Maggioli S.p.A. – Complaint Upheld (Italy, 2023)
The Italian data protection authority upheld a complaint against Maggioli S.p.A. for improper cookie practices on its website. The company did not provide a clear way for users to reject cookies and relied on misleading consent methods. This ruling stresses the importance of transparent cookie policies for website operators.
What happened
Maggioli S.p.A. was found to have violated cookie consent rules by not allowing users to easily reject cookies.
Who was affected
Website visitors who encountered the cookie banner were affected.
What the authority found
The Italian DPA ruled that the company failed to comply with GDPR requirements for cookie consent, including the absence of a reject button.
Why this matters
This ruling sets a precedent for stricter enforcement of cookie consent regulations. Website operators should review their cookie policies to ensure compliance and transparency.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In August 2021, noyb (European Centre for Digital Rights) represented data subjects in filing several cookie mass complaints against Maggioli S.p.A. (controller) concerning its use of cookies and other tracking tools. The complaint alleged several violations across a number of the controller’s webpages, including the absence of a reject button at the first layer of the cookie banner, the use of pre-ticked boxes at the second layer and the improper reliance on legitimate interest as a legal basis for processing via cookies. The Italian DPA (Garante) carried out an investigation. During its investigation, it noted that the controller contracted with OneTrust (processor), a service that classified cookies and reported them in the controller’s cookie banner and cookie policy. Notably, only the processor could directly modify the cookie banner and cookie policy. The Garante also observed that the controller used only technical, non-tracking cookies. The processor, however, had erroneously attributed third parties’ tracking cookies that were on the controller’s webpage to the controller. On 30 May 2023, the Garante notified the controller of the alleged violations and that it was initiating the procedure pursuant to Article 166(5) of the Code on Protection of Personal Data. On 29 June 2023, the controller replied with a defensive brief. It noted that, upon discovering the processor’s erroneous cookie categorizations, the controller requested that the error be corrected. When the processor failed to do so in breach of their contract, the controller withdrew from the contract and entered into an agreement with a new supplier to alter the cookie banner. The controller also argued that the failure to inform users about the meaning of the X had not resulted in any violation because the controller only used technical non-tracking cookies. The Garante found that the controller’s conduct breached Articles 4(11), 5, 7, 12, 13, 24, 25 and 28 GDPR. It focused on three core issue
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (3)
Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.
Art. 7 GDPR
Cookie consent checkboxes are pre-selected by default, violating the requirement for active, affirmative consent.
Art. 4(11) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Maggioli S.p.A. in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Decision Date
8 February 2023
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-7766About this data
Cite as: Cookie Fines. Maggioli S.p.A. - Italy (2023). Retrieved from cookiefines.eu
Last updated: