Società Onlinestore s.r.l. – Violation Found (Italy, 2024)

Violation Found
Garante per la protezione dei dati personali17 October 2024Italy
final
ePrivacy
Violation Found

The Italian authority found that Società Onlinestore s.r.l. violated cookie consent rules on their website. They did not provide a proper way for users to reject cookies, which is important for user privacy. This ruling shows that businesses must allow users to control their cookie preferences clearly and easily.

What happened

Società Onlinestore s.r.l. failed to provide a proper cookie consent mechanism on their website, including no option to reject cookies.

Who was affected

Website visitors who interacted with the www.onlinestore.it site and had their cookie preferences improperly managed.

What the authority found

The authority determined that the website did not allow users to give informed and freely given consent for cookie usage, violating GDPR requirements.

Why this matters

This ruling highlights the importance of clear cookie consent practices for online businesses. Companies must ensure their cookie banners comply with regulations to protect user privacy.

GDPR Articles Cited

AI-verified

Art. 5(GDPR)
Art. 7(GDPR)
Art. 12(GDPR)
Art. 13(GDPR)
Art. 24(GDPR)
Art. 25(GDPR)
Art. 4(11) GDPR
View original scraped data
Art. 4(11) GDPR
Art. 5(GDPR)
Art. 7(GDPR)
Art. 12(GDPR)
Art. 13(GDPR)
Art. 24(GDPR)
Art. 25(GDPR)

Original data from scraper before AI verification against source document.

National Law Articles

AI-identified

d. lgs. 196/2003
Source verified 9 April 2026
articles corrected
national law identified
Italy enforcementGarante per la protezione dei dati personali actionsAll Società Onlinestore s.r.l. actions
Full Legal Summary
Detailed

The Italian supervisory authority investigated the cookie practices of the www.onlinestore.it website on its own volition. The website belonged to e-commerce company Società Onlinestore S.r.l. (the data controller). The website’s cookie banner stated that the website used cookies (including third-party cookies) to offer a better browser experience and that users could edit their cookie preferences. The banner included three options: “Accept”, “Customize”, and “Learn more”. The banner included no option to reject cookies and no “X” iconThe authority's cookie guidelines recommend the use of an "X" button. The "X" must be positioned in the upper right corner of the banner, like the "close" option of many programs. Clicking the "X" button dismisses the banner and rejects all non-necessary cookies, much like a "Reject All" option. See [https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9677876 Garante per la protezione dei dati personali (Italy) - 9677876]. to close the banner. The “Customized” option opened a drop-down menu with preferences for both necessary cookies and profiling cookies. Profiling cookies were pre-selected by default and could be de-selected by the user. The authority tested the website and found that the same number of cookies were placed regardless of user preference. In its preliminary view, the authority held that the data controller did not allow users to express informed, freely given, and granular consent. The authority also held that the controller failed to provide users with a clear and transparent cookie notice. In the authority’s view, the controller violated Articles 4(11), 5, 7, 24, and 25 GDPR, [https://www.gazzettaufficiale.it/dettaglio/codici/datiPersonali Article 122 d. lgs. 196/2003]This Article is the Italian implementation of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02002L0058-20091219 Article 5(3) ePrivacy Directive 2002/58/EC]., and the authority's guidelines on cookies and other trackers[https

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Violations (6)

No Reject Button
critical

Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.

Art. 7 GDPR

Pre-ticked Consent Boxes
high

Cookie consent checkboxes are pre-selected by default, violating the requirement for active, affirmative consent.

Art. 4(11) GDPR

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Cookies Persist After Rejection
critical

Tracking cookies remain active or are re-placed even after the user explicitly rejects them.

Art. 6(1) GDPR

Third-Party Cookies Without Consent
critical

Third-party tracking cookies or scripts are loaded without obtaining prior user consent.

Art. 13, 14 GDPR

No Granular Cookie Choice
high

Users cannot select or deselect individual cookie categories; consent is presented as all-or-nothing.

Art. 4(11) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Società Onlinestore s.r.l. in IT

This is the only recorded action for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

Minister for Legal Protection

2022 · DPA RbOverijssel

unknown (claimant)

2021 · DPA OLGLinz

Details

Decision Date

17 October 2024

Authority

Garante per la protezione dei dati personali

GDPRhub ID

gdprhub-8915

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified
Cookie relevance: 100%

Cite as: Cookie Fines. Società Onlinestore s.r.l. - Italy (2024). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: