In recent months, the Privacy Guarantor has intensified checks on user consent management and the use of cookies on websites. The good news? For now, no fines. The bad news? Warnings have piled up, signaling that the grace period is ending, and those who do not comply with privacy rules may soon find themselves in trouble.

A key element in this case is that these checks were not initiated following user reports but rather on the direct initiative of the Privacy Guarantor. In other words, the Authority decided not to wait for complaints but to proactively ensure that websites comply with the regulations.

One of the most emblematic cases is that of Maddalena Lines Srl, a company that received a warning for non-compliant cookie banner management.

Let's look at the details of the errors identified and what changes for website administrators.

Errors attributed to Maddalena Lines by the Privacy Guarantor:

1. The cookie banner was misleading and unnecessary

Maddalena Lines claimed to only use technical cookies, i.e., those essential for the website's functioning and that do not require user consent.

So, why was the site still showing a cookie banner? This created confusion because users were prompted to interact with something unnecessary, giving the impression that they had to accept data processing that was not actually taking place.

🔴 Mistake: If you only use technical cookies, the banner is not needed. Its presence can mislead users into thinking that data processing is occurring when it isn’t, which is considered misleading.

Don't know how to set up the cookie banner for your website? Read the guide.

2. The banner message was inconsistent with cookie usage

The banner displayed on the site included a message like:

“We use cookies to personalize content and ads, provide social media features, and analyze our traffic. We also share information about how you use our site with our analytics, advertising, and social media partners, who may combine it with other information you’ve provided them or collected from your use of their services.”

This type of message is perfectly legitimate if the site uses profiling cookies or third-party cookies.

However, Maddalena Lines claimed to use only technical cookies, which means the message was false or misleading, as it implied tracking activities that did not take place.

🔴 Mistake: The banner must accurately reflect the actual use of cookies on the site. If no profiling or third-party cookies are used, users should not be led to believe otherwise.

3. Lack of a direct link to the cookie policy

Another issue? The banner did not contain a direct link to the cookie policy.

According to the regulations, users must be able to easily access information about the cookies used on the site. In this case, however, there was no link, not even in the "Show details" section, making data management less transparent.

🔴 Mistake: The cookie policy must be easily and directly accessible, without requiring users to search for it on the site.

To learn more, read "Difference Between Cookie Policy and Privacy Policy: Complete Guide" now.

4. No option to close the banner without accepting cookies

Another issue reported by the Privacy Guarantor: the banner did not provide an option to close it without accepting cookies.

In practice, users were forced to choose between “accept” and “reject” but were not offered a convenient "X" to close the banner and continue browsing.

🔴 Mistake: GDPR guidelines state that users must be able to reject cookies as easily as they can accept them. Without a close button, the banner becomes coercive.

To learn more: "Cookie wall and cookie paywall: what they are and legal implications".

5. No granular consent management

Finally, Maddalena Lines did not allow users to choose which cookies to accept and which to reject.

If a website uses profiling or third-party cookies, it must give users the ability to select individual categories of cookies they want to enable.

🔴 Mistake: Forcing an “all or nothing” acceptance is not compliant with GDPR rules.

Read more: "How to collect marketing profiling consent: everything you need to know".

Risks for those who do not comply:

The Authority's action shows that compliance with data protection regulations is no longer an option but a necessity. With increasing inspections and a more proactive approach from the Authority, website owners must ensure GDPR compliance, avoiding mistakes that could lead to unpleasant consequences.

1. Possible financial penalties

For now, the Authority has chosen the path of a warning, giving companies time to comply. However, in the past, significant fines have already been imposed for privacy regulation violations.

Penalties for failing to comply with cookie and consent management rules can reach up to 4% of global annual revenue or €20 million, whichever is higher. In some cases, even seemingly minor errors, such as the absence of a clear option to reject cookies or misleading information, can be considered violations and lead to sanctions.

2. Worsening of the user experience

A poorly designed cookie banner is not just a legal issue; it can also affect the user experience on the website.

If the banner is too invasive, forces unnecessary actions, or does not allow users to continue browsing without accepting cookies, they may simply abandon the site. This leads to:

  • Increased bounce rates (users leave the site immediately after opening it).
  • Reduced time spent on the site, negatively impacting search engine rankings.
  • Decreased conversions, as fewer users stay long enough to take a useful action (purchase, registration, contact request).

3. Loss of trust and damage to reputation

Privacy management is increasingly important for user trust. People are becoming more aware of how their data is handled and expect transparency and clarity from the sites they visit.

If a company uses a misleading cookie banner, does not provide clear information, or forces consent, it may be perceived as untrustworthy. This can have direct consequences on:

  • User loyalty, as they may choose not to return to the site.
  • Brand reputation, with the risk of negative reviews or reports on social media.
  • Relationships with partners and advertisers, who may prefer to work with companies that ensure more transparent data management.

4. Greater exposure to the Garante's inspections

A website that does not comply with privacy guidelines not only risks facing penalties but may also be subject to more frequent inspections by the Authority.

The Authority has shown a willingness to conduct proactive checks without waiting for user reports. This means that a non-compliant website could come under scrutiny even in the absence of complaints, increasing the risk of receiving compliance requests or, in more severe cases, sanctioning measures.

5. Impacts on business and competitiveness

Beyond the direct risks of fines and user loss, non-compliance can have a broader impact on the business. Companies operating internationally or working with partners and suppliers who prioritize data protection may face difficulties if their website does not comply with regulations.

Being GDPR-compliant is not just an obligation but also a competitive advantage. A company that shows it properly handles user privacy can:

  • Differentiate itself from competitors by offering greater security and transparency.
  • Avoid operational disruptions due to requests for adjustments or legal issues.
  • Improve brand perception by showing attention to personal data protection.

In an increasingly strict regulatory environment and with users becoming more privacy-conscious, ignoring these aspects is no longer an option.

How to adapt your site to cookie regulations?

Here are the key actions to avoid issues:

  • Check if a cookie banner is necessary: If you only use technical cookies, you probably don’t need one.
  • Write clear and consistent messages: The banner must accurately reflect data processing.
  • Include a direct link to the cookie policy: Users should easily access details on cookie management.
  • Allow users to close the banner without requiring acceptance: No coercion.
  • Offer granular consent management: If you use profiling cookies, users must be able to choose which ones to accept.

Compliance solutions: Avacy’s support

Ensuring compliance with data protection regulations is not only a legal obligation but also a key element for transparency and user trust. However, for many businesses and website managers, complying with the Authority's guidelines can be a complex and tricky process.

The cookie and user consent regulations outline several specific requirements, including:

  • A clear and transparent cookie notice, without ambiguous or misleading statements.
  • The ability to reject cookies and modify settings as easily as they can be accepted, as required by the GDPR.
  • A granular consent management system that allows users to choose which categories of cookies to enable or disable.
  • A compliant cookie banner that is visible but non-intrusive, with clear options and a direct link to the cookie policy.

Many businesses underestimate the importance of properly configuring tracking and data collection systems, exposing themselves to the risk of inspections and penalties. This is where Avacy comes into play, a solution designed to offer automated and compliant privacy management.

What Avacy offers:

1. GDPR-compliant cookie banner implementation

One of the most common mistakes concerns the configuration of the cookie banner. Many websites use misleading, intrusive banners or ones that do not comply with transparency rules.

Avacy allows you to create and customize a banner that complies with the Authority's guidelines, ensuring that:

  • It is not shown unnecessarily if the website only uses technical cookies.
  • It is clear and consistent with the actual use of cookies.
  • It offers clear options for acceptance and rejection, without forcing consent.

2. Advanced consent management

With Avacy, the website will have a granular consent management system, allowing users to:

  • Accept only specific categories of cookies (profiling, analytics, marketing, etc.).
  • Modify preferences at any time through a simple and accessible interface.
  • View a clear and detailed summary of the cookies in use.

Thanks to this feature, the website will be fully compliant with GDPR guidelines, avoiding “all-or-nothing” choices that could be challenged by the Authority.

3. Continuous monitoring and updates

Privacy regulations are constantly evolving, and what is considered compliant today may no longer be in a few months.

Avacy monitors legislative updates and automatically adjusts system settings to keep the website always compliant.

What does this mean in practice?

  • No risk of outdated or non-compliant banners.
  • Automatic updates to align with new European directives.
  • Notifications and detailed reports on any necessary adjustments.

4. Simple integration and compatibility with all websites

One of Avacy's strengths is its ease of implementation. The solution is designed to integrate with any platform (WordPress, Shopify, Magento, custom sites, etc.), without requiring advanced technical skills.

In just a few minutes, the system is up and running and perfectly configured, eliminating the need for complex or costly manual interventions.

5. Compliance audits and reports

Avacy doesn’t just implement a compliant system; it also provides monitoring and analysis tools, including:

  • Detailed reports on cookie and consent management.
  • Periodic audits to ensure the website complies with GDPR guidelines.
  • A history of user preferences to demonstrate that consent was properly collected in case of inspections.

These tools are especially useful for companies that want full control over their compliance and want to avoid unpleasant surprises during potential inspections by the Authority.

Why choose a professional solution?

Many companies try to manage compliance on their own by manually implementing banners and policies. However, without the right expertise, it’s easy to make mistakes that can lead to:

  • Warnings and fines for non-compliant banners.
  • A negative user experience due to intrusive or unclear banners.
  • Lack of transparency, resulting in a loss of user trust.

Relying on a professional solution like Avacy saves time, reduces legal risks, and ensures a smooth, transparent user experience.

In a constantly evolving regulatory environment, choosing a reliable partner for GDPR compliance management is a strategic move for any company.

Conclusion

The case of Maddalena Lines Srl is a clear sign: the Privacy Guarantor is ramping up checks and is no longer waiting for complaints to intervene. No site is safe: even small mistakes, like a misleading banner or lack of a clear option to reject cookies, can lead to warnings, fines, and damage to reputation.

Complying with GDPR is not just a legal obligation, but a competitive advantage. A transparent and compliant site improves the user experience, strengthens trust, and prevents future issues.

Solutions like Avacy simplify the process, ensuring compliant banners, advanced consent management, and automatic updates.

The message from the Privacy Guarantor is clear: those who don’t comply risk consequences. Now is the time to act.