Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
Italy Repubblica Italiana

WEB ANALYTICS · COOKIE COMPLIANCE · SOUTHERN EUROPE · IT

Italy — analytics & cookie compliance reference

What you can run on an Italian-targeted website without a fine — GA4, cookies, vendor stack, and the rules behind them. Single national DPA (Garante) · among the most aggressive enforcers in the EU · issued the largest analytics-related GDPR fine in EU history (Enel Energia €79M, Feb 2024).

GDPR · ePrivacy · Free reference · sources cited
// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Italy. Italian-language privacy notices are non-negotiable. Sectoral rules (healthcare, banking, employment) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National addons

Country-specific statutes layered on the EU baseline.

Codice Privacy · Stricter
Codice in materia di protezione dei dati personali (D.Lgs. 196/2003 as amended by D.Lgs. 101/2018)
National implementation of GDPR opening clauses. Special permissions for journalism, employment, public health, biometrics. Garante retains broad sanctioning powers under Art 166. Criminal provisions retained at Art 167–172.
  • Art 2-quinquiesdecies Public-interest processing — Garante prescriptions binding on controllers
  • Art 2-quinquies Child consent — lowered to 14 (vs GDPR default of 16)
  • Art 2-septies Biometric, genetic, health data — Garante prescriptions required
  • Art 114 Workers' Statute Art 4 cross-reference — workplace monitoring rules
  • Art 130 Direct marketing — opt-in for email/SMS/automated calls; soft opt-in for own similar products
  • Art 166 Administrative sanctions — Garante's fining powers complementary to GDPR Art 83
  • Art 167 Criminal liability — up to 6 years for unlawful processing causing harm
Legislative Decree 196/2003, harmonized to GDPR by Legislative Decree 101/2018 (G.U. n. 205, 4 Sep 2018). Latest amendments via Decreto Capienze 139/2021 + minor adjustments in 2023/2024.
Garante Cookie Guidelines 2021 · Stricter
Linee guida cookie e altri strumenti di tracciamento — Provv. n. 231 del 10 giugno 2021
Italian transposition of ePrivacy Art 5(3) cookie rules. Mandates equal-prominence Accept/Reject buttons, no scroll-as-consent, no pre-ticked boxes, granular per-purpose consent, six-month re-prompt cap, and explicit ban on dark patterns / cookie walls in default form.
  • § 4 Strictly-necessary exception narrowly construed — analytics only when fully anonymized + first-party + no third-party transfer
  • § 5 Consent banner — equal-prominence Accept/Reject; X-button must equal 'Reject'
  • § 7 Re-prompt cap — no more than once every 6 months unless conditions change
  • § 10 Italian language required for Italian-targeted sites — Garante 2018 + 2021 reaffirmation
Garante Provvedimento n. 231/2021 (Doc-Web 9677876), in force from 10 Jan 2022
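The § 4, § 5 and § 7 rules above are mechanical enough to encode. The following is an added example written for this page (it is not code from the Garante, from any CMP vendor, or from the original text): a minimal consent record in which closing the banner counts as rejection, consent is stored per purpose, and the banner may only be re-shown after six months or when the declared purposes change. The purpose names, the record shape, the `policyVersion` field, the 182-day approximation of six months and the button-descriptor shape used by `auditFirstLayer` are all assumptions.

```javascript
// Added example: consent-record logic encoding Garante Provv. 231/2021 § 4/5/7.
// Purpose names, record shape and policyVersion are assumptions, not a CMP API.

const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000; // ~6 months (assumed approximation)
const PURPOSES = ["functional", "analytics", "marketing"]; // assumed per-purpose granularity

// Build a consent record from a first-layer interaction. Closing the banner
// (the "X") must have the same effect as "reject all" (§ 5), so both yield an
// empty grant list. "custom" keeps only the purposes the visitor ticked.
function recordChoice(action, purposes = [], policyVersion, now) {
  let granted;
  switch (action) {
    case "accept_all": granted = PURPOSES.slice(); break;
    case "reject_all":
    case "close":      granted = []; break;
    case "custom":     granted = PURPOSES.filter(p => purposes.includes(p)); break;
    default: throw new Error("unknown banner action: " + action);
  }
  return { granted, policyVersion, timestamp: now };
}

// § 7: re-prompt only when there is no record, the record is older than six
// months, or the conditions (declared purposes/vendors, tracked via a policy
// version string) have changed since the choice was made.
function shouldShowBanner(record, currentPolicyVersion, now) {
  if (!record) return true;
  if (record.policyVersion !== currentPolicyVersion) return true;
  return now - record.timestamp >= SIX_MONTHS_MS;
}

// Gate any non-essential tag on the specific purpose it serves.
function isGranted(record, purpose) {
  return Boolean(record) && record.granted.includes(purpose);
}

// Static audit of a first-layer layout description (assumed shape):
// [{ role: "accept" | "reject" | "close" | "settings", style: "css-class" }].
// Returns the § 5 points the layout fails; an empty list means no finding.
function auditFirstLayer(buttons) {
  const findings = [];
  const accept = buttons.find(b => b.role === "accept");
  const reject = buttons.find(b => b.role === "reject");
  if (!accept) findings.push("no accept button on first layer");
  if (!reject) findings.push("no reject button on first layer (§ 5)");
  if (accept && reject && accept.style !== reject.style) {
    findings.push("accept and reject differ in prominence (§ 5)");
  }
  return findings;
}
```

A CMP audit would call `auditFirstLayer` on the rendered banner and `shouldShowBanner` on the stored record; note that a re-prompt triggered by a policy change should set a new `policyVersion` when the new choice is recorded, otherwise the banner would loop.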
Codice del Consumo
D.Lgs. 206/2005 — Consumer Code
Direct marketing rules layered on GDPR + Codice Privacy Art 130. Anti-spam, soft-opt-in scope, unfair commercial practices over consent flows. AGCM (competition authority) enforces alongside Garante.
  • Art 18-27 Unfair commercial practices — covers misleading consent banners and pre-ticked subscription
  • Art 58 Distance contracts — confirmation + double-opt-in recommended
Legislative Decree 206/2005, latest amendments 2023
Provv. 9782890 (Caffeina Media) · Stricter
Garante Provvedimento n. 9782890 del 9 giugno 2022
Landmark ruling that Caffeina Media's pre-DPF GA4 deployment unlawfully transferred personal data to the US in violation of GDPR Chapter V (Schrems II). Garante ordered controllers to bring deployments into compliance within 90 days. Functionally an industry-wide warning. Post-DPF (10 Jul 2023) the transfer dimension is mitigated for DPF-certified importers, but Italian-language consent + Italian-targeted disclosure obligations stand.
  • Recital 9 IP address + cookie identifiers = personal data even when truncated
  • Recital 12 GA4 default = unlawful US transfer pre-DPF; supplementary measures insufficient
  • Recital 17 Italian-language privacy notice + specific transfer disclosure required
Garante Provv. 9782890, decided 9 June 2022, published 23 June 2022

Regulators

Supervisory authorities that interpret and enforce privacy law here.

Notable enforcement

Italy ranks consistently in the top 3 EU member states by total GDPR fine value, driven by an aggressive Garante and a dense telecom + utility sector. The Garante issued the largest single GDPR fine in EU history for an analytics/marketing-adjacent matter (Enel Energia €79.1M, Feb 2024) and was the first EU DPA to take emergency action against an LLM (ChatGPT, Mar 2023). Italian enforcement focuses on three recurring patterns: (1) unlawful telemarketing using purchased or scraped contact lists, (2) GA4 / cookie-banner non-compliance with the 2021 Cookie Guidelines, and (3) absence of Italian-language privacy notices on Italian-targeted services. Fines have generally stood on appeal — Italian administrative courts are less interventionist than German or French equivalents.

  1. 2024-02 €79.1M
    Enel Energia Garante · Art 5, 6, 7, 24, 25 stood

    Unlawful telemarketing using third-party data without valid consent, plus failure to investigate complaints from data subjects. Largest Italian GDPR fine and largest EU analytics/marketing-adjacent GDPR fine on record at issuance.

  2. 2020-01 €27.8M
    TIM (Telecom Italia) Garante · Art 5, 6, 17, 21 stood

    Aggressive unlawful telemarketing on millions of contacts including non-customers — calls placed despite opt-out registry entries; mishandled exercise of rights.

  3. 2020-11 €16.7M
    Wind Tre Garante · Art 5, 6, 7, 24, 25 stood

    Unlawful telemarketing, unsolicited communications, and inadequate consent management — affected app users, prospects, and existing customers across multiple channels.

  4. 2020-11 €12.3M
    Vodafone Italia Garante · Art 5, 6, 7, 24, 25, 28, 32 stood

    Unlawful telemarketing, third-party list management failures, and processor-oversight gaps. Sister-case to TIM/Wind Tre cluster.

  5. 2024-05 €4.9M
    Edison Energia Garante · Art 5, 6, 7, 24 stood

    Unlawful telemarketing + consent failures + inadequate processor oversight on energy-sector marketing campaigns.

  6. 2024-04 €1.0M
    Iliad Italia Garante · Art 5, 6, 7 stood

    Unlawful telemarketing — calls placed without valid consent and despite opt-out signals.

  7. 2024-12 €271k
    Lazio Region Garante · Art 5, 9, 32 stood

    Health-data exposure incident affecting regional health-service users — security controls inadequate and notification timeline missed.

GA4 status

GA4 is usable in Italy only with prior, explicit, granular consent under Garante Cookie Guidelines (Provv. 231/2021), an Italian-language privacy notice, and explicit disclosure of US transfers. After EU-US DPF (10 Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified — but Garante has not retracted the Caffeina Media ruling. Default GA4 deployments (no consent gate, English-only notice) remain non-compliant.
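How a consent-gated GA4 load looks in practice, as an added example written for this page (not Google's code and not from the original text): Consent Mode v2 starts with every signal denied, the gtag.js script is only injected once analytics consent is recorded, and the config disables Google Signals and ad-personalisation signals. The consent record shape `{ granted: [...] }`, the purpose names, the `consent-record` storage key and the `G-XXXXXXXXXX` measurement ID are assumptions; `ad_storage`, `analytics_storage`, `ad_user_data`, `ad_personalization`, `wait_for_update`, `allow_google_signals` and `allow_ad_personalization_signals` are real gtag parameters.

```javascript
// Added example: consent-gated GA4 bootstrap with Consent Mode v2.
// Record shape, purpose names and the storage key are assumptions.

const CONSENT_SIGNALS = ["ad_storage", "analytics_storage", "ad_user_data", "ad_personalization"];

// Consent Mode v2 default: all four signals denied before any choice exists.
// wait_for_update makes gtag hold tags up to 500 ms for an update call.
function consentModeDefault() {
  const state = {};
  for (const s of CONSENT_SIGNALS) state[s] = "denied";
  state.wait_for_update = 500;
  return state;
}

// Map a per-purpose record to the four signals: analytics consent unlocks
// analytics_storage only; the three ad signals need marketing consent.
function consentModeUpdate(record) {
  const has = p => Boolean(record) && record.granted.includes(p);
  const ads = has("marketing") ? "granted" : "denied";
  return {
    analytics_storage: has("analytics") ? "granted" : "denied",
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  };
}

// The script itself is only loaded after analytics consent; the denied default
// is a second line of defence, not the gate.
function shouldLoadGa4(record) {
  return Boolean(record) && record.granted.includes("analytics");
}

// GA4 config fields that switch off Google Signals / ad personalisation.
function ga4Config() {
  return { allow_google_signals: false, allow_ad_personalization_signals: false };
}

// win/doc are injected so the function can be exercised without a browser.
// Returns true when GA4 was loaded, false when consent gated it off.
function bootstrapGa4(record, win, doc, measurementId) {
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); }
  gtag("consent", "default", consentModeDefault());
  if (!shouldLoadGa4(record)) return false;
  gtag("consent", "update", consentModeUpdate(record));
  const script = doc.createElement("script");
  script.async = true;
  script.src = "https://www.googletagmanager.com/gtag/js?id=" + encodeURIComponent(measurementId);
  doc.head.appendChild(script);
  gtag("js", new Date());
  gtag("config", measurementId, ga4Config());
  return true;
}

if (typeof window !== "undefined" && typeof document !== "undefined") {
  // Browser entry point; the record would come from the CMP's storage (assumed key).
  const stored = window.localStorage.getItem("consent-record");
  bootstrapGa4(stored ? JSON.parse(stored) : null, window, document, "G-XXXXXXXXXX");
}
```

Loading gtag.js only after consent, rather than loading it with denied signals, is the conservative reading of Provv. 231/2021: with denied signals Google still receives cookieless pings, which the Garante has not endorsed as a strictly-necessary use.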

DPA · Stance
  • Garante (Servizio Web) · Cookie banner must satisfy Provv. 231/2021 strictly — equal-prominence Accept/Reject, no scroll-consent, granular purposes.
  • Garante (Trasferimenti) · DPF accepted for certified importers; Italian-language disclosure of transfer + recipient still required.
  • Garante (Marketing) · Aggressive on opt-out registry violations and third-party list use — Enel/TIM precedent.
  • Garante (AI/LLM) · Active monitoring post-ChatGPT order — vendors integrating LLM features into analytics pipelines should expect scrutiny.

Cross-border transfers + Schrems II

Italy was among the strictest EU member states pre-DPF — the Garante's June 2022 Caffeina Media ruling functionally banned default GA4 deployments. Post-DPF (10 Jul 2023) the transfer dimension is mitigated for DPF-certified US importers (e.g. Google LLC), but Garante remains cautious. Italian-language privacy notice + explicit transfer disclosure remain non-negotiable. Garante has not retracted the Caffeina ruling — controllers are expected to document the DPF basis and re-confirm consent flows.

EU 2021/914 SCCs are the fallback for non-DPF US recipients. Garante scrutinizes Module 2 (controller-processor) onward-transfer clauses heavily and expects a documented Transfer Impact Assessment. FISA 702 risk acknowledgement is expected even where DPF applies, as a defensive measure.

Employee data

Key thresholds

  • Child consent age · 14 years
  • Article 27 representative · Required
  • Marketing consent · Single opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 12 · 6 green · 5 yellow · 1 red
Vendor · Status · Rationale
 GREEN Cookieless by design. EU-routed via Cloudflare. No DPA required for Lite tier (no PII).
 GREEN Self-hosted on your infrastructure. Full data control, configurable IP anon. Meets every jurisdiction with cookieless config.
 GREEN EU-hosted with cookieless mode available. With cookies disabled qualifies for §25(2) exception in Germany.
 GREEN German-hosted, cookieless, GDPR-aligned by design.
 GREEN EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required.
 GREEN Open-source, cookieless, fully self-hostable. Default-green when self-hosted.
 YELLOW Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
 YELLOW EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
 YELLOW Default config sends data to US infrastructure. Needs Consent Mode v2 + IP anonymization + DPF active + signed DPA + reject-all banner. Server-side EU proxy moves to green.
 YELLOW EU residency available on paid plans; default cloud is US. Identifies users by default — needs config.
 YELLOW EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
 RED Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
 GREEN Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
 GREEN Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
 GREEN Open-source, self-hosted. No managed updates — site owner maintains vendor list.
 GREEN GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
 GREEN German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Tag managers · 1 · 0 green · 1 yellow · 0 red
Vendor · Status · Rationale
 YELLOW Container only — verdict depends on which tags fire and when. Block until consent. Server-side GTM in EU recommended.
Session replay · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Full session capture — highest-risk category. Explicit consent + DPIA + strict retention.
 RED Session replay — high-risk processing per EDPB Guidelines 3/2019. DPIA + explicit consent required. Cannot run pre-consent.
 RED Session replay + Microsoft tracking. DPIA + explicit consent required.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
 RED Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
 RED PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
 GREEN EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
 GREEN EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
 YELLOW "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.

Common questions

Is Google Analytics legal in Italy in 2026?
Yes, conditionally. GA4 is usable in Italy only with prior, explicit, granular consent under the Garante Cookie Guidelines (Provv. 231/2021), an Italian-language privacy notice, and explicit disclosure of US data transfers. After EU-US DPF (10 Jul 2023) transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. The Garante's June 2022 Caffeina Media ruling (Provv. 9782890) has not been retracted — default GA4 deployments without a TDDDG-equivalent consent gate or Italian-language banner remain non-compliant.
What was the Garante's GA4 ruling?
Provvedimento n. 9782890, decided 9 June 2022 and published 23 June 2022 (Caffeina Media case). The Garante ruled that the controller's default GA4 deployment unlawfully transferred personal data (IP addresses + cookie identifiers) to the United States in violation of GDPR Chapter V and Schrems II. A 90-day compliance order was issued. Functionally an industry-wide warning. Post-DPF the transfer dimension is mitigated for DPF-certified importers, but the consent + Italian-language disclosure obligations remain.
Does my privacy notice need to be in Italian?
Yes for Italian-targeted services. The Garante's 2018 guidance (Provv. 9357640) and reaffirmed 2021 Cookie Guidelines require privacy notices and cookie banners in Italian for Italian-targeted services — English-only is insufficient. Targeting indicators include .it domain, EUR pricing, Italian-language marketing, Italian customer support, and inclusion of Italy in shipping/service zones. International SaaS providers cannot rely on English-only EU-baseline notices.
What is the Italian child consent age?
14 years old. Codice Privacy Article 2-quinquies (introduced by D.Lgs. 101/2018) lowered the age from the GDPR default of 16 to 14 for information-society services consent. Italy is in the lower cluster (alongside Austria, Belgium, Bulgaria, Cyprus, Denmark, Estonia, Finland, Latvia, Malta, Portugal, Sweden) versus the GDPR default of 16. Below 14, parental holder-of-responsibility consent is required.
What does Article 4 of the Workers' Statute mean for analytics tools?
Italy's Statuto dei Lavoratori (Law 300/1970) Article 4 requires either (a) a collective trade-union agreement, or (b) prior authorization from the Ispettorato Nazionale del Lavoro (INL), before deploying any audiovisual or other instruments from which remote-control of worker activity is possible. The Garante interprets this broadly to cover analytics, productivity, MDM, session-replay, and IT-monitoring tools when they touch employee behavior. Codice Privacy Art 114 cross-references this regime. Skipping the Art 4 procedure is independently sanctionable under the Workers' Statute regardless of GDPR consent.
Do I need an Italian DPO?
Italy has not set a national lower threshold for DPO appointment — the GDPR Article 37 criteria apply directly. A DPO is mandatory for public bodies, controllers carrying out large-scale special-category processing, or large-scale systematic monitoring. Most Italian SMBs do not require a DPO unless they operate in healthcare, finance, profiling, or telecom. The Garante is more aggressive than peers on the 'large-scale' interpretation.
Do I need an Italian Article 27 representative?
Yes if you are a non-EU controller offering goods/services to or monitoring behavior of people in Italy (or any EEA state), unless the small-business exception in Art 27(2) applies. The Garante has actively pursued non-designation in cross-border investigations and treats absence of a representative as an aggravating factor in fining decisions.
What are the Garante's enforcement priorities?
Three recurring patterns dominate: (1) unlawful telemarketing using purchased or scraped contact lists — Enel Energia €79.1M (2024), TIM €27.8M (2020), Wind Tre €17M (2020), Vodafone Italia €12.25M (2020), Iliad €1M (2024), Edison €4.9M (2024). (2) GA4 / cookie-banner non-compliance with the 2021 Cookie Guidelines (Provv. 231/2021). (3) AI / LLM oversight — first EU DPA to act against ChatGPT (Mar 2023), €15M fine Dec 2024. Sectoral focus: telecoms, energy/utilities, healthcare, e-commerce.
Does Italy require double opt-in for email marketing?
No legally — single opt-in is sufficient under Codice Privacy Art 130. Double-opt-in is industry-recommended best practice and significantly reduces evidentiary risk in Garante investigations of marketing complaints. Given Italy's aggressive telemarketing enforcement track record, double-opt-in is the prudent default for any Italian-targeted email/SMS programme.
Does Schrems II still affect transfers to the US post-DPF?
Yes for non-DPF transfers. The DPF restored adequacy for DPF-certified US importers (upheld by the EU General Court in Sep 2025, T-553/23). For non-DPF US recipients, Schrems II logic still applies — a Transfer Impact Assessment plus supplementary measures is required. The Garante remains the most cautious EU DPA on this point — controllers are expected to document the DPF basis explicitly in their Italian-language privacy notice and to re-validate consent flows. The Caffeina Media ruling has not been formally retracted.

// EDITORIAL · NOT LEGAL ADVICE This page summarises Italy's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.