Updated Cookie Guidelines with implementation deadline January 11, 20241
On July 11, 2023, the Spanish Data Protection Authority (hereinafter, “AEPD”) published an update Guide on the use of cookies (hereinafter, the “Guide”), to align it with the Guidelines 03/2022 on deceptive design patterns issued by the European Data Protection Board (hereinafter, “EDPB”) in February 2023.
It is important to consider with this Guide the AEPD aims to promote transparency with the user, and an adaptation towards a more informed and free consent approach.
The Guide contains recommendations so that entities that use these technologies can adapt their websites, apps or platforms to the new requirements set out by the AEPD. Although these criteria are described as a recommendation, in this matter on the use of cookies and similar technologies, the considerations in the Guide must be considered mandatory.
The deadline for implementing the updates and issues outlined in the Guide was set for January 11, 2024.
The most relevant updates include:
- Mandatory option to reject cookies in the first layer of information and in the same place, format and level as the option to accept.
Undoubtedly, the most significant change consists of the obligation to include in the first layer of information on cookies (in the banner or Consent Management Platform, “CMP”) the option or button to “REJECT”, “REJECT COOKIES” or similar. This change is important, since, to date, it was compatible with the AEPD criteria to include a button to configure cookies without being necessary to directly include a specific rejection option.
Additionally, the option to accept or reject cookies must be presented in a prominent place and format, with both options being at the same level, without making it more complex to reject than accept them. This prevents options such as highlighting the accept button over the reject button, changing the font or font size of the reject button from being implemented.
- Differentiate between personalisation cookies that are decided by the user or the publisher.
When the user themselves makes decision about the use of these personalisation cookies (such as, for example, when choosing a language or the currency in which payment is to be made), the Guide determines that these should be considered as technical cookies that do not require the users’ consent, as long as they are not going to be used for other purposes, both in that session and in a future one.
1 https://www.aepd.es/es/documento/guia-cookies.pdf
If it is the publisher who makes decisions about personalisation cookies based on the information it obtains from the user, it must first provide information, offering the option to accept or reject cookies, in a way that highlights both options. It is also limited to not being able to use them for purposes other than those informed to the user.
- Cookie Walls: the alternative of accessing the service without accepting cookies does not necessarily have to be free of charge.
The previous guide already specified that for consent to be considered to have been granted freely, access to the service and its functionalities could not be conditional on the user consenting to the use of cookies. Therefore, there could be cases in which not accepting the use of cookies would prevent access to the website or the use of the website in its entirety or partial service, provided that the user is informed, and the publisher offers an alternative way of accessing the service without the need to accept the use of cookies. The new version of the Guide clarifies that such an alternative need not necessarily be free of charge.
These new developments are highly relevant for any entity that makes use of cookies or similar technologies, especially considering that the AEPD has always placed special emphasis on the duty of transparency and the collection of consent in this matter.
We remain at your disposal for any questions or queries you may have.
Yours sincerely,
ECIJA Data Protection Area
Telf: + 34 91.781.61.60