Società Onlinestore s.r.l. – Violation Found (Italy, 2024)

Violation Found
Garante per la protezione dei dati personali17 October 2024Italy
final
ePrivacy
Violation Found

Società Onlinestore s.r.l. was found to have poor cookie practices on its website, which did not allow users to easily reject cookies. The cookie banner lacked a clear option for users to refuse non-essential cookies, which is a requirement under privacy laws. This case serves as a warning for online businesses to ensure they provide clear and user-friendly consent options for cookies.

What happened

The website failed to provide a proper option for users to reject cookies before they were placed.

Who was affected

Visitors to the www.onlinestore.it website who were tracked by cookies without proper consent options.

What the authority found

The Garante per la protezione dei dati personali ruled that the company did not allow users to give informed and free consent regarding cookies, violating GDPR requirements.

Why this matters

This ruling emphasizes the need for clear cookie consent mechanisms on websites. Businesses must ensure their cookie banners comply with privacy regulations to avoid similar issues.

GDPR Articles Cited

AI-verified

Art. 5(GDPR)
Art. 7(GDPR)
Art. 24(GDPR)
Art. 25(GDPR)
Art. 4(11) GDPR
View original scraped data
Art. 4(11) GDPR
Art. 5(GDPR)
Art. 7(GDPR)
Art. 12(GDPR)
Art. 13(GDPR)
Art. 24(GDPR)
Art. 25(GDPR)

Original data from scraper before AI verification against source document.

National Law Articles

AI-identified

Art. 122 Codice Privacy
Source verified 9 April 2026
articles corrected
national law identified
Italy enforcementGarante per la protezione dei dati personali actionsAll Società Onlinestore s.r.l. actions
Full Legal Summary
Detailed

The Italian supervisory authority investigated the cookie practices of the www.onlinestore.it website on its own volition. The website belonged to e-commerce company Società Onlinestore S.r.l. (the data controller). The website’s cookie banner stated that the website used cookies (including third-party cookies) to offer a better browser experience and that users could edit their cookie preferences. The banner included three options: “Accept”, “Customize”, and “Learn more”. The banner included no option to reject cookies and no “X” iconThe authority's cookie guidelines recommend the use of an "X" button. The "X" must be positioned in the upper right corner of the banner, like the "close" option of many programs. Clicking the "X" button dismisses the banner and rejects all non-necessary cookies, much like a "Reject All" option. See [https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9677876 Garante per la protezione dei dati personali (Italy) - 9677876]. to close the banner. The “Customized” option opened a drop-down menu with preferences for both necessary cookies and profiling cookies. Profiling cookies were pre-selected by default and could be de-selected by the user. The authority tested the website and found that the same number of cookies were placed regardless of user preference. In its preliminary view, the authority held that the data controller did not allow users to express informed, freely given, and granular consent. The authority also held that the controller failed to provide users with a clear and transparent cookie notice. In the authority’s view, the controller violated Articles 4(11), 5, 7, 24, and 25 GDPR, [https://www.gazzettaufficiale.it/dettaglio/codici/datiPersonali Article 122 d. lgs. 196/2003]This Article is the Italian implementation of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02002L0058-20091219 Article 5(3) ePrivacy Directive 2002/58/EC]., and the authority's guidelines on cookies and other trackers[https

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Violations (6)

No Reject Button
critical

Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.

Art. 7 GDPR

Pre-ticked Consent Boxes
high

Cookie consent checkboxes are pre-selected by default, violating the requirement for active, affirmative consent.

Art. 4(11) GDPR

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Cookies Persist After Rejection
critical

Tracking cookies remain active or are re-placed even after the user explicitly rejects them.

Art. 6(1) GDPR

Third-Party Cookies Without Consent
critical

Third-party tracking cookies or scripts are loaded without obtaining prior user consent.

Art. 13, 14 GDPR

No Granular Cookie Choice
high

Users cannot select or deselect individual cookie categories; consent is presented as all-or-nothing.

Art. 4(11) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Società Onlinestore s.r.l. in IT

This is the only recorded action for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

Minister for Legal Protection

2022 · DPA RbOverijssel

unknown (claimant)

2021 · DPA OLGLinz

Details

Decision Date

17 October 2024

Authority

Garante per la protezione dei dati personali

GDPRhub ID

gdprhub-8915

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified
Cookie relevance: 100%

Cite as: Cookie Fines. Società Onlinestore s.r.l. - Italy (2024). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: