Until recently, many companies felt safe, believing that the Privacy Guarantor’s inspection would only be triggered by a user complaint. But things have changed.
Today, the Guarantor acts ex officio, conducting independent checks and directly monitoring websites to verify compliance with GDPR regulations. A complaint is no longer needed for a site to be scrutinized.
This strategy has already cost several companies: first, Maddalena Lines, now Capital Investment. And the next one could be you.
Let's take a closer look at what the Guarantor discovered in the case of Capital Investment and what it means for anyone managing a website.
The mistakes of Capital Investment: what went wrong?
The Guarantor identified several significant violations, including issues with cookie management, transparency of information, and respect for user choices. Errors that, with increasingly strict controls, could affect many other websites.
1. No cookie banner on the first visit: a serious mistake

One of the fundamental rules of GDPR is that if a site uses cookies other than technical ones, it must display a consent banner on the user's first visit.
Capital Investment completely ignored this requirement. There was no banner, no consent request, no notification. Users accessed the site and their data was tracked immediately without their knowledge.
🔴 Why is this a problem?
- GDPR states that any processing of personal data requires the explicit consent of the user, unless it falls under exceptions provided by the law (such as technical cookies).
- Tracking users without notifying them means violating their privacy and ignoring the transparency principle.
If your site uses analytical, profiling, or third-party cookies, you must show a consent banner before collecting any data.
Don't know how to configure the cookie banner for your website? Read the guide.
2. Zero information on cookies and data processing: complete lack of transparency
Even when a website displays a banner, it must provide users with a clear and detailed notice about the use of cookies and the processing of personal data.
GDPR requires that users know:
- Which cookies are installed and for what purpose.
- How their personal data is used.
- If data is shared with third parties and for which purposes.
- How they can change their consent at any time.
In the case of Capital Investment, the Guarantor discovered that none of this information was available.
🔴 Why is this a problem?
- Users had no idea what was happening to their data.
- There was no transparent notice, an essential element of GDPR.
- Even those who wanted to change their preferences had no way to do so.
If your site collects data, you must ensure that users can easily access a clear and complete privacy notice.
To learn more, read "Difference Between Cookie Policy and Privacy Policy: Complete Guide" now.
3. Active cookies without consent: A mistake the Guarantor won’t forgive
One of the most serious issues found by the Guarantor is that Capital Investment’s site activated cookies before the user could give consent.
Do you know how they discovered it? With a simple check from the Chrome browser, which revealed that cookies were already installed before the user had the opportunity to accept or reject them.
To learn more: "How to check the cookies your site installs".
🔴 Why is this a problem?
- Consent must be obtained beforehand; it cannot be collected after tracking has already started.
- Installing cookies before consent violates GDPR and disregards users' preferences.
- Users must have full control over their data, without coercion or deceptive practices.

Collect consent with Avacy's cookie banner.
4. No link to the privacy policy in the footer: a deficiency that compromises transparency
Even if the site had had a banner (which it did not), it was still missing a fundamental element: a link to the privacy policy in the footer.
GDPR stipulates that users must be able to review their choices and modify their consent at any time. Without a clearly visible link to the privacy policy, this option becomes impossible.
🔴 Why is this a problem?
- Users could not review or modify their preferences.
- The absence of a direct link makes it harder to access the information.
- The site was less transparent and less compliant with GDPR guidelines.
What Does This Mean for Website Owners?
The Capital Investment case serves as a clear warning: the Guarantor is intensifying controls, and you no longer need a complaint to come under examination.
If you manage a website, you must ensure it complies with the regulations, or you risk facing sanctions, loss of trust, and legal issues.
To learn more: "GDPR in 3 Steps: How to Make Your Website Compliant with Avacy".
How to Avoid Problems (and Not Regret It Later)
Being GDPR compliant is not only a legal obligation but also a competitive advantage. A site that complies with the regulations offers transparency to users, improves their experience, and reduces the risk of sanctions and reputational damage.
Here are the key actions to avoid issues:
1. Implement a compliant cookie banner

The first step to comply with the regulations is to use a GDPR-compliant cookie banner that meets the following criteria:
- It must be displayed on the first user visit, before third-party or profiling cookies are installed.
- It must clearly inform about which cookies are used and for what purpose.
- It should provide a clear option to accept or reject cookies with equal ease.
- It should allow granular choices, enabling users to select only specific cookie categories and not be forced to accept all of them.
If your site only uses technical cookies, it is not necessary to show a banner, but it is still essential to indicate this clearly in the privacy policy.

Configure your cookie banner with Avacy now
2. Provide a detailed, clear, and easily accessible privacy policy
A well-structured privacy policy is essential to ensure transparency and compliance. The GDPR requires every site to inform users about:
- Which data is collected and for what purpose.
- Who has access to this data and whether it is shared with third parties.
- How users can modify their cookie preferences.
- What the user's rights are regarding data protection and how to exercise them.
The privacy policy must be written in a clear manner, avoiding technical jargon and complex legal formulas. Additionally, it must be easily accessible from the cookie banner and the website's footer.

Don't know where to start? Try Avacy's privacy policy generator now
3. Do not install non-technical cookies before explicit user consent
One of the most common mistakes is activating tracking cookies before the user has given their consent. This behavior is a direct violation of the GDPR.
To be compliant, the site must:
- Block profiling cookies and third-party cookies until the user explicitly accepts them.
- Ensure that the consent is freely given and not forced, without tricks to push the user into accepting (such as the so-called "dark patterns" with more visible acceptance buttons compared to rejection buttons).
- Allow the user to modify their consent at any time, with an easily accessible button or link.
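Added example, not Avacy's code and not the Guarantor's tooling: a small JavaScript consent gate that covers both the browser check described in mistake 3 above (listing the cookies already set before any consent) and the block-until-accepted rule in this step. The cookie names, categories and script tags are constructed sample values.

```javascript
// Added example, not Avacy's code: a consent gate plus the kind of pre-consent cookie
// audit the Guarantor's browser check performs. All names below are constructed samples.
const TECHNICAL = "technical";
// Constructed classification: cookie-name prefix -> category. Anything not listed
// is treated as non-technical, so an unknown cookie still needs consent.
const COOKIE_CATEGORIES = [
  { prefix: "PHPSESSID", category: TECHNICAL },
  { prefix: "cookie_consent", category: TECHNICAL },
  { prefix: "_ga", category: "analytics" },
  { prefix: "_fbp", category: "marketing" },
];
function categorize(name) {
  const hit = COOKIE_CATEGORIES.find((c) => name.startsWith(c.prefix));
  return hit ? hit.category : "unknown";
}
// Parse a document.cookie string such as "a=1; b=2" into cookie names.
function cookieNames(cookieString) {
  return cookieString.split(";").map((s) => s.trim()).filter(Boolean).map((s) => s.split("=")[0]);
}
// Audit: cookies already present that require consent. Run it on document.cookie before
// touching the banner; a non-empty result is the same finding the Guarantor made.
function nonTechnicalCookies(cookieString) {
  return cookieNames(cookieString).filter((n) => categorize(n) !== TECHNICAL);
}
// consent is null (no choice yet) or e.g. { analytics: true, marketing: false }.
// Technical cookies are always allowed; every other category needs an explicit true.
function allowedCategories(consent) {
  const allowed = new Set([TECHNICAL]);
  for (const [cat, ok] of Object.entries(consent || {})) if (ok === true) allowed.add(cat);
  return allowed;
}
function scriptsToActivate(tags, consent) {
  const allowed = allowedCategories(consent);
  return tags.filter((t) => allowed.has(t.category)).map((t) => t.src);
}
// Browser glue: ship tags as <script type="text/plain" data-category="..."> so the
// browser never executes them; on consent, swap allowed ones for real script elements.
function activateScripts(consent, doc = globalThis.document) {
  if (!doc) return 0; // no DOM, e.g. under Node
  const allowed = allowedCategories(consent);
  let activated = 0;
  for (const t of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!allowed.has(t.dataset.category)) continue;
    const s = doc.createElement("script");
    if (t.src) s.src = t.src; else s.textContent = t.textContent;
    t.replaceWith(s);
    activated++;
  }
  return activated;
}
```

Until the visitor makes a choice, only scripts tagged as technical are activated; re-running `nonTechnicalCookies(document.cookie)` after the page loads is the quickest way to confirm that nothing else was set.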
4. Place a link to the privacy policy in the footer
Even after giving consent, users must have the ability to review and modify their choices at any time.
For this reason, it is important to:
- Place a link to the privacy policy in the footer of every page on the site.
- Ensure that the information page is always accessible and up-to-date.
- Offer a button or dedicated area where users can review and modify their consent.
5. Use a certified Consent Management Platform (CMP)
Managing user consent manually can be complex and error-prone. Therefore, an effective solution is to use a certified CMP (Consent Management Platform) that:
- Automates cookie management in compliance with GDPR.
- Generates logs and detailed reports on user preferences, useful in case of inspections.
- Automatically updates to comply with any regulatory changes.
A CMP simplifies regulatory compliance and reduces the risk of violations, ensuring more secure and transparent privacy management.
Need help? Avacy is here
Being compliant with the GDPR requires attention to detail and continuous updates. For many companies, managing all this on their own can be complicated, costly, and prone to errors.
Avacy is a privacy management platform designed to automate and simplify GDPR compliance, ensuring your site meets all regulations without complications.
What Avacy offers:
1. Implementation of compliant cookie banners
Avacy provides tools to create and customize GDPR-compliant cookie banners.
The banners generated with Avacy:
- Are fully customizable to the site's needs.
- Offer clear and transparent consent management.
- Automatically block non-technical cookies until explicit user acceptance.
2. Generation of transparent and always up-to-date privacy policies
Writing a clear and compliant privacy policy can be difficult, especially with constantly evolving regulations.
Avacy helps generate and keep privacy policies up-to-date, ensuring they are always:
- Complete and detailed, including all the information required by GDPR.
- Easily accessible, with links in the banner and footer of the site.
- Automatically updated to adapt to new regulations.
3. Advanced consent management
One of the most important functions of Avacy is the certified collection and management of user consent.
The system allows you to:
- Safely record the choices of each user, with data available for audits by the privacy authority.
- Allow users to modify their consent at any time, giving them full control over their data.
- Generate detailed reports to monitor compliance.
4. Monitoring and automatic updates
Privacy rules are constantly evolving, and what is compliant today may not be tomorrow.
Avacy automatically updates to ensure that the site is always:
- Aligned with European regulations.
- In compliance with the latest guidelines from the Privacy Authority and the European Data Protection Board.
- Protected from legal risks, avoiding mistakes that could lead to fines.
5. Easy integration and compatibility with any website
One of the main advantages of Avacy is its ease of implementation. The system is designed to integrate with any platform, such as:
- WordPress
- Shopify
- Magento
- Custom sites
The integration is quick and does not require advanced technical knowledge. In just a few minutes, your site will be fully compliant with GDPR regulations.
Conclusion
The Capital Investment case shows that the Privacy Authority is intensifying its checks and no longer requires a complaint before examining a site.
If you have a website, verify immediately that it is compliant. Ignoring GDPR is no longer an option: today there are warnings, tomorrow fines could follow.
Relying on a professional solution like Avacy allows you to comply with the regulations without stress, protecting your business and ensuring users have a transparent and safe experience.