Update of the AEPD Guide concerning the use of cookies

The Spanish Data Protection Agency (“AEPD”) published on 28 July 2020 an update of the Guidelines on the use of cookies, with the aim of updating the criteria of the previous Guide published on 12 November 2019. There are some changes in the criteria regarding what was previously established, while following the interpretations provided by other European Union control authorities. These changes have a strong impact on those entities that had been governed by the previous Guideline’s criteria, having until the next 31 October to adapt.

On July 28, the AEPD published an update of its Guide regarding the use of cookies (its previous version was published in November 2019), which sets out criteria defended by different European Control Authorities that were reinforced by the European Supervisor’s opinions in its Guidelines 05/2020 regarding the user’s consent.

It is necessary to highlight that the AEPD establishes the 31st October 2020 as the date on which these measures will be mandatory, a period during which the companies must carry out the relevant proceedings to comply with the new measures required by the Control Authority.

The main updates included in this Guide, apart from highlighting, as in the previous one, the importance of informing the users duly of the nature and purpose of the cookie, are the following:

1. Need for a positive action from the user in order to consider the user’s consent valid. In this sense, it suppresses the simple navigation and the pre-marked boxes as a method of providing a valid consent.
2. Mechanisms should be implemented so that the rejection of the cookies is just as accessible as the acceptation. The insertion of a button or mechanisms to reject all cookies is mandatory.
3. In case of cookies processing special category data, separate information has to be provided, including the special category of use, and the user has to accept the use of such cookies separately.
4. It generally prohibits the use of the so called “Cookie Walls”. It can only be accepted, if: (i) the user has been correctly informed, (ii) an alternative to access to the offered service is provided, without accepting the cookies, and (iii) it is offered by the same publisher.
5. If cookies from third parties are used, the possibility of informing the user that these cookies can be deleted through the systems offered by these third parties is established, as well as through the configuration in the browser, which are additional mechanisms to those implemented in the cookie configurator.

Having the main new features of the updated Guide identified, an overview of the requirements to comply with the Guide is presented below.