Italy: Marketing Privacy Consent – Is Double Opt-In Now Mandatory?

DLA Piper
A recent and far-reaching decision by the Italian Data Protection Authority (Garante) has significantly altered the rules governing marketing privacy consent in Italy, introducing a potential obligation to adopt a double opt-in mechanism for collecting consent that exceeds the requirements in other EU countries.

Why This Case Matters: A Shift in Privacy Consent Standards in Italy

On June 4, 2025, the Garante issued a decision against Noi Compriamo Auto S.r.l. (NCA), ordering the company to pay a € 45,000 fine for unlawful processing of personal data in connection with its marketing practices. The case arose from a complaint by a user who had received multiple unsolicited promotional emails despite allegedly never having provided valid consent for marketing-related purposes.

The company argued that it relied on third-party partners, including entities based in Spain and the United States, who allegedly collected the data and corresponding marketing-related privacy consents on external portals such as yoursavingfiesta.com and streamail.pro. However, the user was unaware of these websites and denied any involvement.

The most relevant element of the decision is that the privacy consent was proven via logs and IP addresses. The Garante found these elements unreliable and required the company to adopt additional safeguards, such as double opt-in. The double opt-in is a practice in which individuals not only need to grant consent but also confirm it by clicking a link included in a validation email sent to their email address.

The main question here is whether, through this decision, the double opt-in mechanism has become the de facto rule for collecting marketing-related consent in Italy.

Marketing Privacy Consent Must Be Demonstrable

Article 7 of the GDPR requires that privacy consent be demonstrable, and in line with this requirement the Garante emphasized that in contexts involving online forms, lead generation, or third-party intermediaries, simple logs are insufficient.

Instead, it affirmed that “the documentation of consent via double opt-in constitutes, to date, a minimum standard of protection for the data subject as well as for the controller.” This approach is consistent with the interpretation followed by the Italian Data Protection Authority in the Italian Code of Conduct for Telemarketing and Teleselling practices, although this is only mandatory for companies that have committed to it. In other words, in Italy, sending a confirmation email after the initial sign-up is no longer a recommendation—it is required to ensure compliance.

This interpretation is rooted in the Garante’s evolving view of accountability (Article 5(2) and Article 24 GDPR). Controllers must not only obtain privacy consent but also implement technical and organizational measures to prove its validity. That includes building consent flows that are traceable, transparent, and resilient to disputes.

Is the Double Opt-In the Rule for Privacy Consent in Italy?

A significant debate arose after this decision, as it is unclear whether, following the Garante's decision, double opt-in is compulsory for collecting marketing privacy consent or is just one of the possible options for reliably proving valid consent. The former reading would create a major inconsistency across the European Union, as the GDPR does not expressly provide for double opt-in and the requirement has not been validated by the European Data Protection Board.

The question is whether the Garante can set the bar of compliance so high without having agreed on the position with other EU data protection supervisory authorities. Indeed, this view may discriminate against companies operating in Italy and is contrary to the purpose of the GDPR, which is to establish a consistent set of data protection rules across the European Union.

Official guidelines from the EDPB on the matter may help to ensure consistency and clarity. Although the decision of the Garante relates to a matter where the company lacked control over the source of the data used for marketing communications and NCA had made it overly complex for the user to exercise their rights, the Garante does suggest that, at least in some circumstances, a double opt-in is the minimum standard of protection and therefore mandatory.

How shall companies react to this decision?

If a business intends to use data for marketing purposes in Italy, it should consider the following:

  1. Use Double Opt-In (or equivalent) to Collect Consents: Adopt the double opt-in as a standard for collecting marketing and privacy consent, particularly when relying on web forms, affiliates, or lead-generation platforms. If that is excessively burdensome, you shall find an equivalent solution, but you need to prove that it is reliable through an internal assessment to be submitted to the Garante on request.
  2. Know Your Vendors: Contractual clauses alone are insufficient to demonstrate compliance in the collection and processing of personal data. Vet, audit, and document their practices continuously. Companies shall be able to prove that they have complete control over their data vendors.
  3. Enable Rights Exercise: Ensure that users can easily access and withdraw consent without encountering technical barriers. This practice is quite complex in large organizations, and technical and organizational solutions shall be implemented to support the timely management of the requests.
  4. Build Accountability: Document every step in your consent journey and review your records regularly to ensure ongoing compliance. In the case of investigations by the Italian data protection authority, the ability to prove the adoption of the correct practices is pivotal.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© DLA Piper