order data) with its purpose and its legal basis.
  • Where the data goes: the third-party services that process it on your behalf (hosting, email marketing, analytics, payments) and any transfers outside the European Union.
  • How long you keep it and what rights users have: access, rectification, erasure, objection, and how to exercise them.

The most common mistake we come across: the policy lists services the site no longer uses and ignores the ones added later. The notice needs to be updated when the site changes, like any other page.

The cookie banner: consent must be a real choice

On cookies the basic rule is clear: technical cookies, necessary for the site to work, don't require consent; all the others (non-anonymized analytics, marketing, profiling) can only be set after free and explicit consent. The guidelines of the Italian Garante have set precise boundaries, and the practical requirements for a compliant banner are these:

  • Refusing must be as easy as accepting: a button to refuse or close without consenting, with the same prominence as the accept button.
  • No non-technical cookies before consent: a banner that appears while the marketing scripts have already fired is a violation, not a detail.
  • Granular choices: users must be able to consent by category (analytics, marketing) and be able to change their mind later, through a link that is always reachable.
  • Consent must be recorded: in case of a dispute you must be able to prove who consented, when and to what.

Shortcuts like banners with only an OK button, or consent presumed from scrolling the page, belong to the past and are now open to challenge.

The tools: consent platforms and configuration

Managing all this by hand is unrealistic, which is why consent management platforms (CMPs) exist: services that generate the banner, block scripts before consent, record choices and keep the cookie policy up to date. The most widespread solutions integrate with WordPress, PrestaShop and custom sites.

Installation alone isn't enough, though: the delicate part is the configuration. The CMP must know all the scripts present on the site and effectively block the ones subject to consent, and anyone using advertising tools must correctly configure the transmission of the consent state to the platforms. On the projects we handle, testing is done from a clean browser session: you open the site, refuse everything and verify from the developer tools that no marketing cookie has been set.
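An added example in plain JavaScript (not MarckDev's code or any CMP's) of the three mechanics described above: scripts gated by consent category, a consent record that captures who, when and to what, and the "refuse everything, then check cookies" audit run from the developer tools. The technical-cookie allowlist, the category names and the sample cookie string are constructed for illustration.

```javascript
// Added example (not MarckDev's code): category-gated script activation, a provable
// consent record, and the "refuse everything, then check cookies" audit the article
// describes. Cookie names and categories are constructed placeholders; adapt them.

// Technical cookies the site may set without consent (constructed allowlist).
const TECHNICAL_COOKIES = new Set(["PHPSESSID", "csrf_token", "cookie_consent"]);

// Scripts allowed to run for this choice: technical ones always, every other
// category only if the visitor opted into exactly that category.
function scriptsToActivate(scripts, choice) {
  return scripts.filter((s) => s.category === "technical" || choice.categories[s.category] === true);
}

// The record you must be able to produce in a dispute: who (pseudonymous visitor
// id), when, and to what (per-category choice plus the version of the notice shown).
function buildConsentRecord(visitorId, categories, policyVersion, now = new Date()) {
  return {
    visitorId,
    timestamp: now.toISOString(),
    policyVersion,
    categories: { analytics: categories.analytics === true, marketing: categories.marketing === true },
  };
}

// Audit a cookie header string (document.cookie in the browser): after refusing
// everything in a clean session, any name not on the allowlist is a violation.
function nonTechnicalCookies(cookieString, allowlist = TECHNICAL_COOKIES) {
  return cookieString.split(";").map((c) => c.trim()).filter(Boolean)
    .map((c) => c.split("=")[0])
    .filter((name) => !allowlist.has(name));
}

// Browser side: tags shipped as <script type="text/plain" data-category="marketing"
// data-src="..."> never execute; this swaps in live tags for consented categories only.
function activateInBrowser(doc, choice) {
  const tags = Array.from(doc.querySelectorAll("script[type='text/plain'][data-category]"));
  const allowed = scriptsToActivate(tags.map((el) => ({ category: el.dataset.category, el })), choice);
  for (const { el } of allowed) {
    const live = doc.createElement("script");
    live.src = el.dataset.src;
    doc.head.appendChild(live);
  }
  return allowed.length;
}

// Constructed sample of a "refuse" session where the CMP failed to block analytics
// and marketing tags; the audit must report _ga and _fbp (well-known GA/Meta cookies).
const SAMPLE_COOKIES_AFTER_REFUSE = "PHPSESSID=abc123; _ga=GA1.2.1; _fbp=fb.1.1; cookie_consent=refused";
```

In the browser, paste the audit function into the developer console after clicking refuse: `nonTechnicalCookies(document.cookie)` should return an empty array.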

Beyond cookies: forms, newsletters and eCommerce

Compliance doesn't end with the banner. The points we most often find uncovered:

  • Contact forms: under every form you need a link to the privacy notice; the consent checkbox is only needed for additional purposes (like the newsletter), not for answering the request.
  • Newsletters: the subscription must be provable, and the double opt-in practice (confirmation by email) remains the most solid route; unsubscribing must work with one click.
  • eCommerce: order data has its own legal bases and retention periods, tied also to tax obligations; marketing to customers has its own rules.
  • Whoever processes data for you: with suppliers that touch personal data (hosting, CRM, email) you need data processing agreements, which serious services make available.

Bring your site into compliance together with whoever builds it

Privacy compliance works when it's built into the site: scripts loaded the right way, forms done properly, CMP configured and tested. When we build websites and eCommerce we set up banners, notices and consent management as part of the project, coordinating with your legal advisor where needed. Book a free call: we'll check how your site is doing and tell you what to fix first.